Sync keystone policy
Based on keystone commit cfbc2aa30b7406b4bc77e40a55561d1f46174b5c keystone uses policy-in-code now, so there is a lot of differences. The new file was generated by oslopolicy-sample-generator. Sorted version diff is http://paste.openstack.org/show/628745/. Removed policies are: default identity:change_password identity:get_identity_providers 'identity:change_password' is used in horizon. There seems no corresponding new policy, so the corresponding horizon rules are dropped in this commit. Our UT depends on the identity policy file. This commit updates the UTs in a more robust way. Change-Id: I76eb9f95c7112bcbad75ee151f363f892298d081
This commit is contained in:
parent
c2bc6ccb06
commit
117ec5ddc2
@ -2,137 +2,50 @@
|
||||
"admin_required": "role:admin or is_admin:1",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s",
|
||||
"owner": "user_id:%(user_id)s",
|
||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
"token_subject": "user_id:%(target.token.user_id)s",
|
||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:admin_required",
|
||||
"identity:update_region": "rule:admin_required",
|
||||
"identity:delete_region": "rule:admin_required",
|
||||
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:admin_required",
|
||||
"identity:update_service": "rule:admin_required",
|
||||
"identity:delete_service": "rule:admin_required",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:admin_required",
|
||||
"identity:update_endpoint": "rule:admin_required",
|
||||
"identity:delete_endpoint": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
|
||||
"identity:list_domains": "rule:admin_required",
|
||||
"identity:create_domain": "rule:admin_required",
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
|
||||
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
"identity:update_project": "rule:admin_required",
|
||||
"identity:delete_project": "rule:admin_required",
|
||||
|
||||
"identity:get_user": "rule:admin_or_owner",
|
||||
"identity:list_users": "rule:admin_required",
|
||||
"identity:create_user": "rule:admin_required",
|
||||
"identity:update_user": "rule:admin_required",
|
||||
"identity:delete_user": "rule:admin_required",
|
||||
"identity:change_password": "rule:admin_or_owner",
|
||||
|
||||
"identity:get_group": "rule:admin_required",
|
||||
"identity:list_groups": "rule:admin_required",
|
||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
||||
"identity:create_group": "rule:admin_required",
|
||||
"identity:update_group": "rule:admin_required",
|
||||
"identity:delete_group": "rule:admin_required",
|
||||
"identity:list_users_in_group": "rule:admin_required",
|
||||
"identity:remove_user_from_group": "rule:admin_required",
|
||||
"identity:check_user_in_group": "rule:admin_required",
|
||||
"identity:add_user_to_group": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required",
|
||||
"identity:create_credential": "rule:admin_required",
|
||||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
|
||||
"identity:list_domains": "rule:admin_required",
|
||||
"identity:create_domain": "rule:admin_required",
|
||||
"identity:update_domain": "rule:admin_required",
|
||||
"identity:delete_domain": "rule:admin_required",
|
||||
"identity:create_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config": "rule:admin_required",
|
||||
"identity:get_security_compliance_domain_config": "",
|
||||
"identity:update_domain_config": "rule:admin_required",
|
||||
"identity:delete_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config_default": "rule:admin_required",
|
||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
"identity:get_domain_role": "rule:admin_required",
|
||||
"identity:list_domain_roles": "rule:admin_required",
|
||||
"identity:create_domain_role": "rule:admin_required",
|
||||
"identity:update_domain_role": "rule:admin_required",
|
||||
"identity:delete_domain_role": "rule:admin_required",
|
||||
|
||||
"identity:get_implied_role": "rule:admin_required ",
|
||||
"identity:list_implied_roles": "rule:admin_required",
|
||||
