Allow admin to access tokens and credentials
This patch modifies a few policies to allow users with the "admin" role to access /v3/auth/tokens and /v3/credentials. These policies were missed when we implemented Phase 1 of Secure RBAC. Change-Id: Id789c09121f1405f7ba5e4926498dab4ad98e057
This commit is contained in:
parent
a050129384
commit
b31007e1b2
|
@ -46,7 +46,7 @@ deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
|
||||||
application_credential_policies = [
|
application_credential_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_application_credential',
|
name=base.IDENTITY % 'get_application_credential',
|
||||||
check_str=base.RULE_SYSTEM_READER_OR_OWNER,
|
check_str=base.ADMIN_OR_SYSTEM_READER_OR_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Show application credential details.',
|
description='Show application credential details.',
|
||||||
operations=[{'path': resource_path,
|
operations=[{'path': resource_path,
|
||||||
|
@ -56,7 +56,7 @@ application_credential_policies = [
|
||||||
deprecated_rule=deprecated_get_application_credentials_for_user),
|
deprecated_rule=deprecated_get_application_credentials_for_user),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_application_credentials',
|
name=base.IDENTITY % 'list_application_credentials',
|
||||||
check_str=base.RULE_SYSTEM_READER_OR_OWNER,
|
check_str=base.ADMIN_OR_SYSTEM_READER_OR_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='List application credentials for a user.',
|
description='List application credentials for a user.',
|
||||||
operations=[{'path': collection_path,
|
operations=[{'path': collection_path,
|
||||||
|
@ -73,7 +73,7 @@ application_credential_policies = [
|
||||||
'method': 'POST'}]),
|
'method': 'POST'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_application_credential',
|
name=base.IDENTITY % 'delete_application_credential',
|
||||||
check_str=base.RULE_SYSTEM_ADMIN_OR_OWNER,
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Delete an application credential.',
|
description='Delete an application credential.',
|
||||||
operations=[{'path': resource_path,
|
operations=[{'path': resource_path,
|
||||||
|
|
|
@ -48,16 +48,20 @@ SYSTEM_READER = 'role:reader and system_scope:all'
|
||||||
SYSTEM_ADMIN = 'role:admin and system_scope:all'
|
SYSTEM_ADMIN = 'role:admin and system_scope:all'
|
||||||
DOMAIN_READER = 'role:reader and domain_id:%(target.domain_id)s'
|
DOMAIN_READER = 'role:reader and domain_id:%(target.domain_id)s'
|
||||||
RULE_SYSTEM_ADMIN_OR_OWNER = '(' + SYSTEM_ADMIN + ') or rule:owner'
|
RULE_SYSTEM_ADMIN_OR_OWNER = '(' + SYSTEM_ADMIN + ') or rule:owner'
|
||||||
RULE_SYSTEM_READER_OR_OWNER = '(' + SYSTEM_READER + ') or rule:owner'
|
ADMIN_OR_SYSTEM_READER_OR_OWNER = (
|
||||||
|
'(' + RULE_ADMIN_REQUIRED + ') or '
|
||||||
|
'(' + SYSTEM_READER + ') or rule:owner'
|
||||||
|
)
|
||||||
RULE_ADMIN_OR_SYSTEM_READER = 'rule:admin_required or (' + SYSTEM_READER + ')'
|
RULE_ADMIN_OR_SYSTEM_READER = 'rule:admin_required or (' + SYSTEM_READER + ')'
|
||||||
|
|
||||||
# Credential and EC2 Credential policies
|
# Credential and EC2 Credential policies
|
||||||
SYSTEM_READER_OR_CRED_OWNER = (
|
ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER = (
|
||||||
|
'(' + RULE_ADMIN_REQUIRED + ') or '
|
||||||
'(' + SYSTEM_READER + ') '
|
'(' + SYSTEM_READER + ') '
|
||||||
'or user_id:%(target.credential.user_id)s'
|
'or user_id:%(target.credential.user_id)s'
|
||||||
)
|
)
|
||||||
SYSTEM_ADMIN_OR_CRED_OWNER = (
|
ADMIN_OR_CRED_OWNER = (
|
||||||
'(' + SYSTEM_ADMIN + ') '
|
'(' + RULE_ADMIN_REQUIRED + ') '
|
||||||
'or user_id:%(target.credential.user_id)s'
|
'or user_id:%(target.credential.user_id)s'
|
||||||
)
|
)
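Review bot: `RULE_SYSTEM_READER_OR_OWNER` looks replaced here rather than kept next to the new `ADMIN_OR_SYSTEM_READER_OR_OWNER` (the old column holds it at the row where the new constant begins, and the hunk's net +4 matches a replace), yet the ec2 credential test hunk further down this page still reads `reader_or_owner = bp.RULE_SYSTEM_READER_OR_OWNER` unchanged; if the constant is gone, that test fails with AttributeError before any policy is exercised. Either keep the old name, `RULE_SYSTEM_READER_OR_OWNER = '(' + SYSTEM_READER + ') or rule:owner'`, or update the test to the new constant. The new rules also inline `RULE_ADMIN_REQUIRED`, which is defined earlier in this file outside the hunk; as far as is visible here that rule carries no `system_scope` term, unlike the `SYSTEM_ADMIN`/`SYSTEM_READER` fragments it is OR'ed with, so a one-line comment above `ADMIN_OR_SYSTEM_READER_OR_OWNER` such as `# rule:admin_required is not scope-bound; admins of any scope pass these rules during the RBAC migration` would make the intended widening explicit for whoever tightens it later.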
|
||||||
|
|
||||||
|
|
|
@ -54,7 +54,7 @@ deprecated_delete_credential = policy.DeprecatedRule(
|
||||||
credential_policies = [
|
credential_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_credential',
|
name=base.IDENTITY % 'get_credential',
|
||||||
check_str=base.SYSTEM_READER_OR_CRED_OWNER,
|
check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Show credentials details.',
|
description='Show credentials details.',
|
||||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||||
|
@ -63,7 +63,7 @@ credential_policies = [
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_credentials',
|
name=base.IDENTITY % 'list_credentials',
|
||||||
check_str=base.SYSTEM_READER_OR_CRED_OWNER,
|
check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='List credentials.',
|
description='List credentials.',
|
||||||
operations=[{'path': '/v3/credentials',
|
operations=[{'path': '/v3/credentials',
|
||||||
|
@ -72,7 +72,7 @@ credential_policies = [
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_credential',
|
name=base.IDENTITY % 'create_credential',
|
||||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
check_str=base.ADMIN_OR_CRED_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Create credential.',
|
description='Create credential.',
|
||||||
operations=[{'path': '/v3/credentials',
|
operations=[{'path': '/v3/credentials',
|
||||||
|
@ -81,7 +81,7 @@ credential_policies = [
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'update_credential',
|
name=base.IDENTITY % 'update_credential',
|
||||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
check_str=base.ADMIN_OR_CRED_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Update credential.',
|
description='Update credential.',
|
||||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||||
|
@ -90,7 +90,7 @@ credential_policies = [
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_credential',
|
name=base.IDENTITY % 'delete_credential',
|
||||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
check_str=base.ADMIN_OR_CRED_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Delete credential.',
|
description='Delete credential.',
|
||||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||||
|
|
|
@ -48,7 +48,7 @@ deprecated_ec2_delete_credential = policy.DeprecatedRule(
|
||||||
ec2_credential_policies = [
|
ec2_credential_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_get_credential',
|
name=base.IDENTITY % 'ec2_get_credential',
|
||||||
check_str=base.SYSTEM_READER_OR_CRED_OWNER,
|
check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Show ec2 credential details.',
|
description='Show ec2 credential details.',
|
||||||
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
||||||
|
@ -58,7 +58,7 @@ ec2_credential_policies = [
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_list_credentials',
|
name=base.IDENTITY % 'ec2_list_credentials',
|
||||||
check_str=base.RULE_SYSTEM_READER_OR_OWNER,
|
check_str=base.ADMIN_OR_SYSTEM_READER_OR_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='List ec2 credentials.',
|
description='List ec2 credentials.',
|
||||||
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
||||||
|
@ -67,7 +67,7 @@ ec2_credential_policies = [
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_create_credential',
|
name=base.IDENTITY % 'ec2_create_credential',
|
||||||
check_str=base.RULE_SYSTEM_ADMIN_OR_OWNER,
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Create ec2 credential.',
|
description='Create ec2 credential.',
|
||||||
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
|
||||||
|
@ -76,7 +76,7 @@ ec2_credential_policies = [
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'ec2_delete_credential',
|
name=base.IDENTITY % 'ec2_delete_credential',
|
||||||
check_str=base.SYSTEM_ADMIN_OR_CRED_OWNER,
|
check_str=base.ADMIN_OR_CRED_OWNER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
description='Delete ec2 credential.',
|
description='Delete ec2 credential.',
|
||||||
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
|
||||||
|
|
|
@ -38,13 +38,15 @@ deprecated_revoke_token = policy.DeprecatedRule(
|
||||||
deprecated_since=versionutils.deprecated.TRAIN
|
deprecated_since=versionutils.deprecated.TRAIN
|
||||||
)
|
)
|
||||||
|
|
||||||
SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
|
ADMIN_OR_TOKEN_SUBJECT = (
|
||||||
'(role:admin and system_scope:all) or rule:token_subject' # nosec
|
base.RULE_ADMIN_REQUIRED + ' or rule:token_subject' # nosec
|
||||||
)
|
)
|
||||||
SYSTEM_USER_OR_TOKEN_SUBJECT = (
|
ADMIN_OR_SYSTEM_USER_OR_TOKEN_SUBJECT = (
|
||||||
|
base.RULE_ADMIN_REQUIRED + ' or '
|
||||||
'(role:reader and system_scope:all) or rule:token_subject' # nosec
|
'(role:reader and system_scope:all) or rule:token_subject' # nosec
|
||||||
)
|
)
|
||||||
SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT = (
|
ADMIN_OR_SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT = (
|
||||||
|
base.RULE_ADMIN_REQUIRED + ' or '
|
||||||
'(role:reader and system_scope:all) ' # nosec
|
'(role:reader and system_scope:all) ' # nosec
|
||||||
'or rule:service_role or rule:token_subject' # nosec
|
'or rule:service_role or rule:token_subject' # nosec
|
||||||
)
|
)
|
||||||
|
@ -53,7 +55,7 @@ SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT = (
|
||||||
token_policies = [
|
token_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'check_token',
|
name=base.IDENTITY % 'check_token',
|
||||||
check_str=SYSTEM_USER_OR_TOKEN_SUBJECT,
|
check_str=ADMIN_OR_SYSTEM_USER_OR_TOKEN_SUBJECT,
|
||||||
scope_types=['system', 'domain', 'project'],
|
scope_types=['system', 'domain', 'project'],
|
||||||
description='Check a token.',
|
description='Check a token.',
|
||||||
operations=[{'path': '/v3/auth/tokens',
|
operations=[{'path': '/v3/auth/tokens',
|
||||||
|
@ -61,7 +63,7 @@ token_policies = [
|
||||||
deprecated_rule=deprecated_check_token),
|
deprecated_rule=deprecated_check_token),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'validate_token',
|
name=base.IDENTITY % 'validate_token',
|
||||||
check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
|
check_str=ADMIN_OR_SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
|
||||||
scope_types=['system', 'domain', 'project'],
|
scope_types=['system', 'domain', 'project'],
|
||||||
description='Validate a token.',
|
description='Validate a token.',
|
||||||
operations=[{'path': '/v3/auth/tokens',
|
operations=[{'path': '/v3/auth/tokens',
|
||||||
|
@ -69,7 +71,7 @@ token_policies = [
|
||||||
deprecated_rule=deprecated_validate_token),
|
deprecated_rule=deprecated_validate_token),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'revoke_token',
|
name=base.IDENTITY % 'revoke_token',
|
||||||
check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
|
check_str=ADMIN_OR_TOKEN_SUBJECT,
|
||||||
scope_types=['system', 'domain', 'project'],
|
scope_types=['system', 'domain', 'project'],
|
||||||
description='Revoke a token.',
|
description='Revoke a token.',
|
||||||
operations=[{'path': '/v3/auth/tokens',
|
operations=[{'path': '/v3/auth/tokens',
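Review bot: `ADMIN_OR_TOKEN_SUBJECT` and the two constants after it concatenate `base.RULE_ADMIN_REQUIRED` bare, while the matching rules added to base.py on this page wrap the same term as `'(' + RULE_ADMIN_REQUIRED + ') or '`; picking one form keeps the generated policy strings uniform, e.g. `'(' + base.RULE_ADMIN_REQUIRED + ') or rule:token_subject'  # nosec`. More importantly, the replaced fragment `(role:admin and system_scope:all)` tied admin access to system scope, whereas `rule:admin_required` does not as far as this page shows, so with `scope_types=['system', 'domain', 'project']` a project-scoped admin now satisfies `revoke_token`, `check_token` and `validate_token` for any subject's token; the credential and ec2 credential sections above make the same trade for `/v3/credentials`. That matches the commit's stated intent, but it is the kind of change a later reader may mistake for a regression, so a short comment above these constants recording that the admin grant is deliberately scope-agnostic pending the RBAC migration would help. The `# nosec` markers on the rewritten lines are still needed, since the literals still contain the word token that triggers the hardcoded-secret check.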
|
||||||
|
|
|
@ -1131,11 +1131,13 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
|
||||||
# broken behavior with better scope checking.
|
# broken behavior with better scope checking.
|
||||||
with open(self.policy_file_name, 'w') as f:
|
with open(self.policy_file_name, 'w') as f:
|
||||||
overridden_policies = {
|
overridden_policies = {
|
||||||
'identity:get_credential': bp.SYSTEM_READER_OR_CRED_OWNER,
|
'identity:get_credential':
|
||||||
'identity:list_credentials': bp.SYSTEM_READER_OR_CRED_OWNER,
|
bp.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
|
||||||
'identity:create_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
'identity:list_credentials':
|
||||||
'identity:update_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
|
bp.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
|
||||||
'identity:delete_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER
|
'identity:create_credential': bp.ADMIN_OR_CRED_OWNER,
|
||||||
|
'identity:update_credential': bp.ADMIN_OR_CRED_OWNER,
|
||||||
|
'identity:delete_credential': bp.ADMIN_OR_CRED_OWNER
|
||||||
}
|
}
|
||||||
f.write(jsonutils.dumps(overridden_policies))
|
f.write(jsonutils.dumps(overridden_policies))
|
||||||
|
|
||||||
|
|
|
@ -402,9 +402,9 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
|
||||||
# update permissions or update policies without breaking users. This
|
# update permissions or update policies without breaking users. This
|
||||||
# will cause these specific tests to fail since we're trying to correct
|
# will cause these specific tests to fail since we're trying to correct
|
||||||
# this broken behavior with better scope checking.
|
# this broken behavior with better scope checking.
|
||||||
reader_or_cred_owner = bp.SYSTEM_READER_OR_CRED_OWNER
|
reader_or_cred_owner = bp.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER
|
||||||
reader_or_owner = bp.RULE_SYSTEM_READER_OR_OWNER
|
reader_or_owner = bp.RULE_SYSTEM_READER_OR_OWNER
|
||||||
admin_or_cred_owner = bp.SYSTEM_ADMIN_OR_CRED_OWNER
|
admin_or_cred_owner = bp.ADMIN_OR_CRED_OWNER
|
||||||
with open(self.policy_file_name, 'w') as f:
|
with open(self.policy_file_name, 'w') as f:
|
||||||
overridden_policies = {
|
overridden_policies = {
|
||||||
'identity:ec2_get_credential': reader_or_cred_owner,
|
'identity:ec2_get_credential': reader_or_cred_owner,
|
||||||
|
|