Add scope checks to common system role definitions

Until keystone defaults
``keystone.conf [oslo_policy] enforce_scope=True`` we really should
make sure we explicitly declare a system specific scope check in the
new system policies.

This is important because it prevents an authoritative regression when
operators upgrade. For example, if the identity:get_domain's current
check string is `rule:admin_require` and it's deprecated to be
`role:reader` with enforce_scope=True, then we've successfully exposed
more functionality to system users who have enforce_scope set to True.
If they don't, which is likely since enforce_scope defaults to False,
then it is possible for users with the reader role on a project to
access an API that was traditionally meant for only system
administrators. This is because oslo.policy will OR the old default
and the new default on upgrade to smooth the transition.

Note that the explicit scope checks in the actual check strings should
be removed once keystone sets enforce_scope = True by default. Until
then, we'll need to have something like this from opening up
administrative APIs.

Change-Id: I0e1f55dc6c18437b3356f9a2facfc95ecd1864e0

keystone/common/policies/base.py

@@ -29,8 +29,21 @@ RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
 RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
-READER_ROLE = 'role:reader'
-ADMIN_ROLE = 'role:admin'
+
+# We are explicitly setting system_scope:all in these check strings because
+# they provide backwards compatibility in the event a deployment sets
+# ``keystone.conf [oslo_policy] enforce_scope = False``, which the default.
+# Otherwise, this might open up APIs to be more permissive unintentionally if a
+# deployment isn't enforcing scope. For example, the identity:get_endpoint
+# policy might be ``rule:admin_required`` today and eventually ``role:reader``
+# enforcing system scoped tokens. Until enforce_scope=True by default, it would
+# be possible for users with the ``reader`` role on a project to access an API
+# traditionally reserved for system administrators. Once keystone defaults
+# ``keystone.conf [oslo_policy] enforce_scope=True``, the ``system_scope:all``
+# bits of these check strings can be removed since that will be handled
+# automatically by scope_types in oslo.policy's RuleDefault objects.
+SYSTEM_READER = 'role:reader and system_scope:all'
+SYSTEM_ADMIN = 'role:admin and system_scope:all'
 
 
 rules = [

keystone/common/policies/domain.py

@@ -64,7 +64,7 @@ domain_policies = [
         deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_domains',
-        check_str=base.READER_ROLE,
+        check_str=base.SYSTEM_READER,
         scope_types=['system'],
         description='List domains.',
         operations=[{'path': '/v3/domains',
@@ -74,7 +74,7 @@ domain_policies = [
         deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_domain',
-        check_str=base.ADMIN_ROLE,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Create domain.',
         operations=[{'path': '/v3/domains',
@@ -84,7 +84,7 @@ domain_policies = [
         deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_domain',
-        check_str=base.ADMIN_ROLE,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Update domain.',
         operations=[{'path': '/v3/domains/{domain_id}',
@@ -94,7 +94,7 @@ domain_policies = [
         deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_domain',
-        check_str=base.ADMIN_ROLE,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Delete domain.',
         operations=[{'path': '/v3/domains/{domain_id}',