Remove implied roles policies from v3cloudsample

By incorporating system scope and default roles into keystone's default policies for implied roles, we've effectively made these policies obsolete. Change-Id: I75515d3491517ea6e6fa17473a7890ce4653b481 Partial-bug: #1806762 Closes-bug: #1805371
2019-09-06 21:02:44 -07:00 · 2019-09-06 21:02:44 -07:00 · afb312529b
commit afb312529b
parent ee60db6f33
4 changed files with 40 additions and 37 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -34,13 +34,6 @@
    "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
    "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",

-    "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-    "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-    "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
-    "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-    "identity:list_role_inference_rules": "rule:cloud_admin",
-    "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-
    "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -339,7 +339,13 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:check_policy_association_for_region_and_service',
            'identity:delete_policy_association_for_region_and_service',
            'identity:get_policy_for_endpoint',
-            'identity:list_endpoints_for_policy'
+            'identity:list_endpoints_for_policy',
+            'identity:get_implied_role',
+            'identity:list_implied_roles',
+            'identity:create_implied_role',
+            'identity:delete_implied_role',
+            'identity:list_role_inference_rules',
+            'identity:check_implied_role',
        ]
        policy_keys = self._get_default_policy_rules()
        for p in removed_policies:
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -1775,32 +1775,3 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
        self.delete('/roles/%s/implies/%s'
                    % (self.appadmin_role['id'], self.appdev_role['id']),
                    token=self.admin_token)
-
-    def test_forbidden_role_implication_from_different_domain(self):
-        domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
-        PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
-
-        role2 = unit.new_role_ref(domain_id=domain2['id'])
-        implied = PROVIDERS.role_api.create_role(role2['id'], role2)
-
-        self.put('/roles/%s/implies/%s'
-                 % (self.appdev_role['id'], implied['id']),
-                 token=self.admin_token,
-                 expected_status=http_client.FORBIDDEN)
-
-    def test_allowed_role_implication_different_domains_as_cloud_admin(self):
-        self.auth = self.build_authentication_request(
-            user_id=self.cloud_admin_user['id'],
-            password=self.cloud_admin_user['password'],
-            project_id=self.admin_project['id'])
-
-        domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
-        PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
-
-        role2 = unit.new_role_ref(domain_id=domain2['id'])
-        implied = PROVIDERS.role_api.create_role(role2['id'], role2)
-
-        self.put('/roles/%s/implies/%s'
-                 % (self.appdev_role['id'], implied['id']),
-                 auth=self.auth,
-                 expected_status=http_client.CREATED)
--- a/releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml
+++ b/releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml
@ -0,0 +1,33 @@
+---
+features:
+  - |
+    [`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
+    The implied roles API now supports the ``admin``, ``member``, and
+    ``reader`` default roles.
+
+upgrade:
+  - |
+    [`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
+    The implied roles API uses new default policies to
+    make it more accessible to end users and administrators in a secure way.
+    Please consider these new defaults if your deployment overrides implied
+    roles policies.
+deprecations:
+  - |
+    [`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
+    The implied roles policies have been deprecated. The
+    ``identity:get_implied_role``, ``identity:list_implied_roles``,
+    ``identity:list_role_inference_rules``, and ``identity:check_implied_role``
+    policies now use ``role:reader and system_scope:all`` instead of
+    ``rule:admin_required``. The ``identity:create_implied_role`` and
+    ``identity:delete_implied_role`` policies now use ``role:admin and
+    system_scope:all`` instead of ``rule:admin_required``.
+    These new defaults automatically account for system-scope and support
+    a read-only role, making it easier for system administrators to delegate
+    subsets of responsibility without compromising security. Please consider
+    these new defaults if your deployment overrides the implied roles policies.
+security:
+  - |
+    [`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
+    The implied role API now uses system-scope and default
+    roles to provide better accessibility to users in a secure manner.