
Update idp policies for system admin

This change makes the policy definitions for admin idp operations
consistent with the other idp policies. Subsequent patches will
incorporate:

 - domain users test coverage
 - project users test coverage

 Related-Bug: 1804517
 Closes-Bug: 1804516

Change-Id: I6d6a19d95d8970362993c83e70cf23c989ae45e3
tags/15.0.0.0rc1
Lance Bragstad 1 year ago
a4c5d80439
3 changed files with 120 additions and 6 deletions
  1. +27
    -6
      keystone/common/policies/identity_provider.py
  2. +61
    -0
      keystone/tests/unit/protection/v3/test_identity_providers.py
  3. +32
    -0
      releasenotes/notes/bug-1804516-24b0b10ed6fe0589.yaml

+ 27
- 6
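--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@@ -23,6 +23,18 @@ deprecated_list_idp = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_identity_providers',
 check_str=base.RULE_ADMIN_REQUIRED
 )
+deprecated_update_idp = policy.DeprecatedRule(
+name=base.IDENTITY % 'update_identity_providers',
+check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_create_idp = policy.DeprecatedRule(
+name=base.IDENTITY % 'create_identity_providers',
+check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_delete_idp = policy.DeprecatedRule(
+name=base.IDENTITY % 'delete_identity_providers',
+check_str=base.RULE_ADMIN_REQUIRED
+)
 
 DEPRECATED_REASON = """
 As of the Stein release, the identity provider API now understands default
@@ -35,7 +47,7 @@ relying on overrides in your deployment for the identity provider API.
 identity_provider_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_identity_provider',
-check_str=base.RULE_ADMIN_REQUIRED,
+check_str=base.SYSTEM_ADMIN,
 # FIXME(lbragstad): All `scope_types` for identity provider policies
 # should be updated to include project scope if, or when, it becomes
 # possible to manage federated identity providers without modifying
@@ -45,7 +57,10 @@ identity_provider_policies = [
 scope_types=['system'],
 description='Create identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
-'method': 'PUT'}]),
+'method': 'PUT'}],
+deprecated_rule=deprecated_create_idp,
+deprecated_reason=DEPRECATED_REASON,
+deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_identity_providers',
 check_str=base.SYSTEM_READER,
@@ -86,18 +101,24 @@ identity_provider_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_identity_provider',
-check_str=base.RULE_ADMIN_REQUIRED,
+check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Update identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
-'method': 'PATCH'}]),
+'method': 'PATCH'}],
+deprecated_rule=deprecated_update_idp,
+deprecated_reason=DEPRECATED_REASON,
+deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_identity_provider',
-check_str=base.RULE_ADMIN_REQUIRED,
+check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Delete identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
-'method': 'DELETE'}])
+'method': 'DELETE'}],
+deprecated_rule=deprecated_delete_idp,
+deprecated_reason=DEPRECATED_REASON,
+deprecated_since=versionutils.deprecated.STEIN),
 ]
 
 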
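Review bot: The three DeprecatedRule names added in the first hunk are plural (`'update_identity_providers'`, `'create_identity_providers'`, `'delete_identity_providers'`) while the rules they are attached to in the last hunk are singular (`'update_identity_provider'`, `'create_identity_provider'`, `'delete_identity_provider'`); only the pre-existing `deprecated_list_idp` matches the name of its rule. If oslo.policy keys its deprecation handling on the rule name, as it appears to, a mismatched name is treated as a renamed policy rather than a changed check string, so the `rule:admin_required` fallback the release note promises for the deprecation period would not be OR'd into the new `SYSTEM_ADMIN` defaults and deployments that relied on the old default could lose create/update/delete access at upgrade. The fix is to drop the trailing `s` on those three names, e.g. `name=base.IDENTITY % 'create_identity_provider',`. A unit test asserting that each `deprecated_rule.name` equals the `name` of the rule it is attached to would catch this class of slip across the policy modules.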



+ 61
- 0
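--- a/keystone/tests/unit/protection/v3/test_identity_providers.py
+++ b/keystone/tests/unit/protection/v3/test_identity_providers.py
@@ -161,3 +161,64 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
 r = c.post('/v3/auth/tokens', json=auth)
 self.token_id = r.headers['X-Subject-Token']
 self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+common_auth.AuthTestMixin,
+_SystemUserIdentityProviderTests):
+
+def setUp(self):
+super(SystemAdminTests, self).setUp()
+self.loadapp()
+self.useFixture(ksfixtures.Policy(self.config_fixture))
+self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+# Reuse the system administrator account created during
+# ``keystone-manage bootstrap``
+self.user_id = self.bootstrapper.admin_user_id
+auth = self.build_authentication_request(
+user_id=self.user_id,
+password=self.bootstrapper.admin_password,
+system=True
+)
+
+# Grab a token using the persona we're testing and prepare headers
+# for requests we'll be making in the tests.
+with self.test_client() as c:
+r = c.post('/v3/auth/tokens', json=auth)
+self.token_id = r.headers['X-Subject-Token']
+self.headers = {'X-Auth-Token': self.token_id}
+
+def test_user_can_create_identity_providers(self):
+create = {'identity_provider': {'remote_ids': [uuid.uuid4().hex]}}
+
+with self.test_client() as c:
+c.put(
+'/v3/OS-FEDERATION/identity_providers/%s' % uuid.uuid4().hex,
+json=create, headers=self.headers,
+expected_status_code=http_client.CREATED
+)
+
+def test_user_can_update_identity_providers(self):
+idp = PROVIDERS.federation_api.create_idp(
+uuid.uuid4().hex, unit.new_identity_provider_ref()
+)
+
+update = {'identity_provider': {'enabled': False}}
+
+with self.test_client() as c:
+c.patch(
+'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
+json=update, headers=self.headers
+)
+
+def test_user_can_delete_identity_providers(self):
+idp = PROVIDERS.federation_api.create_idp(
+uuid.uuid4().hex, unit.new_identity_provider_ref()
+)
+
+with self.test_client() as c:
+c.delete(
+'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
+headers=self.headers
+)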
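Review bot: `test_user_can_update_identity_providers` and `test_user_can_delete_identity_providers` pass no `expected_status_code` to `c.patch` / `c.delete`, unlike the create test, which pins `http_client.CREATED`; the assertion these protection tests exist to make — that a system admin is authorized — is then only as strong as whatever default the test client applies, which is not visible in this hunk. Passing the expected code explicitly keeps the authorization check self-evident in the test body, e.g. `json=update, headers=self.headers, expected_status_code=http_client.OK` for the update and the matching no-content code for the delete. The class inherits `_SystemUserIdentityProviderTests` for its read tests, so the forbidden-for-member/reader cases presumably live in the sibling classes above this hunk; a one-line class docstring stating that `SystemAdminTests` covers only the write operations would make that split clear to the next reader.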

+ 32
- 0
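--- /dev/null
+++ b/releasenotes/notes/bug-1804516-24b0b10ed6fe0589.yaml
@@ -0,0 +1,32 @@
+features:
+- |
+[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
+The federated identity provider API now supports the ``admin``,
+``member``, and ``reader`` default roles.
+upgrade:
+- |
+[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
+The federated identity provider API uses new default policies that
+make it more accessible to end users and administrators in a
+secure way. Please consider these new defaults if your deployment
+overrides federated identity provider policies.
+deprecations:
+- |
+[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
+The federated identity provider policies have been deprecated.
+The ``identity:list_identity_providers`` and
+``identity:get_identity_provider`` policies now use ``role:reader
+and system_scope:all`` instead of ``rule:admin_required``. The
+``identity:create_identity_provider``, ``identity:update_identity_provider``,
+``identity:delete_identity_provider`` policies now use ``role:admin and
+system_scope:all`` instead of ``rule:admin_required``.
+These new defaults automatically account for system-scope and support
+a read-only role, making it easier for system administrators to
+delegate subsets of responsibility without compromising security.
+Please consider these new defaults if your deployment overrides the
+federated identity provider policies.
+security:
+- |
+[`bug 1804516 <https://bugs.launchpad.net/keystone/+bug/1804516>`_]
+The federated identity provider API now uses system-scope and
+default roles to provide better accessibility to users in a secure way.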
