Merge "Add scope checks to common system role definitions"

2018-12-25 05:56:31 +00:00 · 2018-12-25 05:56:31 +00:00 · 7aa948242f
parent e2df5e0631 f4162e3680
commit 7aa948242f
2 changed files with 19 additions and 6 deletions
--- a/keystone/common/policies/base.py
+++ b/keystone/common/policies/base.py
@ -29,8 +29,21 @@ RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
 RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
-READER_ROLE = 'role:reader'
-ADMIN_ROLE = 'role:admin'
+
+# We are explicitly setting system_scope:all in these check strings because
+# they provide backwards compatibility in the event a deployment sets
+# ``keystone.conf [oslo_policy] enforce_scope = False``, which the default.
+# Otherwise, this might open up APIs to be more permissive unintentionally if a
+# deployment isn't enforcing scope. For example, the identity:get_endpoint
+# policy might be ``rule:admin_required`` today and eventually ``role:reader``
+# enforcing system scoped tokens. Until enforce_scope=True by default, it would
+# be possible for users with the ``reader`` role on a project to access an API
+# traditionally reserved for system administrators. Once keystone defaults
+# ``keystone.conf [oslo_policy] enforce_scope=True``, the ``system_scope:all``
+# bits of these check strings can be removed since that will be handled
+# automatically by scope_types in oslo.policy's RuleDefault objects.
+SYSTEM_READER = 'role:reader and system_scope:all'
+SYSTEM_ADMIN = 'role:admin and system_scope:all'


 rules = [
--- a/keystone/common/policies/domain.py
+++ b/keystone/common/policies/domain.py
@ -64,7 +64,7 @@ domain_policies = [
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_domains',
-        check_str=base.READER_ROLE,
+        check_str=base.SYSTEM_READER,
        scope_types=['system'],
        description='List domains.',
        operations=[{'path': '/v3/domains',
@ -74,7 +74,7 @@ domain_policies = [
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_domain',
-        check_str=base.ADMIN_ROLE,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Create domain.',
        operations=[{'path': '/v3/domains',
@ -84,7 +84,7 @@ domain_policies = [
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_domain',
-        check_str=base.ADMIN_ROLE,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Update domain.',
        operations=[{'path': '/v3/domains/{domain_id}',
@ -94,7 +94,7 @@ domain_policies = [
        deprecated_since=versionutils.deprecated.STEIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_domain',
-        check_str=base.ADMIN_ROLE,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Delete domain.',
        operations=[{'path': '/v3/domains/{domain_id}',