diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py index a0610ae449..ef433e6043 100644 --- a/keystone/common/policies/service.py +++ b/keystone/common/policies/service.py @@ -23,6 +23,18 @@ deprecated_list_service = policy.DeprecatedRule( name=base.IDENTITY % 'list_services', check_str=base.RULE_ADMIN_REQUIRED ) +deprecated_update_service = policy.DeprecatedRule( + name=base.IDENTITY % 'update_service', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_create_service = policy.DeprecatedRule( + name=base.IDENTITY % 'create_service', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_delete_service = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_service', + check_str=base.RULE_ADMIN_REQUIRED +) DEPRECATED_REASON = """ As of the Stein release, the service API now understands default roles and @@ -55,25 +67,34 @@ service_policies = [ deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_service', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Create service.', operations=[{'path': '/v3/services', - 'method': 'POST'}]), + 'method': 'POST'}], + deprecated_rule=deprecated_create_service, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_service', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Update service.', operations=[{'path': '/v3/services/{service_id}', - 'method': 'PATCH'}]), + 'method': 'PATCH'}], + deprecated_rule=deprecated_update_service, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_service', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Delete service.', operations=[{'path': '/v3/services/{service_id}', - 'method': 'DELETE'}]) + 'method': 'DELETE'}], + deprecated_rule=deprecated_delete_service, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN) ] diff --git a/keystone/tests/unit/protection/v3/test_services.py b/keystone/tests/unit/protection/v3/test_services.py index 502c163eaf..4b5d60e797 100644 --- a/keystone/tests/unit/protection/v3/test_services.py +++ b/keystone/tests/unit/protection/v3/test_services.py @@ -161,3 +161,60 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap, r = c.post('/v3/auth/tokens', json=auth) self.token_id = r.headers['X-Subject-Token'] self.headers = {'X-Auth-Token': self.token_id} + + +class SystemAdminTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserServiceTests): + + def setUp(self): + super(SystemAdminTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + # Reuse the system administrator account created during + # ``keystone-manage bootstrap`` + self.user_id = self.bootstrapper.admin_user_id + auth = self.build_authentication_request( + user_id=self.user_id, + password=self.bootstrapper.admin_password, + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + def test_user_can_create_services(self): + create = { + 'service': { + 'type': uuid.uuid4().hex, + 'name': uuid.uuid4().hex, + } + } + + with self.test_client() as c: + c.post('/v3/services', json=create, headers=self.headers) + + def test_user_can_update_services(self): + service = unit.new_service_ref() + service = PROVIDERS.catalog_api.create_service(service['id'], service) + + update = {'service': {'description': uuid.uuid4().hex}} + + with self.test_client() as c: + c.patch( + '/v3/services/%s' % service['id'], json=update, + headers=self.headers + ) + + def test_user_can_delete_services(self): + service = unit.new_service_ref() + service = PROVIDERS.catalog_api.create_service(service['id'], service) + + with self.test_client() as c: + c.delete('/v3/services/%s' % service['id'], headers=self.headers) diff --git a/releasenotes/notes/bug-1804463-74537652166cf656.yaml b/releasenotes/notes/bug-1804463-74537652166cf656.yaml new file mode 100644 index 0000000000..8bf4dabdef --- /dev/null +++ b/releasenotes/notes/bug-1804463-74537652166cf656.yaml @@ -0,0 +1,31 @@ +--- +features: + - | + [`bug 1804463 `_] + The services API now supports the ``admin``, ``member``, and + ``reader`` default roles. +upgrade: + - | + [`bug 1804463 `_] + The services API uses new default policies that make it more + accessible to end users and administrators in a secure way. Please + consider these new defaults if your deployment overrides + service policies. +deprecations: + - | + [`bug 1804463 `_] + The service policies have been deprecated. The ``identity:get_service`` and + ``identity:list_services`` policies now use ``(role:reader and + system_scope:all)`` instead of ``rule:admin_required``. The + ``identity:create_service``, ``identity:update_service``, and + ``identity:delete_service`` policies now use ``(role:admin and + system_scope:all)`` instead of ``rule:admin_required``. These new defaults + automatically account for system-scope and support a read-only role, making + it easier for system administrators to delegate subsets of responsibility + without compromising security. Please consider these new defaults if your + deployment overrides service policies. +security: + - | + [`bug 1804463 `_] + The services API now uses system-scope and default roles to + provide better accessibility to users in a secure way.