Implement system admin role in domains API

This commit introduces the system admin role to the API, making it
consistent with other system-admin policy definitions.

Subsequent patches will include domain support for:

  - domain user test coverage
  - project user test coverage

Change-Id: Ic9a789dc3f34d9735de3b4bc4bd48b41190cbfba
Closes-Bug: 1794376
Partial-Bug: 968696
This commit is contained in:
Lance Bragstad 2018-09-27 18:26:48 +00:00
parent d5a57414b4
commit 7fa424f1de
4 changed files with 116 additions and 6 deletions

View File

@ -30,6 +30,7 @@ RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
READER_ROLE = 'role:reader'
ADMIN_ROLE = 'role:admin'
rules = [

View File

@ -31,6 +31,18 @@ deprecated_get_domain = policy.DeprecatedRule(
name=base.IDENTITY % 'get_domain',
check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN
)
deprecated_update_domain = policy.DeprecatedRule(
name=base.IDENTITY % 'update_domain',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_domain = policy.DeprecatedRule(
name=base.IDENTITY % 'create_domain',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_domain = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_domain',
check_str=base.RULE_ADMIN_REQUIRED
)
domain_policies = [
policy.DocumentedRuleDefault(
@ -62,25 +74,34 @@ domain_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_domain',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.ADMIN_ROLE,
scope_types=['system'],
description='Create domain.',
operations=[{'path': '/v3/domains',
'method': 'POST'}]),
'method': 'POST'}],
deprecated_rule=deprecated_create_domain,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_domain',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.ADMIN_ROLE,
scope_types=['system'],
description='Update domain.',
operations=[{'path': '/v3/domains/{domain_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_domain,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_domain',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.ADMIN_ROLE,
scope_types=['system'],
description='Delete domain.',
operations=[{'path': '/v3/domains/{domain_id}',
'method': 'DELETE'}])
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_domain,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
]

View File

@ -191,3 +191,59 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserDomainTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
self.system_admin_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.system_admin_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_update_a_domain(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
update = {'domain': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch(
'/v3/domains/%s' % domain['id'], json=update,
headers=self.headers
)
def test_user_can_create_a_domain(self):
create = {'domain': {'name': uuid.uuid4().hex}}
with self.test_client() as c:
c.post(
'/v3/domains', json=create, headers=self.headers
)
def test_user_can_delete_a_domain(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
with self.test_client() as c:
update = {'domain': {'enabled': False}}
path = '/v3/domains/%s' % domain['id']
c.patch(path, json=update, headers=self.headers)
c.delete(path, headers=self.headers)

View File

@ -0,0 +1,32 @@
---
features:
- |
[`bug 1794376 <https://bugs.launchpad.net/keystone/+bug/1794376>`_]
The domain API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1794376 <https://bugs.launchpad.net/keystone/+bug/1794376>`_]
The domain API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
domain policies.
deprecations:
- |
[`bug 1794376 <https://bugs.launchpad.net/keystone/+bug/1794376>`_]
The following domain policy check strings have been deprecated in
favor of more clear and concise defaults:
* ``identity:get_domain``
* ``identity:list_domains``
* ``identity:create_domain``
* ``identity:update_domain``
* ``identtity:delete_domain``
Please consider these new default if your deployment overrides
domain policies.
security:
- |
[`bug 1794376 <https://bugs.launchpad.net/keystone/+bug/1794376>`_]
The domain API now uses system-scope and default roles to
provide better accessibility to users in a secure way.