Address linter errors
Signed-off-by: Markus Hentsch <markus.hentsch@secustack.com>
markus-hentsch committed Oct 11, 2023
1 parent 14029ba commit 6d75ff2
Showing 2 changed files with 9 additions and 12 deletions.
10 changes: 5 additions & 5 deletions Standards/scs-0302-v1-domain-manager-role.md
Expand Up @@ -77,7 +77,7 @@ This results in special permissions being granted to users possessing the role w
This poses severe security risks as the proper scoping of the `admin` role is impossible.
**Due to this, this approach was discarded early.**

Upstream is in the process of addressing this across the services but it has not been fully implemented yet, especially for domains[^3].
Upstream (OpenStack) is in the process of addressing this across the services but it has not been fully implemented yet, especially for domains[^3].

[^2]: [Launchpad bug: "admin"-ness not properly scoped](https://bugs.launchpad.net/keystone/+bug/968696)

Expand Down Expand Up @@ -195,7 +195,7 @@ The "`is_domain_managed_role`" rule of the above policy template may be adjusted
- the "`is_domain_managed_role`" rule MUST NOT contain the "`admin`" role, neither directly nor transitively
- the "`is_domain_managed_role`" rule MUST define all applicable roles directly, it MUST NOT contain a "`rule:`" reference within itself

**Example: permitting multiple roles**
##### Example: permitting multiple roles

The following example permits both the "`member`" and "`reader`" role to be assigned/revoked by a Domain Manager.
Further roles can be appended using the logical `or` directive.
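Review bot: Turning the bold pseudo-heading into `##### Example: permitting multiple roles` resolves the emphasis-used-as-heading complaint, but a level-5 heading only passes the heading-increment check (markdownlint MD001) if the enclosing section is level 4; please confirm the parent heading of the `is_domain_managed_role` discussion is `####`, and otherwise pick the level that fits the hierarchy rather than the one that matches the old bold style.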
Expand Down Expand Up @@ -229,10 +229,10 @@ Aims to introduce support for a scoped `manager` role by 2024 but only focuses o

## Conformance Tests

There is a test suite in [`domain-manager-check.py`](../Tests/iam/domain-manager/domain-manager-check.py).
There is a test suite in [`domain-manager-check.py`](https://github.com/SovereignCloudStack/standards/blob/main/Tests/iam/domain-manager/domain-manager-check.py).
The test suite connects to the OpenStack API using two sample domains and corresponding Domain Manager accounts.
It verifies the compliance to the standard and the proper domain-scoping as defined by the Keystone policy.
Please consult the associated [README.md](../Tests/iam/domain-manager/README.md) for detailed setup and testing instructions.
Please consult the associated [README.md](https://github.com/SovereignCloudStack/standards/blob/main/Tests/iam/domain-manager/README.md) for detailed setup and testing instructions.

## Appendix

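Review bot: The new absolute links point at the `main` branch of SovereignCloudStack/standards, so the conformance test suite referenced by this v1 standard will silently follow whatever is on `main` rather than the version reviewed with the standard; consider linking to a tag or commit permalink for `domain-manager-check.py` and its README (or keeping the relative path where the renderer supports it) so that someone checking conformance runs the matching test suite.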
Expand Down Expand Up @@ -292,7 +292,7 @@ Decision:

Rationale:

- avoid confusion with the unscoped admin role and to be inline with the upstream plan: https://specs.openstack.org/openstack/keystone-specs/specs/keystone/2023.1/default-service-role.html
- avoid confusion with the unscoped admin role and to be inline with the upstream plan: [Default Service Role - Identity Specs](https://specs.openstack.org/openstack/keystone-specs/specs/keystone/2023.1/default-service-role.html)

Links / Comments / References:

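Review bot: Since this line is being touched anyway, "to be inline with the upstream plan" should read "in line with"; the conversion of the bare URL into a titled link is fine.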
11 changes: 4 additions & 7 deletions Tests/iam/domain-manager/README.md
Expand Up @@ -14,9 +14,9 @@ The following things are required:

The creation of these resources is described below.

> **NOTE:** The following steps require cloud admin rights.
**NOTE:** The following steps require cloud admin rights.

> **WARNING:** Replace the `<REPLACEME>` password placeholders by securely generated passwords in the code blocks below.
**WARNING:** Replace the `<REPLACEME>` password placeholders by securely generated passwords in the code blocks below.

First, create two testing domains and a domain manager for each domain:

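Review bot: Dropping the `>` blockquote from the NOTE and WARNING removes the callout on the warning that tells operators to replace the `<REPLACEME>` password placeholders, while the later notes in the same file (`> **NOTE:** The test execution procedure does not require cloud admin rights.` and the cleanup note under "Script Behavior & Test Results") keep the blockquote; either convert all of them for consistency or keep the callout here so the credential warning stays prominent.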
Expand Down Expand Up @@ -61,7 +61,6 @@ The content of the file is structured as follows:
| `domains.*.manager` | Login credentials for a user with the `domain-manager` role within the respective domain |
| `domains.*.member_role` | Role that a domain manager is permitted to assign users within the respective domain (default: `member`) |


### Test Execution Environment

> **NOTE:** The test execution procedure does not require cloud admin rights.
Expand All @@ -87,12 +86,11 @@ Within this environment execute the test suite.

[^2]: [Python 3 Documentation: Virtual Environments and Packages](https://docs.python.org/3/tutorial/venv.html)


## Test Execution

The test suite is executed as follows:

```
```bash
python3 domain-manager-check.py --os-cloud mycloud
```

Expand All @@ -112,13 +110,12 @@ clouds:

If the test suite fails and leaves test resources behind, the "`--cleanup-only`" flag may be used to delete those resources from the domains:

```
```bash
python3 domain-manager-check.py --os-cloud mycloud --cleanup-only
```

For any further options consult the output of "`python3 domain-manager-check.py --help`".


### Script Behavior & Test Results

> **NOTE:** Before any execution of test batches, the script will automatically perform a cleanup of the configured domains, deleting all users, projects and groups matching a special prefix (see the "`--prefix`" flag).
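Review bot: The cleanup note states that every user, project and group matching the `--prefix` value is deleted before each run, but neither this section nor the `--cleanup-only` paragraph above says what the default prefix is; please document the default here so an operator can verify that no other accounts in the two test domains share that prefix before the script removes them.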

0 comments on commit 6d75ff2
