Merge "Fix cloud_admin rule and ensure only project tokens can be cloud admin"
This commit is contained in:
commit
068b1df841
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"admin_required": "role:admin",
|
"admin_required": "role:admin",
|
||||||
"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
|
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
||||||
"service_role": "role:service",
|
"service_role": "role:service",
|
||||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||||
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||||
|
|
|
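Review bot: The corrected clause `is_admin_project:True` also matches tokens that carry no `is_admin_project` field at all, because the token model's property keeps `return self.get('is_admin_project', True)` as its fallback (the TODO kept in that hunk says as much), so under this sample policy any project-scoped token holding `role:admin` satisfies `cloud_admin`, presumably until the deployment configures its admin project so that tokens are issued with an explicit value. The sample file cannot carry a comment, so this belongs in the release note or the policy documentation as a sentence stating that `cloud_admin` only isolates the cloud admin once an admin project is configured. The remainder of the policy file lies outside the hunk.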
@ -194,7 +194,13 @@ class KeystoneToken(dict):
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def is_admin_project(self):
|
def is_admin_project(self):
|
||||||
|
if self.domain_scoped:
|
||||||
|
# Currently, domain scoped tokens cannot act as is_admin_project
|
||||||
|
return False
|
||||||
|
|
||||||
# True gets returned by default for compatibility with older versions
|
# True gets returned by default for compatibility with older versions
|
||||||
|
# TODO(henry-nash): This seems inherently dangerous, and we should
|
||||||
|
# investigate how we can default this to False.
|
||||||
return self.get('is_admin_project', True)
|
return self.get('is_admin_project', True)
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
|
|
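Review bot: The new guard in `is_admin_project` excludes only domain-scoped tokens, while the release note in this commit says the feature supports project-scoped tokens only, so an unscoped token (neither project nor domain) still falls through to `self.get('is_admin_project', True)` and reports True. `role:admin` would presumably fail for such a token anyway, but the property's contract would match the commit title more closely as `if not self.project_scoped:` / `return False`, using the `project_scoped` property the tests in this commit already exercise; if domain-scoped is deliberately the only case excluded, a docstring saying so would help. The `KeystoneToken` class starts and ends outside the hunk.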
@ -209,8 +209,8 @@ class PolicyJsonTestCase(unit.TestCase):
|
||||||
|
|
||||||
domain_policy = unit.dirs.etc('policy.v3cloudsample.json')
|
domain_policy = unit.dirs.etc('policy.v3cloudsample.json')
|
||||||
enforcer = common_policy.Enforcer(CONF, policy_file=domain_policy)
|
enforcer = common_policy.Enforcer(CONF, policy_file=domain_policy)
|
||||||
self.assertRaises(TypeError, enforcer.enforce,
|
result = enforcer.enforce(action, target, credentials)
|
||||||
action, target, credentials)
|
self.assertTrue(result)
|
||||||
|
|
||||||
def test_all_targets_documented(self):
|
def test_all_targets_documented(self):
|
||||||
# All the targets in the sample policy file must be documented in
|
# All the targets in the sample policy file must be documented in
|
||||||
|
|
|
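Review bot: The rewritten assertion only checks the positive case, `self.assertTrue(result)` for whatever `credentials` the enclosing test builds above the hunk, so it proves the sample file now loads and that those credentials pass, but nothing exercises the denial side of the `cloud_admin` fix. A second `enforcer.enforce` call with credentials whose `is_admin_project` is False and whose `domain_id` is not the admin domain, asserted with `self.assertFalse(...)`, would pin the behaviour this commit exists to guarantee; the credentials fixture is not visible here, so its exact shape is inferred. The enclosing test method begins outside the hunk.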
@ -72,6 +72,7 @@ class TestKeystoneTokenModel(core.TestCase):
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
self.v3_sample_token['token']['OS-TRUST:trust']['trustee_user_id'],
|
self.v3_sample_token['token']['OS-TRUST:trust']['trustee_user_id'],
|
||||||
token_data.trustee_user_id)
|
token_data.trustee_user_id)
|
||||||
|
|
||||||
# Project Scoped Token
|
# Project Scoped Token
|
||||||
self.assertRaises(exception.UnexpectedError, getattr, token_data,
|
self.assertRaises(exception.UnexpectedError, getattr, token_data,
|
||||||
'domain_id')
|
'domain_id')
|
||||||
|
@ -85,12 +86,18 @@ class TestKeystoneTokenModel(core.TestCase):
|
||||||
self.assertTrue(token_data.project_scoped)
|
self.assertTrue(token_data.project_scoped)
|
||||||
self.assertTrue(token_data.scoped)
|
self.assertTrue(token_data.scoped)
|
||||||
self.assertTrue(token_data.trust_scoped)
|
self.assertTrue(token_data.trust_scoped)
|
||||||
|
|
||||||
|
# by default admin project is True for project scoped tokens
|
||||||
|
self.assertTrue(token_data.is_admin_project)
|
||||||
|
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
[r['id'] for r in self.v3_sample_token['token']['roles']],
|
[r['id'] for r in self.v3_sample_token['token']['roles']],
|
||||||
token_data.role_ids)
|
token_data.role_ids)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
[r['name'] for r in self.v3_sample_token['token']['roles']],
|
[r['name'] for r in self.v3_sample_token['token']['roles']],
|
||||||
token_data.role_names)
|
token_data.role_names)
|
||||||
|
|
||||||
|
# Domain Scoped Token
|
||||||
token_data.pop('project')
|
token_data.pop('project')
|
||||||
self.assertFalse(token_data.project_scoped)
|
self.assertFalse(token_data.project_scoped)
|
||||||
self.assertFalse(token_data.scoped)
|
self.assertFalse(token_data.scoped)
|
||||||
|
@ -119,8 +126,8 @@ class TestKeystoneTokenModel(core.TestCase):
|
||||||
self.assertIsNone(token_data.audit_id)
|
self.assertIsNone(token_data.audit_id)
|
||||||
self.assertIsNone(token_data.audit_chain_id)
|
self.assertIsNone(token_data.audit_chain_id)
|
||||||
|
|
||||||
# by default admin project is True
|
# by default admin project is False for domain scoped tokens
|
||||||
self.assertTrue(token_data.is_admin_project)
|
self.assertFalse(token_data.is_admin_project)
|
||||||
|
|
||||||
def test_token_model_v3_federated_user(self):
|
def test_token_model_v3_federated_user(self):
|
||||||
token_data = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
|
token_data = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
|
||||||
|
|
|
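Review bot: Both new assertions check only the default path, with `is_admin_project` absent from the token dict, so neither the explicit-value branch for a project-scoped token nor the override the new `domain_scoped` guard applies to an explicitly set value is covered. Since `KeystoneToken` is a dict and the property reads `self.get('is_admin_project', True)`, the domain-scoped block could add `token_data['is_admin_project'] = True` followed by `self.assertFalse(token_data.is_admin_project)` after the assertion changed in this hunk, and the project-scoped block the mirror case with an explicit False. The same gap applies to the project-scoped hunk earlier in this file section.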
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1651989 <https://bugs.launchpad.net/keystone/+bug/1651989>`_]
|
||||||
|
Due to ``bug 1547684``, when using the ``policy.v3cloudsample.json``
|
||||||
|
sample file, a domain admin token was being treated as a cloud admin.
|
||||||
|
Since the ``is_admin_project`` functionality only supports project-
|
||||||
|
scoped tokens, we automatically set any domain scoped token to have
|
||||||
|
the property ``is_admin_project`` to ``False``.
|
||||||
|
|
||||||
|
[`bug 1547684 <https://bugs.launchpad.net/keystone/+bug/1547684>`_]
|
||||||
|
A typo in the ``policy.v3cloudsample.json`` sample file was causing
|
||||||
|
`oslo.policy` to not load the file. See the ``upgrades`` section for
|
||||||
|
more details.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
[`bug 1547684 <https://bugs.launchpad.net/keystone/+bug/1547684>`_]
|
||||||
|
A minor change to the ``policy.v3cloudsample.json`` sample file was
|
||||||
|
performed so the sample file loads correctly. The ``cloud_admin``
|
||||||
|
rule has changed from::
|
||||||
|
|
||||||
|
"role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)"
|
||||||
|
|
||||||
|
To the properly written::
|
||||||
|
|
||||||
|
"role:admin and (is_admin_project:True or domain_id:admin_domain_id)"
|
||||||
|
|
||||||
|
Adjust configuration tools as necessary, see the ``fixes`` section for more
|
||||||
|
details on this change.
|