Implement system_admin for endpoint_groups
This change modifies the policies for the endpoint_groups API to be more self-service by properly checking for system scope. It also includes the test cases. Subsequent patches will add: - domain user test coverage - project user test coverage Change-Id: I6fba8bbd9b113d872b6c3bab4e080552b75a1f7c Partial-Bug: #1818734
This commit is contained in:
parent
e4fb1e1fdd
commit
7d223bec9d
|
@ -45,6 +45,31 @@ deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
|
|||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
deprecated_create_endpoint_group = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'create_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
deprecated_update_endpoint_group = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'update_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
deprecated_delete_endpoint_group = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'delete_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
deprecated_add_endpoint_group_to_project = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the endpoint groups API now understands default roles
|
||||
|
@ -58,11 +83,14 @@ relying on overrides in your deployment for the endpoint groups API.
|
|||
group_endpoint_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Create endpoint group.',
|
||||
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
|
||||
'method': 'POST'}]),
|
||||
'method': 'POST'}],
|
||||
deprecated_rule=deprecated_create_endpoint_group,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_endpoint_groups',
|
||||
check_str=base.SYSTEM_READER,
|
||||
|
@ -89,20 +117,26 @@ group_endpoint_policies = [
|
|||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'update_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Update endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}'),
|
||||
'method': 'PATCH'}]),
|
||||
'method': 'PATCH'}],
|
||||
deprecated_rule=deprecated_update_endpoint_group,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_endpoint_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Delete endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}'),
|
||||
'method': 'DELETE'}]),
|
||||
'method': 'DELETE'}],
|
||||
deprecated_rule=deprecated_delete_endpoint_group,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
|
||||
check_str=base.SYSTEM_READER,
|
||||
|
@ -154,20 +188,26 @@ group_endpoint_policies = [
|
|||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'add_endpoint_group_to_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Allow a project to access an endpoint group.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}/projects/{project_id}'),
|
||||
'method': 'PUT'}]),
|
||||
'method': 'PUT'}],
|
||||
deprecated_rule=deprecated_add_endpoint_group_to_project,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'remove_endpoint_group_from_project',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Remove endpoint group from project.',
|
||||
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
|
||||
'{endpoint_group_id}/projects/{project_id}'),
|
||||
'method': 'DELETE'}])
|
||||
'method': 'DELETE'}],
|
||||
deprecated_rule=deprecated_remove_endpoint_group_from_project,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.TRAIN)
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -277,3 +277,102 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
|
|||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
|
||||
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_SystemUserEndpointGroupsTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
# Reuse the system administrator account created during
|
||||
# ``keystone-manage bootstrap``
|
||||
self.user_id = self.bootstrapper.admin_user_id
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.user_id,
|
||||
password=self.bootstrapper.admin_password,
|
||||
system=True
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
def test_user_can_create_endpoint_group(self):
|
||||
create = {
|
||||
'endpoint_group': {
|
||||
'id': uuid.uuid4().hex,
|
||||
'description': uuid.uuid4().hex,
|
||||
'filters': {'interface': 'public'},
|
||||
'name': uuid.uuid4().hex
|
||||
}
|
||||
}
|
||||
|
||||
with self.test_client() as c:
|
||||
c.post(
|
||||
'/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers)
|
||||
|
||||
def test_user_can_update_endpoint_group(self):
|
||||
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
|
||||
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
|
||||
endpoint_group['id'], endpoint_group
|
||||
)
|
||||
|
||||
update = {'endpoint_group': {'filters': {'interface': 'internal'}}}
|
||||
|
||||
with self.test_client() as c:
|
||||
c.patch(
|
||||
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update,
|
||||
headers=self.headers)
|
||||
|
||||
def test_user_can_delete_endpoint_group(self):
|
||||
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
|
||||
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
|
||||
endpoint_group['id'], endpoint_group
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_add_endpoint_group_to_project(self):
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex, unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
)
|
||||
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
|
||||
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
|
||||
endpoint_group['id'], endpoint_group
|
||||
)
|
||||
with self.test_client() as c:
|
||||
c.put('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
|
||||
% (endpoint_group['id'], project['id']),
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_remove_endpoint_group_from_project(self):
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex, unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
)
|
||||
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
|
||||
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
|
||||
endpoint_group['id'], endpoint_group
|
||||
)
|
||||
PROVIDERS.catalog_api.add_endpoint_group_to_project(
|
||||
endpoint_group['id'], project['id'])
|
||||
with self.test_client() as c:
|
||||
c.delete('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
|
||||
% (endpoint_group['id'], project['id']),
|
||||
headers=self.headers
|
||||
)
|
||||
|
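Review bot: The new SystemAdminTests methods issue their requests without an explicit `expected_status_code`, so which status each test actually verifies depends on the test client's default, which is not visible in this hunk; making it explicit, e.g. `c.post('/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers, expected_status_code=http_client.CREATED)` for the create and the no-content status for the PUT/DELETE calls, documents the authorization outcome under test and fails loudly if the SYSTEM_ADMIN policy regresses (this assumes the module already imports `http_client` as keystone's other protection tests do). Two of the added methods, test_user_add_endpoint_group_to_project and test_remove_endpoint_group_from_project, break the `test_user_can_*` naming used by the rest of the class and its sibling classes. Several added lines run past 79 columns (the `unit.new_endpoint_group_ref(filters={'interface': 'public'})` lines and the `'/v3/OS-EP-FILTER/endpoint_groups/%s' % ...` URL lines), which the project's flake8 gate is likely to reject; wrapping the argument lists resolves that.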
|