diff --git a/keystone/common/policies/service_provider.py b/keystone/common/policies/service_provider.py index 7459ca5c01..04bc032de4 100644 --- a/keystone/common/policies/service_provider.py +++ b/keystone/common/policies/service_provider.py @@ -23,6 +23,18 @@ deprecated_list_sp = policy.DeprecatedRule( name=base.IDENTITY % 'list_service_providers', check_str=base.RULE_ADMIN_REQUIRED ) +deprecated_update_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'update_service_provider', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_create_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'create_service_provider', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_delete_sp = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_service_provider', + check_str=base.RULE_ADMIN_REQUIRED +) DEPRECATED_REASON = """ As of the Stein release, the service provider API now understands default @@ -35,7 +47,7 @@ relying on overrides in your deployment for the service provider API. service_provider_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_service_provider', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, # FIXME(lbragstad): Today, keystone doesn't support federation without # modifying configuration files. It makes sense to require system scope # for these operations until keystone supports a way to add federated @@ -46,7 +58,10 @@ service_provider_policies = [ description='Create federated service provider.', operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), - 'method': 'PUT'}]), + 'method': 'PUT'}], + deprecated_rule=deprecated_create_sp, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_service_providers', check_str=base.SYSTEM_READER, @@ -89,20 +104,26 @@ service_provider_policies = [ ), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_service_provider', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Update federated service provider.', operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), - 'method': 'PATCH'}]), + 'method': 'PATCH'}], + deprecated_rule=deprecated_update_sp, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_service_provider', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Delete federated service provider.', operations=[{'path': ('/v3/OS-FEDERATION/service_providers/' '{service_provider_id}'), - 'method': 'DELETE'}]) + 'method': 'DELETE'}], + deprecated_rule=deprecated_delete_sp, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN) ] diff --git a/keystone/tests/unit/protection/v3/test_service_providers.py b/keystone/tests/unit/protection/v3/test_service_providers.py index 1c22b94df1..16e4d210b8 100644 --- a/keystone/tests/unit/protection/v3/test_service_providers.py +++ b/keystone/tests/unit/protection/v3/test_service_providers.py @@ -173,3 +173,73 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap, r = c.post('/v3/auth/tokens', json=auth) self.token_id = r.headers['X-Subject-Token'] self.headers = {'X-Auth-Token': self.token_id} + + +class SystemAdminTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserServiceProviderTests): + + def setUp(self): + super(SystemAdminTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + # Reuse the system administrator account created during + # ``keystone-manage bootstrap`` + self.user_id = self.bootstrapper.admin_user_id + auth = self.build_authentication_request( + user_id=self.user_id, + password=self.bootstrapper.admin_password, + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + def test_user_can_create_service_providers(self): + service_provider = PROVIDERS.federation_api.create_sp( + uuid.uuid4().hex, unit.new_service_provider_ref() + ) + + service_provider = unit.new_service_provider_ref() + create = {'service_provider': service_provider} + + with self.test_client() as c: + c.put( + '/v3/OS-FEDERATION/service_providers/%s' % uuid.uuid4().hex, + headers=self.headers, + json=create, + expected_status_code=http_client.CREATED + ) + + def test_user_can_update_service_providers(self): + service_provider = PROVIDERS.federation_api.create_sp( + uuid.uuid4().hex, unit.new_service_provider_ref() + ) + + update = {'service_provider': {'enabled': False}} + + with self.test_client() as c: + c.patch( + '/v3/OS-FEDERATION/service_providers/%s' % + service_provider['id'], + headers=self.headers, + json=update + ) + + def test_user_can_delete_service_providers(self): + service_provider = PROVIDERS.federation_api.create_sp( + uuid.uuid4().hex, unit.new_service_provider_ref() + ) + + with self.test_client() as c: + c.delete( + '/v3/OS-FEDERATION/service_providers/%s' % + service_provider['id'], + headers=self.headers + ) diff --git a/releasenotes/notes/bug-1804522-00df902cd2d74ee3.yaml b/releasenotes/notes/bug-1804522-00df902cd2d74ee3.yaml new file mode 100644 index 0000000000..9c9ac79856 --- /dev/null +++ b/releasenotes/notes/bug-1804522-00df902cd2d74ee3.yaml @@ -0,0 +1,34 @@ +--- +features: + - | + [`bug 1804522 `_] + The federated service provider API now supports the ``admin``, ``member``, + and ``reader`` default roles. +upgrade: + - | + [`bug 1804522 `_] + The federated service provider API uses new default policies that + make it more accessible to end users and administrators. Please consider + these new defaults if your deployment overrides federated service provider + policies. +deprecations: + - | + [`bug 1804522 `_] + The federated service provider policies have been deprecated. The + ``identity:get_service_provider`` and + ``identity:list_service_providers`` policies now use ``role:reader + and system_scope:all`` instead of ``rule:admin_required``. The + ``identity:create_service_provider``, + ``identity:update_service_provider``, and + ``identity:delete_service_provider`` policies now use ``role:admin + and system_scope:all`` instead of ``rule:admin_required``. These + new defaults automatically include support for a read-only role + and allow for more granular access to service provider APIs, + making it easier for system administrators to delegate + authorization. Please consider these new defaults if your + deployment overrides the federated service provider policies. +security: + - | + [`bug 1804522 `_] + The federated service provider API now uses system-scope and default + roles to provide better accessibility to users in a secure way.