Update service policies for system admin

The service policies were not taking the default roles work we did last release into account. This commit changes the default policies to rely on the ``admin`` role to create and delete services. Subsequent patches will incorporate: - domain user test coverage - project user test coverage Change-Id: I58bbe6848c9e8e63656a6c706c84d1747c72a71e Related-Bug: 1804462 Closes-Bug: 1804463
2018-11-21 15:15:11 +00:00 · 2018-11-21 15:15:11 +00:00 · f377351ac8
commit f377351ac8
parent 2a380f001e
3 changed files with 115 additions and 6 deletions
--- a/keystone/common/policies/service.py
+++ b/keystone/common/policies/service.py
@ -23,6 +23,18 @@ deprecated_list_service = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_services',
    check_str=base.RULE_ADMIN_REQUIRED
 )
+deprecated_update_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_service',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_create_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_service',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_delete_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_service',
+    check_str=base.RULE_ADMIN_REQUIRED
+)

 DEPRECATED_REASON = """
 As of the Stein release, the service API now understands default roles and
@ -55,25 +67,34 @@ service_policies = [
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_service',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Create service.',
        operations=[{'path': '/v3/services',
-                     'method': 'POST'}]),
+                     'method': 'POST'}],
+        deprecated_rule=deprecated_create_service,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_service',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Update service.',
        operations=[{'path': '/v3/services/{service_id}',
-                     'method': 'PATCH'}]),
+                     'method': 'PATCH'}],
+        deprecated_rule=deprecated_update_service,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_service',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Delete service.',
        operations=[{'path': '/v3/services/{service_id}',
-                     'method': 'DELETE'}])
+                     'method': 'DELETE'}],
+        deprecated_rule=deprecated_delete_service,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN)
 ]


--- a/keystone/tests/unit/protection/v3/test_services.py
+++ b/keystone/tests/unit/protection/v3/test_services.py
@ -161,3 +161,60 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
            r = c.post('/v3/auth/tokens', json=auth)
            self.token_id = r.headers['X-Subject-Token']
            self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+                       common_auth.AuthTestMixin,
+                       _SystemUserServiceTests):
+
+    def setUp(self):
+        super(SystemAdminTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        # Reuse the system administrator account created during
+        # ``keystone-manage bootstrap``
+        self.user_id = self.bootstrapper.admin_user_id
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=self.bootstrapper.admin_password,
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+    def test_user_can_create_services(self):
+        create = {
+            'service': {
+                'type': uuid.uuid4().hex,
+                'name': uuid.uuid4().hex,
+            }
+        }
+
+        with self.test_client() as c:
+            c.post('/v3/services', json=create, headers=self.headers)
+
+    def test_user_can_update_services(self):
+        service = unit.new_service_ref()
+        service = PROVIDERS.catalog_api.create_service(service['id'], service)
+
+        update = {'service': {'description': uuid.uuid4().hex}}
+
+        with self.test_client() as c:
+            c.patch(
+                '/v3/services/%s' % service['id'], json=update,
+                headers=self.headers
+            )
+
+    def test_user_can_delete_services(self):
+        service = unit.new_service_ref()
+        service = PROVIDERS.catalog_api.create_service(service['id'], service)
+
+        with self.test_client() as c:
+            c.delete('/v3/services/%s' % service['id'], headers=self.headers)
--- a/releasenotes/notes/bug-1804463-74537652166cf656.yaml
+++ b/releasenotes/notes/bug-1804463-74537652166cf656.yaml
@ -0,0 +1,31 @@
+---
+features:
+  - |
+    [`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
+    The services API now supports the ``admin``, ``member``, and
+    ``reader`` default roles.
+upgrade:
+  - |
+    [`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
+    The services API uses new default policies that make it more
+    accessible to end users and administrators in a secure way. Please
+    consider these new defaults if your deployment overrides
+    service policies.
+deprecations:
+  - |
+    [`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
+    The service policies have been deprecated. The ``identity:get_service`` and
+    ``identity:list_services`` policies now use ``(role:reader and
+    system_scope:all)`` instead of ``rule:admin_required``. The
+    ``identity:create_service``, ``identity:update_service``, and
+    ``identity:delete_service`` policies now use ``(role:admin and
+    system_scope:all)`` instead of ``rule:admin_required``. These new defaults
+    automatically account for system-scope and support a read-only role, making
+    it easier for system administrators to delegate subsets of responsibility
+    without compromising security. Please consider these new defaults if your
+    deployment overrides service policies.
+security:
+  - |
+    [`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
+    The services API now uses system-scope and default roles to
+    provide better accessibility to users in a secure way.