Merge "Fix cloud_admin rule and ensure only project tokens can be cloud admin"
068b1df841
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"admin_required": "role:admin",
|
||||
"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
|
||||
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
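Review bot: The repaired `cloud_admin` rule still matches any project-scoped `role:admin` token whose credentials carry no `is_admin_project` key, because the token model in this same commit returns True when the key is absent, so the `is_admin_project:True` clause is only a real restriction once the deployment populates that key (presumably when an admin project is configured — confirm against the token provider). The right-hand `domain_id:admin_domain_id` also appears to be a placeholder the operator must replace with the real admin domain id; a JSON file has no comment syntax, so both facts belong in the release note's `upgrade` section or the policy docs rather than here. Suggested wording: "`is_admin_project:True` is satisfied by any project-scoped token that lacks the key; deployments must configure the admin project and replace `admin_domain_id` before relying on `cloud_admin`."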
|
||||
|
|
|
@ -194,7 +194,13 @@ class KeystoneToken(dict):
|
|||
|
||||
@property
|
||||
def is_admin_project(self):
|
||||
if self.domain_scoped:
|
||||
# Currently, domain scoped tokens cannot act as is_admin_project
|
||||
return False
|
||||
|
||||
# True gets returned by default for compatibility with older versions
|
||||
# TODO(henry-nash): This seems inherently dangerous, and we should
|
||||
# investigate how we can default this to False.
|
||||
return self.get('is_admin_project', True)
|
||||
|
||||
@property
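Review bot: The new guard at the top of `is_admin_project` excludes only domain-scoped tokens, while the release note states the feature is meaningful only for project-scoped tokens; an unscoped token therefore still falls through to the compatibility default on the last `return` and reports True. Expressing the contract positively, `if not self.project_scoped:` followed by `return False`, covers that case using the `project_scoped` property the tests already exercise, though check whether any caller relies on unscoped tokens answering True. The retained default of True for project-scoped tokens that lack the key is the security-relevant part of the TODO: with `policy.v3cloudsample.json` every project-scoped `role:admin` token satisfies `is_admin_project:True` until the key is explicitly set, so the comment above the `return` should say so rather than calling it a compatibility detail. The enclosing `KeystoneToken` class starts outside this hunk.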
|
||||
|
|
|
@ -209,8 +209,8 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||
|
||||
domain_policy = unit.dirs.etc('policy.v3cloudsample.json')
|
||||
enforcer = common_policy.Enforcer(CONF, policy_file=domain_policy)
|
||||
self.assertRaises(TypeError, enforcer.enforce,
|
||||
action, target, credentials)
|
||||
result = enforcer.enforce(action, target, credentials)
|
||||
self.assertTrue(result)
|
||||
|
||||
def test_all_targets_documented(self):
|
||||
# All the targets in the sample policy file must be documented in
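Review bot: The replacement assertions only prove that the sample file now loads and grants the `credentials` built earlier in the test; the regression this commit closes (a domain-scoped admin treated as cloud admin) has no negative case here. After the `assertTrue`, add a second enforcement with a domain-scoped credential set, e.g. `domain_creds = dict(credentials, is_admin_project=False, domain_id=uuid.uuid4().hex)` and `self.assertFalse(enforcer.enforce(action, target, domain_creds))`, assuming `action` resolves to a rule guarded by `cloud_admin` — `action`, `target` and `credentials` are defined above the hunk, so confirm their values. The enclosing test method starts outside this hunk.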
|
||||
|
|
|
@ -72,6 +72,7 @@ class TestKeystoneTokenModel(core.TestCase):
|
|||
self.assertEqual(
|
||||
self.v3_sample_token['token']['OS-TRUST:trust']['trustee_user_id'],
|
||||
token_data.trustee_user_id)
|
||||
|
||||
# Project Scoped Token
|
||||
self.assertRaises(exception.UnexpectedError, getattr, token_data,
|
||||
'domain_id')
|
||||
|
@ -85,12 +86,18 @@ class TestKeystoneTokenModel(core.TestCase):
|
|||
self.assertTrue(token_data.project_scoped)
|
||||
self.assertTrue(token_data.scoped)
|
||||
self.assertTrue(token_data.trust_scoped)
|
||||
|
||||
# by default admin project is True for project scoped tokens
|
||||
self.assertTrue(token_data.is_admin_project)
|
||||
|
||||
self.assertEqual(
|
||||
[r['id'] for r in self.v3_sample_token['token']['roles']],
|
||||
token_data.role_ids)
|
||||
self.assertEqual(
|
||||
[r['name'] for r in self.v3_sample_token['token']['roles']],
|
||||
token_data.role_names)
|
||||
|
||||
# Domain Scoped Token
|
||||
token_data.pop('project')
|
||||
self.assertFalse(token_data.project_scoped)
|
||||
self.assertFalse(token_data.scoped)
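Review bot: The added `assertTrue(token_data.is_admin_project)` pins the compatibility default (key absent means True) for a project-scoped token, which is the behaviour the model's own TODO calls dangerous; a test that locks it in should at least also show that an explicit value is honoured. Add, directly after it, `token_data['is_admin_project'] = False` and `self.assertFalse(token_data.is_admin_project)` (then `del token_data['is_admin_project']` so the domain-scoped section below is unaffected), so a future change that stops honouring the key is caught. Note the token here is also trust-scoped per the preceding assertion, so the default applies to trust tokens too; if that is intentional the comment above the assertion should say "project- or trust-scoped". The enclosing test method continues past this hunk.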
|
||||
|
@ -119,8 +126,8 @@ class TestKeystoneTokenModel(core.TestCase):
|
|||
self.assertIsNone(token_data.audit_id)
|
||||
self.assertIsNone(token_data.audit_chain_id)
|
||||
|
||||
# by default admin project is True
|
||||
self.assertTrue(token_data.is_admin_project)
|
||||
# by default admin project is False for domain scoped tokens
|
||||
self.assertFalse(token_data.is_admin_project)
|
||||
|
||||
def test_token_model_v3_federated_user(self):
|
||||
token_data = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1651989 <https://bugs.launchpad.net/keystone/+bug/1651989>`_]
|
||||
Due to ``bug 1547684``, when using the ``policy.v3cloudsample.json``
|
||||
sample file, a domain admin token was being treated as a cloud admin.
|
||||
Since the ``is_admin_project`` functionality only supports project-
|
||||
scoped tokens, we automatically set any domain scoped token to have
|
||||
the property ``is_admin_project`` to ``False``.
|
||||
|
||||
[`bug 1547684 <https://bugs.launchpad.net/keystone/+bug/1547684>`_]
|
||||
A typo in the ``policy.v3cloudsample.json`` sample file was causing
|
||||
`oslo.policy` to not load the file. See the ``upgrades`` section for
|
||||
more details.
|
||||
upgrade:
|
||||
- |
|
||||
[`bug 1547684 <https://bugs.launchpad.net/keystone/+bug/1547684>`_]
|
||||
A minor change to the ``policy.v3cloudsample.json`` sample file was
|
||||
performed so the sample file loads correctly. The ``cloud_admin``
|
||||
rule has changed from::
|
||||
|
||||
"role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)"
|
||||
|
||||
To the properly written::
|
||||
|
||||
"role:admin and (is_admin_project:True or domain_id:admin_domain_id)"
|
||||
|
||||
Adjust configuration tools as necessary, see the ``fixes`` section for more
|
||||
details on this change.
|