authorLance Bragstad <lbragstad@gmail.com>2019-09-16 02:52:12 +0000
committerLance Bragstad <lbragstad@gmail.com>2019-10-09 17:49:28 +0000
commitd9217f07b83399373c6e0879a71d943b73632ff5 (patch)
treefa1eb60c2f959706b9d1dfef13b13ab18883ce43
parente860c69831289a800a1d7bb52e8621fc460f260b (diff)
downloadkeystone-d9217f07b83399373c6e0879a71d943b73632ff5.tar.gz
Remove policy.v3cloudsample.json
We've made all the default policies keystone supports better by incorporating default roles and scope types. These changes have made the ``policy.v3cloudsample.json`` file obsolete. Let's simplify things for users, operators, and developers by removing it. A follow-on patch will remove the test_v3_protection.py file since those behaviors are passing all the protection tests with the default policies in code. Related-Bug: 1805880 Closes-Bug: 1630434 Closes-Bug: 1806762 Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030 (cherry picked from commit d4a6023de5bdfe5a6e9214579a35e083a45c1151)
-rw-r--r--etc/policy.v3cloudsample.json30
-rw-r--r--keystone/tests/unit/test_policy.py216
-rw-r--r--keystone/tests/unit/test_v3_auth.py37
-rw-r--r--keystone/tests/unit/test_v3_protection.py55
-rw-r--r--releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml21
5 files changed, 21 insertions, 338 deletions
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
deleted file mode 100644
index 8e1273227..000000000
--- a/etc/policy.v3cloudsample.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "admin_required": "role:admin",
- "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
- "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
- "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
- "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
- "service_admin_or_owner": "rule:service_or_admin or rule:owner",
-
- "default": "rule:admin_required",
-
- "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
- "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
- "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
- "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
- "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
- "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
- "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
- "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
- "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
-
- "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
- "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
- "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
- "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
-
- "identity:check_token": "rule:admin_or_owner",
- "identity:validate_token": "rule:service_admin_or_owner",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_owner"
-}
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index fe0b8bba2..a67e10090 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-import json
import os
import subprocess
import uuid
@@ -21,7 +20,6 @@ import uuid
import mock
from oslo_policy import policy as common_policy
import six
-from testtools import matchers
from keystone.common import policies
from keystone.common.rbac_enforcer import policy
@@ -177,215 +175,6 @@ class PolicyJsonTestCase(unit.TestCase):
rules[rule.name] = rule.check_str
return rules
- def test_json_examples_have_matching_entries(self):
- # TODO(lbragstad): Once all policies have been removed from
- # policy.v3cloudsample.json, remove this test.
- removed_policies = [
- 'identity:add_endpoint_group_to_project',
- 'identity:add_endpoint_to_project',
- 'identity:add_user_to_group',
- 'identity:authorize_request_token',
- 'identity:check_grant',
- 'identity:check_endpoint_in_project',
- 'identity:check_implied_role',
- 'identity:check_policy_association_for_endpoint',
- 'identity:check_policy_association_for_region_and_service',
- 'identity:check_policy_association_for_service',
- 'identity:check_system_grant_for_group',
- 'identity:check_system_grant_for_user',
- 'identity:check_user_in_group',
- 'identity:create_application_credential',
- 'identity:create_consumer',
- 'identity:create_credential',
- 'identity:create_domain',
- 'identity:create_domain_config',
- 'identity:create_domain_role',
- 'identity:create_endpoint',
- 'identity:create_endpoint_group',
- 'identity:create_grant',
- 'identity:create_group',
- 'identity:create_identity_provider',
- 'identity:create_implied_role',
- 'identity:create_limits',
- 'identity:create_mapping',
- 'identity:create_policy',
- 'identity:create_policy_association_for_endpoint',
- 'identity:create_policy_association_for_region_and_service',
- 'identity:create_policy_association_for_service',
- 'identity:create_project',
- 'identity:create_project_tag',
- 'identity:create_protocol',
- 'identity:create_region',
- 'identity:create_registered_limits',
- 'identity:create_role',
- 'identity:create_service',
- 'identity:create_service_provider',
- 'identity:create_system_grant_for_group',
- 'identity:create_system_grant_for_user',
- 'identity:create_trust',
- 'identity:create_user',
- 'identity:delete_access_rule',
- 'identity:delete_access_token',
- 'identity:delete_application_credential',
- 'identity:delete_consumer',
- 'identity:delete_credential',
- 'identity:delete_domain',
- 'identity:delete_domain_config',
- 'identity:delete_domain_role',
- 'identity:delete_endpoint',
- 'identity:delete_endpoint_group',
- 'identity:delete_group',
- 'identity:delete_identity_provider',
- 'identity:delete_implied_role',
- 'identity:delete_mapping',
- 'identity:delete_limit',
- 'identity:delete_policy',
- 'identity:delete_policy_association_for_endpoint',
- 'identity:delete_policy_association_for_region_and_service',
- 'identity:delete_policy_association_for_service',
- 'identity:delete_project',
- 'identity:delete_project_tag',
- 'identity:delete_project_tags',
- 'identity:delete_protocol',
- 'identity:delete_region',
- 'identity:delete_registered_limit',
- 'identity:delete_role',
- 'identity:delete_service',
- 'identity:delete_service_provider',
- 'identity:delete_trust',
- 'identity:delete_user',
- 'identity:ec2_create_credential',
- 'identity:ec2_delete_credential',
- 'identity:ec2_get_credential',
- 'identity:ec2_list_credentials',
- 'identity:get_access_rule',
- 'identity:get_access_token',
- 'identity:get_access_token_role',
- 'identity:get_application_credential',
- 'identity:get_auth_catalog',
- 'identity:get_auth_domains',
- 'identity:get_auth_projects',
- 'identity:get_auth_system',
- 'identity:get_consumer',
- 'identity:get_credential',
- 'identity:get_domain',
- 'identity:get_domain_config',
- 'identity:get_domain_config_default',
- 'identity:get_domain_role',
- 'identity:get_endpoint',
- 'identity:get_endpoint_group',
- 'identity:get_endpoint_group_in_project',
- 'identity:get_group',
- 'identity:get_identity_provider',
- 'identity:get_implied_role',
- 'identity:get_limit',
- 'identity:get_limit_model',
- 'identity:get_mapping',
- 'identity:get_policy',
- 'identity:get_policy_for_endpoint',
- 'identity:get_project_tag',
- 'identity:get_project',
- 'identity:get_protocol',
- 'identity:get_region',
- 'identity:get_registered_limit',
- 'identity:get_role',
- 'identity:get_role_for_trust',
- 'identity:get_security_compliance_domain_config',
- 'identity:get_service',
- 'identity:get_service_provider',
- 'identity:get_trust',
- 'identity:get_user',
- 'identity:list_access_rules',
- 'identity:list_access_token_roles',
- 'identity:list_access_tokens',
- 'identity:list_application_credentials',
- 'identity:list_consumers',
- 'identity:list_credentials',
- 'identity:list_domain_roles',
- 'identity:list_domains',
- 'identity:list_domains_for_user',
- 'identity:list_endpoint_groups',
- 'identity:list_endpoint_groups_for_project',
- 'identity:list_endpoints',
- 'identity:list_endpoints_associated_with_endpoint_group',
- 'identity:list_endpoints_for_policy',
- 'identity:list_endpoints_for_project',
- 'identity:list_grants',
- 'identity:list_groups',
- 'identity:list_groups_for_user',
- 'identity:list_identity_providers',
- 'identity:list_implied_roles',
- 'identity:list_limits',
- 'identity:list_mappings',
- 'identity:list_policies',
- 'identity:list_projects',
- 'identity:list_projects_associated_with_endpoint_group',
- 'identity:list_projects_for_endpoint',
- 'identity:list_projects_for_user',
- 'identity:list_project_tags',
- 'identity:list_protocols',
- 'identity:list_regions',
- 'identity:list_registered_limits',
- 'identity:list_revoke_events',
- 'identity:list_role_assignments',
- 'identity:list_role_inference_rules',
- 'identity:list_roles',
- 'identity:list_roles_for_trust',
- 'identity:list_service_providers',
- 'identity:list_services',
- 'identity:list_system_grants_for_group',
- 'identity:list_system_grants_for_user',
- 'identity:list_trusts',
- 'identity:list_trusts_for_trustee',
- 'identity:list_trusts_for_trustor',
- 'identity:list_user_projects',
- 'identity:list_users',
- 'identity:list_users_in_group',
- 'identity:remove_endpoint_from_project',
- 'identity:remove_endpoint_group_from_project',
- 'identity:remove_user_from_group',
- 'identity:revocation_list',
- 'identity:revoke_grant',
- 'identity:revoke_system_grant_for_group',
- 'identity:revoke_system_grant_for_user',
- 'identity:update_consumer',
- 'identity:update_credential',
- 'identity:update_domain',
- 'identity:update_domain_config',
- 'identity:update_domain_role',
- 'identity:update_endpoint',
- 'identity:update_endpoint_group',
- 'identity:update_group',
- 'identity:update_identity_provider',
- 'identity:update_limit',
- 'identity:update_mapping',
- 'identity:update_policy',
- 'identity:update_project',
- 'identity:update_project_tags',
- 'identity:update_protocol',
- 'identity:update_region',
- 'identity:update_registered_limit',
- 'identity:update_role',
- 'identity:update_service',
- 'identity:update_service_provider',
- 'identity:update_user',
- 'service_or_admin',
- 'service_role',
- ]
- policy_keys = self._get_default_policy_rules()
- for p in removed_policies:
- del policy_keys[p]
- cloud_policy_keys = set(
- json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
-
- policy_extra_keys = ['admin_or_token_subject',
- 'service_admin_or_token_subject',
- 'token_subject', ]
- expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
- diffs = set(policy_keys).difference(set(expected_policy_keys))
-
- self.assertThat(diffs, matchers.Equals(set()))
-
def test_policies_loads(self):
action = 'identity:list_projects'
target = {'user_id': uuid.uuid4().hex,
@@ -406,11 +195,6 @@ class PolicyJsonTestCase(unit.TestCase):
credentials)
self.assertTrue(result)
- domain_policy = unit.dirs.etc('policy.v3cloudsample.json')
- enforcer = common_policy.Enforcer(CONF, policy_file=domain_policy)
- result = enforcer.enforce(action, target, credentials)
- self.assertTrue(result)
-
def test_all_targets_documented(self):
policy_keys = self._get_default_policy_rules()
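Review bot: With the `common_policy.Enforcer(CONF, policy_file=domain_policy)` call removed in the last hunk, the `from oslo_policy import policy as common_policy` import that the second hunk keeps may now be unused in this module, in the same way `json` and `matchers` became unused and were dropped; if no other reference to `common_policy` survives in the parts of `test_policies_loads` outside this hunk, the import should go too or flake8 will flag it. `test_policies_loads` now exercises only the in-code defaults, so the assertion that remains no longer proves anything about an external policy file; a one-line comment such as `# Only the in-code defaults are enforced; no sample policy file is loaded.` above the remaining `self.assertTrue(result)` would make that intentional. The body of `test_policies_loads` starts before the hunk.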
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index e8da2e946..d499992f9 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -2906,12 +2906,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
domain_id=self.domainA['id']
)
- def _policy_fixture(self):
- return ksfixtures.Policy(
- self.config_fixture,
- policy_file=unit.dirs.etc('policy.v3cloudsample.json')
- )
-
def test_user_revokes_own_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
@@ -2988,37 +2982,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
expected_status=http_client.NOT_FOUND,
token=adminA_token)
- def test_adminB_fails_revoking_userA_token(self):
- # DomainB setup
- self.domainB = unit.new_domain_ref()
- PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
- userAdminB = unit.create_user(PROVIDERS.identity_api,
- domain_id=self.domainB['id'])
- PROVIDERS.assignment_api.create_grant(
- self.role['id'], user_id=userAdminB['id'],
- domain_id=self.domainB['id']
- )
-
- user_token = self.get_requested_token(
- self.build_authentication_request(
- user_id=self.userNormalA['id'],
- password=self.userNormalA['password'],
- user_domain_id=self.domainA['id']))
- headers = {'X-Subject-Token': user_token}
-
- adminB_token = self.get_requested_token(
- self.build_authentication_request(
- user_id=userAdminB['id'],
- password=userAdminB['password'],
- domain_name=self.domainB['name']))
-
- self.head('/auth/tokens', headers=headers,
- expected_status=http_client.FORBIDDEN,
- token=adminB_token)
- self.delete('/auth/tokens', headers=headers,
- expected_status=http_client.FORBIDDEN,
- token=adminB_token)
-
class TestTokenRevokeById(test_v3.RestfulTestCase):
"""Test token revocation on the v3 Identity API."""
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index 9c131898b..b5df044db 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -643,12 +643,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
test_v3.AssignmentTestMixin):
"""Test policy enforcement of the sample v3 cloud policy file."""
- def _policy_fixture(self):
- return ksfixtures.Policy(
- self.config_fixture,
- policy_file=unit.dirs.etc('policy.v3cloudsample.json')
- )
-
def setUp(self):
"""Setup for v3 Cloud Policy Sample Test Cases.
@@ -1167,55 +1161,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
- def test_domain_admin_list_assignment_tree(self):
- # Add a child project to the standard test data
- sub_project = unit.new_project_ref(domain_id=self.domainA['id'],
- parent_id=self.project['id'])
- PROVIDERS.resource_api.create_project(sub_project['id'], sub_project)
- PROVIDERS.assignment_api.create_grant(
- self.role['id'], user_id=self.just_a_user['id'],
- project_id=sub_project['id']
- )
-
- collection_url = self.build_role_assignment_query_url(
- project_id=self.project['id'])
- collection_url += '&include_subtree=True'
-
- # The domain admin should be able to list the assignment tree
- auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- r = self.get(collection_url, auth=auth)
- self.assertValidRoleAssignmentListResponse(
- r, expected_length=3, resource_url=collection_url)
-
- # A project admin should not be able to
- auth = self.build_authentication_request(
- user_id=self.project_admin_user['id'],
- password=self.project_admin_user['password'],
- project_id=self.project['id'])
-
- r = self.get(collection_url, auth=auth,
- expected_status=http_client.FORBIDDEN)
-
- # A neither should a domain admin from a different domain
- domainB_admin_user = unit.create_user(
- PROVIDERS.identity_api,
- domain_id=self.domainB['id'])
- PROVIDERS.assignment_api.create_grant(
- self.admin_role['id'], user_id=domainB_admin_user['id'],
- domain_id=self.domainB['id']
- )
- auth = self.build_authentication_request(
- user_id=domainB_admin_user['id'],
- password=domainB_admin_user['password'],
- domain_id=self.domainB['id'])
-
- r = self.get(collection_url, auth=auth,
- expected_status=http_client.FORBIDDEN)
-
def test_domain_user_list_assignments_of_project_failed(self):
self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
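Review bot: The class docstring `"""Test policy enforcement of the sample v3 cloud policy file."""` and the `setUp` docstring `Setup for v3 Cloud Policy Sample Test Cases.` (both context lines in the first hunk) are stale once `_policy_fixture` is removed, because `IdentityTestv3CloudPolicySample` now runs against the in-code default policies. If the class stays until the follow-on removal the commit message announces, I'd change the class docstring to `"""Test policy enforcement against the in-code default policies."""` and the `setUp` summary accordingly. The second hunk also drops `test_domain_admin_list_assignment_tree`, the only test here asserting `FORBIDDEN` for a project admin and for an admin of another domain on an `include_subtree=True` assignment listing; if that coverage lives in the protection tests, pointing to it in the commit message would make the deletion easier to justify.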
diff --git a/releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml b/releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml
new file mode 100644
index 000000000..614ffcacf
--- /dev/null
+++ b/releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml
@@ -0,0 +1,21 @@
+---
+upgrade:
+ - |
+ [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+ [`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
+ The entire ``policy.v3cloudsample.json`` file has been removed. If you
+ were using this policy file to supply overrides in your deployment, you
+ should consider using the defaults in code and setting ``keystone.conf
+ [oslo_policy] enforce_scope=True``. The new policy defaults are more
+ flexible, they're tested extensively, and they solve all the problems the
+ ``policy.v3cloudsample.json`` file was trying to solve.
+fixes:
+ - |
+ [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+ [`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
+ The entire ``policy.v3cloudsample.json`` file has been removed. If you
+ were using this policy file to supply overrides in your deployment, you
+ should consider using the defaults in code and setting ``keystone.conf
+ [oslo_policy] enforce_scope=True``. The new policy defaults are more
+ flexible, they're tested extensively, and they solve all the problems the
+ ``policy.v3cloudsample.json`` file was trying to solve.