Browse Source

Update group system grant policies for admins

This commit updates the policies for adding and removing system
assignments from groups to be consistent with other system-scoped
policies.

Subsequent patches will build on this work and:

  - add domain user test coverage
  - add project user test coverage
  - remove obsolete policies from policy.v3cloudsample.json

Change-Id: I90ecc67dbae60c74b69bb227a08205d4415bd16e
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit ba09e89ba1)
changes/79/647679/1
Lance Bragstad 3 years ago
committed by Colleen Murphy
parent
commit
02eebfe573
  1. 22
      keystone/common/policies/grant.py
  2. 28
      keystone/tests/unit/protection/v3/test_system_assignments.py

22
keystone/common/policies/grant.py

@ -39,6 +39,14 @@ deprecated_list_system_grants_for_group = policy.DeprecatedRule(
name=base.IDENTITY % 'list_system_grants_for_group',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_system_grant_for_group = policy.DeprecatedRule(
name=base.IDENTITY % 'create_system_grant_for_group',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
name=base.IDENTITY % 'revoke_system_grant_for_group',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Stein release, the system assignment API now understands default
@ -239,7 +247,7 @@ grant_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_system_grant_for_group',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Grant a group a role on the system.',
operations=[
@ -247,11 +255,14 @@ grant_policies = [
'path': '/v3/system/groups/{group_id}/roles/{role_id}',
'method': ['PUT']
}
]
],
deprecated_rule=deprecated_create_system_grant_for_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'revoke_system_grant_for_group',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Remove a role from a group on the system.',
operations=[
@ -259,7 +270,10 @@ grant_policies = [
'path': '/v3/system/groups/{group_id}/roles/{role_id}',
'method': ['DELETE']
}
]
],
deprecated_rule=deprecated_revoke_system_grant_for_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN
)
]

28
keystone/tests/unit/protection/v3/test_system_assignments.py

@ -359,6 +359,34 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
), headers=self.headers
)
def test_user_can_grant_group_system_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
with self.test_client() as c:
c.put(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
)
def test_user_can_revoke_group_system_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.delete(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers
)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,

Loading…
Cancel
Save