
Update registered limit policies for system admin

This change makes the policy definitions for admin registered limit
operations consistent with the other registered limit
policies. Subsequent patches will incorporate:

 - domain user test coverage
 - project user test coverage

Change-Id: If0352220670fdf5c98d0820309817416466b1466
Related-Bug: 1805372
Related-Bug: 1805880
changes/16/621016/4
Lance Bragstad 3 years ago
parent
commit
4f5e462844
  1. 6
      keystone/common/policies/registered_limit.py
  2. 122
      keystone/tests/unit/protection/v3/test_registered_limits.py
  3. 25
      releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml

6
keystone/common/policies/registered_limit.py

@ -41,21 +41,21 @@ registered_limit_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_registered_limits',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
description='Create registered limits.',
operations=[{'path': '/v3/registered_limits',
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_registered_limit',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
description='Update registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'PATCH'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_registered_limit',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
description='Delete registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
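Review bot: The three new `check_str='role:admin'` lines (create, update and delete) rely entirely on oslo.policy's `enforce_scope` setting to give `scope_types=['system']` any effect; with enforcement off, a project-scoped token that happens to carry the admin role satisfies `role:admin`, which is wider than the system-administrator intent the commit message describes, and the test file only exercises the `enforce_scope=True` configuration. Expressing the scope in the rule itself, `check_str='role:admin and system_scope:all'`, keeps the check correct regardless of that setting; if the project's base policy module already defines a system-admin constant, using it here is preferable to a bare literal. The same literal is repeated three times, so a single module-level name also stops the three rules drifting apart later. The `registered_limit_policies` list starts before the hunk and the delete rule's `operations` entry continues past its last line.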

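--- a/keystone/tests/unit/protection/v3/test_registered_limits.py
+++ b/keystone/tests/unit/protection/v3/test_registered_limits.py
@@ -193,3 +193,125 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
 r = c.post('/v3/auth/tokens', json=auth)
 self.token_id = r.headers['X-Subject-Token']
 self.headers = {'X-Auth-Token': self.token_id}
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+common_auth.AuthTestMixin):
+def setUp(self):
+super(SystemAdminTests, self).setUp()
+self.loadapp()
+self.useFixture(ksfixtures.Policy(self.config_fixture))
+self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+# Reuse the system administrator account created during
+# ``keystone-manage bootstrap``
+self.user_id = self.bootstrapper.admin_user_id
+auth = self.build_authentication_request(
+user_id=self.user_id,
+password=self.bootstrapper.admin_password,
+system=True
+)
+# Grab a token using the persona we're testing and prepare headers
+# for requests we'll be making in the tests.
+with self.test_client() as c:
+r = c.post('/v3/auth/tokens', json=auth)
+self.token_id = r.headers['X-Subject-Token']
+self.headers = {'X-Auth-Token': self.token_id}
+def test_user_can_get_a_registered_limit(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+registered_limit = unit.new_registered_limit_ref(
+service_id=service['id'], id=uuid.uuid4().hex
+)
+limits = PROVIDERS.unified_limit_api.create_registered_limits(
+[registered_limit]
+)
+limit_id = limits[0]['id']
+with self.test_client() as c:
+r = c.get(
+'/v3/registered_limits/%s' % limit_id, headers=self.headers
+)
+self.assertEqual(limit_id, r.json['registered_limit']['id'])
+def test_user_can_list_registered_limits(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+registered_limit = unit.new_registered_limit_ref(
+service_id=service['id'], id=uuid.uuid4().hex
+)
+limits = PROVIDERS.unified_limit_api.create_registered_limits(
+[registered_limit]
+)
+limit_id = limits[0]['id']
+with self.test_client() as c:
+r = c.get(
+'/v3/registered_limits', headers=self.headers
+)
+self.assertTrue(len(r.json['registered_limits']) == 1)
+self.assertEqual(limit_id, r.json['registered_limits'][0]['id'])
+def test_user_can_create_registered_limits(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+create = {
+'registered_limits': [
+unit.new_registered_limit_ref(
+service_id=service['id']
+)
+]
+}
+with self.test_client() as c:
+c.post('/v3/registered_limits', json=create, headers=self.headers)
+def test_user_can_update_registered_limits(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+registered_limit = unit.new_registered_limit_ref(
+service_id=service['id'], id=uuid.uuid4().hex
+)
+limits = PROVIDERS.unified_limit_api.create_registered_limits(
+[registered_limit]
+)
+limit_id = limits[0]['id']
+with self.test_client() as c:
+update = {
+'registered_limit': {'default_limit': 5}
+}
+c.patch(
+'/v3/registered_limits/%s' % limit_id, json=update,
+headers=self.headers
+)
+def test_user_can_delete_registered_limits(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+registered_limit = unit.new_registered_limit_ref(
+service_id=service['id'], id=uuid.uuid4().hex
+)
+limits = PROVIDERS.unified_limit_api.create_registered_limits(
+[registered_limit]
+)
+limit_id = limits[0]['id']
+with self.test_client() as c:
+c.delete(
+'/v3/registered_limits/%s' % limit_id, headers=self.headers
+)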
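Review bot: The positive-path tests in `SystemAdminTests` never assert the outcome: `test_user_can_create_registered_limits` discards the POST response, and the update and delete tests neither inspect the response nor re-read the resource, so unless the project's test client fails on a non-success status by default, a 403 from the new policies would pass silently — the exact regression these protection tests exist to catch. Capturing the response and asserting on it, e.g. `r = c.post('/v3/registered_limits', json=create, headers=self.headers)` followed by `self.assertEqual(201, r.status_code)`, makes the expectation explicit; the same applies to the PATCH and DELETE calls. In `test_user_can_list_registered_limits`, `self.assertTrue(len(r.json['registered_limits']) == 1)` reads better and fails more informatively as `self.assertEqual(1, len(r.json['registered_limits']))`. The three context lines at the top of the hunk belong to `SystemMemberTests.setUp`, whose start is outside the hunk.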

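--- a/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml
+++ b/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml
@@ -0,0 +1,25 @@
+---
+features:
+- |
+[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
+The registered limit API now supports the ``admin``, ``member``, and
+``reader`` default roles.
+upgrade:
+- |
+[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
+The following registered limit policy check strings have changed
+in favor of more clear and concise defaults:
+* ``identity:create_registered_limits``
+* ``identity:update_registered_limit``
+* ``identity:delete_registered_limit``
+These policies are not being formally deprecated because the
+unified limits API is still considered experiemental. Please
+consider these new defaults if your deployment overrides the
+registered limit policies.
+security:
+- |
+[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
+The registered limit API now uses system-scope and default
+roles to provide better accessibility to users in a secure way.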