"identity:create_implied_role": "rule:admin_required",
|
||||
"identity:delete_implied_role": "rule:admin_required",
|
||||
"identity:list_role_inference_rules": "rule:admin_required",
|
||||
"identity:check_implied_role": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
|
||||
"identity:create_grant": "rule:admin_required",
|
||||
"identity:revoke_grant": "rule:admin_required",
|
||||
|
||||
"identity:list_role_assignments": "rule:admin_required",
|
||||
"identity:list_role_assignments_for_tree": "rule:admin_required",
|
||||
|
||||
"identity:get_policy": "rule:admin_required",
|
||||
"identity:list_policies": "rule:admin_required",
|
||||
"identity:create_policy": "rule:admin_required",
|
||||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
|
||||
"identity:check_token": "rule:admin_or_token_subject",
|
||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
|
||||
"identity:create_consumer": "rule:admin_required",
|
||||
"identity:get_consumer": "rule:admin_required",
|
||||
"identity:list_consumers": "rule:admin_required",
|
||||
"identity:delete_consumer": "rule:admin_required",
|
||||
"identity:update_consumer": "rule:admin_required",
|
||||
|
||||
"identity:authorize_request_token": "rule:admin_required",
|
||||
"identity:list_access_token_roles": "rule:admin_required",
|
||||
"identity:get_access_token_role": "rule:admin_required",
|
||||
"identity:list_access_tokens": "rule:admin_required",
|
||||
"identity:get_access_token": "rule:admin_required",
|
||||
"identity:delete_access_token": "rule:admin_required",
|
||||
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:admin_required",
|
||||
"identity:update_endpoint": "rule:admin_required",
|
||||
"identity:delete_endpoint": "rule:admin_required",
|
||||
"identity:create_endpoint_group": "rule:admin_required",
|
||||
"identity:list_endpoint_groups": "rule:admin_required",
|
||||
"identity:get_endpoint_group": "rule:admin_required",
|
||||
@ -144,40 +57,41 @@
|
||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:admin_required",
|
||||
"identity:list_grants": "rule:admin_required",
|
||||
"identity:create_grant": "rule:admin_required",
|
||||
"identity:revoke_grant": "rule:admin_required",
|
||||
"identity:get_group": "rule:admin_required",
|
||||
"identity:list_groups": "rule:admin_required",
|
||||
"identity:list_groups_for_user": "rule:admin_or_owner",
|
||||
"identity:create_group": "rule:admin_required",
|
||||
"identity:update_group": "rule:admin_required",
|
||||
"identity:delete_group": "rule:admin_required",
|
||||
"identity:list_users_in_group": "rule:admin_required",
|
||||
"identity:remove_user_from_group": "rule:admin_required",
|
||||
"identity:check_user_in_group": "rule:admin_required",
|
||||
"identity:add_user_to_group": "rule:admin_required",
|
||||
"identity:create_identity_provider": "rule:admin_required",
|
||||
"identity:list_identity_providers": "rule:admin_required",
|
||||
"identity:get_identity_providers": "rule:admin_required",
|
||||
"identity:get_identity_provider": "rule:admin_required",
|
||||
"identity:update_identity_provider": "rule:admin_required",
|
||||
"identity:delete_identity_provider": "rule:admin_required",
|
||||
|
||||
"identity:create_protocol": "rule:admin_required",
|
||||
"identity:update_protocol": "rule:admin_required",
|
||||
"identity:get_protocol": "rule:admin_required",
|
||||
"identity:list_protocols": "rule:admin_required",
|
||||
"identity:delete_protocol": "rule:admin_required",
|
||||
|
||||
"identity:get_implied_role": "rule:admin_required",
|
||||
"identity:list_implied_roles": "rule:admin_required",
|
||||
"identity:create_implied_role": "rule:admin_required",
|
||||
"identity:delete_implied_role": "rule:admin_required",
|
||||
"identity:list_role_inference_rules": "rule:admin_required",
|
||||
"identity:check_implied_role": "rule:admin_required",
|
||||
"identity:create_mapping": "rule:admin_required",
|
||||
"identity:get_mapping": "rule:admin_required",
|
||||
"identity:list_mappings": "rule:admin_required",
|
||||
"identity:delete_mapping": "rule:admin_required",
|
||||
"identity:update_mapping": "rule:admin_required",
