openstack
/
keystone
Code Issues Proposed changes

Merge "Allow user to get themself and their domain"

This commit is contained in:
Jenkins 2016-06-27 16:04:41 +00:00 committed by Gerrit Code Review
parent ae2656efb7 c990ec5c14
commit e2639e4b2e
3 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
etc/policy.json
View File

@ -28,7 +28,7 @@
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required",
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
@ -41,7 +41,7 @@
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_required",
"identity:get_user": "rule:admin_or_owner",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",

4
etc/policy.v3cloudsample.json
View File

@ -28,7 +28,7 @@
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",
"identity:update_domain": "rule:cloud_admin",
@ -45,7 +45,7 @@
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",

11
keystone/tests/unit/test_v3_protection.py
View File

@ -688,9 +688,9 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
else:
return (expected_status, expected_status, expected_status)
def _test_user_management(self, domain_id, expected=None):
def _test_user_management(self, user_id, domain_id, expected=None):
status_OK, status_created, status_no_data = self._stati(expected)
entity_url = '/users/%s' % self.just_a_user['id']
entity_url = '/users/%s' % user_id
list_url = '/users?domain_id=%s' % domain_id
self.get(entity_url, auth=self.auth,
@ -861,7 +861,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
domain_id=self.domainA['id'])
self._test_user_management(
self.domainA['id'], expected=exception.ForbiddenAction.code)
self.domain_admin_user['id'], self.domainA['id'],
expected=exception.ForbiddenAction.code)
# Now, authenticate with a user that does have the domain admin role
self.auth = self.build_authentication_request(
@ -869,7 +870,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
self._test_user_management(self.domainA['id'])
self._test_user_management(self.just_a_user['id'], self.domainA['id'])
def test_user_management_normalized_keys(self):
"""Illustrate the inconsistent handling of hyphens in keys.
@ -956,7 +957,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
self._test_user_management(self.domainA['id'])
self._test_user_management(self.just_a_user['id'], self.domainA['id'])
def test_group_management(self):
# First, authenticate with a user that does not have the domain