diff --git a/keystone/tests/unit/protection/v3/test_system_assignments.py b/keystone/tests/unit/protection/v3/test_system_assignments.py
index 5f27431f3e..72adc1d675 100644
--- a/keystone/tests/unit/protection/v3/test_system_assignments.py
+++ b/keystone/tests/unit/protection/v3/test_system_assignments.py
@@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
 expected_status_code=http_client.FORBIDDEN
 )
 
+ def test_user_cannot_list_group_system_role_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ PROVIDERS.assignment_api.create_system_grant_for_group(
+ group['id'], self.bootstrapper.member_role_id
+ )
+
+ with self.test_client() as c:
+ c.get(
+ '/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_check_group_system_role_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ PROVIDERS.assignment_api.create_system_grant_for_group(
+ group['id'], self.bootstrapper.member_role_id
+ )
+
+ with self.test_client() as c:
+ c.get(
+ '/v3/system/groups/%s/roles/%s' % (
+ group['id'], self.bootstrapper.member_role_id
+ ), headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_grant_group_system_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ with self.test_client() as c:
+ c.put(
+ '/v3/system/groups/%s/roles/%s' % (
+ group['id'], self.bootstrapper.member_role_id
+ ), headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_revoke_group_system_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ PROVIDERS.assignment_api.create_system_grant_for_group(
+ group['id'], self.bootstrapper.member_role_id
+ )
+
+ with self.test_client() as c:
+ c.delete(
+ '/v3/system/groups/%s/roles/%s' % (
+ group['id'], self.bootstrapper.member_role_id
+ ), headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
 
 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
 common_auth.AuthTestMixin,
diff --git a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
index a5aed56ce1..6405f86f3d 100644
--- a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
+++ b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
@@ -19,18 +19,20 @@ deprecations:
 [`bug 1805368 `_]
 [`bug 1750669 `_]
 The system assignment policies have been deprecated. The
- ``identity:list_system_grants_for_user`` and
- ``identity:check_system_grant_for_user`` policies now use
+ ``identity:list_system_grants_for_user``,
+ ``identity:check_system_grant_for_user``,
+ ``identity:list_system_grants_for_group``, and
+ ``identity:check_system_grant_for_group`` policies now use
 ``role:reader and system_scope:all`` instead of
- ``rule:admin_required``. The
- ``identity:create_system_grant_for_user`` and
- ``identity:revoke_system_grant_for_user`` policies now use
- ``role:admin and system_scope:all`` instead of
- ``rule:admin_required``. These new defaults automatically include
- support for a read-only role and allow for more granular access to
- the system assignment API, making it easier for administrators to
- delegate authorization, safely. Please consider these new defaults
- if your deployment overrides the system assignment APIs.
+ ``rule:admin_required``. The ``identity:create_system_grant_for_user``,
+ ``identity:revoke_system_grant_for_user``,
+ ``identity:create_system_grant_for_group``, and
+ ``identity:revoke_system_grant_for_group`` policies now use ``role:admin
+ and system_scope:all`` instead of ``rule:admin_required``. These new
+ defaults automatically include support for a read-only role and allow for
+ more granular access to the system assignment API, making it easier for
+ administrators to delegate authorization, safely. Please consider these new
+ defaults if your deployment overrides the system assignment APIs.
 security:
 - |
 [`bug 1805368 `_]
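Review bot: test_user_cannot_grant_group_system_assignments and test_user_cannot_revoke_group_system_assignments assert only the FORBIDDEN status and never check that the group's system assignments are unchanged afterwards, so a handler that performs the write before (or regardless of) the policy check would still pass these protection tests. After the `c.delete(...)` call in the revoke test, add `grants = PROVIDERS.assignment_api.list_system_grants_for_group(group['id'])` and `self.assertIn(self.bootstrapper.member_role_id, [r['id'] for r in grants])`, assuming the assignment manager exposes that read alongside the create_system_grant_for_group call already used here. In the grant test, assert the same list is empty after the `c.put(...)` call instead. The four tests also repeat the same group-creation and grant setup verbatim, which could move into a small helper on the class to keep each test focused on the request and its expected outcome. The enclosing class _DomainAndProjectUserSystemAssignmentTests begins before this hunk, so such a helper would be added outside the lines shown.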