openstack
/
keystone
Code Issues Proposed changes

Update system group assignment policies for reader and member 

This commit introduces the reader and member default roles to the
system assignment API for groups. Users with the `reader` and `member`
role on the system should be able to list and check system role
assignments for all users in the deployment.

Subsequent patches will:

  - simplify the policies for system admin
  - add domain user test coverage
  - add project user test coverage
  - remove obsolete policies from policy.v3cloudsample.json

Change-Id: I7eebb1b07213a1406e98f8a621ec44c87b812457
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 593e67e6ca)
This commit is contained in:
Lance Bragstad 2019-03-21 18:21:42 +00:00 committed by Colleen Murphy
parent de083009eb
commit 1d8ac830a1
2 changed files with 84 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
keystone/common/policies/grant.py
View File

@ -31,6 +31,14 @@ deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
name=base.IDENTITY % 'revoke_system_grant_for_user', name=base.IDENTITY % 'revoke_system_grant_for_user',
check_str=base.RULE_ADMIN_REQUIRED check_str=base.RULE_ADMIN_REQUIRED
) )
deprecated_check_system_grant_for_group = policy.DeprecatedRule(
name=base.IDENTITY % 'check_system_grant_for_group',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_list_system_grants_for_group = policy.DeprecatedRule(
name=base.IDENTITY % 'list_system_grants_for_group',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """ DEPRECATED_REASON = """
As of the Stein release, the system assignment API now understands default As of the Stein release, the system assignment API now understands default
@ -201,7 +209,7 @@ grant_policies = [
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_system_grants_for_group', name=base.IDENTITY % 'list_system_grants_for_group',
check_str=base.RULE_ADMIN_REQUIRED, check_str=base.SYSTEM_READER,
scope_types=['system'], scope_types=['system'],
description='List all grants a specific group has on the system.', description='List all grants a specific group has on the system.',
operations=[ operations=[
@ -209,11 +217,14 @@ grant_policies = [
'path': '/v3/system/groups/{group_id}/roles', 'path': '/v3/system/groups/{group_id}/roles',
'method': ['HEAD', 'GET'] 'method': ['HEAD', 'GET']
} }
] ],
deprecated_rule=deprecated_list_system_grants_for_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_system_grant_for_group', name=base.IDENTITY % 'check_system_grant_for_group',
check_str=base.RULE_ADMIN_REQUIRED, check_str=base.SYSTEM_READER,
scope_types=['system'], scope_types=['system'],
description='Check if a group has a role on the system.', description='Check if a group has a role on the system.',
operations=[ operations=[
@ -221,7 +232,10 @@ grant_policies = [
'path': '/v3/system/groups/{group_id}/roles/{role_id}', 'path': '/v3/system/groups/{group_id}/roles/{role_id}',
'method': ['HEAD', 'GET'] 'method': ['HEAD', 'GET']
} }
] ],
deprecated_rule=deprecated_check_system_grant_for_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_system_grant_for_group', name=base.IDENTITY % 'create_system_grant_for_group',

66
keystone/tests/unit/protection/v3/test_system_assignments.py
View File

@ -65,6 +65,42 @@ class _SystemUserSystemAssignmentTests(object):
expected_status_code=http_client.NO_CONTENT expected_status_code=http_client.NO_CONTENT
) )
def test_user_can_list_group_system_role_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
r = c.get(
'/v3/system/groups/%s/roles' % group['id'],
headers=self.headers
)
self.assertEqual(1, len(r.json['roles']))
self.assertEqual(
self.bootstrapper.member_role_id, r.json['roles'][0]['id']
)
def test_user_can_check_group_system_role_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.get(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
class _SystemMemberAndReaderSystemAssignmentTests(object): class _SystemMemberAndReaderSystemAssignmentTests(object):
@ -98,6 +134,36 @@ class _SystemMemberAndReaderSystemAssignmentTests(object):
expected_status_code=http_client.FORBIDDEN expected_status_code=http_client.FORBIDDEN
) )
def test_user_cannot_grant_group_system_assignment(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
with self.test_client() as c:
c.put(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_revoke_group_system_assignment(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.delete(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class _DomainAndProjectUserSystemAssignmentTests(object): class _DomainAndProjectUserSystemAssignmentTests(object):