Change get_project permission

Previously to issue GET /project a user needed at least project_admin level of permission. With this change, a user can issue GET /project by just having a role on the project. Change-Id: I9d23edc22eb88d0b21ab8968dfbe63661220a6fd Closes-Bug: 1535878
2016-01-20 08:41:33 +00:00 · 2016-01-20 08:41:33 +00:00 · 38e115d385
commit 38e115d385
parent 1053b63e8c
4 changed files with 20 additions and 7 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -34,7 +34,7 @@
    "identity:update_domain": "rule:admin_required",
    "identity:delete_domain": "rule:admin_required",

-    "identity:get_project": "rule:admin_required",
+    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
    "identity:list_projects": "rule:admin_required",
    "identity:list_user_projects": "rule:admin_or_owner",
    "identity:create_project": "rule:admin_required",
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -37,8 +37,7 @@

    "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
-    "admin_and_matching_target_project_id": "rule:admin_required and project_id:%(target.project.id)s",
-    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
+    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -1384,17 +1384,23 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        self.delete('/auth/tokens', token=admin_token,
                    headers={'X-Subject-Token': user_token})

-    def test_project_admin_get_project(self):
+    def test_user_with_a_role_get_project(self):
        user_auth = self.build_authentication_request(
            user_id=self.just_a_user['id'],
            password=self.just_a_user['password'],
            project_id=self.project['id'])

-        self.get('/projects/%s' % self.project['id'], auth=user_auth,
+        # Test user can get project for one they have a role in
+        self.get('/projects/%s' % self.project['id'], auth=user_auth)
+
+        # Test user can not get project for one they don't have a role in,
+        # even if they have a role on another project
+        project2 = unit.new_project_ref(domain_id=self.domainA['id'])
+        self.resource_api.create_project(project2['id'], project2)
+        self.get('/projects/%s' % project2['id'], auth=user_auth,
                 expected_status=exception.ForbiddenAction.code)

-        # Now, authenticate with a user that does have the project
-        # admin role
+    def test_project_admin_get_project(self):
        admin_auth = self.build_authentication_request(
            user_id=self.project_admin_user['id'],
            password=self.project_admin_user['password'],
--- a/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml
+++ b/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - >
+    [`bug 1535878 <https://bugs.launchpad.net/keystone/+bug/1535878>`_]
+    Originally, to perform GET /projects/{project_id}, the provided policy
+    files required a user to have at least project admin level of permission.
+    They have been updated to allow it to be performed by any user who has a
+    role on the project.