diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py
index 943480165c..fb9fe75d03 100644
--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@@ -23,6 +23,18 @@ deprecated_list_idp = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_identity_providers',
 check_str=base.RULE_ADMIN_REQUIRED
 )
+deprecated_update_idp = policy.DeprecatedRule(
+ name=base.IDENTITY % 'update_identity_providers',
+ check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_create_idp = policy.DeprecatedRule(
+ name=base.IDENTITY % 'create_identity_providers',
+ check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_delete_idp = policy.DeprecatedRule(
+ name=base.IDENTITY % 'delete_identity_providers',
+ check_str=base.RULE_ADMIN_REQUIRED
+)
 
 DEPRECATED_REASON = """
 As of the Stein release, the identity provider API now understands default
@@ -35,7 +47,7 @@ relying on overrides in your deployment for the identity provider API.
 identity_provider_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_identity_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.SYSTEM_ADMIN,
 # FIXME(lbragstad): All `scope_types` for identity provider policies
 # should be updated to include project scope if, or when, it becomes
 # possible to manage federated identity providers without modifying
@@ -45,7 +57,10 @@ identity_provider_policies = [
 scope_types=['system'],
 description='Create identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
- 'method': 'PUT'}]),
+ 'method': 'PUT'}],
+ deprecated_rule=deprecated_create_idp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_identity_providers',
 check_str=base.SYSTEM_READER,
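Review bot: The three DeprecatedRule names added in the first hunk do not match the policies they are attached to: `deprecated_update_idp`, `deprecated_create_idp` and `deprecated_delete_idp` are named `update_identity_providers`, `create_identity_providers` and `delete_identity_providers` (plural), while the DocumentedRuleDefault entries they are passed to (the third hunk here, and the hunk on the next line) are `update_identity_provider`, `create_identity_provider` and `delete_identity_provider`. The existing `deprecated_list_idp` only matches its rule because that policy genuinely is plural. Since only the check string is meant to change, oslo.policy will presumably treat the mismatch as a rename from a rule that never existed, so at minimum the deprecation warning names a nonexistent policy and an operator override keyed on the real name may not be carried over as intended during the deprecation window; verify against the pinned oslo.policy version. The fix is to use the real names: `name=base.IDENTITY % 'update_identity_provider',`, `name=base.IDENTITY % 'create_identity_provider',` and `name=base.IDENTITY % 'delete_identity_provider',`.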
@@ -86,18 +101,24 @@ identity_provider_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_identity_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Update identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
- 'method': 'PATCH'}]),
+ 'method': 'PATCH'}],
+ deprecated_rule=deprecated_update_idp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_identity_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Delete identity provider.',
 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
- 'method': 'DELETE'}])
+ 'method': 'DELETE'}],
+ deprecated_rule=deprecated_delete_idp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 ]
 
 
diff --git a/keystone/tests/unit/protection/v3/test_identity_providers.py b/keystone/tests/unit/protection/v3/test_identity_providers.py
index 7a89a038c8..63812215a1 100644
--- a/keystone/tests/unit/protection/v3/test_identity_providers.py
+++ b/keystone/tests/unit/protection/v3/test_identity_providers.py
@@ -161,3 +161,64 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
 r = c.post('/v3/auth/tokens', json=auth)
 self.token_id = r.headers['X-Subject-Token']
 self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+ common_auth.AuthTestMixin,
+ _SystemUserIdentityProviderTests):
+
+ def setUp(self):
+ super(SystemAdminTests, self).setUp()
+ self.loadapp()
+ self.useFixture(ksfixtures.Policy(self.config_fixture))
+ self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+ # Reuse the system administrator account created during
+ # ``keystone-manage bootstrap``
+ self.user_id = self.bootstrapper.admin_user_id
+ auth = self.build_authentication_request(
+ user_id=self.user_id,
+ password=self.bootstrapper.admin_password,
+ system=True
+ )
+
+ # Grab a token using the persona we're testing and prepare headers
+ # for requests we'll be making in the tests.
+ with self.test_client() as c:
+ r = c.post('/v3/auth/tokens', json=auth)
+ self.token_id = r.headers['X-Subject-Token']
+ self.headers = {'X-Auth-Token': self.token_id}
+
+ def test_user_can_create_identity_providers(self):
+ create = {'identity_provider': {'remote_ids': [uuid.uuid4().hex]}}
+
+ with self.test_client() as c:
+ c.put(
+ '/v3/OS-FEDERATION/identity_providers/%s' % uuid.uuid4().hex,
+ json=create, headers=self.headers,
+ expected_status_code=http_client.CREATED
+ )
+
+ def test_user_can_update_identity_providers(self):
+ idp = PROVIDERS.federation_api.create_idp(
+ uuid.uuid4().hex, unit.new_identity_provider_ref()
+ )
+
+ update = {'identity_provider': {'enabled': False}}
+
+ with self.test_client() as c:
+ c.patch(
+ '/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
+ json=update, headers=self.headers
+ )
+
+ def test_user_can_delete_identity_providers(self):
+ idp = PROVIDERS.federation_api.create_idp(
+ uuid.uuid4().hex, unit.new_identity_provider_ref()
+ )
+
+ with self.test_client() as c:
+ c.delete(
+ '/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
+ headers=self.headers
+ )
diff --git a/releasenotes/notes/bug-1804516-24b0b10ed6fe0589.yaml b/releasenotes/notes/bug-1804516-24b0b10ed6fe0589.yaml
new file mode 100644
index 0000000000..ee7cbc9e04
--- /dev/null
+++ b/releasenotes/notes/bug-1804516-24b0b10ed6fe0589.yaml
@@ -0,0 +1,32 @@
+features:
+ - |
+ [`bug 1804516 `_]
+ The federated identity provider API now supports the ``admin``,
+ ``member``, and ``reader`` default roles.
+upgrade:
+ - |
+ [`bug 1804516 `_]
+ The federated identity provider API uses new default policies that
+ make it more accessible to end users and administrators in a
+ secure way. Please consider these new defaults if your deployment
+ overrides federated identity provider policies.
+deprecations:
+ - |
+ [`bug 1804516 `_]
+ The federated identity provider policies have been deprecated.
+ The ``identity:list_identity_providers`` and
+ ``identity:get_identity_provider`` policies now use ``role:reader
+ and system_scope:all`` instead of ``rule:admin_required``. The
+ ``identity:create_identity_provider``, ``identity:update_identity_provider``,
+ ``identity:delete_identity_provider`` policies now use ``role:admin and
+ system_scope:all`` instead of ``rule:admin_required``.
+ These new defaults automatically account for system-scope and support
+ a read-only role, making it easier for system administrators to
+ delegate subsets of responsibility without compromising security.
+ Please consider these new defaults if your deployment overrides the
+ federated identity provider policies.
+security:
+ - |
+ [`bug 1804516 `_]
+ The federated identity provider API now uses system-scope and
+ default roles to provide better accessibility to users in a secure way.
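Review bot: `test_user_can_update_identity_providers` and `test_user_can_delete_identity_providers` pass no `expected_status_code`, unlike `test_user_can_create_identity_providers` just above them, so they assert only whatever status the test client expects by default, which is not visible in this hunk. If that default is 200, the DELETE case presumably fails on the 204 this resource normally returns; if the client does not check at all, neither test actually proves the system admin was authorised rather than quietly refused. Make the expectation explicit and consistent with the create test: `expected_status_code=http_client.OK` on the `c.patch(` call and `expected_status_code=http_client.NO_CONTENT` on the `c.delete(` call. The SystemAdminTests class is complete within the hunk.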