
Test domain and project users against group system assignment API

This commit ensures that domain and project users are not able to
operate on system role assignments for groups in any way, since they
lack the proper authorization to do so.

Subsequent patches will:

 - remove obsolete policies from policy.v3cloudsample.json

Change-Id: I696e5d161fae7efbc208355372bf7bf09f96849f
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 6e118bad3d)
changes/80/647680/1
Lance Bragstad 3 years ago
committed by Colleen Murphy
parent
commit
56e4812793
  1. 62
      keystone/tests/unit/protection/v3/test_system_assignments.py
  2. 24
      releasenotes/notes/bug-1750669-dfce859550126f03.yaml

62
keystone/tests/unit/protection/v3/test_system_assignments.py

@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_list_group_system_role_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.get(
'/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_check_group_system_role_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.get(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_grant_group_system_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
with self.test_client() as c:
c.put(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_revoke_group_system_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.delete(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
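Review bot: The two mutating tests, test_user_cannot_grant_group_system_assignments and test_user_cannot_revoke_group_system_assignments, assert only the FORBIDDEN status on the PUT and DELETE and never confirm that the group's system assignments were left untouched, so a handler that evaluated the policy after applying the write would still pass them. After the forbidden PUT, add something like `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_group(group['id']))`, and after the forbidden DELETE assert that the grant created with create_system_grant_for_group is still present; this presumes the assignment manager exposes a matching lister next to the create call used here, which the hunk does not show. The list and check tests are pure read denials and need no such follow-up. The enclosing class _DomainAndProjectUserSystemAssignmentTests begins outside the hunk, and the first two hunk lines close a method defined before it.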

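--- a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
+++ b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
@@ -19,18 +19,20 @@ deprecations:
 [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
 [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
 The system assignment policies have been deprecated. The
-``identity:list_system_grants_for_user`` and
-``identity:check_system_grant_for_user`` policies now use
+``identity:list_system_grants_for_user``,
+``identity:check_system_grant_for_user``,
+``identity:list_system_grants_for_group``, and
+``identity:check_system_grant_for_group`` policies now use
 ``role:reader and system_scope:all`` instead of
-``rule:admin_required``. The
-``identity:create_system_grant_for_user`` and
-``identity:revoke_system_grant_for_user`` policies now use
-``role:admin and system_scope:all`` instead of
-``rule:admin_required``. These new defaults automatically include
-support for a read-only role and allow for more granular access to
-the system assignment API, making it easier for administrators to
-delegate authorization, safely. Please consider these new defaults
-if your deployment overrides the system assignment APIs.
+``rule:admin_required``. The ``identity:create_system_grant_for_user``,
+``identity:revoke_system_grant_for_user``,
+``identity:create_system_grant_for_group``, and
+``identity:revoke_system_grant_for_group`` policies now use ``role:admin
+and system_scope:all`` instead of ``rule:admin_required``. These new
+defaults automatically include support for a read-only role and allow for
+more granular access to the system assignment API, making it easier for
+administrators to delegate authorization, safely. Please consider these new
+defaults if your deployment overrides the system assignment APIs.
 security:
 - |
 [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]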
