Merge "Update registered limit policies for system admin"
commit
36b7e7e5bc
|
@ -41,21 +41,21 @@ registered_limit_policies = [
|
|||
'method': 'HEAD'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_registered_limits',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str='role:admin',
|
||||
scope_types=['system'],
|
||||
description='Create registered limits.',
|
||||
operations=[{'path': '/v3/registered_limits',
|
||||
'method': 'POST'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'update_registered_limit',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str='role:admin',
|
||||
scope_types=['system'],
|
||||
description='Update registered limit.',
|
||||
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
|
||||
'method': 'PATCH'}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_registered_limit',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str='role:admin',
|
||||
scope_types=['system'],
|
||||
description='Delete registered limit.',
|
||||
operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
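Review bot: The `check_str='role:admin'` lines (which appear to be the new side of the three `check_str` pairs) rely entirely on `scope_types=['system']` to keep project-scoped admins out, and oslo.policy only rejects a scope mismatch when `[oslo_policy] enforce_scope` is true. With that option off, a token carrying the admin role on any project would satisfy the create, update and delete rules for registered limits. I would add a comment above the first rule, e.g. `# 'role:admin' is only restricted to system scope when [oslo_policy] enforce_scope is True`, and lift the repeated literal into one module-level constant such as `SYSTEM_ADMIN = 'role:admin'`. The `registered_limit_policies` list starts and ends outside this hunk.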
|
||||
|
|
|
@ -193,3 +193,125 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
|
|||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
|
||||
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
# Reuse the system administrator account created during
|
||||
# ``keystone-manage bootstrap``
|
||||
self.user_id = self.bootstrapper.admin_user_id
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.user_id,
|
||||
password=self.bootstrapper.admin_password,
|
||||
system=True
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
def test_user_can_get_a_registered_limit(self):
|
||||
service = PROVIDERS.catalog_api.create_service(
|
||||
uuid.uuid4().hex, unit.new_service_ref()
|
||||
)
|
||||
|
||||
registered_limit = unit.new_registered_limit_ref(
|
||||
service_id=service['id'], id=uuid.uuid4().hex
|
||||
)
|
||||
limits = PROVIDERS.unified_limit_api.create_registered_limits(
|
||||
[registered_limit]
|
||||
)
|
||||
limit_id = limits[0]['id']
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.get(
|
||||
'/v3/registered_limits/%s' % limit_id, headers=self.headers
|
||||
)
|
||||
self.assertEqual(limit_id, r.json['registered_limit']['id'])
|
||||
|
||||
def test_user_can_list_registered_limits(self):
|
||||
service = PROVIDERS.catalog_api.create_service(
|
||||
uuid.uuid4().hex, unit.new_service_ref()
|
||||
)
|
||||
|
||||
registered_limit = unit.new_registered_limit_ref(
|
||||
service_id=service['id'], id=uuid.uuid4().hex
|
||||
)
|
||||
limits = PROVIDERS.unified_limit_api.create_registered_limits(
|
||||
[registered_limit]
|
||||
)
|
||||
limit_id = limits[0]['id']
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.get(
|
||||
'/v3/registered_limits', headers=self.headers
|
||||
)
|
||||
self.assertTrue(len(r.json['registered_limits']) == 1)
|
||||
self.assertEqual(limit_id, r.json['registered_limits'][0]['id'])
|
||||
|
||||
def test_user_can_create_registered_limits(self):
|
||||
service = PROVIDERS.catalog_api.create_service(
|
||||
uuid.uuid4().hex, unit.new_service_ref()
|
||||
)
|
||||
|
||||
create = {
|
||||
'registered_limits': [
|
||||
unit.new_registered_limit_ref(
|
||||
service_id=service['id']
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
with self.test_client() as c:
|
||||
c.post('/v3/registered_limits', json=create, headers=self.headers)
|
||||
|
||||
def test_user_can_update_registered_limits(self):
|
||||
service = PROVIDERS.catalog_api.create_service(
|
||||
uuid.uuid4().hex, unit.new_service_ref()
|
||||
)
|
||||
|
||||
registered_limit = unit.new_registered_limit_ref(
|
||||
service_id=service['id'], id=uuid.uuid4().hex
|
||||
)
|
||||
limits = PROVIDERS.unified_limit_api.create_registered_limits(
|
||||
[registered_limit]
|
||||
)
|
||||
limit_id = limits[0]['id']
|
||||
|
||||
with self.test_client() as c:
|
||||
update = {
|
||||
'registered_limit': {'default_limit': 5}
|
||||
}
|
||||
|
||||
c.patch(
|
||||
'/v3/registered_limits/%s' % limit_id, json=update,
|
||||
headers=self.headers
|
||||
)
|
||||
|
||||
def test_user_can_delete_registered_limits(self):
|
||||
service = PROVIDERS.catalog_api.create_service(
|
||||
uuid.uuid4().hex, unit.new_service_ref()
|
||||
)
|
||||
|
||||
registered_limit = unit.new_registered_limit_ref(
|
||||
service_id=service['id'], id=uuid.uuid4().hex
|
||||
)
|
||||
limits = PROVIDERS.unified_limit_api.create_registered_limits(
|
||||
[registered_limit]
|
||||
)
|
||||
limit_id = limits[0]['id']
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/registered_limits/%s' % limit_id, headers=self.headers
|
||||
)
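Review bot: `test_user_can_create_registered_limits`, `test_user_can_update_registered_limits` and `test_user_can_delete_registered_limits` send the request and assert nothing on the response, so unless the test client checks a status by default (not visible in this hunk) they would still pass if the policy denied the call. Capture the response and pin the outcome, e.g. `r = c.post('/v3/registered_limits', json=create, headers=self.headers)` followed by `self.assertEqual(201, r.status_code)`, and do the same for PATCH and DELETE. The class also covers only the allowed path: a case that authenticates the same admin with project scope and expects rejection would exercise the system-scope restriction that `enforce_scope=True` in `setUp` turns on. Minor: `self.assertTrue(len(...) == 1)` gives a clearer failure as `self.assertEqual(1, len(r.json['registered_limits']))`.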
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
|
||||
The registered limit API now supports the ``admin``, ``member``, and
|
||||
``reader`` default roles.
|
||||
upgrade:
|
||||
- |
|
||||
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
|
||||
The following registered limit policy check strings have changed
|
||||
in favor of more clear and concise defaults:
|
||||
|
||||
* ``identity:create_registered_limits``
|
||||
* ``identity:update_registered_limit``
|
||||
* ``identity:delete_registered_limit``
|
||||
|
||||
These policies are not being formally deprecated because the
|
||||
unified limits API is still considered experiemental. Please
|
||||
consider these new defaults if your deployment overrides the
|
||||
registered limit policies.
|
||||
security:
|
||||
- |
|
||||
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
|
||||
The registered limit API now uses system-scope and default
|
||||
roles to provide better accessibility to users in a secure way.
|