Implement system admin for implied roles
This change updates the create and delete actions for the implied roles policies to support the system-specific admin check string. For the time being, we're deferring adding support for the domain scope type and domain-specific check strings, but may add it in the future. Change-Id: I649f8f919fffc751aea750a5228f71cec8c6e184 Partial-bug: #1805371
parent
a73e057e25
commit
ee60db6f33
|
@ -31,6 +31,14 @@ deprecated_check_implied_role = policy.DeprecatedRule(
|
|||
name=base.IDENTITY % 'check_implied_role',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
deprecated_create_implied_role = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'create_implied_role',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
deprecated_delete_implied_role = policy.DeprecatedRule(
|
||||
name=base.IDENTITY % 'delete_implied_role',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
As of the Train release, the implied role API understands how to
|
||||
|
@ -78,7 +86,7 @@ implied_role_policies = [
|
|||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_implied_role',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Create an association between two roles. When a '
|
||||
'relationship exists between a prior role and an implied '
|
||||
|
@ -86,10 +94,13 @@ implied_role_policies = [
|
|||
'also assumes the implied role.',
|
||||
operations=[
|
||||
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
||||
'method': 'PUT'}]),
|
||||
'method': 'PUT'}],
|
||||
deprecated_rule=deprecated_create_implied_role,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_implied_role',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Delete the association between two roles. When a '
|
||||
'relationship exists between a prior role and an implied '
|
||||
|
@ -98,7 +109,10 @@ implied_role_policies = [
|
|||
'will cause that effect to be eliminated.',
|
||||
operations=[
|
||||
{'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
|
||||
'method': 'DELETE'}]),
|
||||
'method': 'DELETE'}],
|
||||
deprecated_rule=deprecated_delete_implied_role,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.TRAIN),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_role_inference_rules',
|
||||
check_str=base.SYSTEM_READER,
|
||||
|
|
|
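Review bot: The two rules switched to `check_str=base.SYSTEM_ADMIN` (create and delete) now carry `deprecated_rule=` entries whose check is `base.RULE_ADMIN_REQUIRED`, and as far as I know of oslo.policy's deprecation handling the new check is evaluated OR the deprecated one until the deprecated rules are removed, so a project-scoped token holding the admin role keeps passing both rules in deployments that have not enabled scope enforcement. The `scope_types=['system']` declaration only rejects such tokens once `[oslo_policy] enforce_scope` is on, which is the configuration the new test class runs under, so the tests do not exercise the fallback path. I would say this in `DEPRECATED_REASON` (its text starts in the first hunk and continues outside it), e.g. `Until the deprecated rules are removed, the previous role:admin check is still honoured for these operations unless [oslo_policy] enforce_scope is set.`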
@ -169,3 +169,53 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
|
|||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
|
||||
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_ImpliedRolesSetupMixin,
|
||||
_SystemUserImpliedRoleTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
self._create_test_roles()
|
||||
|
||||
# Reuse the system administrator account created during
|
||||
# ``keystone-manage bootstrap``
|
||||
self.user_id = self.bootstrapper.admin_user_id
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.user_id,
|
||||
password=self.bootstrapper.admin_password,
|
||||
system=True
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
def test_user_can_create_implied_roles(self):
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/roles/%s/implies/%s' % (
|
||||
self.prior_role_id, self.implied_role_id),
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.CREATED
|
||||
)
|
||||
|
||||
def test_user_can_delete_implied_roles(self):
|
||||
PROVIDERS.role_api.create_implied_role(self.prior_role_id,
|
||||
self.implied_role_id)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/roles/%s/implies/%s' % (
|
||||
self.prior_role_id, self.implied_role_id),
|
||||
headers=self.headers
|
||||
)
|
||||
|
|
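Review bot: `test_user_can_delete_implied_roles` never asserts on the DELETE response, unlike `test_user_can_create_implied_roles` just above it, which passes `expected_status_code=http_client.CREATED`; unless the test client's default is to fail on any non-2xx status, this test stays green even if the new `SYSTEM_ADMIN` check rejects the system administrator with 403, which is the regression it exists to catch. Passing the status the API returns for this endpoint, which I believe is 204, makes the authorization outcome explicit: `headers=self.headers,` followed by `expected_status_code=http_client.NO_CONTENT`. The hunk ends with this method and `SystemAdminTests` is fully contained in it.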