Browse Source

Remove policy.v3cloudsample.json

We've make all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.v3cloudsample.json`` file obsolete.

Let's simply things for users, operators, and develpers by removing
it.

A follow-on patch will remove the test_v3_protection.py file since
those behaviors are passing all the protection tests with the default
policies in code.

Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
(cherry picked from commit d4a6023de5)
changes/39/687639/1
Lance Bragstad 2 years ago
parent
commit
d9217f07b8
  1. 30
      etc/policy.v3cloudsample.json
  2. 216
      keystone/tests/unit/test_policy.py
  3. 37
      keystone/tests/unit/test_v3_auth.py
  4. 55
      keystone/tests/unit/test_v3_protection.py
  5. 21
      releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml

30
etc/policy.v3cloudsample.json

@ -1,30 +0,0 @@
{
"admin_required": "role:admin",
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
"default": "rule:admin_required",
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner"
}

216
keystone/tests/unit/test_policy.py

@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
import json
import os
import subprocess
import uuid
@ -21,7 +20,6 @@ import uuid
import mock
from oslo_policy import policy as common_policy
import six
from testtools import matchers
from keystone.common import policies
from keystone.common.rbac_enforcer import policy
@ -177,215 +175,6 @@ class PolicyJsonTestCase(unit.TestCase):
rules[rule.name] = rule.check_str
return rules
def test_json_examples_have_matching_entries(self):
# TODO(lbragstad): Once all policies have been removed from
# policy.v3cloudsample.json, remove this test.
removed_policies = [
'identity:add_endpoint_group_to_project',
'identity:add_endpoint_to_project',
'identity:add_user_to_group',
'identity:authorize_request_token',
'identity:check_grant',
'identity:check_endpoint_in_project',
'identity:check_implied_role',
'identity:check_policy_association_for_endpoint',
'identity:check_policy_association_for_region_and_service',
'identity:check_policy_association_for_service',
'identity:check_system_grant_for_group',
'identity:check_system_grant_for_user',
'identity:check_user_in_group',
'identity:create_application_credential',
'identity:create_consumer',
'identity:create_credential',
'identity:create_domain',
'identity:create_domain_config',
'identity:create_domain_role',
'identity:create_endpoint',
'identity:create_endpoint_group',
'identity:create_grant',
'identity:create_group',
'identity:create_identity_provider',
'identity:create_implied_role',
'identity:create_limits',
'identity:create_mapping',
'identity:create_policy',
'identity:create_policy_association_for_endpoint',
'identity:create_policy_association_for_region_and_service',
'identity:create_policy_association_for_service',
'identity:create_project',
'identity:create_project_tag',
'identity:create_protocol',
'identity:create_region',
'identity:create_registered_limits',
'identity:create_role',
'identity:create_service',
'identity:create_service_provider',
'identity:create_system_grant_for_group',
'identity:create_system_grant_for_user',
'identity:create_trust',
'identity:create_user',
'identity:delete_access_rule',
'identity:delete_access_token',
'identity:delete_application_credential',
'identity:delete_consumer',
'identity:delete_credential',
'identity:delete_domain',
'identity:delete_domain_config',
'identity:delete_domain_role',
'identity:delete_endpoint',
'identity:delete_endpoint_group',
'identity:delete_group',
'identity:delete_identity_provider',
'identity:delete_implied_role',
'identity:delete_mapping',
'identity:delete_limit',
'identity:delete_policy',
'identity:delete_policy_association_for_endpoint',
'identity:delete_policy_association_for_region_and_service',
'identity:delete_policy_association_for_service',
'identity:delete_project',
'identity:delete_project_tag',
'identity:delete_project_tags',
'identity:delete_protocol',
'identity:delete_region',
'identity:delete_registered_limit',
'identity:delete_role',
'identity:delete_service',
'identity:delete_service_provider',
'identity:delete_trust',
'identity:delete_user',
'identity:ec2_create_credential',
'identity:ec2_delete_credential',
'identity:ec2_get_credential',
'identity:ec2_list_credentials',
'identity:get_access_rule',
'identity:get_access_token',
