Update endpoint policies for system admin
The endpoint policies were not taking the default roles work we did last release into account. This commit changes the default policies to rely on the ``admin`` role to create and delete endpoints.

Subsequent patches will incorporate:
- domain user test coverage
- project user test coverage

Change-Id: Ia6dc4526ece07e7fee614ec91b0953db8f180c2e
Related-Bug: 1804482
Closes-Bug: 1804483
This commit is contained in:
parent
7e028774ac
commit
cdbdcf85f7
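--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -21,6 +21,15 @@ deprecated_get_endpoint = policy.DeprecatedRule(
 deprecated_list_endpoints = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
 )
+deprecated_update_endpoint = policy.DeprecatedRule(
+name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+)
+deprecated_create_endpoint = policy.DeprecatedRule(
+name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+)
+deprecated_delete_endpoint = policy.DeprecatedRule(
+name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+)
 
 DEPRECATED_REASON = """
 As of the Stein release, the endpoint API now understands default roles and
@@ -54,25 +63,34 @@ endpoint_policies = [
 deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_endpoint',
-check_str=base.RULE_ADMIN_REQUIRED,
+check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Create endpoint.',
 operations=[{'path': '/v3/endpoints',
-'method': 'POST'}]),
+'method': 'POST'}],
+deprecated_rule=deprecated_create_endpoint,
+deprecated_reason=DEPRECATED_REASON,
+deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_endpoint',
-check_str=base.RULE_ADMIN_REQUIRED,
+check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Update endpoint.',
 operations=[{'path': '/v3/endpoints/{endpoint_id}',
-'method': 'PATCH'}]),
+'method': 'PATCH'}],
+deprecated_rule=deprecated_update_endpoint,
+deprecated_reason=DEPRECATED_REASON,
+deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_endpoint',
-check_str=base.RULE_ADMIN_REQUIRED,
+check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Delete endpoint.',
 operations=[{'path': '/v3/endpoints/{endpoint_id}',
-'method': 'DELETE'}])
+'method': 'DELETE'}],
+deprecated_rule=deprecated_delete_endpoint,
+deprecated_reason=DEPRECATED_REASON,
+deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 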
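Review bot: The move from `base.RULE_ADMIN_REQUIRED` to `base.SYSTEM_ADMIN` on `create_endpoint`, `update_endpoint` and `delete_endpoint` does not tighten the effective policy on its own: as far as I recall of oslo.policy's deprecation handling, while a `deprecated_rule` is attached the legacy `rule:admin_required` check is still evaluated as an alternative to the new check string, so a project-scoped admin token keeps passing these three rules until the deprecated rules are removed or scope enforcement is enabled. That is the intended migration path, but the module-level `DEPRECATED_REASON` (only its first line is visible in this hunk) should state it, e.g. add `Until the deprecated rules are removed, the legacy rule:admin_required check is still honoured alongside the new default; enable [oslo_policy] enforce_scope to reject project-scoped tokens.` The only test added in this commit runs with `enforce_scope=True`, so the fallback behaviour operators will actually see on upgrade appears to be exercised nowhere here.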
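--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -177,3 +177,76 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
 r = c.post('/v3/auth/tokens', json=auth)
 self.token_id = r.headers['X-Subject-Token']
 self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+common_auth.AuthTestMixin,
+_SystemUserEndpointTests):
+
+def setUp(self):
+super(SystemAdminTests, self).setUp()
+self.loadapp()
+self.useFixture(ksfixtures.Policy(self.config_fixture))
+self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+# Reuse the system administrator account created during
+# ``keystone-manage bootstrap``
+self.user_id = self.bootstrapper.admin_user_id
+auth = self.build_authentication_request(
+user_id=self.user_id,
+password=self.bootstrapper.admin_password,
+system=True
+)
+
+# Grab a token using the persona we're testing and prepare headers
+# for requests we'll be making in the tests.
+with self.test_client() as c:
+r = c.post('/v3/auth/tokens', json=auth)
+self.token_id = r.headers['X-Subject-Token']
+self.headers = {'X-Auth-Token': self.token_id}
+
+def test_user_can_create_endpoints(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+create = {
+'endpoint': {
+'interface': 'public',
+'service_id': service['id'],
+'url': 'https://' + uuid.uuid4().hex + '.com'
+}
+}
+
+with self.test_client() as c:
+c.post('/v3/endpoints', json=create, headers=self.headers)
+
+def test_user_can_update_endpoints(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+endpoint = PROVIDERS.catalog_api.create_endpoint(
+endpoint['id'], endpoint
+)
+
+update = {'endpoint': {'interface': 'internal'}}
+
+with self.test_client() as c:
+c.patch(
+'/v3/endpoints/%s' % endpoint['id'], json=update,
+headers=self.headers
+)
+
+def test_user_can_delete_endpoints(self):
+service = PROVIDERS.catalog_api.create_service(
+uuid.uuid4().hex, unit.new_service_ref()
+)
+endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+endpoint = PROVIDERS.catalog_api.create_endpoint(
+endpoint['id'], endpoint
+)
+
+with self.test_client() as c:
+c.delete(
+'/v3/endpoints/%s' % endpoint['id'], headers=self.headers,
+)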
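Review bot: `SystemAdminTests` covers only the allow path for the bootstrap admin; the deny path that actually demonstrates the tightening to `base.SYSTEM_ADMIN` — a system member or reader token receiving 403 on POST `/v3/endpoints` and on PATCH/DELETE of `/v3/endpoints/{endpoint_id}` — is not in this hunk, and if `SystemMemberTests` (whose body starts before this hunk) does not already carry those negative cases they belong alongside this class. The three `test_user_can_*` methods never inspect the response and so appear to rely on the test client asserting a default success status; making that explicit, e.g. `r = c.post('/v3/endpoints', json=create, headers=self.headers)` followed by `self.assertEqual(201, r.status_code)`, keeps a later change to the client's defaults from silently turning these into no-ops. Finally, `setUp` repeats the token-fetching sequence visible in the preceding `SystemMemberTests` context lines (`c.post('/v3/auth/tokens', json=auth)`, `X-Subject-Token`, `self.headers`); a small helper on `_SystemUserEndpointTests` that takes the auth request dict would remove the duplication across the persona classes.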
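--- /dev/null
+++ b/releasenotes/notes/bug-1804483-1d9ccfcb24f25f51.yaml
@@ -0,0 +1,31 @@
+---
+features:
+- |
+[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+The endpoint API now supports the ``admin``, ``member``, and
+``reader`` default roles.
+upgrade:
+- |
+[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+The endpoint API uses new default policies that make it more
+accessible to end users and administrators in a secure way. Please
+consider these new defaults if your deployment overrides
+endpoint policies.
+deprecations:
+- |
+[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+The endpoint policies have been deprecated. The ``identity:list_endpoints``
+and ``identity:get_endpoint`` policies now use ``role:reader and system_scope:all``
+instead of ``rule:admin_required``. The ``identity:create_endpoint``,
+``identity:update_endpoint``, and ``identity:delete_endpoint`` policies
+now use ``role:admin and system_scope:all`` instead of ``rule:admin_required``.
+These new defaults automatically account
+for system-scope and support a read-only role, making it easier
+for system administrators to delegate subsets of responsibility
+without compromising security. Please consider these new defaults
+if your deployment overrides the endpoint policies.
+security:
+- |
+[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
+The endpoint API now uses system-scope and default roles to
+provide better accessibility to users in a secure way.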