Update endpoint policies for system admin

The endpoint policies were not taking the default roles work we did
last release into account. This commit changes the default policies
to rely on the ``admin`` role to create and delete endpoints.
Subsequent patches will incorporate:

 - domain user test coverage
 - project user test coverage

Change-Id: Ia6dc4526ece07e7fee614ec91b0953db8f180c2e
Related-Bug: 1804482
Closes-Bug: 1804483
This commit is contained in:
Lance Bragstad 2018-11-21 17:32:45 +00:00
parent 7e028774ac
commit cdbdcf85f7
3 changed files with 128 additions and 6 deletions

View File

@ -21,6 +21,15 @@ deprecated_get_endpoint = policy.DeprecatedRule(
deprecated_list_endpoints = policy.DeprecatedRule(
name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_update_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_create_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_delete_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
)
DEPRECATED_REASON = """
As of the Stein release, the endpoint API now understands default roles and
@ -54,25 +63,34 @@ endpoint_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create endpoint.',
operations=[{'path': '/v3/endpoints',
'method': 'POST'}]),
'method': 'POST'}],
deprecated_rule=deprecated_create_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update endpoint.',
operations=[{'path': '/v3/endpoints/{endpoint_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete endpoint.',
operations=[{'path': '/v3/endpoints/{endpoint_id}',
'method': 'DELETE'}])
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
]

View File

@ -177,3 +177,76 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserEndpointTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_endpoints(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
create = {
'endpoint': {
'interface': 'public',
'service_id': service['id'],
'url': 'https://' + uuid.uuid4().hex + '.com'
}
}
with self.test_client() as c:
c.post('/v3/endpoints', json=create, headers=self.headers)
def test_user_can_update_endpoints(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
update = {'endpoint': {'interface': 'internal'}}
with self.test_client() as c:
c.patch(
'/v3/endpoints/%s' % endpoint['id'], json=update,
headers=self.headers
)
def test_user_can_delete_endpoints(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
with self.test_client() as c:
c.delete(
'/v3/endpoints/%s' % endpoint['id'], headers=self.headers,
)

View File

@ -0,0 +1,31 @@
---
features:
- |
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
The endpoint API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
The endpoint API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
endpoint policies.
deprecations:
- |
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
The endpoint policies have been deprecated. The ``identity:list_endpoints``
and ``identity:get_endpoint`` policies now use ``role:reader and system_scope:all``
instead of ``rule:admin_required``. The ``identity:create_endpoint``,
``identity:update_endpoint``, and ``identity:delete_endpoint`` policies
now use ``role:admin and system_scope:all`` instead of ``rule:admin_required``.
These new defaults automatically account
for system-scope and support a read-only role, making it easier
for system administrators to delegate subsets of responsibility
without compromising security. Please consider these new defaults
if your deployment overrides the endpoint policies.
security:
- |
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
The endpoint API now uses system-scope and default roles to
provide better accessibility to users in a secure way.