Remove policy.v3cloudsample.json
We've made all the default policies keystone supports better by incorporating default roles and scope types. These changes have made the ``policy.v3cloudsample.json`` file obsolete. Let's simplify things for users, operators, and developers by removing it. A follow-on patch will remove the test_v3_protection.py file since those behaviors are passing all the protection tests with the default policies in code. Related-Bug: 1805880 Closes-Bug: 1630434 Closes-Bug: 1806762 Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
This commit is contained in:
parent
e860c69831
commit
d4a6023de5
@ -1,30 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin",
|
||||
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
||||
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
|
||||
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
|
||||
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
|
||||
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
|
||||
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
|
||||
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
|
||||
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
|
||||
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
|
||||
|
||||
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
|
||||
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
|
||||
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
|
||||
|
||||
"identity:check_token": "rule:admin_or_owner",
|
||||
"identity:validate_token": "rule:service_admin_or_owner",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_owner"
|
||||
}
|
@ -13,7 +13,6 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import json
|
||||
import os
|
||||
import subprocess
|
||||
import uuid
|
||||
@ -21,7 +20,6 @@ import uuid
|
||||
import mock
|
||||
from oslo_policy import policy as common_policy
|
||||
import six
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import policies
|
||||
from keystone.common.rbac_enforcer import policy
|
||||
@ -177,215 +175,6 @@ class PolicyJsonTestCase(unit.TestCase):
|
||||
rules[rule.name] = rule.check_str
|
||||
return rules
|
||||
|
||||
def test_json_examples_have_matching_entries(self):
|
||||
# TODO(lbragstad): Once all policies have been removed from
|
||||
# policy.v3cloudsample.json, remove this test.
|
||||
removed_policies = [
|
||||
'identity:add_endpoint_group_to_project',
|
||||
'identity:add_endpoint_to_project',
|
||||
'identity:add_user_to_group',
|
||||
'identity:authorize_request_token',
|
||||
'identity:check_grant',
|
||||
'identity:check_endpoint_in_project',
|
||||
'identity:check_implied_role',
|
||||
'identity:check_policy_association_for_endpoint',
|
||||
'identity:check_policy_association_for_region_and_service',
|
||||
'identity:check_policy_association_for_service',
|
||||
'identity:check_system_grant_for_group',
|
||||
'identity:check_system_grant_for_user',
|
||||
'identity:check_user_in_group',
|
||||
'identity:create_application_credential',
|
||||
'identity:create_consumer',
|
||||
'identity:create_credential',
|
||||
'identity:create_domain',
|
||||
'identity:create_domain_config',
|
||||
'identity:create_domain_role',
|
||||
'identity:create_endpoint',
|
||||
'identity:create_endpoint_group',
|
||||
'identity:create_grant',
|
||||
'identity:create_group',
|
||||
'identity:create_identity_provider',
|
||||
'identity:create_implied_role',
|
||||
'identity:create_limits',
|
||||
'identity:create_mapping',
|
||||
'identity:create_policy',
|
||||
'identity:create_policy_association_for_endpoint',
|
||||
'identity:create_policy_association_for_region_and_service',
|
||||
'identity:create_policy_association_for_service',
|
||||
'identity:create_project',
|
||||
'identity:create_project_tag',
|
||||
'identity:create_protocol',
|
||||
'identity:create_region',
|
||||
'identity:create_registered_limits',
|
||||
'identity:create_role',
|
||||
'identity:create_service',
|
||||
'identity:create_service_provider',
|
||||
'identity:create_system_grant_for_group',
|
||||
'identity:create_system_grant_for_user',
|
||||
'identity:create_trust',
|
||||
'identity:create_user',
|
||||
'identity:delete_access_rule',
|
||||
'identity:delete_access_token',
|
||||
'identity:delete_application_credential',
|
||||
'identity:delete_consumer',
|
||||
'identity:delete_credential',
|
||||
'identity:delete_domain',
|
||||
'identity:delete_domain_config',
|
||||
'identity:delete_domain_role',
|
||||
'identity:delete_endpoint',
|
||||
'identity:delete_endpoint_group',
|
||||
'identity:delete_group',
|
||||
'identity:delete_identity_provider',
|
||||
'identity:delete_implied_role',
|
||||
'identity:delete_mapping',
|
||||
'identity:delete_limit',
|
||||
'identity:delete_policy',
|
||||
'identity:delete_policy_association_for_endpoint',
|
||||
'identity:delete_policy_association_for_region_and_service',
|
||||
'identity:delete_policy_association_for_service',
|
||||
'identity:delete_project',
|
||||
'identity:delete_project_tag',
|
||||
'identity:delete_project_tags',
|
||||
'identity:delete_protocol',
|
||||
'identity:delete_region',
|
||||
'identity:delete_registered_limit',
|
||||
'identity:delete_role',
|
||||
'identity:delete_service',
|
||||
'identity:delete_service_provider',
|
||||
'identity:delete_trust',
|
||||
'identity:delete_user',
|
||||
'identity:ec2_create_credential',
|
||||
'identity:ec2_delete_credential',
|
||||
'identity:ec2_get_credential',
|
||||
'identity:ec2_list_credentials',
|
||||
'identity:get_access_rule',
|
||||
'identity:get_access_token',
|
||||
'identity:get_access_token_role',
|
||||
'identity:get_application_credential',
|
||||
'identity:get_auth_catalog',
|
||||
'identity:get_auth_domains',
|
||||
'identity:get_auth_projects',
|
||||
'identity:get_auth_system',
|
||||
'identity:get_consumer',
|
||||
'identity:get_credential',
|
||||
'identity:get_domain',
|
||||
'identity:get_domain_config',
|
||||
'identity:get_domain_config_default',
|
||||
'identity:get_domain_role',
|
||||
'identity:get_endpoint',
|
||||
'identity:get_endpoint_group',
|
||||
'identity:get_endpoint_group_in_project',
|
||||
'identity:get_group',
|
||||
'identity:get_identity_provider',
|
||||
'identity:get_implied_role',
|
||||
'identity:get_limit',
|
||||
'identity:get_limit_model',
|
||||
'identity:get_mapping',
|
||||
'identity:get_policy',
|
||||
'identity:get_policy_for_endpoint',
|
||||
'identity:get_project_tag',
|
||||
'identity:get_project',
|
||||
'identity:get_protocol',
|
||||
'identity:get_region',
|
||||
'identity:get_registered_limit',
|
||||
'identity:get_role',
|
||||
'identity:get_role_for_trust',
|
||||
'identity:get_security_compliance_domain_config',
|
||||
'identity:get_service',
|
||||
'identity:get_service_provider',
|
||||
'identity:get_trust',
|
||||
'identity:get_user',
|
||||
'identity:list_access_rules',
|
||||
'identity:list_access_token_roles',
|
||||
'identity:list_access_tokens',
|
||||
'identity:list_application_credentials',
|
||||
'identity:list_consumers',
|
||||
'identity:list_credentials',
|
||||
'identity:list_domain_roles',
|
||||
'identity:list_domains',
|
||||
'identity:list_domains_for_user',
|
||||
'identity:list_endpoint_groups',
|
||||
'identity:list_endpoint_groups_for_project',
|
||||
'identity:list_endpoints',
|
||||
'identity:list_endpoints_associated_with_endpoint_group',
|
||||
'identity:list_endpoints_for_policy',
|
||||
'identity:list_endpoints_for_project',
|
||||
'identity:list_grants',
|
||||
'identity:list_groups',
|
||||
'identity:list_groups_for_user',
|
||||
'identity:list_identity_providers',
|
||||
'identity:list_implied_roles',
|
||||
'identity:list_limits',
|
||||
'identity:list_mappings',
|
||||
'identity:list_policies',
|
||||
'identity:list_projects',
|
||||
'identity:list_projects_associated_with_endpoint_group',
|
||||
'identity:list_projects_for_endpoint',
|
||||
'identity:list_projects_for_user',
|
||||
'identity:list_project_tags',
|
||||
'identity:list_protocols',
|
||||
'identity:list_regions',
|
||||
'identity:list_registered_limits',
|
||||
'identity:list_revoke_events',
|
||||
'identity:list_role_assignments',
|
||||
'identity:list_role_inference_rules',
|
||||
'identity:list_roles',
|
||||
'identity:list_roles_for_trust',
|
||||
'identity:list_service_providers',
|
||||
'identity:list_services',
|
||||
'identity:list_system_grants_for_group',
|
||||
'identity:list_system_grants_for_user',
|
||||
'identity:list_trusts',
|
||||
'identity:list_trusts_for_trustee',
|
||||
'identity:list_trusts_for_trustor',
|
||||
'identity:list_user_projects',
|
||||
'identity:list_users',
|
||||
'identity:list_users_in_group',
|
||||
'identity:remove_endpoint_from_project',
|
||||
'identity:remove_endpoint_group_from_project',
|
||||
'identity:remove_user_from_group',
|
||||
'identity:revocation_list',
|
||||
'identity:revoke_grant',
|
||||
'identity:revoke_system_grant_for_group',
|
||||
'identity:revoke_system_grant_for_user',
|
||||
'identity:update_consumer',
|
||||
'identity:update_credential',
|
||||
'identity:update_domain',
|
||||
'identity:update_domain_config',
|
||||
'identity:update_domain_role',
|
||||
'identity:update_endpoint',
|
||||
'identity:update_endpoint_group',
|
||||
'identity:update_group',
|
||||
'identity:update_identity_provider',
|
||||
'identity:update_limit',
|
||||
'identity:update_mapping',
|
||||
'identity:update_policy',
|
||||
'identity:update_project',
|
||||
'identity:update_project_tags',
|
||||
'identity:update_protocol',
|
||||
'identity:update_region',
|
||||
'identity:update_registered_limit',
|
||||
'identity:update_role',
|
||||
'identity:update_service',
|
||||
'identity:update_service_provider',
|
||||
'identity:update_user',
|
||||
'service_or_admin',
|
||||
'service_role',
|
||||
]
|
||||
policy_keys = self._get_default_policy_rules()
|
||||
for p in removed_policies:
|
||||
del policy_keys[p]
|
||||
cloud_policy_keys = set(
|
||||
json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
|
||||
|
||||
policy_extra_keys = ['admin_or_token_subject',
|
||||
'service_admin_or_token_subject',
|
||||
'token_subject', ]
|
||||
expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
|
||||
diffs = set(policy_keys).difference(set(expected_policy_keys))
|
||||
|
||||
self.assertThat(diffs, matchers.Equals(set()))
|
||||
|
||||
def test_policies_loads(self):
|
||||
action = 'identity:list_projects'
|
||||
target = {'user_id': uuid.uuid4().hex,
|
||||
@ -406,11 +195,6 @@ class PolicyJsonTestCase(unit.TestCase):
|
||||
credentials)
|
||||
self.assertTrue(result)
|
||||
|
||||
domain_policy = unit.dirs.etc('policy.v3cloudsample.json')
|
||||
enforcer = common_policy.Enforcer(CONF, policy_file=domain_policy)
|
||||
result = enforcer.enforce(action, target, credentials)
|
||||
self.assertTrue(result)
|
||||
|
||||
def test_all_targets_documented(self):
|
||||
policy_keys = self._get_default_policy_rules()
|
||||
|
||||
|
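Review bot: With the `domain_policy` enforcer removed in the last hunk (`@ -406,11 +195,6 @@`), the only assertion left in `test_policies_loads` is the context line `self.assertTrue(result)`, which checks that the in-code default for `identity:list_projects` permits the built credentials; nothing in this module still exercises loading a policy file through `policy_file=`. If file-based overrides remain a supported operator path (the release note in this commit suggests they do), a short test that writes a temporary JSON policy via `tempfile` and enforces against it would keep that behaviour covered. The imports hunk at `@ -21,7 +20,6 @@` drops one line; if `common_policy` and `matchers` are no longer referenced once `test_json_examples_have_matching_entries` and the second enforcer are gone, they should be removed as well, though the rest of the module is outside this view. `test_policies_loads` starts outside the hunk that edits it.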
@ -2906,12 +2906,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
||||
domain_id=self.domainA['id']
|
||||
)
|
||||
|
||||
def _policy_fixture(self):
|
||||
return ksfixtures.Policy(
|
||||
self.config_fixture,
|
||||
policy_file=unit.dirs.etc('policy.v3cloudsample.json')
|
||||
)
|
||||
|
||||
def test_user_revokes_own_token(self):
|
||||
user_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
@ -2988,37 +2982,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
|
||||
def test_adminB_fails_revoking_userA_token(self):
|
||||
# DomainB setup
|
||||
self.domainB = unit.new_domain_ref()
|
||||
PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
|
||||
userAdminB = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainB['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role['id'], user_id=userAdminB['id'],
|
||||
domain_id=self.domainB['id']
|
||||
)
|
||||
|
||||
user_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userNormalA['id'],
|
||||
password=self.userNormalA['password'],
|
||||
user_domain_id=self.domainA['id']))
|
||||
headers = {'X-Subject-Token': user_token}
|
||||
|
||||
adminB_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=userAdminB['id'],
|
||||
password=userAdminB['password'],
|
||||
domain_name=self.domainB['name']))
|
||||
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.FORBIDDEN,
|
||||
token=adminB_token)
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.FORBIDDEN,
|
||||
token=adminB_token)
|
||||
|
||||
|
||||
class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||
"""Test token revocation on the v3 Identity API."""
|
||||
|
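Review bot: `test_adminB_fails_revoking_userA_token` in the second hunk is deleted outright rather than re-expressed against the default policy, so this class no longer asserts that a domain admin from domainB receives FORBIDDEN on `HEAD` and `DELETE` of a domainA user's token; the tests that remain in view (`test_user_revokes_own_token` and the adminA case ending in NOT_FOUND at the top of `@ -2988,37 +2982,6 @@`) cover only the same-user and same-domain paths. If the in-code defaults are intended to enforce that cross-domain separation, keeping the test and adjusting only the expected status where the defaults differ would preserve the negative coverage; if they deliberately allow it, a one-line comment in the class recording that decision would stop the next reader from re-adding the test. The enclosing class `TestTokenRevokeSelfAndAdmin` starts outside both hunks.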
@ -643,12 +643,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||
test_v3.AssignmentTestMixin):
|
||||
"""Test policy enforcement of the sample v3 cloud policy file."""
|
||||
|
||||
def _policy_fixture(self):
|
||||
return ksfixtures.Policy(
|
||||
self.config_fixture,
|
||||
policy_file=unit.dirs.etc('policy.v3cloudsample.json')
|
||||
)
|
||||
|
||||
def setUp(self):
|
||||
"""Setup for v3 Cloud Policy Sample Test Cases.
|
||||
|
||||
@ -1167,55 +1161,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
||||
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
||||
|
||||
def test_domain_admin_list_assignment_tree(self):
|
||||
# Add a child project to the standard test data
|
||||
sub_project = unit.new_project_ref(domain_id=self.domainA['id'],
|
||||
parent_id=self.project['id'])
|
||||
PROVIDERS.resource_api.create_project(sub_project['id'], sub_project)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role['id'], user_id=self.just_a_user['id'],
|
||||
project_id=sub_project['id']
|
||||
)
|
||||
|
||||
collection_url = self.build_role_assignment_query_url(
|
||||
project_id=self.project['id'])
|
||||
collection_url += '&include_subtree=True'
|
||||
|
||||
# The domain admin should be able to list the assignment tree
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.domain_admin_user['id'],
|
||||
password=self.domain_admin_user['password'],
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
r = self.get(collection_url, auth=auth)
|
||||
self.assertValidRoleAssignmentListResponse(
|
||||
r, expected_length=3, resource_url=collection_url)
|
||||
|
||||
# A project admin should not be able to
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.project_admin_user['id'],
|
||||
password=self.project_admin_user['password'],
|
||||
project_id=self.project['id'])
|
||||
|
||||
r = self.get(collection_url, auth=auth,
|
||||
expected_status=http_client.FORBIDDEN)
|
||||
|
||||
# A neither should a domain admin from a different domain
|
||||
domainB_admin_user = unit.create_user(
|
||||
PROVIDERS.identity_api,
|
||||
domain_id=self.domainB['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.admin_role['id'], user_id=domainB_admin_user['id'],
|
||||
domain_id=self.domainB['id']
|
||||
)
|
||||
auth = self.build_authentication_request(
|
||||
user_id=domainB_admin_user['id'],
|
||||
password=domainB_admin_user['password'],
|
||||
domain_id=self.domainB['id'])
|
||||
|
||||
r = self.get(collection_url, auth=auth,
|
||||
expected_status=http_client.FORBIDDEN)
|
||||
|
||||
def test_domain_user_list_assignments_of_project_failed(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
|
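Review bot: The class docstring that survives as context at the top of the first hunk, `"""Test policy enforcement of the sample v3 cloud policy file."""`, is now wrong on the new side, because the `_policy_fixture` override that pointed the class at that file is removed and the class will run against the in-code defaults; either update it to `"""Test policy enforcement against the in-code default policies."""` or note in it that the class is slated for removal by the follow-on patch mentioned in the commit message. The second hunk also deletes `test_domain_admin_list_assignment_tree` together with its two FORBIDDEN expectations (a project admin and a domain admin of another domain listing a project subtree), so unless those negative cases are asserted elsewhere against the defaults, an over-permissive `identity:list_role_assignments_for_tree` would no longer be caught here. `IdentityTestv3CloudPolicySample` starts and ends outside the hunks.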
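--- /dev/null
+++ b/releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml
@@ -0,0 +1,21 @@
+---
+upgrade:
+- |
+[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+[`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
+The entire ``policy.v3cloudsample.json`` file has been removed. If you
+were using this policy file to supply overrides in your deployment, you
+should consider using the defaults in code and setting ``keystone.conf
+[oslo_policy] enforce_scope=True``. The new policy defaults are more
+flexible, they're tested extensively, and they solve all the problems the
+``policy.v3cloudsample.json`` file was trying to solve.
+fixes:
+- |
+[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+[`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
+The entire ``policy.v3cloudsample.json`` file has been removed. If you
+were using this policy file to supply overrides in your deployment, you
+should consider using the defaults in code and setting ``keystone.conf
+[oslo_policy] enforce_scope=True``. The new policy defaults are more
+flexible, they're tested extensively, and they solve all the problems the
+``policy.v3cloudsample.json`` file was trying to solve.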