Update service policies for system admin

The service policies were not taking the default roles work we did
last release into account. This commit changes the default policies
to rely on the ``admin`` role to create and delete services.
Subsequent patches will incorporate:

 - domain user test coverage
 - project user test coverage

Change-Id: I58bbe6848c9e8e63656a6c706c84d1747c72a71e
Related-Bug: 1804462
Closes-Bug: 1804463
Lance Bragstad 2018-11-21 15:15:11 +00:00
parent 2a380f001e
commit f377351ac8
3 changed files with 115 additions and 6 deletions


@ -23,6 +23,18 @@ deprecated_list_service = policy.DeprecatedRule(
name=base.IDENTITY % 'list_services',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_service = policy.DeprecatedRule(
name=base.IDENTITY % 'update_service',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_service = policy.DeprecatedRule(
name=base.IDENTITY % 'create_service',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_service = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_service',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Stein release, the service API now understands default roles and
@ -55,25 +67,34 @@ service_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_service',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create service.',
operations=[{'path': '/v3/services',
'method': 'POST'}]),
'method': 'POST'}],
deprecated_rule=deprecated_create_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_service',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update service.',
operations=[{'path': '/v3/services/{service_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_service',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete service.',
operations=[{'path': '/v3/services/{service_id}',
'method': 'DELETE'}])
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN)
]
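Review bot: The new `check_str=base.SYSTEM_ADMIN` on the create/update/delete rules is not yet the effective check: because each rule now also carries `deprecated_rule=...` with `deprecated_since`, oslo.policy evaluates the new check string OR'd with the deprecated `base.RULE_ADMIN_REQUIRED` for the length of the deprecation window, so a token that only satisfies `rule:admin_required` still passes these three rules. That is the intended migration behaviour, but the commit message says the policies now "rely on the admin role" and the release note in this commit says the same, so `DEPRECATED_REASON` (its text continues outside the hunk) should state that the old rule remains honoured until the deprecated rules are removed or the deployment overrides them. Separately, `scope_types=['system']` only restricts callers when `[oslo_policy] enforce_scope` is enabled; the new test sets `enforce_scope=True` explicitly, so a deployment that leaves that option at its default will not get the system-scope restriction from these defaults alone, which is worth a line in the policy description or the release note.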


@ -161,3 +161,60 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserServiceTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_services(self):
create = {
'service': {
'type': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
}
}
with self.test_client() as c:
c.post('/v3/services', json=create, headers=self.headers)
def test_user_can_update_services(self):
service = unit.new_service_ref()
service = PROVIDERS.catalog_api.create_service(service['id'], service)
update = {'service': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch(
'/v3/services/%s' % service['id'], json=update,
headers=self.headers
)
def test_user_can_delete_services(self):
service = unit.new_service_ref()
service = PROVIDERS.catalog_api.create_service(service['id'], service)
with self.test_client() as c:
c.delete('/v3/services/%s' % service['id'], headers=self.headers)
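Review bot: The three new tests in `SystemAdminTests` discard the response: `c.post(...)`, `c.patch(...)` and `c.delete(...)` are called without checking the status, so unless `test_client()` asserts a default expected status on every request, a 403 from the new policy would still let `test_user_can_create_services` pass and the test would not demonstrate the admin permission it is named for. Passing an explicit expected status on each call (201 for the POST, 200 for the PATCH, 204 for the DELETE) pins the positive case, e.g. `c.post('/v3/services', json=create, headers=self.headers, expected_status_code=201)` if the client accepts that keyword. The hunk also adds no negative test showing that a system member or reader is denied create/update/delete; `SystemMemberTests` and `_SystemUserServiceTests` start outside the hunk, so those checks may live there, but the commit description only defers domain and project user coverage, so it is worth confirming the system-member denial is covered.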


@ -0,0 +1,31 @@
---
features:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The services API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The services API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
service policies.
deprecations:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The service policies have been deprecated. The ``identity:get_service`` and
``identity:list_services`` policies now use ``(role:reader and
system_scope:all)`` instead of ``rule:admin_required``. The
``identity:create_service``, ``identity:update_service``, and
``identity:delete_service`` policies now use ``(role:admin and
system_scope:all)`` instead of ``rule:admin_required``. These new defaults
automatically account for system-scope and support a read-only role, making
it easier for system administrators to delegate subsets of responsibility
without compromising security. Please consider these new defaults if your
deployment overrides service policies.
security:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The services API now uses system-scope and default roles to
provide better accessibility to users in a secure way.