Merge "Update registered limit policies for system admin"

This commit is contained in:
Zuul 2018-12-12 19:29:09 +00:00 committed by Gerrit Code Review
commit 36b7e7e5bc
3 changed files with 150 additions and 3 deletions


@ -41,21 +41,21 @@ registered_limit_policies = [
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_registered_limits',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
description='Create registered limits.',
operations=[{'path': '/v3/registered_limits',
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_registered_limit',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
description='Update registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
'method': 'PATCH'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_registered_limit',
check_str=base.RULE_ADMIN_REQUIRED,
check_str='role:admin',
scope_types=['system'],
description='Delete registered limit.',
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',


@ -193,3 +193,125 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_get_a_registered_limit(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
r = c.get(
'/v3/registered_limits/%s' % limit_id, headers=self.headers
)
self.assertEqual(limit_id, r.json['registered_limit']['id'])
def test_user_can_list_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
r = c.get(
'/v3/registered_limits', headers=self.headers
)
self.assertTrue(len(r.json['registered_limits']) == 1)
self.assertEqual(limit_id, r.json['registered_limits'][0]['id'])
def test_user_can_create_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
create = {
'registered_limits': [
unit.new_registered_limit_ref(
service_id=service['id']
)
]
}
with self.test_client() as c:
c.post('/v3/registered_limits', json=create, headers=self.headers)
def test_user_can_update_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
update = {
'registered_limit': {'default_limit': 5}
}
c.patch(
'/v3/registered_limits/%s' % limit_id, json=update,
headers=self.headers
)
def test_user_can_delete_registered_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
limit_id = limits[0]['id']
with self.test_client() as c:
c.delete(
'/v3/registered_limits/%s' % limit_id, headers=self.headers
)
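Review bot: `test_user_can_create_registered_limits`, `test_user_can_update_registered_limits` and `test_user_can_delete_registered_limits` issue their request and never inspect the response, so a 403 from the policy under test would still pass all three; only the get and list tests check anything about the result. Each should pin the status, either by keeping the response and asserting `self.assertEqual(http_client.CREATED, r.status_code)` (or the numeric code if `http_client` is not imported in this file) or via the test client's `expected_status_code` keyword if this client supports it, as the member and reader tests above this hunk may already do. Separately, `self.assertTrue(len(r.json['registered_limits']) == 1)` reads better as `self.assertEqual(1, len(r.json['registered_limits']))`, which also reports the actual length when it fails. The `SystemAdminTests.setUp` body repeats the `SystemMemberTests.setUp` shown as context above apart from the user and password; a shared helper taking those two values would remove the duplication.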


@ -0,0 +1,25 @@
---
features:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The registered limit API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The following registered limit policy check strings have changed
in favor of more clear and concise defaults:
* ``identity:create_registered_limits``
* ``identity:update_registered_limit``
* ``identity:delete_registered_limit``
These policies are not being formally deprecated because the
unified limits API is still considered experiemental. Please
consider these new defaults if your deployment overrides the
registered limit policies.
security:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The registered limit API now uses system-scope and default
roles to provide better accessibility to users in a secure way.