Update mapping policies for system admin

This change makes the policy definitions for admin mapping operations
consistent with the other mapping policies. Subsequent patches will
incorporate:

 - testing for domain users
 - testing for project users

Change-Id: Iad665112c73de41e2c1727a557fe5255e89b3fb6
Related-Bug: 1804519
Closes-Bug: 1804521
Lance Bragstad 2018-11-22 16:09:43 +00:00
parent 57b3eb0162
commit e94dff934a
3 changed files with 144 additions and 7 deletions


@ -23,6 +23,18 @@ deprecated_list_mappings = policy.DeprecatedRule(
name=base.IDENTITY % 'list_mappings',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_mapping = policy.DeprecatedRule(
name=base.IDENTITY % 'update_mapping',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_mapping = policy.DeprecatedRule(
name=base.IDENTITY % 'create_mapping',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_mapping = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_mapping',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Stein release, the federated mapping API now understands default
@ -35,7 +47,7 @@ relying on overrides in your deployment for the federated mapping API.
mapping_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_mapping',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): Today, keystone doesn't support federation unless
# the person create identity providers, service providers, or mappings
# has the ability to modify keystone and Apache configuration files.
@ -46,7 +58,10 @@ mapping_policies = [
description=('Create a new federated mapping containing one or '
'more sets of rules.'),
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
'method': 'PUT'}]),
'method': 'PUT'}],
deprecated_rule=deprecated_create_mapping,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_mapping',
check_str=base.SYSTEM_READER,
@ -87,18 +102,24 @@ mapping_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_mapping',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete a federated mapping.',
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
'method': 'DELETE'}]),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_mapping,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_mapping',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update a federated mapping.',
operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
'method': 'PATCH'}])
'method': 'PATCH'}],
deprecated_rule=deprecated_update_mapping,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
]
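Review bot: Switching `check_str` to `base.SYSTEM_ADMIN` on the delete_mapping and update_mapping rules in this hunk (and on create_mapping in the second hunk) does not by itself stop callers who only satisfy `rule:admin_required`: as I read oslo.policy's deprecation handling, while a `deprecated_rule` is attached and no override exists, the deprecated check string is evaluated as an alternative to the new one, so the legacy admin path keeps passing until the deprecated rules are dropped. That is the intended transition, but the release note in this commit says the policies "now use `role:admin and system_scope:all` instead of `rule:admin_required`", which an operator can read as an immediate tightening. I would add one sentence to DEPRECATED_REASON (its definition starts at the end of the first hunk, most of the text is outside it) such as `Until the deprecated rules are removed, the previous check string is still honored as a fallback.`, so deployments that rely on the new defaults for least privilege know to track the removal.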


@ -25,7 +25,8 @@ CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class _SystemReaderAndMemberUserMappingTests(object):
class _SystemUserMappingTests(object):
"""Common default functionality for all system users."""
def test_user_can_list_mappings(self):
mapping = unit.new_mapping_ref()
@ -50,6 +51,10 @@ class _SystemReaderAndMemberUserMappingTests(object):
headers=self.headers
)
class _SystemReaderAndMemberUserMappingTests(object):
"""Common default functionality for system readers and system members."""
def test_user_cannot_create_mappings(self):
create = {
'mapping': {
@ -107,6 +112,7 @@ class _SystemReaderAndMemberUserMappingTests(object):
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserMappingTests,
_SystemReaderAndMemberUserMappingTests):
def setUp(self):
@ -140,6 +146,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
class SystemMemberTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserMappingTests,
_SystemReaderAndMemberUserMappingTests):
def setUp(self):
@ -169,3 +176,81 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserMappingTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_mappings(self):
create = {
'mapping': {
'id': uuid.uuid4().hex,
'rules': [{
'local': [{'user': {'name': '{0}'}}],
'remote': [{'type': 'UserName'}],
}]
}
}
mapping_id = create['mapping']['id']
with self.test_client() as c:
c.put(
'/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
headers=self.headers, expected_status_code=http_client.CREATED
)
def test_user_can_update_mappings(self):
mapping = unit.new_mapping_ref()
mapping = PROVIDERS.federation_api.create_mapping(
mapping['id'], mapping
)
update = {
'mapping': {
'rules': [{
'local': [{'user': {'name': '{0}'}}],
'remote': [{'type': 'UserName'}],
}]
}
}
with self.test_client() as c:
c.patch(
'/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
json=update, headers=self.headers
)
def test_user_can_delete_mappings(self):
mapping = unit.new_mapping_ref()
mapping = PROVIDERS.federation_api.create_mapping(
mapping['id'], mapping
)
with self.test_client() as c:
c.delete(
'/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
headers=self.headers
)
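Review bot: test_user_can_update_mappings and test_user_can_delete_mappings leave the expected status to the test client's default, while test_user_can_create_mappings a few lines earlier in the same hunk pins `expected_status_code=http_client.CREATED`. Passing `expected_status_code=http_client.OK` on the PATCH and `expected_status_code=http_client.NO_CONTENT` on the DELETE makes the positive authorization assertion explicit and keeps the three SystemAdminTests cases consistent. If the client default already encodes those codes this is cosmetic; if it does not, an unexpected non-success response would currently count as the admin persona being authorized.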


@ -0,0 +1,31 @@
features:
- |
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
The federated mapping API now supports the ``admin``, ``member``,
and ``reader`` default roles.
upgrade:
- |
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
The federated mapping API uses new default policies that
make it more accessible to end users and administrators in a
secure way. Please consider these new defaults if your deployment
overrides federated mapping policies.
deprecations:
- |
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
The federated mapping policies have been deprecated. The
``identity:list_mappings`` and ``identity:get_mapping`` policies now
use ``role:reader and system_scope:all`` instead of ``rule:admin_required``.
The ``identity:create_mapping``, ``identity:update_mapping``, and
``identity:delete_mapping`` policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to
delegate subsets of responsibility without compromising security.
Please consider these new defaults if your deployment overrides the
federated mapping policies.
security:
- |
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
The federated mapping API now uses system-scope and default roles
to provide better accessibility to users in a secure way.