Test domain and project users against group system assignment API
This commit ensures that domain and project users are not able to operate on system role assignments for groups in any way, since they lack the proper authorization to do so. Subsequent patches will: - remove obsolete policies from policy.v3cloudsample.json Change-Id: I696e5d161fae7efbc208355372bf7bf09f96849f Related-Bug: 1805368 Related-Bug: 1750669 Related-Bug: 1806762
parent
ba09e89ba1
commit
6e118bad3d
|
@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
|
|||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_list_group_system_role_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_check_group_system_role_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_grant_group_system_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_group_system_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
|
|
|
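Review bot: The grant and revoke tests (`test_user_cannot_grant_group_system_assignments`, `test_user_cannot_revoke_group_system_assignments`) assert only the 403 status and never confirm that the assignment state is unchanged afterwards, which is the property the policy change is meant to protect. After the `c.put(...)` and `c.delete(...)` calls, a follow-up assertion along the lines of `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_group(group['id']))` in the grant test (and the non-empty counterpart in the revoke test) would catch a handler that performs the action before denying; confirm the exact manager method name against the assignment API before adding it. The four new methods also repeat the create-group / create-system-grant setup verbatim, which could be folded into one private helper on the mixin so each test reads as a single request plus expectation. The enclosing class `_DomainAndProjectUserSystemAssignmentTests` starts before this hunk.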
@ -19,18 +19,20 @@ deprecations:
|
|||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
||||
The system assignment policies have been deprecated. The
|
||||
``identity:list_system_grants_for_user`` and
|
||||
``identity:check_system_grant_for_user`` policies now use
|
||||
``identity:list_system_grants_for_user``,
|
||||
``identity:check_system_grant_for_user``,
|
||||
``identity:list_system_grants_for_group``, and
|
||||
``identity:check_system_grant_for_group`` policies now use
|
||||
``role:reader and system_scope:all`` instead of
|
||||
``rule:admin_required``. The
|
||||
``identity:create_system_grant_for_user`` and
|
||||
``identity:revoke_system_grant_for_user`` policies now use
|
||||
``role:admin and system_scope:all`` instead of
|
||||
``rule:admin_required``. These new defaults automatically include
|
||||
support for a read-only role and allow for more granular access to
|
||||
the system assignment API, making it easier for administrators to
|
||||
delegate authorization, safely. Please consider these new defaults
|
||||
if your deployment overrides the system assignment APIs.
|
||||
``rule:admin_required``. The ``identity:create_system_grant_for_user``,
|
||||
``identity:revoke_system_grant_for_user``,
|
||||
``identity:create_system_grant_for_group``, and
|
||||
``identity:revoke_system_grant_for_group`` policies now use ``role:admin
|
||||
and system_scope:all`` instead of ``rule:admin_required``. These new
|
||||
defaults automatically include support for a read-only role and allow for
|
||||
more granular access to the system assignment API, making it easier for
|
||||
administrators to delegate authorization, safely. Please consider these new
|
||||
defaults if your deployment overrides the system assignment APIs.
|
||||
security:
|
||||
- |
|
||||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
|
|