Allow user to get themself and their domain

Current policy.json allows a user to do get_project on their current project (taken from the token), but does not allow the same for get_user and get_domain. This extends the behavior to get_user and get_domain. This is also necessary for the openstackclient changes under https://review.openstack.org/#/c/311206/ to work for users and domains with the default policy file. Change-Id: Ia20e7f109c7b032be99154c84a80d882b9a77ba3 Closes-Bug: #1561599
2016-06-23 13:18:46 -04:00 · 2016-06-23 13:18:46 -04:00 · c990ec5c14
commit c990ec5c14
parent 4ac3c86eb6
3 changed files with 10 additions and 9 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -28,7 +28,7 @@
    "identity:update_endpoint": "rule:admin_required",
    "identity:delete_endpoint": "rule:admin_required",

-    "identity:get_domain": "rule:admin_required",
+    "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
    "identity:list_domains": "rule:admin_required",
    "identity:create_domain": "rule:admin_required",
    "identity:update_domain": "rule:admin_required",
@ -41,7 +41,7 @@
    "identity:update_project": "rule:admin_required",
    "identity:delete_project": "rule:admin_required",

-    "identity:get_user": "rule:admin_required",
+    "identity:get_user": "rule:admin_or_owner",
    "identity:list_users": "rule:admin_required",
    "identity:create_user": "rule:admin_required",
    "identity:update_user": "rule:admin_required",
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -28,7 +28,7 @@
    "identity:update_endpoint": "rule:cloud_admin",
    "identity:delete_endpoint": "rule:cloud_admin",

-    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
    "identity:list_domains": "rule:cloud_admin",
    "identity:create_domain": "rule:cloud_admin",
    "identity:update_domain": "rule:cloud_admin",
@ -45,7 +45,7 @@

    "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
-    "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
+    "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
    "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -688,9 +688,9 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        else:
            return (expected_status, expected_status, expected_status)

-    def _test_user_management(self, domain_id, expected=None):
+    def _test_user_management(self, user_id, domain_id, expected=None):
        status_OK, status_created, status_no_data = self._stati(expected)
-        entity_url = '/users/%s' % self.just_a_user['id']
+        entity_url = '/users/%s' % user_id
        list_url = '/users?domain_id=%s' % domain_id

        self.get(entity_url, auth=self.auth,
@ -861,7 +861,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
            domain_id=self.domainA['id'])

        self._test_user_management(
-            self.domainA['id'], expected=exception.ForbiddenAction.code)
+            self.domain_admin_user['id'], self.domainA['id'],
+            expected=exception.ForbiddenAction.code)

        # Now, authenticate with a user that does have the domain admin role
        self.auth = self.build_authentication_request(
@ -869,7 +870,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
            password=self.domain_admin_user['password'],
            domain_id=self.domainA['id'])

-        self._test_user_management(self.domainA['id'])
+        self._test_user_management(self.just_a_user['id'], self.domainA['id'])

    def test_user_management_normalized_keys(self):
        """Illustrate the inconsistent handling of hyphens in keys.
@ -956,7 +957,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
            password=self.cloud_admin_user['password'],
            project_id=self.admin_project['id'])

-        self._test_user_management(self.domainA['id'])
+        self._test_user_management(self.just_a_user['id'], self.domainA['id'])

    def test_group_management(self):
        # First, authenticate with a user that does not have the domain