openstack
/
keystone
Code Issues Proposed changes

Merge "Implement system admin for policy association"

This commit is contained in:
Zuul 2019-08-30 02:20:01 +00:00 committed by Gerrit Code Review
parent ecc2450c82 2d185a5a91
commit fe39838f71
3 changed files with 258 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
keystone/common/policies/policy_association.py
View File

@ -44,6 +44,36 @@ deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_create_policy_association_for_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'create_policy_association_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_delete_policy_association_for_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_create_policy_association_for_service = policy.DeprecatedRule(
name=base.IDENTITY % 'create_policy_association_for_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_delete_policy_association_for_service = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_policy_association_for_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_create_policy_association_for_region_and_service = policy.DeprecatedRule(
name=base.IDENTITY % 'create_policy_association_for_region_and_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
DEPRECATED_REASON = """
As of the Train release, the policy association API now understands default
roles and system-scoped tokens, making the API more granular by default without
@ -55,12 +85,15 @@ relying on overrides in your deployment for the policy association API.
policy_association_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_policy_association_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Associate a policy to a specific endpoint.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
'method': 'PUT'}]),
'method': 'PUT'}],
deprecated_rule=deprecated_create_policy_association_for_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_policy_association_for_endpoint',
check_str=base.SYSTEM_READER,
@ -77,20 +110,26 @@ policy_association_policies = [
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete policy association for endpoint.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
'method': 'DELETE'}]),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_policy_association_for_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_policy_association_for_service',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Associate a policy to a specific service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
'method': 'PUT'}]),
'method': 'PUT'}],
deprecated_rule=deprecated_create_policy_association_for_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_policy_association_for_service',
check_str=base.SYSTEM_READER,
@ -107,22 +146,28 @@ policy_association_policies = [
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_policy_association_for_service',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete policy association for service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
'method': 'DELETE'}]),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_policy_association_for_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % (
'create_policy_association_for_region_and_service'),
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description=('Associate a policy to a specific region and service '
'combination.'),
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}/regions/{region_id}'),
'method': 'PUT'}]),
'method': 'PUT'}],
deprecated_rule=deprecated_create_policy_association_for_region_and_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_policy_association_for_region_and_service',
check_str=base.SYSTEM_READER,
@ -140,12 +185,15 @@ policy_association_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % (
'delete_policy_association_for_region_and_service'),
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete policy association for region and service.',
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}/regions/{region_id}'),
'method': 'DELETE'}]),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_policy_association_for_region_and_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_policy_for_endpoint',
check_str=base.SYSTEM_READER,

126
keystone/tests/unit/protection/v3/test_policy_association.py
View File

@ -292,3 +292,129 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserPoliciesAssociationTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_policy_association_for_endpoint(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
with self.test_client() as c:
c.put(
'/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
% (policy['id'], endpoint['id']),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
def test_user_can_delete_policy_association_for_endpoint(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
with self.test_client() as c:
c.delete(
'/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
% (policy['id'], endpoint['id']),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
def test_user_can_create_policy_association_for_service(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
with self.test_client() as c:
c.put(
'/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
% (policy['id'], service['id']),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
def test_user_can_delete_policy_association_for_service(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
with self.test_client() as c:
c.delete(
'/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
% (policy['id'], service['id']),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
def test_user_can_create_policy_association_for_region_and_service(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
with self.test_client() as c:
c.put(
'/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
% (policy['id'], service['id'], region['id']),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
def test_user_can_delete_policy_association_for_region_and_service(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
with self.test_client() as c:
c.delete(
'/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
% (policy['id'], service['id'], region['id']),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)

72
releasenotes/notes/bug-1805409-8bc6cc9f1c5bc672.yaml Normal file
View File

@ -0,0 +1,72 @@
---
features:
- |
[`bug 1805409 <https://bugs.launchpad.net/keystone/+bug/1805409>`_]
The policy and policy associations API now supports the ``admin``,
``member``, and ``reader`` default roles.
upgrade:
- |
[`bug 1805409 <https://bugs.launchpad.net/keystone/+bug/1805409>`_]
The policy and policy associations API uses new default policies to
make it more accessible to end users and administrators in a secure way.
Please consider these new defaults if your deployment overrides policy
and policy associations policies.
deprecations:
- |
[`bug 1805409 <https://bugs.launchpad.net/keystone/+bug/1805409>`_]
The policy and policy associations policies have been deprecated. The
``identity:get_policy`` policy now uses
``role:reader and system_scope:all`` instead of
``rule:admin_required``. The ``identity:list_policies`` policy
now uses ``role:reader and system_scope:all`` instead of
``rule:admin_required``. The ``identity:update_policy`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.The ``identity:create_policy`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``. The ``identity:delete_policy`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:check_policy_association_for_endpoint`` policy
now uses ``role:reader and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:check_policy_association_for_service`` policy
now uses ``role:reader and system_scope:all`` instead of
``role:reader and system_scope:all``.
The ``identity:check_policy_association_for_region_and_service`` policy
now uses ``role:reader and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:get_policy_for_endpoint`` policy
now uses ``role:reader and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:list_endpoints_for_policy`` policy
now use ``role:reader and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:create_policy_association_for_endpoint`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:delete_policy_association_for_endpoint`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:create_policy_association_for_service`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:delete_policy_association_for_service`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:create_policy_association_for_region_and_service`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:delete_policy_association_for_region_and_service`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to delegate
subsets of responsibility without compromising security. Please consider
these new defaults if your deployment overrides the policy and policy
associations policies.
security:
- |
[`bug 1805409 <https://bugs.launchpad.net/keystone/+bug/1805409>`_]
The policy and policy associations API now uses system-scope and default
roles to provide better accessibility to users in a secure manner.