diff options
| author | Lance Bragstad <lbragstad@gmail.com> | 2018-12-06 21:14:44 +0000 |
|---|---|---|
| committer | Lance Bragstad <lbragstad@gmail.com> | 2019-03-26 12:58:15 +0000 |
| commit | d2cc4c83c00256440eed0ed5b8d7131cc02d72d4 (patch) | |
| tree | 88fb633d0c5567bd0275edd74a1bc0c37c3e97ed /etc | |
| parent | e7a64ed1797ae14ce62389437d1e752e88e30f9f (diff) | |
| download | keystone-d2cc4c83c00256440eed0ed5b8d7131cc02d72d4.tar.gz | |
Consolidate user protection tests
This commit removes user policies from policy.v3cloudsample.json. By
incorporating system-scope, domain-scope, project-scope, and default
roles, we've effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified view of
default user behavior by removing them.
This commit also adds an important filter to the GET /v3/users API by
making sure the users in the response are filtered properly if the API
was called with a domain-scoped token. This is needed in case domain
configuration isn't setup and short-circuits normalization of the
domain ID, which sometimes comes from the token if it is
domain-scoped. Regardless of domain configuration being used, we
should protect against cases where data leaks across domains in the
name of security.
Finally, this commit moves a couple of tests from test_v3_protection
to test_users protection tests that ensures we do reasonable filtering
while normalizing domain IDs. The remaining tests from
test_v3_protection have been removed because they are no longer
applicable. These tests were testing an HTTP 403 was returned when a
domain users attempted to filter users for domains they didn't have
authorization on. We don't use this approach consistently in keystone.
Most other places where filtering is implemented, we ignore invalid
filters and instead return an empty list. For domain users attempting
to fish information out of another domain, they will receive an empty
list to be consistent with other parts of the API.
Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
Parial-Bug: 1806762
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/policy.v3cloudsample.json | 7 |
1 files changed, 0 insertions, 7 deletions
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 2366de76c..fc912bcbb 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -25,13 +25,6 @@ "identity:update_project_tags": "rule:admin_required", "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s", - "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s", - "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner", - "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id", - "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id", - "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", - "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", - "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s", "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s", "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", |