diff --git a/keystone/common/policies/policy_association.py b/keystone/common/policies/policy_association.py index 4449482858..9217d86479 100644 --- a/keystone/common/policies/policy_association.py +++ b/keystone/common/policies/policy_association.py @@ -44,6 +44,36 @@ deprecated_list_endpoints_for_policy = policy.DeprecatedRule( check_str=base.RULE_ADMIN_REQUIRED, ) +deprecated_create_policy_association_for_endpoint = policy.DeprecatedRule( + name=base.IDENTITY % 'create_policy_association_for_endpoint', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_delete_policy_association_for_endpoint = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_policy_association_for_endpoint', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_create_policy_association_for_service = policy.DeprecatedRule( + name=base.IDENTITY % 'create_policy_association_for_service', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_delete_policy_association_for_service = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_policy_association_for_service', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_create_policy_association_for_region_and_service = policy.DeprecatedRule( + name=base.IDENTITY % 'create_policy_association_for_region_and_service', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_policy_association_for_region_and_service', + check_str=base.RULE_ADMIN_REQUIRED, +) + DEPRECATED_REASON = """ As of the Train release, the policy association API now understands default roles and system-scoped tokens, making the API more granular by default without @@ -55,12 +85,15 @@ relying on overrides in your deployment for the policy association API. policy_association_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_policy_association_for_endpoint', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Associate a policy to a specific endpoint.', operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), - 'method': 'PUT'}]), + 'method': 'PUT'}], + deprecated_rule=deprecated_create_policy_association_for_endpoint, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_policy_association_for_endpoint', check_str=base.SYSTEM_READER, @@ -77,20 +110,26 @@ policy_association_policies = [ deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_policy_association_for_endpoint', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Delete policy association for endpoint.', operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), - 'method': 'DELETE'}]), + 'method': 'DELETE'}], + deprecated_rule=deprecated_delete_policy_association_for_endpoint, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_policy_association_for_service', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Associate a policy to a specific service.', operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), - 'method': 'PUT'}]), + 'method': 'PUT'}], + deprecated_rule=deprecated_create_policy_association_for_service, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_policy_association_for_service', check_str=base.SYSTEM_READER, @@ -107,22 +146,28 @@ policy_association_policies = [ deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_policy_association_for_service', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Delete policy association for service.', operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), - 'method': 'DELETE'}]), + 'method': 'DELETE'}], + deprecated_rule=deprecated_delete_policy_association_for_service, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % ( 'create_policy_association_for_region_and_service'), - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description=('Associate a policy to a specific region and service ' 'combination.'), operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), - 'method': 'PUT'}]), + 'method': 'PUT'}], + deprecated_rule=deprecated_create_policy_association_for_region_and_service, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_policy_association_for_region_and_service', check_str=base.SYSTEM_READER, @@ -140,12 +185,15 @@ policy_association_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % ( 'delete_policy_association_for_region_and_service'), - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Delete policy association for region and service.', operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), - 'method': 'DELETE'}]), + 'method': 'DELETE'}], + deprecated_rule=deprecated_delete_policy_association_for_region_and_service, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_policy_for_endpoint', check_str=base.SYSTEM_READER, diff --git a/keystone/tests/unit/protection/v3/test_policy_association.py b/keystone/tests/unit/protection/v3/test_policy_association.py index dd8ab211d1..35c7293a03 100644 --- a/keystone/tests/unit/protection/v3/test_policy_association.py +++ b/keystone/tests/unit/protection/v3/test_policy_association.py @@ -292,3 +292,129 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap, r = c.post('/v3/auth/tokens', json=auth) self.token_id = r.headers['X-Subject-Token'] self.headers = {'X-Auth-Token': self.token_id} + + +class SystemAdminTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserPoliciesAssociationTests): + + def setUp(self): + super(SystemAdminTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + # Reuse the system administrator account created during + # ``keystone-manage bootstrap`` + self.user_id = self.bootstrapper.admin_user_id + auth = self.build_authentication_request( + user_id=self.user_id, + password=self.bootstrapper.admin_password, + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + def test_user_can_create_policy_association_for_endpoint(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + service = PROVIDERS.catalog_api.create_service( + uuid.uuid4().hex, unit.new_service_ref() + ) + endpoint = unit.new_endpoint_ref(service['id'], region_id=None) + endpoint = PROVIDERS.catalog_api.create_endpoint( + endpoint['id'], endpoint + ) + + with self.test_client() as c: + c.put( + '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s' + % (policy['id'], endpoint['id']), + headers=self.headers, + expected_status_code=http_client.NO_CONTENT + ) + + def test_user_can_delete_policy_association_for_endpoint(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + service = PROVIDERS.catalog_api.create_service( + uuid.uuid4().hex, unit.new_service_ref() + ) + endpoint = unit.new_endpoint_ref(service['id'], region_id=None) + endpoint = PROVIDERS.catalog_api.create_endpoint( + endpoint['id'], endpoint + ) + + with self.test_client() as c: + c.delete( + '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s' + % (policy['id'], endpoint['id']), + headers=self.headers, + expected_status_code=http_client.NO_CONTENT + ) + + def test_user_can_create_policy_association_for_service(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + service = PROVIDERS.catalog_api.create_service( + uuid.uuid4().hex, unit.new_service_ref() + ) + with self.test_client() as c: + c.put( + '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s' + % (policy['id'], service['id']), + headers=self.headers, + expected_status_code=http_client.NO_CONTENT + ) + + def test_user_can_delete_policy_association_for_service(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + service = PROVIDERS.catalog_api.create_service( + uuid.uuid4().hex, unit.new_service_ref() + ) + + with self.test_client() as c: + c.delete( + '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s' + % (policy['id'], service['id']), + headers=self.headers, + expected_status_code=http_client.NO_CONTENT + ) + + def test_user_can_create_policy_association_for_region_and_service(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + service = PROVIDERS.catalog_api.create_service( + uuid.uuid4().hex, unit.new_service_ref() + ) + region = PROVIDERS.catalog_api.create_region(unit.new_region_ref()) + + with self.test_client() as c: + c.put( + '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s' + % (policy['id'], service['id'], region['id']), + headers=self.headers, + expected_status_code=http_client.NO_CONTENT + ) + + def test_user_can_delete_policy_association_for_region_and_service(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + service = PROVIDERS.catalog_api.create_service( + uuid.uuid4().hex, unit.new_service_ref() + ) + region = PROVIDERS.catalog_api.create_region(unit.new_region_ref()) + + with self.test_client() as c: + c.delete( + '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s' + % (policy['id'], service['id'], region['id']), + headers=self.headers, + expected_status_code=http_client.NO_CONTENT + ) diff --git a/releasenotes/notes/bug-1805409-8bc6cc9f1c5bc672.yaml b/releasenotes/notes/bug-1805409-8bc6cc9f1c5bc672.yaml new file mode 100644 index 0000000000..fbf96efa8d --- /dev/null +++ b/releasenotes/notes/bug-1805409-8bc6cc9f1c5bc672.yaml @@ -0,0 +1,72 @@ +--- +features: + - | + [`bug 1805409 `_] + The policy and policy associations API now supports the ``admin``, + ``member``, and ``reader`` default roles. + +upgrade: + - | + [`bug 1805409 `_] + The policy and policy associations API uses new default policies to + make it more accessible to end users and administrators in a secure way. + Please consider these new defaults if your deployment overrides policy + and policy associations policies. +deprecations: + - | + [`bug 1805409 `_] + The policy and policy associations policies have been deprecated. The + ``identity:get_policy`` policy now uses + ``role:reader and system_scope:all`` instead of + ``rule:admin_required``. The ``identity:list_policies`` policy + now uses ``role:reader and system_scope:all`` instead of + ``rule:admin_required``. The ``identity:update_policy`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``.The ``identity:create_policy`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. The ``identity:delete_policy`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:check_policy_association_for_endpoint`` policy + now uses ``role:reader and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:check_policy_association_for_service`` policy + now uses ``role:reader and system_scope:all`` instead of + ``role:reader and system_scope:all``. + The ``identity:check_policy_association_for_region_and_service`` policy + now uses ``role:reader and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:get_policy_for_endpoint`` policy + now uses ``role:reader and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:list_endpoints_for_policy`` policy + now use ``role:reader and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:create_policy_association_for_endpoint`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:delete_policy_association_for_endpoint`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:create_policy_association_for_service`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:delete_policy_association_for_service`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:create_policy_association_for_region_and_service`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. + The ``identity:delete_policy_association_for_region_and_service`` policy + now use ``role:admin and system_scope:all`` instead of + ``rule:admin_required``. + These new defaults automatically account for system-scope and support + a read-only role, making it easier for system administrators to delegate + subsets of responsibility without compromising security. Please consider + these new defaults if your deployment overrides the policy and policy + associations policies. +security: + - | + [`bug 1805409 `_] + The policy and policy associations API now uses system-scope and default + roles to provide better accessibility to users in a secure manner.