author | Zuul <zuul@review.openstack.org> | 2019-03-26 16:27:31 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2019-03-26 16:27:31 +0000 |
commit | ddf9be4b06ab417fb98a021374c7b7873784c060 (patch) | |
tree | c2d16341846af5853c964af6dd9348e258da79ea | |
parent | 31460775f264a0e451fd659dd58da87d59c5ab82 (diff) | |
parent | 56e48127938be2d67b984d00b155833532233713 (diff) | |
download | keystone-ddf9be4b06ab417fb98a021374c7b7873784c060.tar.gz |
Merge "Test domain and project users against group system assignment API" into stable/stein
-rw-r--r-- | keystone/tests/unit/protection/v3/test_system_assignments.py | 62 | ||||
-rw-r--r-- | releasenotes/notes/bug-1750669-dfce859550126f03.yaml | 24 |
2 files changed, 75 insertions, 11 deletions
diff --git a/keystone/tests/unit/protection/v3/test_system_assignments.py b/keystone/tests/unit/protection/v3/test_system_assignments.py
index 5f27431f3..72adc1d67 100644
--- a/keystone/tests/unit/protection/v3/test_system_assignments.py
+++ b/keystone/tests/unit/protection/v3/test_system_assignments.py
@@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
                 expected_status_code=http_client.FORBIDDEN
             )
 
+    def test_user_cannot_list_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_check_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_grant_group_system_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_revoke_group_system_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
 
 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                         common_auth.AuthTestMixin,
diff --git a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
index a5aed56ce..6405f86f3 100644
--- a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
+++ b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
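Review bot: The grant and revoke tests (`test_user_cannot_grant_group_system_assignments`, `test_user_cannot_revoke_group_system_assignments`) assert only the 403 status, so a regression in which the write happened before policy enforcement would still pass; reading the group's system grants afterwards, e.g. `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_group(group['id']))` for the grant case and a one-element check for the revoke case, would pin that the denial had no side effect. Each of the four new methods also repeats the same group creation and `create_system_grant_for_group` setup; a private helper such as `def _create_group_with_system_grant(self):` returning the group would leave each test with just its single request and expected status. The enclosing class `_DomainAndProjectUserSystemAssignmentTests` begins outside the hunk.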
@@ -19,18 +19,20 @@ deprecations: [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_] [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_] The system assignment policies have been deprecated. The - ``identity:list_system_grants_for_user`` and - ``identity:check_system_grant_for_user`` policies now use + ``identity:list_system_grants_for_user``, + ``identity:check_system_grant_for_user``, + ``identity:list_system_grants_for_group``, and + ``identity:check_system_grant_for_group`` policies now use ``role:reader and system_scope:all`` instead of - ``rule:admin_required``. The - ``identity:create_system_grant_for_user`` and - ``identity:revoke_system_grant_for_user`` policies now use - ``role:admin and system_scope:all`` instead of - ``rule:admin_required``. These new defaults automatically include - support for a read-only role and allow for more granular access to - the system assignment API, making it easier for administrators to - delegate authorization, safely. Please consider these new defaults - if your deployment overrides the system assignment APIs. + ``rule:admin_required``. The ``identity:create_system_grant_for_user``, + ``identity:revoke_system_grant_for_user``, + ``identity:create_system_grant_for_group``, and + ``identity:revoke_system_grant_for_group`` policies now use ``role:admin + and system_scope:all`` instead of ``rule:admin_required``. These new + defaults automatically include support for a read-only role and allow for + more granular access to the system assignment API, making it easier for + administrators to delegate authorization, safely. Please consider these new + defaults if your deployment overrides the system assignment APIs. security: - | [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_] |