correct the admin_or_target_domain rule

With the removal of KeystoneToken from the token model, we longer have the ability to use the token data syntax in the policy rules. This change broke backward compatibility for those is deploying customized Keystone policies. Unfortunately, we can't go back to KeystoneToken model as the change was tightly coupled with the other refactored authorization functionalities. Since the scope information is now available in the credential dictionary, we can just make use of it instead. Those who have custom policies must update their policy files accordingly. Change-Id: I83eae5c390d720da05e91264519ae01e8ca32159 closes-bug: 1810983
2019-01-09 16:07:36 -08:00 · 2019-01-09 16:07:36 -08:00 · a2e307ed4d
parent 718f4a9c4c
commit a2e307ed4d
4 changed files with 33 additions and 2 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -41,7 +41,7 @@
    "identity:update_limit": "rule:admin_required",
    "identity:delete_limit": "rule:admin_required",

-    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
+    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or project_domain_id:%(target.domain.id)s",
    "identity:list_domains": "rule:cloud_admin",
    "identity:create_domain": "rule:cloud_admin",
    "identity:update_domain": "rule:cloud_admin",
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@ -20,7 +20,7 @@ RULE_ADMIN_OR_CREDENTIAL_OWNER = (
    '(rule:owner and user_id:%(target.credential.user_id)s)')
 RULE_ADMIN_OR_TARGET_DOMAIN = (
    'rule:admin_required or '
-    'token.project.domain.id:%(target.domain.id)s')
+    'project_domain_id:%(target.domain.id)s')
 RULE_ADMIN_OR_TARGET_PROJECT = (
    'rule:admin_required or '
    'project_id:%(target.project.id)s')
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -1559,6 +1559,23 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        entity_url = '/domains/%s' % self.domainA['id']
        self.get(entity_url, auth=self.auth)

+    def test_project_admin_get_own_domain(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+        entity_url = '/domains/%s' % self.domainA['id']
+        self.get(entity_url, auth=self.auth)
+
+    def test_project_admin_get_other_domain_failed(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+        entity_url = '/domains/%s' % self.domainB['id']
+        self.get(entity_url, auth=self.auth,
+                 expected_status=exception.ForbiddenAction.code)
+
    def test_list_user_credentials(self):
        credential_user = unit.new_credential_ref(self.just_a_user['id'])
        PROVIDERS.credential_api.create_credential(
--- a/releasenotes/notes/fix-policy-for-get-domain-api-c48f4a23adc044cd.yaml
+++ b/releasenotes/notes/fix-policy-for-get-domain-api-c48f4a23adc044cd.yaml
@ -0,0 +1,14 @@
+---
+fixes:
+  - |
+    [`bug 1810983 <https://bugs.launchpad.net/keystone/+bug/1810983>`_]
+    With the removal of KeystoneToken from the token model, we longer
+    have the ability to use the token data syntax in the policy rules.
+    This change broke backward compatibility for anyone deploying
+    customized Keystone policies. Unfortunately, we can't go back
+    to KeystoneToken model as the change was tightly coupled with
+    the other refactored authorization functionalities.
+
+    Since the scope information is now available in the credential
+    dictionary, we can just make use of it instead. Those who have
+    custom policies must update their policy files accordingly.