'identity:get_access_token_role',
'identity:get_application_credential',
'identity:get_auth_catalog',
'identity:get_auth_domains',
'identity:get_auth_projects',
'identity:get_auth_system',
'identity:get_consumer',
'identity:get_credential',
'identity:get_domain',
'identity:get_domain_config',
'identity:get_domain_config_default',
'identity:get_domain_role',
'identity:get_endpoint',
'identity:get_endpoint_group',
'identity:get_endpoint_group_in_project',
'identity:get_group',
'identity:get_identity_provider',
'identity:get_implied_role',
'identity:get_limit',
'identity:get_limit_model',
'identity:get_mapping',
'identity:get_policy',
'identity:get_policy_for_endpoint',
'identity:get_project_tag',
'identity:get_project',
'identity:get_protocol',
'identity:get_region',
'identity:get_registered_limit',
'identity:get_role',
'identity:get_role_for_trust',
'identity:get_security_compliance_domain_config',
'identity:get_service',
'identity:get_service_provider',
'identity:get_trust',
'identity:get_user',
'identity:list_access_rules',
'identity:list_access_token_roles',
'identity:list_access_tokens',
'identity:list_application_credentials',
'identity:list_consumers',
'identity:list_credentials',
'identity:list_domain_roles',
'identity:list_domains',
'identity:list_domains_for_user',
'identity:list_endpoint_groups',
'identity:list_endpoint_groups_for_project',
'identity:list_endpoints',
'identity:list_endpoints_associated_with_endpoint_group',
'identity:list_endpoints_for_policy',
'identity:list_endpoints_for_project',
'identity:list_grants',
'identity:list_groups',
'identity:list_groups_for_user',
'identity:list_identity_providers',
'identity:list_implied_roles',
'identity:list_limits',
'identity:list_mappings',
'identity:list_policies',
'identity:list_projects',
'identity:list_projects_associated_with_endpoint_group',
'identity:list_projects_for_endpoint',
'identity:list_projects_for_user',
'identity:list_project_tags',
'identity:list_protocols',
'identity:list_regions',
'identity:list_registered_limits',
'identity:list_revoke_events',
'identity:list_role_assignments',
'identity:list_role_inference_rules',
'identity:list_roles',
'identity:list_roles_for_trust',
'identity:list_service_providers',
'identity:list_services',
'identity:list_system_grants_for_group',
'identity:list_system_grants_for_user',
'identity:list_trusts',
'identity:list_trusts_for_trustee',
'identity:list_trusts_for_trustor',
'identity:list_user_projects',
'identity:list_users',
'identity:list_users_in_group',
'identity:remove_endpoint_from_project',
'identity:remove_endpoint_group_from_project',
'identity:remove_user_from_group',
'identity:revocation_list',
'identity:revoke_grant',
'identity:revoke_system_grant_for_group',
'identity:revoke_system_grant_for_user',
'identity:update_consumer',
'identity:update_credential',
'identity:update_domain',
'identity:update_domain_config',
'identity:update_domain_role',
'identity:update_endpoint',
'identity:update_endpoint_group',
'identity:update_group',
'identity:update_identity_provider',
'identity:update_limit',
'identity:update_mapping',
'identity:update_policy',
'identity:update_project',
'identity:update_project_tags',
'identity:update_protocol',
'identity:update_region',
'identity:update_registered_limit',
'identity:update_role',
'identity:update_service',
'identity:update_service_provider',
'identity:update_user',
'service_or_admin',
'service_role',
]
policy_keys = self._get_default_policy_rules()
for p in removed_policies:
del policy_keys[p]
cloud_policy_keys = set(
json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
policy_extra_keys = ['admin_or_token_subject',
'service_admin_or_token_subject',
'token_subject', ]
expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
diffs = set(policy_keys).difference(set(expected_policy_keys))
self.assertThat(diffs, matchers.Equals(set()))
def test_policies_loads(self):
action = 'identity:list_projects'
target = {'user_id': uuid.uuid4().hex,
@ -406,11 +195,6 @@ class PolicyJsonTestCase(unit.TestCase):
credentials)
self.assertTrue(result)
domain_policy = unit.dirs.etc('policy.v3cloudsample.json')
enforcer = common_policy.Enforcer(CONF, policy_file=domain_policy)
result = enforcer.enforce(action, target, credentials)
self.assertTrue(result)
def test_all_targets_documented(self):
policy_keys = self._get_default_policy_rules()

