Update registered limit policies for system admin
This change makes the policy definitions for admin registered limit operations consistent with the other registered limit policies.

Subsequent patches will incorporate:

- domain user test coverage
- project user test coverage

Change-Id: If0352220670fdf5c98d0820309817416466b1466
Related-Bug: 1805372
Related-Bug: 1805880
This commit is contained in:
parent
e287f58fbb
commit
4f5e462844
@ -41,21 +41,21 @@ registered_limit_policies = [
'method': 'HEAD'}]),
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_registered_limits',
name=base.IDENTITY % 'create_registered_limits',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
scope_types=['system'],
description='Create registered limits.',
description='Create registered limits.',
operations=[{'path': '/v3/registered_limits',
operations=[{'path': '/v3/registered_limits',
'method': 'POST'}]),
'method': 'POST'}]),
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_registered_limit',
name=base.IDENTITY % 'update_registered_limit',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
scope_types=['system'],
description='Update registered limit.',
description='Update registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}]),
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_registered_limit',
name=base.IDENTITY % 'delete_registered_limit',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
scope_types=['system'],
description='Delete registered limit.',
description='Delete registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
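Review bot: The three `check_str='role:admin'` rows (create, update and delete) carry no scope condition of their own, so the `scope_types=['system']` beside them only restricts callers while `[oslo_policy]/enforce_scope` is on; with it off, any token that holds the admin role, project-scoped included, satisfies these rules. The tests added in this commit drive the rules only with `enforce_scope=True` set in their setUp, so the enforce_scope-off behaviour is exercised by nothing here. If that is the intended transition behaviour, a comment above the first of these rules would save the next reader checking it, e.g. `# NOTE: 'role:admin' is scope-agnostic; scope_types only binds when enforce_scope is True.` This page prints old and new rows without side markers, so which of `base.RULE_ADMIN_REQUIRED` and `'role:admin'` is the new value is inferred from the commit message and release note; the `registered_limit_policies` list starts before and ends after this hunk.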
@ -193,3 +193,125 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_get_a_registered_limit(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
r = c.get(
'/v3/registered_limits/%s' % limit_id, headers=self.headers
)
self.assertEqual(limit_id, r.json['registered_limit']['id'])
def test_user_can_list_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
r = c.get(
'/v3/registered_limits', headers=self.headers
)
self.assertTrue(len(r.json['registered_limits']) == 1)
self.assertEqual(limit_id, r.json['registered_limits'][0]['id'])
def test_user_can_create_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
create = {
'registered_limits': [
unit.new_registered_limit_ref(
service_id=service['id']
)
]
}
with self.test_client() as c:
c.post('/v3/registered_limits', json=create, headers=self.headers)
def test_user_can_update_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
update = {
'registered_limit': {'default_limit': 5}
}
c.patch(
'/v3/registered_limits/%s' % limit_id, json=update,
headers=self.headers
)
def test_user_can_delete_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
c.delete(
'/v3/registered_limits/%s' % limit_id, headers=self.headers
)
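Review bot: The create, update and delete tests call `c.post(...)`, `c.patch(...)` and `c.delete(...)` and discard the response, so unless this test client raises on a non-2xx status by default, a 403 from the very policy under test would leave all three passing; the get and list tests inspect the body and would not. Keeping the response and asserting on it, e.g. `r = c.post('/v3/registered_limits', json=create, headers=self.headers)` then `self.assertEqual(201, r.status_code)`, makes each test fail for the right reason (`status_code` assumes the same response object the other tests read `r.json` and `r.headers` from; the expected codes are the usual ones for these verbs, confirm against the API). The service-plus-registered-limit fixture block is repeated verbatim in four tests, and `setUp` repeats the token-grab sequence of `SystemMemberTests` above with only the bootstrap user changed; a small `_create_registered_limit()` helper returning `limit_id` would remove most of that repetition. `SystemMemberTests` begins before this hunk.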
@ -0,0 +1,25 @@
---
features:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The registered limit API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The following registered limit policy check strings have changed
in favor of more clear and concise defaults:
* ``identity:create_registered_limits``
* ``identity:update_registered_limit``
* ``identity:delete_registered_limit``
These policies are not being formally deprecated because the
unified limits API is still considered experiemental. Please
consider these new defaults if your deployment overrides the
registered limit policies.
security:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The registered limit API now uses system-scope and default
roles to provide better accessibility to users in a secure way.