Browse Source

Merge "Implement system admin for trusts API"

tags/16.0.0.0rc1
Zuul Gerrit Code Review 8 months ago
parent
commit
707df89ab2
3 changed files with 55 additions and 10 deletions
  1. +11
    -3
      keystone/common/policies/trust.py
  2. +3
    -7
      keystone/tests/unit/protection/v3/test_trusts.py
  3. +41
    -0
      releasenotes/notes/bug-1818846-d1a8c77d20659ad6.yaml

+ 11
- 3
keystone/common/policies/trust.py View File

@@ -22,6 +22,7 @@ SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE = (
)
SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR

deprecated_list_trusts = policy.DeprecatedRule(
name=base.IDENTITY % 'list_trusts',
@@ -35,6 +36,10 @@ deprecated_get_role_for_trust = policy.DeprecatedRule(
name=base.IDENTITY % 'get_role_for_trust',
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
)
deprecated_delete_trust = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_trust',
check_str=RULE_TRUSTOR
)
deprecated_get_trust = policy.DeprecatedRule(
name=base.IDENTITY % 'get_trust',
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
@@ -115,11 +120,14 @@ trust_policies = [
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_trust',
check_str=RULE_TRUSTOR,
scope_types=['project'],
check_str=SYSTEM_ADMIN_OR_TRUSTOR,
scope_types=['system', 'project'],
description='Revoke trust.',
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
'method': 'DELETE'}]),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_trust,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_trust',
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,


+ 3
- 7
keystone/tests/unit/protection/v3/test_trusts.py View File

@@ -378,9 +378,7 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):

def setUp(self):
super(SystemAdminTests, self).setUp()
# TODO(cmurphy) enable enforce_scope when trust policies become
# system-scope aware
# self.config_fixture.config(group='oslo_policy', enforce_scope=True)
self.config_fixture.config(group='oslo_policy', enforce_scope=True)

self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
@@ -396,16 +394,14 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}

def test_admin_cannot_delete_trust_for_other_user(self):
# only the is_admin admin can do this
def test_admin_can_delete_trust_for_other_user(self):
ref = PROVIDERS.trust_api.create_trust(
self.trust_id, **self.trust_data)

with self.test_client() as c:
c.delete(
'/v3/OS-TRUST/trusts/%s' % ref['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
headers=self.headers
)

def test_admin_cannot_delete_trust_for_user_overridden_defaults(self):


+ 41
- 0
releasenotes/notes/bug-1818846-d1a8c77d20659ad6.yaml View File

@@ -0,0 +1,41 @@
---
features:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
The trusts API now supports the ``admin``, ``member``, and ``reader``
default roles. System users can now audit and clean up trusts using the
default policies.
upgrade:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
The trusts API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
trust policies.
deprecations:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
The trust policies have been deprecated. The ``identity:list_trusts``
policy now uses ``(role:reader and system_scope:all)`` instead of
``rule_admin_required``. The ``identity:list_roles_for_trust``,
``identity:get_role_for_trust``, and ``identity:get_trust`` policies now
use ``(role:reader and system_scope:all) or
user_id:%(target.trust.trustor_user_id)s or
user_id:%(target.trust.trustee_user_id)s`` instead
of``user_id:%(target.trust.trustor_user_id)s or
user_id:%(target.trust.trustee_user_id)s``. The ``identity:delete_trust``
policy now uses ``(role:admin and system_scope:all) or
user_id:%(target.trust.trustor_user_id)s`` instead of
``user_id:%(target.trust.trustor_user_id)s``. These new defaults
automatically account for system-scope and support a read-only role, making
it easier for system administrators to delegate subsets of responsibility
without compromising security. Please consider these new defaults if your
deployment overrides trust policies.
security:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
The trusts API now uses system-scope and default roles to
provide better accessibility to users in a secure way.

Loading…
Cancel
Save