Merge "Make system admin policies consistent for grants" into stable/stein
This commit is contained in:
commit
744502b981
|
@ -53,6 +53,12 @@ deprecated_list_grants = policy.DeprecatedRule(
|
|||
deprecated_check_grant = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
deprecated_create_grant = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
deprecated_revoke_grant = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Stein release, the assignment API now understands default roles and
|
||||
|
@ -141,7 +147,7 @@ grant_policies = [
|
|||
deprecated_since=versionutils.deprecated.STEIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_grant',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
# FIXME(lbragstad): See the above comment about scope_types before
|
||||
# adding 'project' to scope_types below.
|
||||
scope_types=['system'],
|
||||
|
@ -151,10 +157,13 @@ grant_policies = [
|
|||
'to the OS-INHERIT APIs, where grants on the target '
|
||||
'are inherited to all projects in the subtree, if '
|
||||
'applicable.'),
|
||||
operations=list_operations(resource_paths, ['PUT'])),
|
||||
operations=list_operations(resource_paths, ['PUT']),
|
||||
deprecated_rule=deprecated_create_grant,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.STEIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'revoke_grant',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
# FIXME(lbragstad): See the above comment about scope_types before
|
||||
# adding 'project' to scope_types below.
|
||||
scope_types=['system'],
|
||||
|
@ -166,7 +175,10 @@ grant_policies = [
|
|||
'applicable. In that case, revoking the role grant in '
|
||||
'the target would remove the logical effect of '
|
||||
'inheriting it to the target\'s projects subtree.'),
|
||||
operations=list_operations(resource_paths, ['DELETE'])),
|
||||
operations=list_operations(resource_paths, ['DELETE']),
|
||||
deprecated_rule=deprecated_revoke_grant,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.STEIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_system_grants_for_user',
|
||||
check_str=base.SYSTEM_READER,
|
||||
|
|
|
@ -460,3 +460,196 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
|
|||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
|
||||
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_SystemUserGrantTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
self.user_id = self.bootstrapper.admin_user_id
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.user_id,
|
||||
password=self.bootstrapper.admin_password,
|
||||
system=True
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
def test_user_can_create_grant_for_user_on_project(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex, unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/projects/%s/users/%s/roles/%s' % (
|
||||
project['id'], user['id'], self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_create_grant_for_user_on_domain(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/domains/%s/users/%s/roles/%s' % (
|
||||
domain['id'], user['id'], self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_create_grant_for_group_on_project(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex, unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/projects/%s/groups/%s/roles/%s' % (
|
||||
project['id'],
|
||||
group['id'],
|
||||
self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_create_grant_for_group_on_domain(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/domains/%s/groups/%s/roles/%s' % (
|
||||
domain['id'], group['id'], self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_revoke_grant_from_user_on_project(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex, unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||
project_id=project['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/projects/%s/users/%s/roles/%s' % (
|
||||
project['id'], user['id'], self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_revoke_grant_from_user_on_domain(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||
domain_id=domain['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/domains/%s/users/%s/roles/%s' % (
|
||||
domain['id'], user['id'], self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_revoke_grant_from_group_on_project(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex, unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, group_id=group['id'],
|
||||
project_id=project['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/projects/%s/groups/%s/roles/%s' % (
|
||||
project['id'],
|
||||
group['id'],
|
||||
self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_revoke_grant_from_group_on_domain(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, group_id=group['id'],
|
||||
domain_id=domain['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/domains/%s/groups/%s/roles/%s' % (
|
||||
domain['id'], group['id'], self.bootstrapper.reader_role_id
|
||||
),
|
||||
headers=self.headers
|
||||
)
|
||||
|
|
|
@ -4,39 +4,49 @@ features:
|
|||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
||||
The system assignment API now supports the ``admin``, ``member``,
|
||||
and ``reader`` default roles across system-scope, domain-scope,
|
||||
and project-scope.
|
||||
and ``reader`` default roles across system-scope, domain-scope, and
|
||||
project-scope. The grant API now supports the ``admin``,
|
||||
``member``, and ``reader`` default roles for system-scope.
|
||||
upgrade:
|
||||
- |
|
||||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
||||
The system assignment API uses new default policies that make it more
|
||||
accessible to end users and administrators in a secure way. Please
|
||||
consider these new defaults if your deployment overrides system
|
||||
assignment policies.
|
||||
The system assignment and grant APIs uses new default policies that
|
||||
make it more accessible to end users and administrators in a secure
|
||||
way. Please consider these new defaults if your deployment
|
||||
overrides system assignment policies.
|
||||
deprecations:
|
||||
- |
|
||||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
||||
The system assignment policies have been deprecated. The
|
||||
The system assignment and grant policies have been deprecated. The
|
||||
``identity:list_system_grants_for_user``,
|
||||
``identity:check_system_grant_for_user``,
|
||||
``identity:list_system_grants_for_group``, and
|
||||
``identity:check_system_grant_for_group`` policies now use
|
||||
``role:reader and system_scope:all`` instead of
|
||||
``rule:admin_required``. The ``identity:create_system_grant_for_user``,
|
||||
``rule:admin_required``. The
|
||||
``identity:create_system_grant_for_user``,
|
||||
``identity:revoke_system_grant_for_user``,
|
||||
``identity:create_system_grant_for_group``, and
|
||||
``identity:revoke_system_grant_for_group`` policies now use ``role:admin
|
||||
and system_scope:all`` instead of ``rule:admin_required``. These new
|
||||
defaults automatically include support for a read-only role and allow for
|
||||
more granular access to the system assignment API, making it easier for
|
||||
administrators to delegate authorization, safely. Please consider these new
|
||||
defaults if your deployment overrides the system assignment APIs.
|
||||
``identity:revoke_system_grant_for_group`` policies now use
|
||||
``role:admin and system_scope:all`` instead of
|
||||
``rule:admin_required``. The ``identity:check_grant`` and
|
||||
``identity:list_grants`` policies now use ``role:reader and
|
||||
system_scope:all`` instead of ``rule:admin_required``. The
|
||||
``identity:create_grant`` and ``identity:revoke_grant`` policies
|
||||
now use ``role:admin and system_scope:all`` instead of
|
||||
``rule:admin_required``. These new defaults automatically include
|
||||
support for a read-only role and allow for more granular access to
|
||||
the system assignment and grant APIs, making it easier for
|
||||
administrators to delegate authorization, safely. Please consider
|
||||
these new defaults if your deployment overrides the system
|
||||
assignment APIs.
|
||||
security:
|
||||
- |
|
||||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
||||
The system assignment API now uses system-scope, domain-scope,
|
||||
project-scope, and default roles to provide better accessibility
|
||||
to users in a secure way.
|
||||
project-scope, and default roles to provide better accessibility to
|
||||
users in a secure way. The grant API now uses system-scope and
|
||||
default to provide better accessbility to operators.
|
||||
|
|
Loading…
Reference in New Issue