Test domain and project users against group system assignment API
This commit ensures that domain and project users are not able to
operate on system role assignments for groups in any way, since they
lack the proper authorization to do so.
Subsequent patches will:
- remove obsolete policies from policy.v3cloudsample.json
Change-Id: I696e5d161fae7efbc208355372bf7bf09f96849f
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 6e118bad3d
)
parent
02eebfe573
commit
56e4812793
@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
|
|||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_list_group_system_role_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_check_group_system_role_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_grant_group_system_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_group_system_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
|
|
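Review bot: The new grant and revoke tests assert only the FORBIDDEN response and never confirm that the group's system assignment was left untouched, so a regression that enforced policy after performing the write would still pass; `test_user_cannot_grant_group_system_assignments` should end with a check that no grant appeared, e.g. `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_group(group['id']))`, and `test_user_cannot_revoke_group_system_assignments` with the mirror-image check that the member role is still listed (assuming `list_system_grants_for_group` is the read counterpart of the `create_system_grant_for_group` call these tests already make). The four tests also repeat the same create-group-plus-grant setup; a small `_create_group_with_system_grant()` helper on the mixin would keep each test to the request under review. The enclosing class `_DomainAndProjectUserSystemAssignmentTests` starts outside the hunk.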
|
@ -19,18 +19,20 @@ deprecations:
|
|||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
||||
The system assignment policies have been deprecated. The
|
||||
``identity:list_system_grants_for_user`` and
|
||||
``identity:check_system_grant_for_user`` policies now use
|
||||
``identity:list_system_grants_for_user``,
|
||||
``identity:check_system_grant_for_user``,
|
||||
``identity:list_system_grants_for_group``, and
|
||||
``identity:check_system_grant_for_group`` policies now use
|
||||
``role:reader and system_scope:all`` instead of
|
||||
``rule:admin_required``. The
|
||||
``identity:create_system_grant_for_user`` and
|
||||
``identity:revoke_system_grant_for_user`` policies now use
|
||||
``role:admin and system_scope:all`` instead of
|
||||
``rule:admin_required``. These new defaults automatically include
|
||||
support for a read-only role and allow for more granular access to
|
||||
the system assignment API, making it easier for administrators to
|
||||
delegate authorization, safely. Please consider these new defaults
|
||||
if your deployment overrides the system assignment APIs.
|
||||
``rule:admin_required``. The ``identity:create_system_grant_for_user``,
|
||||
``identity:revoke_system_grant_for_user``,
|
||||
``identity:create_system_grant_for_group``, and
|
||||
``identity:revoke_system_grant_for_group`` policies now use ``role:admin
|
||||
and system_scope:all`` instead of ``rule:admin_required``. These new
|
||||
defaults automatically include support for a read-only role and allow for
|
||||
more granular access to the system assignment API, making it easier for
|
||||
administrators to delegate authorization, safely. Please consider these new
|
||||
defaults if your deployment overrides the system assignment APIs.
|
||||
security:
|
||||
- |
|
||||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
|
|