Commit Graph

110 Commits

Author SHA1 Message Date
Lance Bragstad d4a6023de5 Remove policy.v3cloudsample.json
We've made all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.v3cloudsample.json`` file obsolete.

Let's simplify things for users, operators, and developers by removing
it.

A follow-on patch will remove the test_v3_protection.py file since
those behaviors are passing all the protection tests with the default
policies in code.

Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
2019-10-02 20:26:05 +00:00
Lance Bragstad 5b995cc8fb Remove limit policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default limit
behavior by removing them.

Change-Id: Ie0f333a9e8b60154711a24ba7d9ade531217eb71
Closes-Bug: 1805880
2019-09-24 19:25:45 -07:00
Lance Bragstad 8e67249d5b Add default roles and scope checking to project tags
This commit makes it so that project tags adhere to system-scope and
also incorporates default roles into the policy checks by default.

Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
Closes-Bug: 1844194
Closes-Bug: 1844193
Related-Bug: 1806762
2019-09-19 02:48:39 +00:00
Zuul 18e0080af3 Merge "Remove system Domain Config from policy.v3cloudsample.json" 2019-09-15 22:15:24 +00:00
Zuul 778a8c17ce Merge "Remove system EC2 credentials from policy.v3cloudsample.json" 2019-09-15 22:15:22 +00:00
Vishakha Agarwal 6435017c24 Remove system EC2 credentials from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
Partial-Bug: #1806762
Closes-Bug: #1750678
2019-09-15 20:53:09 +05:30
Vishakha Agarwal 566f8e734d Remove system Domain Config from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff
Partial-Bug: #1806762
Closes-Bug: #1805366
2019-09-15 20:39:19 +05:30
Lance Bragstad cf22f8004e Remove obsolete grant policies from policy.v3cloudsample.json
This commit also removes an obsolete test case from
test_v3_protection.py.

Co-Authored-By: Colleen Murphy <colleen@gazlene.net>

Change-Id: Ic0a654494f96d5dffa0c4d4d96766ab4a2e090b1
Related-Bug: 1806762
2019-09-14 09:39:21 +00:00
Colleen Murphy 9b694fcd08 Implement system scope for domain role management
The roles API was partially converted to use default roles and system
scope but that work did not include converting the domain roles actions.
This commit completes the rest of the work and closes out the system
scope work for the roles API.

Change-Id: Iea5a1559e9bece2c0f310170f05260a978e27b47
Closes-bug: #1805400
Partial-bug: #1805880
2019-09-13 08:23:13 -07:00
Colleen Murphy afb312529b Remove implied roles policies from v3cloudsample
By incorporating system scope and default roles into keystone's default
policies for implied roles, we've effectively made these policies
obsolete.

Change-Id: I75515d3491517ea6e6fa17473a7890ce4653b481
Partial-bug: #1806762
Closes-bug: #1805371
2019-09-11 08:47:15 -07:00
Vishakha Agarwal 704cb2590e Remove system policy and its association from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785
Partial-Bug: #1806762
Closes-Bug: #1805409
2019-09-08 12:48:48 +00:00
Lance Bragstad bb141b1fb4 DRY: Remove redundant policies from policy.v3cloudsample.json
The policies contained in policy.v3cloudsample.json pre-dated any of
the work to move policy defaults into code. Since deploying a policy
file is now optional, we can remove the redundant policies from this
file and make it more maintainable by not repeating ourselves and
violating the DRY principle.

The only policies left are ones that are testing workarounds for bug
968696. Meanwhile, we're pursuing fixes for scope types and default
roles:

  http://tinyurl.com/y5kj6fn9

These fixes are specific to certain resources to make reviews more
understandable for reviewers. As fixes for those bugs land, we will
be removing the remaining checks in this file, since the behavior will
be captured in new default check strings or in code.

Eventually, we will delete this file entirely since we will have
defaults in code that work for `admins`, `members`, and `readers` on
projects, domains, and the deployment system.

Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83
Partial-Bug: 1806762
2019-04-02 19:09:53 +00:00
Colleen Murphy 8877e9f01c Remove redundant policies from v3cloudsample
By incorporating system and domain scope and default roles into
keystone's default policies for domains, we've effectively made these
policies obsolete. This change also removes the redundant group
management tests from the v3cloudsample tests.

