Update service provider policies for system admin

This change makes the policy definitions for admin service
provider operations consistent with the other service provider
policies. Subsequent patches will incorporate:

 - domain users test coverage
 - project users test coverage

Change-Id: I621192f089d1b29e2585d0030716348274e50bf1
Related-Bug: 1804520
Closes-Bug: 1804522
Lance Bragstad 2018-11-26 20:43:09 +00:00
parent 5c55e472a4
commit 7ce5e3e24e
3 changed files with 131 additions and 6 deletions


@ -23,6 +23,18 @@ deprecated_list_sp = policy.DeprecatedRule(
name=base.IDENTITY % 'list_service_providers',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_sp = policy.DeprecatedRule(
name=base.IDENTITY % 'update_service_provider',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_sp = policy.DeprecatedRule(
name=base.IDENTITY % 'create_service_provider',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_sp = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_service_provider',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Stein release, the service provider API now understands default
@ -35,7 +47,7 @@ relying on overrides in your deployment for the service provider API.
service_provider_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_service_provider',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): Today, keystone doesn't support federation without
# modifying configuration files. It makes sense to require system scope
# for these operations until keystone supports a way to add federated
@ -46,7 +58,10 @@ service_provider_policies = [
description='Create federated service provider.',
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
'{service_provider_id}'),
'method': 'PUT'}]),
'method': 'PUT'}],
deprecated_rule=deprecated_create_sp,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_service_providers',
check_str=base.SYSTEM_READER,
@ -89,20 +104,26 @@ service_provider_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_service_provider',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update federated service provider.',
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
'{service_provider_id}'),
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_sp,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_service_provider',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete federated service provider.',
operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
'{service_provider_id}'),
'method': 'DELETE'}])
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_sp,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
]
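Review bot: The four `policy.DeprecatedRule` definitions added at the top of this section keep `rule:admin_required` in play next to the new `base.SYSTEM_ADMIN` check — under oslo.policy's deprecated_rule handling, as I understand it, the old check string is OR'd with the new one for the length of the deprecation, so a project-scoped admin token still passes create/update/delete until the deprecated rules are removed. DEPRECATED_REASON, only partly visible here, is the natural place to say so; suggest a sentence such as `During the deprecation period the previous check string is still honored alongside the new one, so the system-scope restriction only takes full effect once the deprecated rules are dropped or overridden.` The create rule's `scope_types` line falls between the second and third hunks and is not visible; since the FIXME on that rule states system scope is the intent, confirm it carries `scope_types=['system']` like the update and delete rules below.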


@ -173,3 +173,73 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserServiceProviderTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_service_providers(self):
service_provider = PROVIDERS.federation_api.create_sp(
uuid.uuid4().hex, unit.new_service_provider_ref()
)
service_provider = unit.new_service_provider_ref()
create = {'service_provider': service_provider}
with self.test_client() as c:
c.put(
'/v3/OS-FEDERATION/service_providers/%s' % uuid.uuid4().hex,
headers=self.headers,
json=create,
expected_status_code=http_client.CREATED
)
def test_user_can_update_service_providers(self):
service_provider = PROVIDERS.federation_api.create_sp(
uuid.uuid4().hex, unit.new_service_provider_ref()
)
update = {'service_provider': {'enabled': False}}
with self.test_client() as c:
c.patch(
'/v3/OS-FEDERATION/service_providers/%s' %
service_provider['id'],
headers=self.headers,
json=update
)
def test_user_can_delete_service_providers(self):
service_provider = PROVIDERS.federation_api.create_sp(
uuid.uuid4().hex, unit.new_service_provider_ref()
)
with self.test_client() as c:
c.delete(
'/v3/OS-FEDERATION/service_providers/%s' %
service_provider['id'],
headers=self.headers
)
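Review bot: test_user_can_create_service_providers calls `PROVIDERS.federation_api.create_sp` and then immediately rebinds `service_provider` to a fresh `unit.new_service_provider_ref()`, so the first three-line call is dead setup that only leaves a stray provider in the backend; drop it and keep just `service_provider = unit.new_service_provider_ref()`. The update and delete tests pass no `expected_status_code`, unlike the create test; if the test client's default check does not pin a success status, a 403 from the new SYSTEM_ADMIN rule would go unnoticed, so `expected_status_code=http_client.OK` on the PATCH and `expected_status_code=http_client.NO_CONTENT` on the DELETE would make the intent explicit. The `_SystemUserServiceProviderTests` mixin that SystemAdminTests inherits is outside this hunk, so the read-side coverage for this persona is not visible here.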


@ -0,0 +1,34 @@
---
features:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider API now supports the ``admin``, ``member``,
and ``reader`` default roles.
upgrade:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider API uses new default policies that
make it more accessible to end users and administrators. Please consider
these new defaults if your deployment overrides federated service provider
policies.
deprecations:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider policies have been deprecated. The
``identity:get_service_provider`` and
``identity:list_service_providers`` policies now use ``role:reader
and system_scope:all`` instead of ``rule:admin_required``. The
``identity:create_service_provider``,
``identity:update_service_provider``, and
``identity:delete_service_provider`` policies now use ``role:admin
and system_scope:all`` instead of ``rule:admin_required``. These
new defaults automatically include support for a read-only role
and allow for more granular access to service provider APIs,
making it easier for system administrators to delegate
authorization. Please consider these new defaults if your
deployment overrides the federated service provider policies.
security:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider API now uses system-scope and default
roles to provide better accessibility to users in a secure way.