Update region policies to use system admin

This change updates the policies for the regions API to include
system administrators and includes appropriate test coverage. A
subsequent set of patches will introduce test coverage for:

 - domains user test coverage
 - project users test coverage

 Related-Bug: 1804292
 Closes-Bug: 1804446

Change-Id: I84dd7fc69a2eab9ab8c2130f26a2fb664d5663a5
This commit is contained in:
Lance Bragstad 2018-11-21 12:57:14 +00:00
parent 833b00e57e
commit f3b69e4b4c
3 changed files with 116 additions and 6 deletions

View File

@ -10,10 +10,33 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from keystone.common.policies import base
deprecated_create_region = policy.DeprecatedRule(
name=base.IDENTITY % 'create_region',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_region = policy.DeprecatedRule(
name=base.IDENTITY % 'update_region',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_region = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_region',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = (
'As of the Stein release, the region API now understands default roles '
'and system-scoped tokens, making the API more granular without '
'compromising security. The new policies for this API account for these '
'changes automatically. Be sure to take these new defaults into '
'consideration if you are relying on overrides in your deployment for the '
'region API.'
)
region_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_region',
@ -41,27 +64,36 @@ region_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_region',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create region.',
operations=[{'path': '/v3/regions',
'method': 'POST'},
{'path': '/v3/regions/{region_id}',
'method': 'PUT'}]),
'method': 'PUT'}],
deprecated_rule=deprecated_create_region,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_region',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update region.',
operations=[{'path': '/v3/regions/{region_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_region,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_region',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete region.',
operations=[{'path': '/v3/regions/{region_id}',
'method': 'DELETE'}])
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_region,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
]

View File

@ -146,3 +146,52 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_UserRegionTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_regions(self):
create = {'region': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.post('/v3/regions', json=create, headers=self.headers)
def test_user_can_update_regions(self):
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
with self.test_client() as c:
update = {'region': {'description': uuid.uuid4().hex}}
c.patch(
'/v3/regions/%s' % region['id'], json=update,
headers=self.headers
)
def test_user_can_delete_regions(self):
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
with self.test_client() as c:
c.delete('/v3/regions/%s' % region['id'], headers=self.headers)

View File

@ -0,0 +1,29 @@
---
features:
- |
[`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
The regions API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
The regions API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
region policies.
deprecations:
- |
[`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
The ``identity:create_region``, ``identity:update_region``, and
``identity:delete_region`` policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``. These new
defaults automatically account for system-scope and support a
read-only role, making it easier for system administrators to delegate
subsets of responsibility without compromising security. Please
consider these new defaults if your deployment overrides the region
policies.
security:
- |
[`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
The regions API now uses system-scope and default roles to
provide better accessibility to users in a secure way.