Change-Id: I4e3b19f9cc025a472fb27a33955856c2cd17fd1d
Partial-Bug: #1806762
2019-03-27 21:02:02 +01:00
Lance Bragstad d2cc4c83c0 Consolidate user protection tests
This commit removes user policies from policy.v3cloudsample.json. By
incorporating system-scope, domain-scope, project-scope, and default
roles, we've effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified view of
default user behavior by removing them.

This commit also adds an important filter to the GET /v3/users API by
making sure the users in the response are filtered properly if the API
was called with a domain-scoped token. This is needed in case domain
configuration isn't set up and short-circuits normalization of the
domain ID, which sometimes comes from the token if it is
domain-scoped.  Regardless of domain configuration being used, we
should protect against cases where data leaks across domains in the
name of security.

Finally, this commit moves a couple of tests from test_v3_protection
to test_users protection tests that ensure we do reasonable filtering
while normalizing domain IDs. The remaining tests from
test_v3_protection have been removed because they are no longer
applicable. These tests were testing that an HTTP 403 was returned when a
domain user attempted to filter users for domains they didn't have
authorization on. We don't use this approach consistently in keystone.
Most other places where filtering is implemented, we ignore invalid
filters and instead return an empty list. For domain users attempting
to fish information out of another domain, they will receive an empty
list to be consistent with other parts of the API.

Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
Partial-Bug: 1806762
2019-03-26 12:58:15 +00:00
Zuul 9940021f3c Merge "Remove assignment policies from policy.v3cloudsample.json" 2019-03-26 06:42:41 +00:00
Zuul e3e5913846 Merge "Remove system assignment policies from policy.v3cloudsample.json" 2019-03-26 01:31:48 +00:00
Vishakha Agarwal 64a455ef94 Remove assignment policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've
effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified
view of default service behavior by removing them.

This commit also removes some redundant tests in test_v3_protection
or corrects them.

Partial-Bug: 1806762
Change-Id: I008aed9c01b9e834a197444ff2dc1f6eb1ba25b1
2019-03-25 18:02:01 +00:00
Lance Bragstad 0dbc8a88e8 Remove system assignment policies from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: I7a17c2baa6e23b6a5d8fe21668a66ea8c8a89232
Partial-Bug: 1806762
2019-03-21 19:28:08 +00:00
Lance Bragstad 546b7f1bba Remove project policies from policy.v3cloudsample.json
By incorporating system-scope, domain-scope, project-scope, and
default roles, we've effectively made these policies obsolete. We can
simplify what we maintain and provide a more consistent, unified view
of default project behavior by removing them.

Change-Id: I80221b72ce0f234440e6d6aaea51869bd5f1c6e7
Related-Bug: 1806762
2019-03-20 20:22:03 +00:00
Lance Bragstad c83fcbc42a Remove service policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default service behavior by
removing them.

Change-Id: Ifa2282481ee3fc544c1d50ac8e8972b0d3a5332e
Closes-Bug: 1804462
2019-03-04 15:39:27 +00:00
Zuul 7076d704ab Merge "Remove protocol policies from v3cloudsample.json" 2019-03-02 03:03:45 +00:00
Zuul 60ae125107 Merge "Remove endpoint policies from policy.v3cloudsample.json" 2019-03-01 21:29:45 +00:00
Lance Bragstad 24b8db9e06 Remove protocol policies from v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default protocol
behavior by removing them.

Related-Bug: 1806762
Closes-Bug: 1804518
Change-Id: Ia839555d8211596213311c4246135cdae4f46ab2
2019-02-28 16:24:56 +00:00
Zuul a0091f6a09 Merge "Remove role policies from policy.v3cloudsample.json" 2019-02-28 03:46:50 +00:00
Lance Bragstad 6d756ad612 Remove role policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default role behavior by
removing them.

Note that these changes are slightly different from the
policy.v3cloudsample.json role policies, hence the removed tests. In
policy.v3cloudsample.json, domain users were allowed to get and list
global roles. So were project users. This behavior is changing because
global roles are considered global resources of the deployment, and
they should be managed by system users. Domain users should be able to
add and remove domain specific roles, which will come in a subsequent
series of patches. This approach is being taken because it is a safer
default for a system level resource (global roles) and still allows
the same functionality for domain users through domain-specific roles.

