Implement system admin for OAUTH1 consumers

This change deprecates the rule:admin_required policies for the
create/update/delete actions of the OAUTH consumer API and replaces them
with the system-specific check strings for the admin role.

Change-Id: Id6742ff295ce206d0a4965465b0e9ec2ceab7cd5
Closes-bug: #1805363
This commit is contained in:
Colleen Murphy 2019-09-06 19:25:44 -07:00 committed by Colleen Murphy
parent 8566099608
commit 4f0c7394ed
3 changed files with 107 additions and 6 deletions


@ -23,6 +23,18 @@ deprecated_list_consumers = policy.DeprecatedRule(
name=base.IDENTITY % 'list_consumers',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_consumer = policy.DeprecatedRule(
name=base.IDENTITY % 'create_consumer',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_consumer = policy.DeprecatedRule(
name=base.IDENTITY % 'update_consumer',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_consumer = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_consumer',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Train release, the OAUTH1 consumer API understands how to
@ -55,25 +67,34 @@ consumer_policies = [
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_consumer',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create OAUTH1 consumer.',
operations=[{'path': '/v3/OS-OAUTH1/consumers',
'method': 'POST'}]),
'method': 'POST'}],
deprecated_rule=deprecated_create_consumer,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_consumer',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update OAUTH1 consumer.',
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_consumer,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_consumer',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete OAUTH1 consumer.',
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
'method': 'DELETE'}])
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_consumer,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
]
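Review bot: The system-scope restriction introduced by `check_str=base.SYSTEM_ADMIN` with `scope_types=['system']` on the create/update/delete rules is not yet exclusive: while `deprecated_rule=deprecated_create_consumer` (and the update/delete counterparts) is attached, oslo.policy, as I understand its deprecation handling, also honors the old `rule:admin_required` check, so a project-scoped admin continues to pass these rules until the deprecated rules are removed. Nothing in the hunk records this for the next maintainer, and the tests added in this change only exercise the new persona positively. I would add a comment above the `consumer_policies` list: `# NOTE: while the deprecated_rule entries below remain, the legacy rule:admin_required check is accepted alongside the system-scoped check string; the scope restriction is only strict once they are dropped.`. The `DEPRECATED_REASON` string opened at the end of the first hunk continues outside it.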


@ -136,3 +136,51 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserOauth1ConsumerTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_consumer(self):
with self.test_client() as c:
c.post('/v3/OS-OAUTH1/consumers',
json={'consumer': {}},
headers=self.headers)
def test_user_can_update_consumer(self):
ref = PROVIDERS.oauth_api.create_consumer(
{'id': uuid.uuid4().hex})
with self.test_client() as c:
c.patch('/v3/OS-OAUTH1/consumers/%s' % ref['id'],
json={'consumer': {'description': uuid.uuid4().hex}},
headers=self.headers)
def test_user_can_delete_consumer(self):
ref = PROVIDERS.oauth_api.create_consumer(
{'id': uuid.uuid4().hex})
with self.test_client() as c:
c.delete('/v3/OS-OAUTH1/consumers/%s' % ref['id'],
headers=self.headers)
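Review bot: The three new tests in `SystemAdminTests` (`test_user_can_create_consumer`, `test_user_can_update_consumer`, `test_user_can_delete_consumer`) issue the request but never check its outcome, so a 403 from the new `SYSTEM_ADMIN` policy would go unnoticed unless the test client asserts a success status on its own, which the hunk does not show. I would pass the status the client should see explicitly, e.g. `headers=self.headers, expected_status_code=http_client.CREATED)` for the POST and the matching codes for the PATCH and DELETE (assuming `http_client` is imported in this module as in the other protection tests), or at least assert on the returned response. The `setUp` body also repeats the token-acquisition block of `SystemMemberTests` verbatim (the three lines of context at the top of the hunk), which could live once in the shared mixin. The `_SystemUserOauth1ConsumerTests` mixin this class inherits is defined outside the hunk.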


@ -0,0 +1,32 @@
---
features:
- |
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
The oauth1 consumer API now supports the ``admin``,
``member``, and ``reader`` default roles.
upgrade:
- |
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
The oauth1 consumer API uses new default policies to
make it more accessible to end users and administrators in a secure way.
Please consider these new defaults if your deployment overrides oauth1
consumer policies.
deprecations:
- |
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
The oauth1 consumer policies have been deprecated. The
``identity:get_consumer`` and ``identity:list_consumers`` policies now use
``role:reader and system_scope:all`` instead of
``rule:admin_required``. The ``identity:create_consumer``,
``identity:update_consumer``, and ``identity:delete_consumer`` policies now
use ``role:admin and system_scope:all`` instead of ``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to delegate
subsets of responsibility without compromising security. Please consider
these new defaults if your deployment overrides the oauth1 consumer policies.
security:
- |
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
The oauth1 consumer API now uses system-scope and default
roles to provide better accessibility to users in a secure manner.