From afb312529ba1e1eb5acb9598d792f39f5a2500d7 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 6 Sep 2019 21:02:44 -0700
Subject: [PATCH] Remove implied roles policies from v3cloudsample
By incorporating system scope and default roles into keystone's default policies for implied roles, we've effectively made these policies obsolete.
Change-Id: I75515d3491517ea6e6fa17473a7890ce4653b481
Partial-bug: #1806762
Closes-bug: #1805371
---
 etc/policy.v3cloudsample.json | 7 ----
 keystone/tests/unit/test_policy.py | 8 ++++-
 keystone/tests/unit/test_v3_protection.py | 29 ----------------
 .../notes/bug-1805371-249c8c9b562ab371.yaml | 33 +++++++++++++++++++
 4 files changed, 40 insertions(+), 37 deletions(-)
 create mode 100644 releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index f4aca1d0b2..f0b337a95d 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -34,13 +34,6 @@
 "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
 "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
- "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
- "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
- "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
- "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
- "identity:list_role_inference_rules": "rule:cloud_admin",
- "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-
 "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
 "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
 "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 8ba35a90b3..3e4cf8481a 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -339,7 +339,13 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:check_policy_association_for_region_and_service',
 'identity:delete_policy_association_for_region_and_service',
 'identity:get_policy_for_endpoint',
- 'identity:list_endpoints_for_policy'
+ 'identity:list_endpoints_for_policy',
+ 'identity:get_implied_role',
+ 'identity:list_implied_roles',
+ 'identity:create_implied_role',
+ 'identity:delete_implied_role',
+ 'identity:list_role_inference_rules',
+ 'identity:check_implied_role',
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index 6d3d66666b..e24f639cbd 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
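Review bot: The six implied-role targets appended to `removed_policies` arrive without a comment saying why they are now excluded from the sample-versus-default comparison, and the list name alone does not tell a reader which side they were removed from. The first hunk shows the dropped sample rules granted access through `rule:admin_and_matching_prior_role_domain_id`, while the release note states the in-code defaults now require `system_scope:all`, so for deployments that load `policy.v3cloudsample.json` this appears to narrow who may manage implied roles rather than being pure cleanup; that is worth recording beside the entries, e.g. `# Dropped from policy.v3cloudsample.json: the in-code defaults (default roles + system scope) supersede the former domain-admin overrides.` The enclosing test method begins before the hunk and the loop that consumes the list continues after it, so the comparison itself cannot be checked from here.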
@@ -1775,32 +1775,3 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
 self.delete('/roles/%s/implies/%s'
 % (self.appadmin_role['id'], self.appdev_role['id']),
 token=self.admin_token)
-
- def test_forbidden_role_implication_from_different_domain(self):
- domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
- PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
-
- role2 = unit.new_role_ref(domain_id=domain2['id'])
- implied = PROVIDERS.role_api.create_role(role2['id'], role2)
-
- self.put('/roles/%s/implies/%s'
- % (self.appdev_role['id'], implied['id']),
- token=self.admin_token,
- expected_status=http_client.FORBIDDEN)
-
- def test_allowed_role_implication_different_domains_as_cloud_admin(self):
- self.auth = self.build_authentication_request(
- user_id=self.cloud_admin_user['id'],
- password=self.cloud_admin_user['password'],
- project_id=self.admin_project['id'])
-
- domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
- PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
-
- role2 = unit.new_role_ref(domain_id=domain2['id'])
- implied = PROVIDERS.role_api.create_role(role2['id'], role2)
-
- self.put('/roles/%s/implies/%s'
- % (self.appdev_role['id'], implied['id']),
- auth=self.auth,
- expected_status=http_client.CREATED)
diff --git a/releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml b/releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml
new file mode 100644
index 0000000000..0eaacf6e2e
--- /dev/null
+++ b/releasenotes/notes/bug-1805371-249c8c9b562ab371.yaml
@@ -0,0 +1,33 @@
+---
+features:
+ - |
+ [`bug 1805371 `_]
+ The implied roles API now supports the ``admin``, ``member``, and
+ ``reader`` default roles.
+
+upgrade:
+ - |
+ [`bug 1805371 `_]
+ The implied roles API uses new default policies to
+ make it more accessible to end users and administrators in a secure way.
+ Please consider these new defaults if your deployment overrides implied
+ roles policies.
+deprecations:
+ - |
+ [`bug 1805371 `_]
+ The implied roles policies have been deprecated. The
+ ``identity:get_implied_role``, ``identity:list_implied_roles``,
+ ``identity:list_role_inference_rules``, and ``identity:check_implied_role``
+ policies now use ``role:reader and system_scope:all`` instead of
+ ``rule:admin_required``. The ``identity:create_implied_role`` and
+ ``identity:delete_implied_role`` policies now use ``role:admin and
+ system_scope:all`` instead of ``rule:admin_required``.
+ These new defaults automatically account for system-scope and support
+ a read-only role, making it easier for system administrators to delegate
+ subsets of responsibility without compromising security. Please consider
+ these new defaults if your deployment overrides the implied roles policies.
+security:
+ - |
+ [`bug 1805371 `_]
+ The implied role API now uses system-scope and default
+ roles to provide better accessibility to users in a secure manner.