authorZuul <zuul@review.openstack.org>2018-12-12 19:29:09 +0000
committerGerrit Code Review <review@openstack.org>2018-12-12 19:29:09 +0000
commit36b7e7e5bc13b0931ae1a9e69a44cabd5d672368 (patch)
tree83e6e239a5d1aec8b1aaf09c429b97169cf631e3
parent334262d67ee6dadadc199724877fbadb021bd8bc (diff)
parent4f5e462844b6bebf112b54b75db87165f9e3919b (diff)
Merge "Update registered limit policies for system admin"HEADmaster
-rw-r--r--keystone/common/policies/registered_limit.py6
-rw-r--r--keystone/tests/unit/protection/v3/test_registered_limits.py122
-rw-r--r--releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml25
3 files changed, 150 insertions, 3 deletions
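--- a/keystone/common/policies/registered_limit.py
+++ b/keystone/common/policies/registered_limit.py
@@ -41,21 +41,21 @@ registered_limit_policies = [
  'method': 'HEAD'}]),
  policy.DocumentedRuleDefault(
  name=base.IDENTITY % 'create_registered_limits',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str='role:admin',
  scope_types=['system'],
  description='Create registered limits.',
  operations=[{'path': '/v3/registered_limits',
  'method': 'POST'}]),
  policy.DocumentedRuleDefault(
  name=base.IDENTITY % 'update_registered_limit',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str='role:admin',
  scope_types=['system'],
  description='Update registered limit.',
  operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
  'method': 'PATCH'}]),
  policy.DocumentedRuleDefault(
  name=base.IDENTITY % 'delete_registered_limit',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str='role:admin',
  scope_types=['system'],
  description='Delete registered limit.',
  operations=[{'path': '/v3/registered_limits/{registered_limit_id}',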
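Review bot: The new `check_str='role:admin'` on the create, update and delete rules is tied to system scope only through `scope_types=['system']`, and oslo.policy enforces scope_types only when `[oslo_policy] enforce_scope` is true — with it off a scope mismatch is merely logged, so a project-scoped token that happens to carry the `admin` role still satisfies `role:admin`, exactly as it satisfied the old rule. If `base.RULE_ADMIN_REQUIRED` still expands to a rule that also accepts `is_admin:1` (I cannot see base.py from here), this change additionally drops the `admin_token` path for these three operations, which the release note does not mention. I would add a comment above the first changed rule, `# NOTE: 'role:admin' is confined to system scope only when oslo_policy.enforce_scope=True; with it off, any project admin still matches`, and state in the upgrade note that the tightening depends on enforce_scope (fixing `experiemental` while there). The `registered_limit_policies` list opens before this hunk and closes after it.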
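--- a/keystone/tests/unit/protection/v3/test_registered_limits.py
+++ b/keystone/tests/unit/protection/v3/test_registered_limits.py
@@ -193,3 +193,125 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  r = c.post('/v3/auth/tokens', json=auth)
  self.token_id = r.headers['X-Subject-Token']
  self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+ common_auth.AuthTestMixin):
+
+ def setUp(self):
+ super(SystemAdminTests, self).setUp()
+ self.loadapp()
+ self.useFixture(ksfixtures.Policy(self.config_fixture))
+ self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+ # Reuse the system administrator account created during
+ # ``keystone-manage bootstrap``
+ self.user_id = self.bootstrapper.admin_user_id
+ auth = self.build_authentication_request(
+ user_id=self.user_id,
+ password=self.bootstrapper.admin_password,
+ system=True
+ )
+
+ # Grab a token using the persona we're testing and prepare headers
+ # for requests we'll be making in the tests.
+ with self.test_client() as c:
+ r = c.post('/v3/auth/tokens', json=auth)
+ self.token_id = r.headers['X-Subject-Token']
+ self.headers = {'X-Auth-Token': self.token_id}
+
+ def test_user_can_get_a_registered_limit(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ r = c.get(
+ '/v3/registered_limits/%s' % limit_id, headers=self.headers
+ )
+ self.assertEqual(limit_id, r.json['registered_limit']['id'])
+
+ def test_user_can_list_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ r = c.get(
+ '/v3/registered_limits', headers=self.headers
+ )
+ self.assertTrue(len(r.json['registered_limits']) == 1)
+ self.assertEqual(limit_id, r.json['registered_limits'][0]['id'])
+
+ def test_user_can_create_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ create = {
+ 'registered_limits': [
+ unit.new_registered_limit_ref(
+ service_id=service['id']
+ )
+ ]
+ }
+
+ with self.test_client() as c:
+ c.post('/v3/registered_limits', json=create, headers=self.headers)
+
+ def test_user_can_update_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ update = {
+ 'registered_limit': {'default_limit': 5}
+ }
+
+ c.patch(
+ '/v3/registered_limits/%s' % limit_id, json=update,
+ headers=self.headers
+ )
+
+ def test_user_can_delete_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ c.delete(
+ '/v3/registered_limits/%s' % limit_id, headers=self.headers
+ )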
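Review bot: `test_user_can_create_registered_limits`, `test_user_can_update_registered_limits` and `test_user_can_delete_registered_limits` (new lines 276, 296-299 and 315-317) send the request and assert nothing about the response or the stored limit, so they prove the admin is not rejected only if the test client raises on an unexpected status by default — that wrapper is not visible here, so please confirm it, or pass the expectation explicitly, e.g. `c.post('/v3/registered_limits', json=create, headers=self.headers, expected_status_code=http_client.CREATED)` with whatever status constant this module already imports. The update test should also read the limit back and assert `default_limit == 5`, and the delete test that a follow-up GET returns 404, so a policy that allows the call but does not act is caught. This class exercises only the happy path for the bootstrap admin; given the switch to a bare `role:admin` check, a negative case — a project-scoped token carrying `admin` receiving 403 on POST/PATCH/DELETE under `enforce_scope=True` — belongs in this module unless a sibling class outside the hunk already covers it. `self.assertTrue(len(r.json['registered_limits']) == 1)` on new line 259 would report the actual count on failure as `self.assertEqual(1, len(r.json['registered_limits']))`. SystemMemberTests, whose setUp tail forms the context lines, starts above this hunk.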
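--- /dev/null
+++ b/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml
@@ -0,0 +1,25 @@
+---
+features:
+ - |
+ [`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
+ The registered limit API now supports the ``admin``, ``member``, and
+ ``reader`` default roles.
+upgrade:
+ - |
+ [`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
+ The following registered limit policy check strings have changed
+ in favor of more clear and concise defaults:
+
+ * ``identity:create_registered_limits``
+ * ``identity:update_registered_limit``
+ * ``identity:delete_registered_limit``
+
+ These policies are not being formally deprecated because the
+ unified limits API is still considered experiemental. Please
+ consider these new defaults if your deployment overrides the
+ registered limit policies.
+security:
+ - |
+ [`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
+ The registered limit API now uses system-scope and default
+ roles to provide better accessibility to users in a secure way.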