Change-Id: Iddaa59024a1dcefd4d791b95413602865888c1ff
Closes-Bug: 1806713
2019-02-27 21:57:17 +00:00
Lance Bragstad 6c6c6049f5 Remove endpoint policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default endpoint behavior
by removing them.

Change-Id: I423e54c359b787efdda70f5d141f21e9103f3524
Closes-Bug: 1804482
2019-02-27 16:17:26 +00:00
Lance Bragstad 87e50c029e Remove domain policies from policy.v3cloudsample.json
By incorporating system scope and default roles into keystone's
default policies for domains, we've effectively made these policies
obsolete.

Related-Bug: 1806762

Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767
2019-02-27 16:13:49 +00:00
Lance Bragstad c0e6d4498a Remove idp policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default idp behavior
by removing them.

Change-Id: I6091d1cdbc4e1fa3a3d5f83a707f003416a43ea0
Closes-Bug: 1804517
2019-02-25 22:03:35 +00:00
Lance Bragstad 65f76c1722 Remove mapping policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default mapping
behavior by removing them.

Change-Id: Ie01b5a79aaf363b3783c92578f56654b993b5e76
Closes-Bug: 1804519
2019-02-19 01:49:28 +00:00
Lance Bragstad 1b7db4a062 Remove region policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default region behavior
by removing them.

Change-Id: I0f982d71fc4a5d33ed66cb34d7388f3c4655e3ef
Closes-Bug: 1804292
2019-02-11 17:52:11 +00:00
Lance Bragstad 6bac9930eb Remove service provider policies from v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default service provider
behavior by removing them.

Change-Id: I01b0e7152ae282c49644b3bad1bcb2c8119aed58
Closes-Bug: 1804520
2019-01-25 16:31:30 +00:00
Lance Bragstad 7af769278a Remove registered limit policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default registered limit
behavior by removing them.

Change-Id: I1ee7fb53a71361966584363687051615dc832329
Related-Bug: 1805880
2019-01-08 18:17:02 +00:00
Lance Bragstad 7c129f1c70 Remove obsolete credential policies
The policy.v3cloudsample.json policy file attempted to solve
admin-ness issues with elaborate policy checks. These checks are no
longer needed with the advent of system scope and incorporating system
scope into keystone APIs.

This commit removes the credential policies from the
policy.v3cloudsample.conf policy file since the new defaults introduce
more flexibility by consuming scope, rendering the policies in
policy.v3cloudsample.conf obsolete. More specific test coverage has
also been added for each new case in
keystone.tests.unit.protection.v3.test_credentials.

Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120
Related-Bug: 1788415
2018-10-30 13:25:24 +00:00
Lance Bragstad 0022adb6ae Add policy for limit model protection
We plan to expose the enforcement model a deployment is using via
the limit API. This commit prepares for that implementation by
introducing the policy for it.

Change-Id: I03c9cec3646ee354ebcdd4ddc1168e00d611171b
Related-Bug: 1765193
2018-06-19 20:27:00 +08:00
wangxiyuan b385864c5d Unified limit update APIs Refactor
According to the API-WG's suggestion, the update registered
limit/project limit APIs should be refactored as:
1. Change PUT to PATCH
2. Remove batch update limits support for PATCH

Closes-Bug: #1754184
Change-Id: I1102166ab425a55d8eaf85c75d8fd3a7dfbaceb6
2018-06-15 09:05:35 +08:00
Colleen Murphy 166eced28b Add Application Credentials controller
Add the controller, router, schema, and policies for application
credentials. If a secret is not provided, one is generated at the
controller layer.

bp application-credentials

Depends-on: Id26a2790acae25f80bd28a8cb121c80cb5064645
Depends-on: Icbd58464182b082854fb5d73ccc93c900ede020c

Change-Id: I7a371d59c19a11e55f17baf12d92327c1258533d
2018-01-27 11:55:05 +01:00
Zuul d8a0c5e3d0 Merge "Implement policies for limits" 2018-01-26 13:08:41 +00:00
wangxiyuan 9ba24b91a4 Implement policies for limits
This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.

bp unified-limits

Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
2018-01-25 15:45:51 +08:00
Lance Bragstad a50fafd246 Implement GET /v3/auth/system
Keystone has APIs for retrieving projects and domains based on the
role assignments a user has on projects and domains. We should
introduce similar functionality for system assignments. This will
make discovering system access for users and clients easier.

bp system-scope

Change-Id: Iab577fcd1b57b8b5593c3f9d50a772466383a999
2018-01-24 01:09:16 +00:00
Gage Hugo 3bcaec39a4 Remove whitespace from policy sample file
This change removes a rogue whitespace character from the
policy.v3cloudsample file.