|
||||
|
||||
"identity:create_service_provider": "rule:admin_required",
|
||||
"identity:list_service_providers": "rule:admin_required",
|
||||
"identity:get_service_provider": "rule:admin_required",
|
||||
"identity:update_service_provider": "rule:admin_required",
|
||||
"identity:delete_service_provider": "rule:admin_required",
|
||||
|
||||
"identity:get_auth_catalog": "",
|
||||
"identity:get_auth_projects": "",
|
||||
"identity:get_auth_domains": "",
|
||||
|
||||
"identity:list_projects_for_user": "",
|
||||
"identity:list_domains_for_user": "",
|
||||
|
||||
"identity:list_revoke_events": "rule:service_or_admin",
|
||||
|
||||
"identity:get_policy": "rule:admin_required",
|
||||
"identity:list_policies": "rule:admin_required",
|
||||
"identity:create_policy": "rule:admin_required",
|
||||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
"identity:create_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:check_policy_association_for_endpoint": "rule:admin_required",
|
||||
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
|
||||
@ -189,11 +103,72 @@
|
||||
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
|
||||
"identity:get_policy_for_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints_for_policy": "rule:admin_required",
|
||||
|
||||
"identity:create_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config": "rule:admin_required",
|
||||
"identity:get_security_compliance_domain_config": "",
|
||||
"identity:update_domain_config": "rule:admin_required",
|
||||
"identity:delete_domain_config": "rule:admin_required",
|
||||
"identity:get_domain_config_default": "rule:admin_required"
|
||||
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
|
||||
"identity:list_projects": "rule:admin_required",
|
||||
"identity:list_user_projects": "rule:admin_or_owner",
|
||||
"identity:create_project": "rule:admin_required",
|
||||
"identity:update_project": "rule:admin_required",
|
||||
"identity:delete_project": "rule:admin_required",
|
||||
"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s",
|
||||
"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s",
|
||||
"identity:update_project_tags": "rule:admin_required",
|
||||
"identity:create_project_tag": "rule:admin_required",
|
||||
"identity:delete_project_tags": "rule:admin_required",
|
||||
"identity:delete_project_tag": "rule:admin_required",
|
||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
||||
"identity:create_protocol": "rule:admin_required",
|
||||
"identity:update_protocol": "rule:admin_required",
|
||||
"identity:get_protocol": "rule:admin_required",
|
||||
"identity:list_protocols": "rule:admin_required",
|
||||
"identity:delete_protocol": "rule:admin_required",
|
||||
"identity:get_region": "",
|
||||
"identity:list_regions": "",
|
||||
"identity:create_region": "rule:admin_required",
|
||||
"identity:update_region": "rule:admin_required",
|
||||
"identity:delete_region": "rule:admin_required",
|
||||
"identity:list_revoke_events": "rule:service_or_admin",
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:admin_required",
|
||||
"identity:update_role": "rule:admin_required",
|
||||
"identity:delete_role": "rule:admin_required",
|
||||
"identity:get_domain_role": "rule:admin_required",
|
||||
"identity:list_domain_roles": "rule:admin_required",
|
||||
"identity:create_domain_role": "rule:admin_required",
|
||||
"identity:update_domain_role": "rule:admin_required",
|
||||
"identity:delete_domain_role": "rule:admin_required",
|
||||
"identity:list_role_assignments": "rule:admin_required",
|
||||
"identity:list_role_assignments_for_tree": "rule:admin_required",
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:admin_required",
|
||||
"identity:update_service": "rule:admin_required",
|
||||
"identity:delete_service": "rule:admin_required",
|
||||
"identity:create_service_provider": "rule:admin_required",
|
||||
"identity:list_service_providers": "rule:admin_required",
|
||||
"identity:get_service_provider": "rule:admin_required",
|
||||
"identity:update_service_provider": "rule:admin_required",
|
||||
