listing revoke events should be admin only

Currently any authenticated user can list revocation events, and this data
contains IDs for users and projects. It should not be made available to
every user that is able to authenticate; it should be an admin-only
API call.

Change-Id: I4290163c67c84ef0e1a2f6ee967ddf2acb2c3212
Closes-Bug: 1649446
This commit is contained in:
Steve Martinelli 2017-01-05 00:41:34 -05:00
parent 0e1a6260be
commit d4a890a6c8
4 changed files with 57 additions and 2 deletions


@ -176,7 +176,7 @@
"identity:list_projects_for_user": "",
"identity:list_domains_for_user": "",
"identity:list_revoke_events": "",
"identity:list_revoke_events": "rule:service_or_admin",
"identity:create_policy_association_for_endpoint": "rule:admin_required",
"identity:check_policy_association_for_endpoint": "rule:admin_required",
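Review bot: The new value on the second `identity:list_revoke_events` line, `rule:service_or_admin`, is wider than the commit title's "admin only": whoever satisfies the service half of that rule (its definition is outside this hunk) can still read the event list, which carries user and project IDs, while the neighbouring `create_policy_association_for_endpoint` and `check_policy_association_for_endpoint` entries are gated on `rule:admin_required` alone. Presumably the service grant is deliberate so that token-validating services can keep fetching revocation events; if so, the commit message should say so rather than "admin only", and if not, `"identity:list_revoke_events": "rule:admin_required"` matches the title and the surrounding entries. Either way the new test only exercises the admin half, so the service half is unverified.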


@ -203,7 +203,7 @@
"identity:list_projects_for_user": "",
"identity:list_domains_for_user": "",
"identity:list_revoke_events": "",
"identity:list_revoke_events": "rule:service_or_admin",
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
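Review bot: In this sample the surrounding endpoint-policy entries are gated on `rule:cloud_admin`, but the new `identity:list_revoke_events` value uses `rule:service_or_admin`, so the two files now disagree on which admin tier may read a list that spans every user and project in the deployment. The definitions of `service_or_admin` and `cloud_admin` are outside the hunk, so I cannot tell whether a project- or domain-scoped admin qualifies here — if it does, a cloud-wide read is being granted below the tier this file uses for comparable calls. Please confirm the intent, or gate it consistently, e.g. `"identity:list_revoke_events": "rule:cloud_admin or rule:<service rule used in this file>"`.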


@ -605,6 +605,24 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
self.delete('/auth/tokens', token=admin_token,
headers={'X-Subject-Token': user_token})
def test_list_revoke_events_is_protected(self):
# An admin can list revoke events, a regular user cannot
# This is GET /v3/OS-REVOKE/events
admin_auth = self.build_authentication_request(
user_id=self.admin_user['id'],
password=self.admin_user['password'],
project_id=self.project['id'])
admin_token = self.get_requested_token(admin_auth)
user_auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
password=self.just_a_user['password'])
user_token = self.get_requested_token(user_auth)
self.get('/OS-REVOKE/events', token=admin_token)
self.get('/OS-REVOKE/events', token=user_token, expected_status=403)
class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
test_v3.AssignmentTestMixin):
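Review bot: The negative case at the end of the hunk only proves that an unscoped token for just_a_user is refused — the `user_auth` request carries no project_id — so the more common case, a non-admin user holding a project-scoped token, is not exercised and a regression that granted access based on project roles would pass this test. Presumably the fixture gives just_a_user a role on self.project, the same project the admin scopes to a few lines above; if so, add a scoped request and expect 403 as well, otherwise grant one via a role assignment first. The service half of `service_or_admin` that the release note describes has no positive test either, and the admin call asserts nothing about the response body. The enclosing IdentityTestPolicySample class starts outside the hunk.
```python
        # … unchanged: admin request and unscoped-user request above …
        # A project-scoped non-admin token must be refused too; the policy
        # rule is presumably evaluated against the scoped token's roles, so
        # the unscoped case above does not cover it.
        scoped_user_auth = self.build_authentication_request(
            user_id=self.just_a_user['id'],
            password=self.just_a_user['password'],
            project_id=self.project['id'])
        scoped_user_token = self.get_requested_token(scoped_user_auth)
        self.get('/OS-REVOKE/events', token=scoped_user_token,
                 expected_status=403)
```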
@ -1778,6 +1796,24 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.delete('/auth/tokens', token=admin_token,
headers={'X-Subject-Token': user_token})
def test_list_revoke_events_is_protected(self):
# An admin can list revoke events, a regular user cannot
# This is GET /v3/OS-REVOKE/events
admin_auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
admin_token = self.get_requested_token(admin_auth)
user_auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
password=self.just_a_user['password'])
user_token = self.get_requested_token(user_auth)
self.get('/OS-REVOKE/events', token=admin_token)
self.get('/OS-REVOKE/events', token=user_token, expected_status=403)
def test_user_with_a_role_get_project(self):
user_auth = self.build_authentication_request(
user_id=self.just_a_user['id'],


@ -0,0 +1,19 @@
---
fixes:
- |
[`Bug 1649446 <https://bugs.launchpad.net/keystone/+bug/1651989>`_]
The default policy for listing revocation events has changed. Previously,
any authenticated user could list revocation events; it is now, by default,
an admin or service user only function. This can be changed by modifying
the policy file being used by keystone.
upgrade:
- |
[`Related to Bug 1649446 <https://bugs.launchpad.net/keystone/+bug/1649446>`_]
The ``identity:list_revoke_events`` rule has been changed in both sample
policy files, ``policy.json`` and ``policy.v3cloudsample.json``. From::
"identity:list_revoke_events": ""
To::
"identity:list_revoke_events": "rule:service_or_admin"
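Review bot: The link in the `fixes` entry is inconsistent: its text says Bug 1649446 but the URL ends in `+bug/1651989`, whereas the `upgrade` entry and the Closes-Bug trailer both use 1649446, so readers of the rendered note are sent to an unrelated bug. The `fixes` line should read `[`Bug 1649446 <https://bugs.launchpad.net/keystone/+bug/1649446>`_]` unless 1651989 is a second, related bug, in which case it should be named as such.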