Update endpoint policies for system admin

The endpoint policies were not taking the default roles work we did last release into account. This commit changes the default policies to rely on the ``admin`` role to create and delete endpoints. Subsequent patches will incorporate: - domain user test coverage - project user test coverage Change-Id: Ia6dc4526ece07e7fee614ec91b0953db8f180c2e Related-Bug: 1804482 Closes-Bug: 1804483
2018-11-21 17:32:45 +00:00 · 2018-11-21 17:32:45 +00:00 · cdbdcf85f7
commit cdbdcf85f7
parent 7e028774ac
3 changed files with 128 additions and 6 deletions
--- a/keystone/common/policies/endpoint.py
+++ b/keystone/common/policies/endpoint.py
@ -21,6 +21,15 @@ deprecated_get_endpoint = policy.DeprecatedRule(
 deprecated_list_endpoints = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
 )
+deprecated_update_endpoint = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+)
+deprecated_create_endpoint = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+)
+deprecated_delete_endpoint = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+)

 DEPRECATED_REASON = """
 As of the Stein release, the endpoint API now understands default roles and
@ -54,25 +63,34 @@ endpoint_policies = [
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_endpoint',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Create endpoint.',
        operations=[{'path': '/v3/endpoints',
-                     'method': 'POST'}]),
+                     'method': 'POST'}],
+        deprecated_rule=deprecated_create_endpoint,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_endpoint',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Update endpoint.',
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
-                     'method': 'PATCH'}]),
+                     'method': 'PATCH'}],
+        deprecated_rule=deprecated_update_endpoint,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_endpoint',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Delete endpoint.',
        operations=[{'path': '/v3/endpoints/{endpoint_id}',
-                     'method': 'DELETE'}])
+                     'method': 'DELETE'}],
+        deprecated_rule=deprecated_delete_endpoint,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN)
 ]


--- a/keystone/tests/unit/protection/v3/test_endpoints.py
+++ b/keystone/tests/unit/protection/v3/test_endpoints.py
@ -177,3 +177,76 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
            r = c.post('/v3/auth/tokens', json=auth)
            self.token_id = r.headers['X-Subject-Token']
            self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+                       common_auth.AuthTestMixin,
+                       _SystemUserEndpointTests):
+
+    def setUp(self):
+        super(SystemAdminTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        # Reuse the system administrator account created during
+        # ``keystone-manage bootstrap``
+        self.user_id = self.bootstrapper.admin_user_id
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=self.bootstrapper.admin_password,
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+    def test_user_can_create_endpoints(self):
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        create = {
+            'endpoint': {
+                'interface': 'public',
+                'service_id': service['id'],
+                'url': 'https://' + uuid.uuid4().hex + '.com'
+            }
+        }
+
+        with self.test_client() as c:
+            c.post('/v3/endpoints', json=create, headers=self.headers)
+
+    def test_user_can_update_endpoints(self):
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+        endpoint = PROVIDERS.catalog_api.create_endpoint(
+            endpoint['id'], endpoint
+        )
+
+        update = {'endpoint': {'interface': 'internal'}}
+
+        with self.test_client() as c:
+            c.patch(
+                '/v3/endpoints/%s' % endpoint['id'], json=update,
+                headers=self.headers
+            )
+
+    def test_user_can_delete_endpoints(self):
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+        endpoint = PROVIDERS.catalog_api.create_endpoint(
+            endpoint['id'], endpoint
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/endpoints/%s' % endpoint['id'], headers=self.headers,
+            )
--- a/releasenotes/notes/bug-1804483-1d9ccfcb24f25f51.yaml
+++ b/releasenotes/notes/bug-1804483-1d9ccfcb24f25f51.yaml
@ -0,0 +1,31 @@
+---
+features:
+  - |
+    [`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+    The endpoint API now supports the ``admin``, ``member``, and
+    ``reader`` default roles.
+upgrade:
+  - |
+    [`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+    The endpoint API uses new default policies that make it more
+    accessible to end users and administrators in a secure way. Please
+    consider these new defaults if your deployment overrides
+    endpoint policies.
+deprecations:
+  - |
+    [`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+    The endpoint policies have been deprecated. The ``identity:list_endpoints``
+    and ``identity:get_endpoint`` policies now use ``role:reader and system_scope:all``
+    instead of ``rule:admin_required``. The ``identity:create_endpoint``,
+    ``identity:update_endpoint``, and ``identity:delete_endpoint`` policies
+    now use ``role:admin and system_scope:all`` instead of ``rule:admin_required``.
+    These new defaults automatically account
+    for system-scope and support a read-only role, making it easier
+    for system administrators to delegate subsets of responsibility
+    without compromising security. Please consider these new defaults
+    if your deployment overrides the endpoint policies.
+security:
+  - |
+    [`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+    The endpoint API now uses system-scope and default roles to
+    provide better accessibility to users in a secure way.