Merge "Test domain and project users against group system assignment API"
This commit is contained in:
commit
140a0110c0
|
@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
|
|||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_list_group_system_role_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_check_group_system_role_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_grant_group_system_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_group_system_assignments(self):
|
||||
group = PROVIDERS.identity_api.create_group(
|
||||
unit.new_group_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_group(
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/system/groups/%s/roles/%s' % (
|
||||
group['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
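Review bot: The mutation tests `test_user_cannot_grant_group_system_assignments` and `test_user_cannot_revoke_group_system_assignments` only assert the 403 status and never confirm that the denied request left the assignment untouched, so a policy that returned FORBIDDEN after applying the grant or revoke would still pass. After the PUT, `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_group(group['id']))` pins the negative side effect, and after the DELETE the mirror check that the member role is still listed does the same; the list helper is the manager-level sibling of `create_system_grant_for_group` used above, so confirm its exact name in the assignment manager before relying on it. The four tests also repeat the same create-group-and-grant setup, which could be lifted into one private helper in `_DomainAndProjectUserSystemAssignmentTests` to keep each test focused on the single request it exercises. The `SystemReaderTests` class header that begins on the last lines of this hunk continues outside it.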
|
||||
|
|
|
@ -19,18 +19,20 @@ deprecations:
|
|||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
||||
The system assignment policies have been deprecated. The
|
||||
``identity:list_system_grants_for_user`` and
|
||||
``identity:check_system_grant_for_user`` policies now use
|
||||
``identity:list_system_grants_for_user``,
|
||||
``identity:check_system_grant_for_user``,
|
||||
``identity:list_system_grants_for_group``, and
|
||||
``identity:check_system_grant_for_group`` policies now use
|
||||
``role:reader and system_scope:all`` instead of
|
||||
``rule:admin_required``. The
|
||||
``identity:create_system_grant_for_user`` and
|
||||
``identity:revoke_system_grant_for_user`` policies now use
|
||||
``role:admin and system_scope:all`` instead of
|
||||
``rule:admin_required``. These new defaults automatically include
|
||||
support for a read-only role and allow for more granular access to
|
||||
the system assignment API, making it easier for administrators to
|
||||
delegate authorization, safely. Please consider these new defaults
|
||||
if your deployment overrides the system assignment APIs.
|
||||
``rule:admin_required``. The ``identity:create_system_grant_for_user``,
|
||||
``identity:revoke_system_grant_for_user``,
|
||||
``identity:create_system_grant_for_group``, and
|
||||
``identity:revoke_system_grant_for_group`` policies now use ``role:admin
|
||||
and system_scope:all`` instead of ``rule:admin_required``. These new
|
||||
defaults automatically include support for a read-only role and allow for
|
||||
more granular access to the system assignment API, making it easier for
|
||||
administrators to delegate authorization, safely. Please consider these new
|
||||
defaults if your deployment overrides the system assignment APIs.
|
||||
security:
|
||||
- |
|
||||
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
||||
|
|