Change-Id: Ie46e7dc6a01de87bad5966f6a960b7fac11ae83e
2018-01-10 04:37:28 +00:00
Lance Bragstad cd9064d2b9 Add group system grant policies
This commit introduces new policies that control RBAC for assigning
groups roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set for scope_types.

bp system-scope

Change-Id: Ide491be9563f74f758c5de55990916292228e0d9
2017-12-22 01:56:37 +00:00
Lance Bragstad 616542a051 Add user system grant policies
This commit introduces new policies that control RBAC for assigning
users roles on the system. Since the management of system roles is a
system-level operation, each policy has `system` set as scope_types.

bp system-scope

Change-Id: Ie606e769427a5ca422997efe92402e712f3cf45f
2017-12-20 15:56:04 +00:00
Chengwei Yang ef4f8363c2 policy.v3cloudsample.json: remove redundant blank space
Change-Id: Ieb7fb108889f5ce2bfb2e137d4e5551e8d9bb5d7
Signed-off-by: Chengwei Yang <yangchengwei@qiyi.com>
2017-10-23 18:57:26 +08:00
Gage Hugo bd452fb9d9 Add policy for project tags
This change adds policy rules for project tags. The default
rules for both project updating and project tags will share
the same admin_required rule since tags are an attribute
of a project.

Depends-On: Ibcf158f1b8082fbffeb48fa48c6592c87e056d01
Change-Id: Ieb68bd2c9c216b25ad74d320a1c9a297d2b251e7
Partially-Implements: bp project-tags
2017-10-17 10:15:19 -05:00
Lance Bragstad 77bf1ad0b8 Remove policy for self-service password changes
The self-service password API was left intentionally
unprotected in a change during the stable/ocata cycle:

  I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1

The default policy was not removed from the same config and as a
result it was migrated into code during the policy-in-code work.
This isn't necessary since it's not used to protect anything. Policy
should still be enforced on administrative password resets, but that
is done using the `update_user` API.

Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485
2017-08-04 13:56:59 +00:00
Anthony Washington 8f09c9cf0b Move trust to DocumentedRuleDefault
A new policy class was introduced that requires
additional parameters when defining policy objects.

This patch switches our trust policy object to
the policy.DocumentedRuleDefault and fills the
required policy parameters as needed.

Implements: bp policy-docs

Change-Id: I7d4bab14ff257ede59a1b49088e16842e5b59a64
2017-07-12 11:09:51 +00:00
Matthew Edmonds b7119637a0 fix identity:get_identity_providers typo
Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.

Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
2017-07-11 17:51:57 -04:00
Steve Martinelli d4a890a6c8 listing revoke events should be admin only
Currently any user can list revocation events; this data contains
IDs for users and projects. It should not be made available to
any user that is able to authenticate, it should be an admin
only API call.

Change-Id: I4290163c67c84ef0e1a2f6ee967ddf2acb2c3212
Closes-Bug: 1649446
2017-01-09 21:12:47 +00:00
Steve Martinelli ef48072d94 Fix cloud_admin rule and ensure only project tokens can be cloud admin
The current rule fails to load with oslo.policy, the correct
value used to determine the admin project for the cloud_admin should
simply be: `is_admin_project:True`, since that is what is stored
in oslo.context.

This problem was masking a more serious issue that domain admin tokens
could be misinterpreted as cloud admin tokens.

Change-Id: I3ea562c01e06e6c519fdaec3ab6e1dac204ced71
Closes-Bug: 1547684
Closes-Bug: 1651989
2016-12-23 09:31:08 +00:00
Lance Bragstad 100050184c Implement password requirements API
Add an API for retrieving password requirement information from
``keystone.conf``. This should be used by user interfaces and clients
if/when they enforce PCI-DSS requirements.

Change-Id: I4c405da3a59e510cda5b46222cc3a20d568c7437
implements: bp pci-dss-password-requirements-api
2016-12-15 19:51:41 +00:00