Ensure v3policysample correctly limits domain_admin access
Recent changes tidied up the v3 sample policy, but unfortunately this introduced a defect that meant a domain admin could create roles on other domains. In addition, in an attempt to simplify the policies, these changes increased the risk of a user being able to spoof the policy by using bogus url options. This patch fixes these issues. Limitations: - The current code + policy does not prevent a domain admin updating the domain_id of a user/group/project to some other domain. Ideally we would prevent this via policy, but this requires an enhancement to our policy engine (to be be able to check for existance of a member in an object). Such a change of domain_id is, with this patch, at least now benign - since if the user acting as domain admin does not have a role on the new domain, then there is nothing they can do. A separate bug (1291393) has been raised for this. Closes-Bug: 1287219 Change-Id: I9d4380ac8586b2af0d7ba945ae5e38cc0d2adbd5
This commit is contained in:
Henry Nash
@ -6,14 +6,7 @@
|
||||
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
|
||||
|
||||
"user_domain_id": "domain_id:%(target.user.domain_id)s or domain_id:%(user.domain_id)s",
|
||||
"project_domain_id": "domain_id:%(target.project.domain_id)s or domain_id:%(project.domain_id)s",
|
||||
"groups_domain_id": "domain_id:%(group.domain_id)s or domain_id:%(target.group.domain_id)s",
|
||||
"same_domain_id": "domain_id:%(domain_id)s or domain_id:%(target.domain.id)s",
|
||||
"match_domain_id": "rule:same_domain_id or rule:user_domain_id or rule:project_domain_id or rule:groups_domain_id",
|
||||
"domain_admin": "rule:admin_required and rule:match_domain_id",
|
||||
"project_admin": "rule:admin_required and project_id:%(target.project.id)s",
|
||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
@ -41,29 +34,35 @@
|
||||
"identity:update_domain": "rule:cloud_admin",
|
||||
"identity:delete_domain": "rule:cloud_admin",
|
||||
|
||||
"identity:get_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
|
||||
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
"identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"identity:list_user_projects": "rule:owner or (rule:admin_required and domain_id:%(domain_id)s)",
|
||||
"identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
|
||||
"identity:update_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"identity:delete_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
|
||||
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
|
||||
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
||||
|
||||
"identity:get_user": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:list_users": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:create_user": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:update_user": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:delete_user": "rule:cloud_admin or rule:domain_admin",
|
||||
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
|
||||
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
|
||||
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
||||
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
||||
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
|
||||
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
||||
"identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
||||
|
||||
"identity:get_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:list_groups": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
|
||||
"identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
||||
"identity:list_groups_for_user": "rule:owner or (rule:admin_required and domain_id:%(domain_id)s)",
|
||||
"identity:create_group": "rule:admin_required and domain_id:%(group.domain_id)s",
|
||||
"identity:update_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:delete_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:list_users_in_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:remove_user_from_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:check_user_in_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:add_user_to_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
|
||||
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||
|
||||
"identity:get_credential": "rule:admin_required",
|
||||
"identity:list_credentials": "rule:admin_required",
|
||||
@ -82,13 +81,15 @@
|
||||
"identity:update_role": "rule:cloud_admin",
|
||||
"identity:delete_role": "rule:cloud_admin",
|
||||
|
||||
"identity:check_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
"identity:list_grants": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
"identity:create_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
"domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",
|
||||
"project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
|
||||
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
|
||||
"admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
|
||||
"admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
|
||||
"admin_on_domain_filter" : "rule:cloud_admin or (rule:admin_required and domain_id:%(scope.domain.id)s)",
|
||||
"admin_on_project_filter" : "rule:cloud_admin or (rule:admin_required and project_id:%(scope.project.id)s)",
|
||||
"identity:list_role_assignments": "rule:admin_on_domain_filter or rule:admin_on_project_filter",
|
||||
|
||||
"identity:get_policy": "rule:cloud_admin",
|
||||
|
||||
@ -587,6 +587,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
||||
|
||||
self._test_grants('domains', self.domainA['id'])
|
||||
|
||||
# Check that with such a token we cannot modify grants on a
|
||||
# different domain
|
||||
self._test_grants('domains', self.domainB['id'],
|
||||
expected=exception.ForbiddenAction.code)
|
||||
|
||||
def test_domain_grants_by_cloud_admin(self):
|
||||
# Test domain grants with a cloud admin. This user should be
|
||||
# able to manage roles on any domain.
|
||||
|
||||
Reference in New Issue
Block a user