From f62f73c548d7a1cb4fe557e457a49d77322968c4 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 17 Dec 2018 23:05:08 +0000 Subject: [PATCH] Implement system admin role in groups API The commit introduces the system admin role to the group API, making it consistent with other system-admin policy definitions. Subsequent patches will incorporate: - domain reader functionality - domain member test coverage - domain admin functionality Change-Id: Ib0ff05396bed2bfefefa712491aeb0b9b5f2c1d0 Related-Bug: 968696 Related-Bug: 1808859 Closes-Bug: 1805369 --- keystone/common/policies/group.py | 55 +++++++-- .../tests/unit/protection/v3/test_groups.py | 105 ++++++++++++++++++ .../notes/bug-1805369-ed98d3fcfafb5c43.yaml | 36 ++++++ 3 files changed, 186 insertions(+), 10 deletions(-) create mode 100644 releasenotes/notes/bug-1805369-ed98d3fcfafb5c43.yaml diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py index 105e3668c8..4e19d41f46 100644 --- a/keystone/common/policies/group.py +++ b/keystone/common/policies/group.py @@ -46,6 +46,26 @@ deprecated_check_user_in_group = policy.DeprecatedRule( name=base.IDENTITY % 'check_user_in_group', check_str=base.RULE_ADMIN_REQUIRED ) +deprecated_create_group = policy.DeprecatedRule( + name=base.IDENTITY % 'create_group', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_update_group = policy.DeprecatedRule( + name=base.IDENTITY % 'update_group', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_delete_group = policy.DeprecatedRule( + name=base.IDENTITY % 'delete_group', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_remove_user_from_group = policy.DeprecatedRule( + name=base.IDENTITY % 'remove_user_from_group', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_add_user_to_group = policy.DeprecatedRule( + name=base.IDENTITY % 'add_user_to_group', + check_str=base.RULE_ADMIN_REQUIRED +) group_policies = [ policy.DocumentedRuleDefault( @@ -92,25 +112,34 @@ group_policies = [ deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Create group.', operations=[{'path': '/v3/groups', - 'method': 'POST'}]), + 'method': 'POST'}], + deprecated_rule=deprecated_create_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'update_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Update group.', operations=[{'path': '/v3/groups/{group_id}', - 'method': 'PATCH'}]), + 'method': 'PATCH'}], + deprecated_rule=deprecated_update_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'delete_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Delete group.', operations=[{'path': '/v3/groups/{group_id}', - 'method': 'DELETE'}]), + 'method': 'DELETE'}], + deprecated_rule=deprecated_delete_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_users_in_group', check_str=base.SYSTEM_READER, @@ -125,11 +154,14 @@ group_policies = [ deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'remove_user_from_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Remove user from group.', operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', - 'method': 'DELETE'}]), + 'method': 'DELETE'}], + deprecated_rule=deprecated_remove_user_from_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'check_user_in_group', check_str=base.SYSTEM_READER, @@ -144,11 +176,14 @@ group_policies = [ deprecated_since=versionutils.deprecated.STEIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'add_user_to_group', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Add user to group.', operations=[{'path': '/v3/groups/{group_id}/users/{user_id}', - 'method': 'PUT'}]) + 'method': 'PUT'}], + deprecated_rule=deprecated_add_user_to_group, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.STEIN) ] diff --git a/keystone/tests/unit/protection/v3/test_groups.py b/keystone/tests/unit/protection/v3/test_groups.py index 23a6b5fd96..0201d6060c 100644 --- a/keystone/tests/unit/protection/v3/test_groups.py +++ b/keystone/tests/unit/protection/v3/test_groups.py @@ -280,6 +280,111 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap, self.headers = {'X-Auth-Token': self.token_id} +class SystemAdminTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserGroupTests): + + def setUp(self): + super(SystemAdminTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + self.user_id = self.bootstrapper.admin_user_id + auth = self.build_authentication_request( + user_id=self.user_id, + password=self.bootstrapper.admin_password, + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + def test_user_can_create_group(self): + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + + create = { + 'group': { + 'name': uuid.uuid4().hex, + 'domain_id': domain['id'] + } + } + + with self.test_client() as c: + c.post('/v3/groups', json=create, headers=self.headers) + + def test_user_can_update_group(self): + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + group = PROVIDERS.identity_api.create_group( + unit.new_group_ref(domain_id=domain['id']) + ) + + update = {'group': {'description': uuid.uuid4().hex}} + + with self.test_client() as c: + c.patch( + '/v3/groups/%s' % group['id'], json=update, + headers=self.headers + ) + + def test_user_can_delete_group(self): + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + group = PROVIDERS.identity_api.create_group( + unit.new_group_ref(domain_id=domain['id']) + ) + + with self.test_client() as c: + c.delete( + '/v3/groups/%s' % group['id'], headers=self.headers + ) + + def test_user_can_add_users_to_group(self): + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + group = PROVIDERS.identity_api.create_group( + unit.new_group_ref(domain_id=domain['id']) + ) + user = PROVIDERS.identity_api.create_user( + unit.new_user_ref(domain_id=domain['id']) + ) + + with self.test_client() as c: + c.put( + '/v3/groups/%s/users/%s' % (group['id'], user['id']), + headers=self.headers + ) + + def test_user_can_remove_users_from_group(self): + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + group = PROVIDERS.identity_api.create_group( + unit.new_group_ref(domain_id=domain['id']) + ) + user = PROVIDERS.identity_api.create_user( + unit.new_user_ref(domain_id=domain['id']) + ) + + PROVIDERS.identity_api.add_user_to_group(user['id'], group['id']) + + with self.test_client() as c: + c.delete( + '/v3/groups/%s/users/%s' % (group['id'], user['id']), + headers=self.headers + ) + + class ProjectUserTests(base_classes.TestCaseWithBootstrap, common_auth.AuthTestMixin): diff --git a/releasenotes/notes/bug-1805369-ed98d3fcfafb5c43.yaml b/releasenotes/notes/bug-1805369-ed98d3fcfafb5c43.yaml new file mode 100644 index 0000000000..04eece69ee --- /dev/null +++ b/releasenotes/notes/bug-1805369-ed98d3fcfafb5c43.yaml @@ -0,0 +1,36 @@ +--- +features: + - | + [`bug 1805369 `_] + The group API now supports the ``admin``, ``member``, and + ``reader`` default roles. +upgrade: + - | + [`bug 1805369 `_] + The group API uses new default policies that make it more + accessible to end users and administrators in a secure way. Please + consider these new defaults if your deployment overrides + group policies. +deprecations: + - | + [`bug 1805369 `_] + The group policies have been deprecated. The ``identity:get_group``, + ``identity:list_groups``, ``identity:list_users_in_group``, and + ``identity:check_user_in_group`` policies now use ``role:reader and + system_scope:all`` instead of ``rule:admin_required``. The + ``identity:list_groups_for_user`` policy now uses ``(role:reader and + system_scope:all) or user_id:%(user_id)s`` instead of + ``rule:admin_or_owner``. The ``identity:create_group``, + ``identity:update_group``, ``identity:delete_group``, + ``identity:remove_user_from_group``, and + ``identity:add_user_to_group`` policies now use ``role:admin and + system_scope:all`` instead of ``rule:admin_required``. These new defaults + automatically account for system-scope and support a read-only role, making + it easier for system administrators to delegate subsets of responsibility + without compromising security. Please consider these new defaults if your + deployment overrides group policies. +security: + - | + [`bug 1805369 `_] + The group API now uses system-scope and default roles to + provide better accessibility to users in a secure way.