Remove obsolete grant policies from policy.v3cloudsample.json
This commit also removes an obsolete test case from test_v3_protection.py. Co-Authored-By: Colleen Murphy <colleen@gazlene.net> Change-Id: Ic0a654494f96d5dffa0c4d4d96766ab4a2e090b1 Related-Bug: 1806762
parent
d7c424d220
commit
cf22f8004e
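--- a/policy.v3cloudsample.json
+++ b/policy.v3cloudsample.json
@@ -29,20 +29,6 @@
     "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
     "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
 
-    "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
-    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
-    "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
-    "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
-    "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
-    "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
-    "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
-    "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
-    "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
-    "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
-    "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
-
     "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
     "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
     "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",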
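--- a/<path not shown on page: module defining PolicyJsonTestCase>
+++ b/<path not shown on page: module defining PolicyJsonTestCase>
@@ -185,6 +185,7 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:add_endpoint_to_project',
             'identity:add_user_to_group',
             'identity:authorize_request_token',
+            'identity:check_grant',
             'identity:check_endpoint_in_project',
             'identity:check_implied_role',
             'identity:check_policy_association_for_endpoint',
@@ -200,6 +201,7 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:create_domain_role',
             'identity:create_endpoint',
             'identity:create_endpoint_group',
+            'identity:create_grant',
             'identity:create_group',
             'identity:create_identity_provider',
             'identity:create_implied_role',
@@ -295,6 +297,7 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:list_endpoints_associated_with_endpoint_group',
             'identity:list_endpoints_for_policy',
             'identity:list_endpoints_for_project',
+            'identity:list_grants',
             'identity:list_groups',
             'identity:list_groups_for_user',
             'identity:list_identity_providers',
@@ -328,6 +331,7 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:remove_endpoint_group_from_project',
             'identity:remove_user_from_group',
             'identity:revocation_list',
+            'identity:revoke_grant',
             'identity:revoke_system_grant_for_group',
             'identity:revoke_system_grant_for_user',
             'identity:update_consumer',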
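Review bot: In the first hunk (@ -185,6 +185,7) the new entry `'identity:check_grant',` is inserted before `'identity:check_endpoint_in_project',`, which breaks the alphabetical order the surrounding entries follow ("check_e…" sorts before "check_g…"); the other three insertions (`create_grant`, `list_grants`, `revoke_grant`) land in the right place. Moving it one entry down, between `'identity:check_endpoint_in_project',` and `'identity:check_implied_role',`, keeps the list scannable and makes a later duplicate easier to spot. The list literal starts and ends outside the hunk, and the page does not show how the list is consumed or which file it lives in, so whether the order matters to the test itself cannot be judged from here.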
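--- a/test_v3_protection.py
+++ b/test_v3_protection.py
@@ -964,28 +964,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         # other than its own domain or not
         self._test_project_management(self.domainA['id'])
 
-    def test_domain_grants(self):
-        self.auth = self.build_authentication_request(
-            user_id=self.just_a_user['id'],
-            password=self.just_a_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_grants('domains', self.domainA['id'],
-                          expected=exception.ForbiddenAction.code)
-
-        # Now, authenticate with a user that does have the domain admin role
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_grants('domains', self.domainA['id'])
-
-        # Check that with such a token we cannot modify grants on a
-        # different domain
-        self._test_grants('domains', self.domainB['id'],
-                          expected=exception.ForbiddenAction.code)
-
     def test_domain_grants_by_cloud_admin(self):
         # Test domain grants with a cloud admin. This user should be
         # able to manage roles on any domain.
@@ -1021,27 +999,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
                           role_domain_id=self.domainB['id'],
                           expected=exception.ForbiddenAction.code)
 
-    def test_domain_grants_by_domain_admin_for_domain_specific_role(self):
-        # Authenticate with a user that does have the domain admin role,
-        # should not be able to assign a domain_specific role from another
-        # domain
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_grants('domains', self.domainA['id'],
-                          role_domain_id=self.domainB['id'],
-                          # List status will always be OK, since we are not
-                          # granting/checking/deleting assignments
-                          list_status_OK=True,
-                          expected=exception.ForbiddenAction.code)
-
-        # They should be able to assign a domain specific role from the same
-        # domain
-        self._test_grants('domains', self.domainA['id'],
-                          role_domain_id=self.domainA['id'])
-
     def test_project_grants(self):
         self.auth = self.build_authentication_request(
             user_id=self.just_a_user['id'],
@@ -1084,48 +1041,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
                           role_domain_id=self.domainB['id'],
                           expected=exception.ForbiddenAction.code)
 
-    def test_project_grants_by_project_admin_for_domain_specific_role(self):
-        # Authenticate with a user that does have the project admin role,
-        # should not be able to assign a domain_specific role from another
-        # domain
-        self.auth = self.build_authentication_request(
-            user_id=self.project_admin_user['id'],
-            password=self.project_admin_user['password'],
-            project_id=self.project['id'])
-
-        self._test_grants('projects', self.project['id'],
-                          role_domain_id=self.domainB['id'],
-                          # List status will always be OK, since we are not
-                          # granting/checking/deleting assignments
-                          list_status_OK=True,
-                          expected=exception.ForbiddenAction.code)
-
-        # They should be able to assign a domain specific role from the same
-        # domain
-        self._test_grants('projects', self.project['id'],
-                          role_domain_id=self.domainA['id'])
-
-    def test_project_grants_by_domain_admin_for_domain_specific_role(self):
-        # Authenticate with a user that does have the domain admin role,
-        # should not be able to assign a domain_specific role from another
-        # domain
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_grants('projects', self.project['id'],
-                          role_domain_id=self.domainB['id'],
-                          # List status will always be OK, since we are not
-                          # granting/checking/deleting assignments
-                          list_status_OK=True,
-                          expected=exception.ForbiddenAction.code)
-
-        # They should be able to assign a domain specific role from the same
-        # domain
-        self._test_grants('projects', self.project['id'],
-                          role_domain_id=self.domainA['id'])
-
     def test_cloud_admin_list_assignments_of_domain(self):
         self.auth = self.build_authentication_request(
             user_id=self.cloud_admin_user['id'],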
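--- /dev/null
+++ b/<release note path not shown on page>.yaml
@@ -0,0 +1,13 @@
+---
+upgrade:
+  - |
+    [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+    The grant policies defined in ``policy.v3cloudsample.json`` have been
+    removed. These policies are now obsolete after incorporating system-scope
+    and domain-scope into the grant API and implementing default roles.
+fixes:
+  - |
+    [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+    The grant policies in ``policy.v3cloudsample.json`` policy file have been
+    removed in favor of better defaults in code. These policies weren't tested
+    exhaustively and were misleading to users and operators.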