
Remove implied roles policies from v3cloudsample

By incorporating system scope and default roles into keystone's default
policies for implied roles, we've effectively made these policies
obsolete.

Change-Id: I75515d3491517ea6e6fa17473a7890ce4653b481
Partial-bug: #1806762
Closes-bug: #1805371
changes/97/680797/4
Colleen Murphy 2 years ago
parent
commit
afb312529b
  1. 7
      etc/policy.v3cloudsample.json
  2. 8
      keystone/tests/unit/test_policy.py
  3. 29
      keystone/tests/unit/test_v3_protection.py
  4. 33
      releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml

7
etc/policy.v3cloudsample.json

@ -34,13 +34,6 @@
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
"identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
"identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:list_role_inference_rules": "rule:cloud_admin",
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

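--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -339,7 +339,13 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:check_policy_association_for_region_and_service',
 'identity:delete_policy_association_for_region_and_service',
 'identity:get_policy_for_endpoint',
-'identity:list_endpoints_for_policy'
+'identity:list_endpoints_for_policy',
+'identity:get_implied_role',
+'identity:list_implied_roles',
+'identity:create_implied_role',
+'identity:delete_implied_role',
+'identity:list_role_inference_rules',
+'identity:check_implied_role',
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies: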
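Review bot: The trailing comma added to `'identity:list_endpoints_for_policy',` is what keeps the six new entries from being silently fused with it by implicit string concatenation; if that comma is ever lost again, the loop over `removed_policies` would check a name that never existed and pass vacuously, so a short comment recording why these entries belong here would help the next editor, e.g. `# Implied-role policies were removed from policy.v3cloudsample.json; the in-code defaults now use system scope and default roles (bug 1805371).` The assertion inside the `for p in removed_policies:` loop lies outside the hunk, so whether it fails loudly on a misspelled policy name cannot be confirmed from here.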

29
keystone/tests/unit/test_v3_protection.py

@ -1775,32 +1775,3 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
self.delete('/roles/%s/implies/%s'
% (self.appadmin_role['id'], self.appdev_role['id']),
token=self.admin_token)
def test_forbidden_role_implication_from_different_domain(self):
domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
role2 = unit.new_role_ref(domain_id=domain2['id'])
implied = PROVIDERS.role_api.create_role(role2['id'], role2)
self.put('/roles/%s/implies/%s'
% (self.appdev_role['id'], implied['id']),
token=self.admin_token,
expected_status=http_client.FORBIDDEN)
def test_allowed_role_implication_different_domains_as_cloud_admin(self):
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
role2 = unit.new_role_ref(domain_id=domain2['id'])
implied = PROVIDERS.role_api.create_role(role2['id'], role2)
self.put('/roles/%s/implies/%s'
% (self.appdev_role['id'], implied['id']),
auth=self.auth,
expected_status=http_client.CREATED)

33
releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml

@ -0,0 +1,33 @@
---
features:
- |
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
The implied roles API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
The implied roles API uses new default policies to
make it more accessible to end users and administrators in a secure way.
Please consider these new defaults if your deployment overrides implied
roles policies.
deprecations:
- |
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
The implied roles policies have been deprecated. The
``identity:get_implied_role``, ``identity:list_implied_roles``,
``identity:list_role_inference_rules``, and ``identity:check_implied_role``
policies now use ``role:reader and system_scope:all`` instead of
``rule:admin_required``. The ``identity:create_implied_role`` and
``identity:delete_implied_role`` policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to delegate
subsets of responsibility without compromising security. Please consider
these new defaults if your deployment overrides the implied roles policies.
security:
- |
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
The implied role API now uses system-scope and default
roles to provide better accessibility to users in a secure manner.