
Merge "Implement system admin for trusts API"

changes/44/680844/2
Zuul 1 week ago
parent
commit
707df89ab2

+ 11
- 3
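--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@@ -22,6 +22,7 @@ SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE = (
 )
 SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
 SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
+SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
 
 deprecated_list_trusts = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_trusts',
@@ -35,6 +36,10 @@ deprecated_get_role_for_trust = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_role_for_trust',
     check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )
+deprecated_delete_trust = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_trust',
+    check_str=RULE_TRUSTOR
+)
 deprecated_get_trust = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_trust',
     check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
@@ -115,11 +120,14 @@ trust_policies = [
         deprecated_since=versionutils.deprecated.TRAIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_trust',
-        check_str=RULE_TRUSTOR,
-        scope_types=['project'],
+        check_str=SYSTEM_ADMIN_OR_TRUSTOR,
+        scope_types=['system', 'project'],
         description='Revoke trust.',
         operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
-                     'method': 'DELETE'}]),
+                     'method': 'DELETE'}],
+        deprecated_rule=deprecated_delete_trust,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.TRAIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_trust',
         check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,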
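Review bot: The `description='Revoke trust.'` on the `delete_trust` rule is left unchanged even though the rule now grants the operation to `SYSTEM_ADMIN_OR_TRUSTOR` with `scope_types=['system', 'project']`, and that description is what ends up in the generated policy documentation operators read when deciding whether to override the default. It should state the widened authorization, e.g. `description='Revoke trust. The trustor may revoke their own trust; a system administrator may revoke any trust.'`. Because `deprecated_rule=deprecated_delete_trust` keeps `RULE_TRUSTOR` alive for the deprecation window, the effective check is presumably the union of old and new rules, so trustor access is unchanged and only the system-admin path is new; worth saying in the description rather than leaving readers to infer it. The `trust_policies` list begins and continues outside this hunk.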

+ 3
- 7
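--- a/keystone/tests/unit/protection/v3/test_trusts.py
+++ b/keystone/tests/unit/protection/v3/test_trusts.py
@@ -378,9 +378,7 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
 
     def setUp(self):
         super(SystemAdminTests, self).setUp()
-        # TODO(cmurphy) enable enforce_scope when trust policies become
-        # system-scope aware
-        # self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 
         self.user_id = self.bootstrapper.admin_user_id
         auth = self.build_authentication_request(
@@ -396,16 +394,14 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
             self.token_id = r.headers['X-Subject-Token']
             self.headers = {'X-Auth-Token': self.token_id}
 
-    def test_admin_cannot_delete_trust_for_other_user(self):
-        # only the is_admin admin can do this
+    def test_admin_can_delete_trust_for_other_user(self):
         ref = PROVIDERS.trust_api.create_trust(
             self.trust_id, **self.trust_data)
 
         with self.test_client() as c:
             c.delete(
                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
-                headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
+                headers=self.headers
             )
 
     def test_admin_cannot_delete_trust_for_user_overridden_defaults(self):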
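Review bot: `test_admin_can_delete_trust_for_other_user` drops the explicit `expected_status_code` and so only checks that the DELETE is not rejected by the test client's default success check; it never confirms the trust is actually gone, so a handler that authorizes the call but fails to revoke would still pass. After the `c.delete(...)` call, add a follow-up read, `c.get('/v3/OS-TRUST/trusts/%s' % ref['id'], headers=self.headers, expected_status_code=http_client.NOT_FOUND)`, which uses `http_client`, already referenced on the removed line. Since `setUp` now turns on `enforce_scope`, it would also be worth a one-line comment on that call saying the trust policies are now system-scope aware, replacing the TODO that was removed rather than leaving the change unexplained. The `SystemAdminTests` class continues outside this hunk, and whether a sibling test covers that a system reader or member still cannot delete another user's trust is not visible here.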

+ 41
- 0
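--- /dev/null
+++ b/releasenotes/notes/bug-1818846-d1a8c77d20659ad6.yaml
@@ -0,0 +1,41 @@
+---
+features:
+  - |
+    [`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
+    The trusts API now supports the ``admin``, ``member``, and ``reader``
+    default roles. System users can now audit and clean up trusts using the
+    default policies.
+upgrade:
+  - |
+    [`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
+    [`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
+    The trusts API uses new default policies that make it more
+    accessible to end users and administrators in a secure way. Please
+    consider these new defaults if your deployment overrides
+    trust policies.
+deprecations:
+  - |
+    [`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
+    [`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
+    The trust policies have been deprecated. The ``identity:list_trusts``
+    policy now uses ``(role:reader and system_scope:all)`` instead of
+    ``rule_admin_required``. The ``identity:list_roles_for_trust``,
+    ``identity:get_role_for_trust``, and ``identity:get_trust`` policies now
+    use ``(role:reader and system_scope:all) or
+    user_id:%(target.trust.trustor_user_id)s or
+    user_id:%(target.trust.trustee_user_id)s`` instead
+    of``user_id:%(target.trust.trustor_user_id)s or
+    user_id:%(target.trust.trustee_user_id)s``. The ``identity:delete_trust``
+    policy now uses ``(role:admin and system_scope:all) or
+    user_id:%(target.trust.trustor_user_id)s`` instead of
+    ``user_id:%(target.trust.trustor_user_id)s``. These new defaults
+    automatically account for system-scope and support a read-only role, making
+    it easier for system administrators to delegate subsets of responsibility
+    without compromising security. Please consider these new defaults if your
+    deployment overrides trust policies.
+security:
+  - |
+    [`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
+    [`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
+    The trusts API now uses system-scope and default roles to
+    provide better accessibility to users in a secure way.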