"identity:delete_service_provider": "rule:admin_required",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:check_token": "rule:admin_or_token_subject",
|
||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
||||
"identity:list_trusts": "",
|
||||
"identity:list_roles_for_trust": "",
|
||||
"identity:get_role_for_trust": "",
|
||||
"identity:delete_trust": "",
|
||||
"identity:get_trust": "",
|
||||
"identity:get_user": "rule:admin_or_owner",
|
||||
"identity:list_users": "rule:admin_required",
|
||||
"identity:list_projects_for_user": "",
|
||||
"identity:list_domains_for_user": "",
|
||||
"identity:create_user": "rule:admin_required",
|
||||
"identity:update_user": "rule:admin_required",
|
||||
"identity:delete_user": "rule:admin_required"
|
||||
}
|
||||
|
@ -54,14 +54,12 @@ class EditUserLink(policy.PolicyTargetMixin, tables.LinkAction):
|
||||
return api.keystone.keystone_can_edit_user()
|
||||
|
||||
|
||||
class ChangePasswordLink(policy.PolicyTargetMixin, tables.LinkAction):
|
||||
class ChangePasswordLink(tables.LinkAction):
|
||||
name = "change_password"
|
||||
verbose_name = _("Change Password")
|
||||
url = "horizon:identity:users:change_password"
|
||||
classes = ("ajax-modal",)
|
||||
icon = "key"
|
||||
policy_rules = (("identity", "identity:change_password"),)
|
||||
policy_target_attrs = (("user_id", "id"),)
|
||||
|
||||
def allowed(self, request, user):
|
||||
return api.keystone.keystone_can_edit_user()
|
||||
|
@ -22,7 +22,6 @@ from openstack_dashboard.dashboards.settings import dashboard
|
||||
class PasswordPanel(horizon.Panel):
|
||||
name = _("Change Password")
|
||||
slug = 'password'
|
||||
policy_rules = (("identity", "identity:change_password"),)
|
||||
|
||||
|
||||
dashboard.Settings.register(PasswordPanel)
|
||||
|
@ -58,9 +58,9 @@ class PolicyBackendTestCase(test.TestCase):
|
||||
policy_backend.reset()
|
||||
value = policy.check((("identity", "i_dont_exist"),),
|
||||
request=self.request)
|
||||
# this should fail because the default check for
|
||||
# identity is admin_required
|
||||
self.assertFalse(value)
|
||||
# this should succeed because the default check does not exist and
|
||||
# if the default check does not exist the policy check should succeed.
|
||||
self.assertTrue(value)
|
||||
|
||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||
def test_check_nova_context_is_admin_false(self):
|
||||
@ -98,17 +98,33 @@ class PolicyBackendTestCaseAdmin(test.BaseAdminViewTests):
|
||||
policy_backend.reset()
|
||||
value = policy.check((("identity", "i_dont_exist"),),
|
||||
request=self.request)
|
||||
# this should succeed because the default check for
|
||||
# identity is admin_required
|
||||
# This assume the identity policy file does not contain the default
|
||||
# check. If both a specified rule and the default rule do not exist,
|
||||
# the check should succeed.
|
||||
self.assertTrue(value)
|
||||
|
||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||
def test_compound_check_true(self):
|
||||
policy_backend.reset()
|
||||
value = policy.check((("identity", "admin_required"),
|
||||
("identity", "identity:default"),),
|
||||
request=self.request)
|
||||
self.assertTrue(value)
|
||||
|
||||
# Check a single rule works expectly
|
||||
self.assertTrue(policy.check((("identity", "admin_required"),),
|
||||
request=self.request))
|
||||
self.assertTrue(policy.check((("identity", "owner"),),
|
||||
request=self.request,
|
||||
target={'user_id': 1}))
|
||||
self.assertFalse(policy.check((("identity", "owner"),),
|
||||
request=self.request,
|
||||
target={'user_id': 2}))
|
||||
|
||||
self.assertTrue(
|
||||
policy.check((("identity", "admin_required"),
|
||||
("identity", "owner"),),
|
||||
request=self.request, target={'user_id': 1}))
|
||||
self.assertFalse(
|
||||
policy.check((("identity", "admin_required"),
|
||||
("identity", "owner"),),
|
||||
request=self.request, target={'user_id': 2}))
|
||||
|
||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||
def test_check_nova_context_is_admin_true(self):
|
||||
|
Loading…
Reference in New Issue
Block a user