diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py index fede605293..72ee8cec30 100644 --- a/keystone/common/policies/role.py +++ b/keystone/common/policies/role.py @@ -23,6 +23,18 @@ deprecated_list_role = policy.DeprecatedRule( name=base.IDENTITY % 'list_roles', check_str=base.RULE_ADMIN_REQUIRED ) +deprecated_update_role = policy.DeprecatedRule( + name=base.IDENTITY % 'update_role', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_create_role = policy.DeprecatedRule( + name=base.IDENTITY % 'create_role', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_delete_role = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_role', + check_str=base.RULE_ADMIN_REQUIRED +) DEPRECATED_REASON = """ As of the Stein release, the role API now understands default roles and @@ -64,25 +76,34 @@ role_policies = [ deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_role', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Create role.', operations=[{'path': '/v3/roles', - 'method': 'POST'}]), + 'method': 'POST'}], + deprecated_rule=deprecated_create_role, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_role', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Update role.', operations=[{'path': '/v3/roles/{role_id}', - 'method': 'PATCH'}]), + 'method': 'PATCH'}], + deprecated_rule=deprecated_update_role, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_role', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Delete role.', operations=[{'path': '/v3/roles/{role_id}', - 'method': 'DELETE'}]), + 'method': 'DELETE'}], + deprecated_rule=deprecated_delete_role, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_domain_role', check_str=base.RULE_ADMIN_REQUIRED, diff --git a/keystone/tests/unit/protection/v3/test_roles.py b/keystone/tests/unit/protection/v3/test_roles.py index 320c966a8a..d4198d218e 100644 --- a/keystone/tests/unit/protection/v3/test_roles.py +++ b/keystone/tests/unit/protection/v3/test_roles.py @@ -151,3 +151,56 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap, r = c.post('/v3/auth/tokens', json=auth) self.token_id = r.headers['X-Subject-Token'] self.headers = {'X-Auth-Token': self.token_id} + + +class SystemAdminTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserRoleTests): + + def setUp(self): + super(SystemAdminTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + # Reuse the system administrator account created during + # ``keystone-manage bootstrap`` + self.user_id = self.bootstrapper.admin_user_id + auth = self.build_authentication_request( + user_id=self.user_id, + password=self.bootstrapper.admin_password, + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + def test_user_can_create_roles(self): + create = {'role': unit.new_role_ref()} + + with self.test_client() as c: + c.post('/v3/roles', json=create, headers=self.headers) + + def test_user_can_update_roles(self): + role = PROVIDERS.role_api.create_role( + uuid.uuid4().hex, unit.new_role_ref() + ) + + update = {'role': {'description': uuid.uuid4().hex}} + + with self.test_client() as c: + c.patch( + '/v3/roles/%s' % role['id'], json=update, headers=self.headers, + ) + + def test_user_can_delete_roles(self): + role = PROVIDERS.role_api.create_role( + uuid.uuid4().hex, unit.new_role_ref() + ) + + with self.test_client() as c: + c.delete('/v3/roles/%s' % role['id'], headers=self.headers) diff --git a/releasenotes/notes/bug-1805402-75d0d93f31af620f.yaml b/releasenotes/notes/bug-1805402-75d0d93f31af620f.yaml new file mode 100644 index 0000000000..e9ec178901 --- /dev/null +++ b/releasenotes/notes/bug-1805402-75d0d93f31af620f.yaml @@ -0,0 +1,32 @@ +--- +features: + - | + [`bug 1805402 `_] + The role API now supports the ``admin``, ``member``, and + ``reader`` default roles. +upgrade: + - | + [`bug 1805402 `_] + The role API uses new default policies that make it more + accessible to end users and administrators in a secure way. Please + consider these new defaults if your deployment overrides role + policies. +deprecations: + - | + [`bug 1805402 `_] + The role policies have been deprecated. The ``identity:get_role`` and + ``identity:list_roles`` policies now use ``role:reader and + system_scope:all`` instead of ``rule:admin_required``. The + ``identity:create_role``, ``identity:update_role``, and + ``identity:delete_role`` policies now use ``role:admin and + system_scope:all`` instead of ``rule:admin_required``. These new + defaults automatically account for system-scope and support a read-only + role, making it easier for system administrators to delegate subsets of + responsibility without compromising security. Please consider these new + defaults if your deployment overrides the role policies. +security: + - | + [`bug 1805402 `_] + The role API now uses system-scope and default roles to provide + better accessibility to users in a secure way. +