Merge "Implement system admin for trusts API"
This commit is contained in:
commit
707df89ab2
|
@ -22,6 +22,7 @@ SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE = (
|
||||||
)
|
)
|
||||||
SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
|
SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
|
||||||
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
|
SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
|
||||||
|
SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
|
||||||
|
|
||||||
deprecated_list_trusts = policy.DeprecatedRule(
|
deprecated_list_trusts = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'list_trusts',
|
name=base.IDENTITY % 'list_trusts',
|
||||||
|
@ -35,6 +36,10 @@ deprecated_get_role_for_trust = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_role_for_trust',
|
name=base.IDENTITY % 'get_role_for_trust',
|
||||||
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
||||||
)
|
)
|
||||||
|
deprecated_delete_trust = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'delete_trust',
|
||||||
|
check_str=RULE_TRUSTOR
|
||||||
|
)
|
||||||
deprecated_get_trust = policy.DeprecatedRule(
|
deprecated_get_trust = policy.DeprecatedRule(
|
||||||
name=base.IDENTITY % 'get_trust',
|
name=base.IDENTITY % 'get_trust',
|
||||||
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
|
||||||
|
@ -115,11 +120,14 @@ trust_policies = [
|
||||||
deprecated_since=versionutils.deprecated.TRAIN),
|
deprecated_since=versionutils.deprecated.TRAIN),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_trust',
|
name=base.IDENTITY % 'delete_trust',
|
||||||
check_str=RULE_TRUSTOR,
|
check_str=SYSTEM_ADMIN_OR_TRUSTOR,
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
description='Revoke trust.',
|
description='Revoke trust.',
|
||||||
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
||||||
'method': 'DELETE'}]),
|
'method': 'DELETE'}],
|
||||||
|
deprecated_rule=deprecated_delete_trust,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_trust',
|
name=base.IDENTITY % 'get_trust',
|
||||||
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
|
check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
|
||||||
|
|
|
@ -378,9 +378,7 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(SystemAdminTests, self).setUp()
|
super(SystemAdminTests, self).setUp()
|
||||||
# TODO(cmurphy) enable enforce_scope when trust policies become
|
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||||
# system-scope aware
|
|
||||||
# self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
|
||||||
|
|
||||||
self.user_id = self.bootstrapper.admin_user_id
|
self.user_id = self.bootstrapper.admin_user_id
|
||||||
auth = self.build_authentication_request(
|
auth = self.build_authentication_request(
|
||||||
|
@ -396,16 +394,14 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
|
||||||
self.token_id = r.headers['X-Subject-Token']
|
self.token_id = r.headers['X-Subject-Token']
|
||||||
self.headers = {'X-Auth-Token': self.token_id}
|
self.headers = {'X-Auth-Token': self.token_id}
|
||||||
|
|
||||||
def test_admin_cannot_delete_trust_for_other_user(self):
|
def test_admin_can_delete_trust_for_other_user(self):
|
||||||
# only the is_admin admin can do this
|
|
||||||
ref = PROVIDERS.trust_api.create_trust(
|
ref = PROVIDERS.trust_api.create_trust(
|
||||||
self.trust_id, **self.trust_data)
|
self.trust_id, **self.trust_data)
|
||||||
|
|
||||||
with self.test_client() as c:
|
with self.test_client() as c:
|
||||||
c.delete(
|
c.delete(
|
||||||
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
||||||
headers=self.headers,
|
headers=self.headers
|
||||||
expected_status_code=http_client.FORBIDDEN
|
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_admin_cannot_delete_trust_for_user_overridden_defaults(self):
|
def test_admin_cannot_delete_trust_for_user_overridden_defaults(self):
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
|
||||||
|
The trusts API now supports the ``admin``, ``member``, and ``reader``
|
||||||
|
default roles. System users can now audit and clean up trusts using the
|
||||||
|
default policies.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
|
||||||
|
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
|
||||||
|
The trusts API uses new default policies that make it more
|
||||||
|
accessible to end users and administrators in a secure way. Please
|
||||||
|
consider these new defaults if your deployment overrides
|
||||||
|
trust policies.
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
|
||||||
|
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
|
||||||
|
The trust policies have been deprecated. The ``identity:list_trusts``
|
||||||
|
policy now uses ``(role:reader and system_scope:all)`` instead of
|
||||||
|
``rule_admin_required``. The ``identity:list_roles_for_trust``,
|
||||||
|
``identity:get_role_for_trust``, and ``identity:get_trust`` policies now
|
||||||
|
use ``(role:reader and system_scope:all) or
|
||||||
|
user_id:%(target.trust.trustor_user_id)s or
|
||||||
|
user_id:%(target.trust.trustee_user_id)s`` instead
|
||||||
|
of``user_id:%(target.trust.trustor_user_id)s or
|
||||||
|
user_id:%(target.trust.trustee_user_id)s``. The ``identity:delete_trust``
|
||||||
|
policy now uses ``(role:admin and system_scope:all) or
|
||||||
|
user_id:%(target.trust.trustor_user_id)s`` instead of
|
||||||
|
``user_id:%(target.trust.trustor_user_id)s``. These new defaults
|
||||||
|
automatically account for system-scope and support a read-only role, making
|
||||||
|
it easier for system administrators to delegate subsets of responsibility
|
||||||
|
without compromising security. Please consider these new defaults if your
|
||||||
|
deployment overrides trust policies.
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
|
||||||
|
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
|
||||||
|
The trusts API now uses system-scope and default roles to
|
||||||
|
provide better accessibility to users in a secure way.
|
Loading…
Reference in New Issue