37
keystone/tests/unit/test_v3_auth.py

@ -2906,12 +2906,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
domain_id=self.domainA['id']
)
def _policy_fixture(self):
return ksfixtures.Policy(
self.config_fixture,
policy_file=unit.dirs.etc('policy.v3cloudsample.json')
)
def test_user_revokes_own_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
@ -2988,37 +2982,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
expected_status=http_client.NOT_FOUND,
token=adminA_token)
def test_adminB_fails_revoking_userA_token(self):
# DomainB setup
self.domainB = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
userAdminB = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id'])
PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=userAdminB['id'],
domain_id=self.domainB['id']
)
user_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userNormalA['id'],
password=self.userNormalA['password'],
user_domain_id=self.domainA['id']))
headers = {'X-Subject-Token': user_token}
adminB_token = self.get_requested_token(
self.build_authentication_request(
user_id=userAdminB['id'],
password=userAdminB['password'],
domain_name=self.domainB['name']))
self.head('/auth/tokens', headers=headers,
expected_status=http_client.FORBIDDEN,
token=adminB_token)
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.FORBIDDEN,
token=adminB_token)
class TestTokenRevokeById(test_v3.RestfulTestCase):
"""Test token revocation on the v3 Identity API."""

55
keystone/tests/unit/test_v3_protection.py

@ -643,12 +643,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
test_v3.AssignmentTestMixin):
"""Test policy enforcement of the sample v3 cloud policy file."""
def _policy_fixture(self):
return ksfixtures.Policy(
self.config_fixture,
policy_file=unit.dirs.etc('policy.v3cloudsample.json')
)
def setUp(self):
"""Setup for v3 Cloud Policy Sample Test Cases.
@ -1167,55 +1161,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_domain_admin_list_assignment_tree(self):
# Add a child project to the standard test data
sub_project = unit.new_project_ref(domain_id=self.domainA['id'],
parent_id=self.project['id'])
PROVIDERS.resource_api.create_project(sub_project['id'], sub_project)
PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=self.just_a_user['id'],
project_id=sub_project['id']
)
collection_url = self.build_role_assignment_query_url(
project_id=self.project['id'])
collection_url += '&include_subtree=True'
# The domain admin should be able to list the assignment tree
auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
r = self.get(collection_url, auth=auth)
self.assertValidRoleAssignmentListResponse(
r, expected_length=3, resource_url=collection_url)
# A project admin should not be able to
auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
r = self.get(collection_url, auth=auth,
expected_status=http_client.FORBIDDEN)
# A neither should a domain admin from a different domain
domainB_admin_user = unit.create_user(
PROVIDERS.identity_api,
domain_id=self.domainB['id'])
PROVIDERS.assignment_api.create_grant(
self.admin_role['id'], user_id=domainB_admin_user['id'],
domain_id=self.domainB['id']
)
auth = self.build_authentication_request(
user_id=domainB_admin_user['id'],
password=domainB_admin_user['password'],
domain_id=self.domainB['id'])
r = self.get(collection_url, auth=auth,
expected_status=http_client.FORBIDDEN)
def test_domain_user_list_assignments_of_project_failed(self):
self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'],

21
releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml

@ -0,0 +1,21 @@
---
upgrade:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
[`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
The entire ``policy.v3cloudsample.json`` file has been removed. If you
were using this policy file to supply overrides in your deployment, you
should consider using the defaults in code and setting ``keystone.conf
[oslo_policy] enforce_scope=True``. The new policy defaults are more
flexible, they're tested extensively, and they solve all the problems the
``policy.v3cloudsample.json`` file was trying to solve.
fixes:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
[`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
The entire ``policy.v3cloudsample.json`` file has been removed. If you
were using this policy file to supply overrides in your deployment, you
should consider using the defaults in code and setting ``keystone.conf
[oslo_policy] enforce_scope=True``. The new policy defaults are more
flexible, they're tested extensively, and they solve all the problems the
``policy.v3cloudsample.json`` file was trying to solve.
Loading…
Cancel
Save