Merge "Update service provider policies for system admin"

keystone/common/policies/service_provider.py

@@ -23,6 +23,18 @@ deprecated_list_sp = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_service_providers',
     check_str=base.RULE_ADMIN_REQUIRED
 )
+deprecated_update_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_service_provider',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_create_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_service_provider',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_delete_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_service_provider',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
 
 DEPRECATED_REASON = """
 As of the Stein release, the service provider API now understands default
@@ -35,7 +47,7 @@ relying on overrides in your deployment for the service provider API.
 service_provider_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_service_provider',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
         # FIXME(lbragstad): Today, keystone doesn't support federation without
         # modifying configuration files. It makes sense to require system scope
         # for these operations until keystone supports a way to add federated
@@ -46,7 +58,10 @@ service_provider_policies = [
         description='Create federated service provider.',
         operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
                               '{service_provider_id}'),
-                     'method': 'PUT'}]),
+                     'method': 'PUT'}],
+        deprecated_rule=deprecated_create_sp,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_service_providers',
         check_str=base.SYSTEM_READER,
@@ -89,20 +104,26 @@ service_provider_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_service_provider',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Update federated service provider.',
         operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
                               '{service_provider_id}'),
-                     'method': 'PATCH'}]),
+                     'method': 'PATCH'}],
+        deprecated_rule=deprecated_update_sp,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_service_provider',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Delete federated service provider.',
         operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
                               '{service_provider_id}'),
-                     'method': 'DELETE'}])
+                     'method': 'DELETE'}],
+        deprecated_rule=deprecated_delete_sp,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 

keystone/tests/unit/protection/v3/test_service_providers.py

@@ -173,3 +173,73 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
             r = c.post('/v3/auth/tokens', json=auth)
             self.token_id = r.headers['X-Subject-Token']
             self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+                       common_auth.AuthTestMixin,
+                       _SystemUserServiceProviderTests):
+
+    def setUp(self):
+        super(SystemAdminTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        # Reuse the system administrator account created during
+        # ``keystone-manage bootstrap``
+        self.user_id = self.bootstrapper.admin_user_id
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=self.bootstrapper.admin_password,
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+    def test_user_can_create_service_providers(self):
+        service_provider = PROVIDERS.federation_api.create_sp(
+            uuid.uuid4().hex, unit.new_service_provider_ref()
+        )
+
+        service_provider = unit.new_service_provider_ref()
+        create = {'service_provider': service_provider}
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/OS-FEDERATION/service_providers/%s' % uuid.uuid4().hex,
+                headers=self.headers,
+                json=create,
+                expected_status_code=http_client.CREATED
+            )
+
+    def test_user_can_update_service_providers(self):
+        service_provider = PROVIDERS.federation_api.create_sp(
+            uuid.uuid4().hex, unit.new_service_provider_ref()
+        )
+
+        update = {'service_provider': {'enabled': False}}
+
+        with self.test_client() as c:
+            c.patch(
+                '/v3/OS-FEDERATION/service_providers/%s' %
+                service_provider['id'],
+                headers=self.headers,
+                json=update
+            )
+
+    def test_user_can_delete_service_providers(self):
+        service_provider = PROVIDERS.federation_api.create_sp(
+            uuid.uuid4().hex, unit.new_service_provider_ref()
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/OS-FEDERATION/service_providers/%s' %
+                service_provider['id'],
+                headers=self.headers
+            )

releasenotes/notes/bug-1804522-00df902cd2d74ee3.yaml

@@ -0,0 +1,34 @@
+---
+features:
+  - |
+    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
+    The federated service provider API now supports the ``admin``, ``member``,
+    and ``reader`` default roles.
+upgrade:
+  - |
+    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
+    The federated service provider API uses new default policies that
+    make it more accessible to end users and administrators. Please consider
+    these new defaults if your deployment overrides federated service provider
+    policies.
+deprecations:
+  - |
+    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
+    The federated service provider policies have been deprecated. The
+    ``identity:get_service_provider`` and
+    ``identity:list_service_providers`` policies now use ``role:reader
+    and system_scope:all`` instead of ``rule:admin_required``. The
+    ``identity:create_service_provider``,
+    ``identity:update_service_provider``, and
+    ``identity:delete_service_provider`` policies now use ``role:admin
+    and system_scope:all`` instead of ``rule:admin_required``. These
+    new defaults automatically include support for a read-only role
+    and allow for more granular access to service provider APIs,
+    making it easier for system administrators to delegate
+    authorization. Please consider these new defaults if your
+    deployment overrides the federated service provider policies.
+security:
+  - |
+    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
+    The federated service provider API now uses system-scope and default
+    roles to provide better accessibility to users in a secure way.