Update idp policies for system admin

This change makes the policy definitions for admin idp operations
consistent with the other idp policies. Subsequent patches will
incorporate:

 - domain users test coverage
 - project users test coverage

 Related-Bug: 1804517
 Closes-Bug: 1804516

Change-Id: I6d6a19d95d8970362993c83e70cf23c989ae45e3
This commit is contained in:
Lance Bragstad 2018-11-21 21:58:24 +00:00
parent c347c4ff2f
commit a4c5d80439
3 changed files with 120 additions and 6 deletions

View File

@ -23,6 +23,18 @@ deprecated_list_idp = policy.DeprecatedRule(
name=base.IDENTITY % 'list_identity_providers',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_idp = policy.DeprecatedRule(
name=base.IDENTITY % 'update_identity_providers',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_idp = policy.DeprecatedRule(
name=base.IDENTITY % 'create_identity_providers',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_idp = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_identity_providers',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Stein release, the identity provider API now understands default
@ -35,7 +47,7 @@ relying on overrides in your deployment for the identity provider API.
identity_provider_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_identity_provider',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): All `scope_types` for identity provider policies
# should be updated to include project scope if, or when, it becomes
# possible to manage federated identity providers without modifying
@ -45,7 +57,10 @@ identity_provider_policies = [
scope_types=['system'],
description='Create identity provider.',
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
'method': 'PUT'}]),
'method': 'PUT'}],
deprecated_rule=deprecated_create_idp,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_identity_providers',
check_str=base.SYSTEM_READER,
@ -86,18 +101,24 @@ identity_provider_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_identity_provider',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update identity provider.',
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_idp,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_identity_provider',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete identity provider.',
operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
'method': 'DELETE'}])
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_idp,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
]

View File

@ -161,3 +161,64 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserIdentityProviderTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_identity_providers(self):
create = {'identity_provider': {'remote_ids': [uuid.uuid4().hex]}}
with self.test_client() as c:
c.put(
'/v3/OS-FEDERATION/identity_providers/%s' % uuid.uuid4().hex,
json=create, headers=self.headers,
expected_status_code=http_client.CREATED
)
def test_user_can_update_identity_providers(self):
idp = PROVIDERS.federation_api.create_idp(
uuid.uuid4().hex, unit.new_identity_provider_ref()
)
update = {'identity_provider': {'enabled': False}}
with self.test_client() as c:
c.patch(
'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
json=update, headers=self.headers
)
def test_user_can_delete_identity_providers(self):
idp = PROVIDERS.federation_api.create_idp(
uuid.uuid4().hex, unit.new_identity_provider_ref()
)
with self.test_client() as c:
c.delete(
'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
headers=self.headers
)

View File

@ -0,0 +1,32 @@
features:
- |
[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
The federated identity provider API now supports the ``admin``,
``member``, and ``reader`` default roles.
upgrade:
- |
[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
The federated identity provider API uses new default policies that
make it more accessible to end users and administrators in a
secure way. Please consider these new defaults if your deployment
overrides federated identity provider policies.
deprecations:
- |
[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
The federated identity provider policies have been deprecated.
The ``identity:list_identity_providers`` and
``identity:get_identity_provider`` policies now use ``role:reader
and system_scope:all`` instead of ``rule:admin_required``. The
``identity:create_identity_provider``, ``identity:update_identity_provider``,
``identity:delete_identity_provider`` policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to
delegate subsets of responsibility without compromising security.
Please consider these new defaults if your deployment overrides the
federated identity provider policies.
security:
- |
[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
The federated identity provider API now uses system-scope and
default roles to provide better accessibility to users in a secure way.