Update mapping policies for system admin

This change makes the policy definitions for admin mapping operations consistent with the other mapping policies. Subsequent patches will incorporate: - testing for domain users - testing for project users Change-Id: Iad665112c73de41e2c1727a557fe5255e89b3fb6 Related-Bug: 1804519 Closes-Bug: 1804521
2018-11-22 16:09:43 +00:00 · 2018-11-22 16:09:43 +00:00 · e94dff934a
commit e94dff934a
parent 57b3eb0162
3 changed files with 144 additions and 7 deletions
--- a/keystone/common/policies/mapping.py
+++ b/keystone/common/policies/mapping.py
@ -23,6 +23,18 @@ deprecated_list_mappings = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_mappings',
    check_str=base.RULE_ADMIN_REQUIRED
 )
+deprecated_update_mapping = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_mapping',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_create_mapping = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_mapping',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_delete_mapping = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_mapping',
+    check_str=base.RULE_ADMIN_REQUIRED
+)

 DEPRECATED_REASON = """
 As of the Stein release, the federated mapping API now understands default
@ -35,7 +47,7 @@ relying on overrides in your deployment for the federated mapping API.
 mapping_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_mapping',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        # FIXME(lbragstad): Today, keystone doesn't support federation unless
        # the person create identity providers, service providers, or mappings
        # has the ability to modify keystone and Apache configuration files.
@ -46,7 +58,10 @@ mapping_policies = [
        description=('Create a new federated mapping containing one or '
                     'more sets of rules.'),
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
-                     'method': 'PUT'}]),
+                     'method': 'PUT'}],
+        deprecated_rule=deprecated_create_mapping,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_mapping',
        check_str=base.SYSTEM_READER,
@ -87,18 +102,24 @@ mapping_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_mapping',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Delete a federated mapping.',
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
-                     'method': 'DELETE'}]),
+                     'method': 'DELETE'}],
+        deprecated_rule=deprecated_delete_mapping,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_mapping',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Update a federated mapping.',
        operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
-                     'method': 'PATCH'}])
+                     'method': 'PATCH'}],
+        deprecated_rule=deprecated_update_mapping,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN)
 ]


--- a/keystone/tests/unit/protection/v3/test_mappings.py
+++ b/keystone/tests/unit/protection/v3/test_mappings.py
@ -25,7 +25,8 @@ CONF = keystone.conf.CONF
 PROVIDERS = provider_api.ProviderAPIs


-class _SystemReaderAndMemberUserMappingTests(object):
+class _SystemUserMappingTests(object):
+    """Common default functionality for all system users."""

    def test_user_can_list_mappings(self):
        mapping = unit.new_mapping_ref()
@ -50,6 +51,10 @@ class _SystemReaderAndMemberUserMappingTests(object):
                headers=self.headers
            )

+
+class _SystemReaderAndMemberUserMappingTests(object):
+    """Common default functionality for system readers and system members."""
+
    def test_user_cannot_create_mappings(self):
        create = {
            'mapping': {
@ -107,6 +112,7 @@ class _SystemReaderAndMemberUserMappingTests(object):

 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                        common_auth.AuthTestMixin,
+                        _SystemUserMappingTests,
                        _SystemReaderAndMemberUserMappingTests):

    def setUp(self):
@ -140,6 +146,7 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,

 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
                        common_auth.AuthTestMixin,
+                        _SystemUserMappingTests,
                        _SystemReaderAndMemberUserMappingTests):

    def setUp(self):
@ -169,3 +176,81 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
            r = c.post('/v3/auth/tokens', json=auth)
            self.token_id = r.headers['X-Subject-Token']
            self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+                       common_auth.AuthTestMixin,
+                       _SystemUserMappingTests):
+
+    def setUp(self):
+        super(SystemAdminTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        # Reuse the system administrator account created during
+        # ``keystone-manage bootstrap``
+        self.user_id = self.bootstrapper.admin_user_id
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=self.bootstrapper.admin_password,
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+    def test_user_can_create_mappings(self):
+        create = {
+            'mapping': {
+                'id': uuid.uuid4().hex,
+                'rules': [{
+                    'local': [{'user': {'name': '{0}'}}],
+                    'remote': [{'type': 'UserName'}],
+                }]
+            }
+        }
+        mapping_id = create['mapping']['id']
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
+                headers=self.headers, expected_status_code=http_client.CREATED
+            )
+
+    def test_user_can_update_mappings(self):
+        mapping = unit.new_mapping_ref()
+        mapping = PROVIDERS.federation_api.create_mapping(
+            mapping['id'], mapping
+        )
+
+        update = {
+            'mapping': {
+                'rules': [{
+                    'local': [{'user': {'name': '{0}'}}],
+                    'remote': [{'type': 'UserName'}],
+                }]
+            }
+        }
+
+        with self.test_client() as c:
+            c.patch(
+                '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
+                json=update, headers=self.headers
+            )
+
+    def test_user_can_delete_mappings(self):
+        mapping = unit.new_mapping_ref()
+        mapping = PROVIDERS.federation_api.create_mapping(
+            mapping['id'], mapping
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
+                headers=self.headers
+            )
--- a/releasenotes/notes/bug-1804521-3c0d9f567e8f532f.yaml
+++ b/releasenotes/notes/bug-1804521-3c0d9f567e8f532f.yaml
@ -0,0 +1,31 @@
+features:
+  - |
+    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
+    The federated mapping API now supports the ``admin``, ``member``,
+    and ``reader`` default roles.
+upgrade:
+  - |
+    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
+    The federated mapping API uses new default policies that
+    make it more accessible to end users and administrators in a
+    secure way. Please consider these new defaults if your deployment
+    overrides federated mapping policies.
+deprecations:
+  - |
+    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
+    The federated mapping policies have been deprecated. The
+    ``identity:list_mappings`` and ``identity:get_mapping`` policies now
+    use ``role:reader and system_scope:all`` instead of ``rule:admin_required``.
+    The ``identity:create_mapping``, ``identity:update_mapping``, and
+    ``identity:delete_mapping`` policies now use ``role:admin and
+    system_scope:all`` instead of ``rule:admin_required``.
+    These new defaults automatically account for system-scope and support
+    a read-only role, making it easier for system administrators to
+    delegate subsets of responsibility without compromising security.
+    Please consider these new defaults if your deployment overrides the
+    federated mapping policies.
+security:
+  - |
+    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
+    The federated mapping API now uses system-scope and default roles
+    to provide better accessibility to users in a secure way.