From 6d756ad61247828319b184b6894fe8cabd7a5968 Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Tue, 4 Dec 2018 18:23:36 +0000
Subject: [PATCH] Remove role policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default role behavior by
removing them.

Note that these changes are slightly different from the
policy.v3cloudsample.json role policies, hence the removed tests. In
policy.v3cloudsample.json, domain users were allowed to get and list
global roles. So were project users. This behavior is changing because
global roles are considered global resources of the deployment, and
they should be managed by system users. Domain users should be able to
add and remove domain specific roles, which will come in a subsequent
series of patches. This approach is being taken because it is a safer
default for a system level resource (global roles) and still allows
the same functionality for domain users through domain-specific roles.

Change-Id: Iddaa59024a1dcefd4d791b95413602865888c1ff
Closes-Bug: 1806713
---
 etc/policy.v3cloudsample.json                 |  6 -----
 keystone/tests/unit/test_policy.py            |  5 +++++
 keystone/tests/unit/test_v3_protection.py     | 22 -------------------
 .../notes/bug-1806713-cf5feab23fc78a23.yaml   | 16 ++++++++++++++
 4 files changed, 21 insertions(+), 28 deletions(-)
 create mode 100644 releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 40e32550c2..a8450d6a10 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -76,12 +76,6 @@
     "identity:ec2_create_credential": "rule:admin_required or rule:owner",
     "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:cloud_admin",
-    "identity:update_role": "rule:cloud_admin",
-    "identity:delete_role": "rule:cloud_admin",
-
     "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
     "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
     "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 5cefa70b20..ec54f98a71 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -196,6 +196,11 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:list_service_providers',
             'identity:update_service_provider',
             'identity:delete_service_provider',
+            'identity:create_role',
+            'identity:get_role',
+            'identity:list_roles',
+            'identity:update_role',
+            'identity:delete_role',
             'identity:create_region',
             'identity:get_region',
             'identity:list_regions',
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index ad637fd06e..000d80608a 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -1867,28 +1867,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 
         self._role_management_cases(expected=exception.ForbiddenAction.code)
 
-    def test_role_management_with_project_admin(self):
-        # A project admin user should be able to get and list, but not be able
-        # to create/update/delete global roles
-        self.auth = self.build_authentication_request(
-            user_id=self.project_admin_user['id'],
-            password=self.project_admin_user['password'],
-            project_id=self.project['id'])
-
-        self._role_management_cases(read_status_OK=True,
-                                    expected=exception.ForbiddenAction.code)
-
-    def test_role_management_with_domain_admin(self):
-        # A domain admin user should be able to get and list, but not be able
-        # to create/update/delete global roles
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._role_management_cases(read_status_OK=True,
-                                    expected=exception.ForbiddenAction.code)
-
     def test_role_management_with_cloud_admin(self):
         # A cloud admin user should have rights to manipulate global roles
         self.auth = self.build_authentication_request(
diff --git a/releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml b/releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml
new file mode 100644
index 0000000000..ee35ae5791
--- /dev/null
+++ b/releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    [`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
+    The role policies defined in ``policy.v3cloudsample.json`` have
+    been removed. These policies are now obsolete after incorporating
+    system-scope into the role API and implementing default roles.
+fixes:
+  - |
+    [`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
+    The role policies in ``policy.v3cloudsample.json`` policy file
+    have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.
+
+