Merge "Remove redundant policies from v3cloudsample"

2019-04-01 05:41:18 +00:00 · 2019-04-01 05:41:18 +00:00 · af4ec20f83
parent 2b9d69d1d3 8877e9f01c
commit af4ec20f83
4 changed files with 26 additions and 40 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -24,20 +24,6 @@
    "identity:delete_project_tags": "rule:admin_required",
    "identity:update_project_tags": "rule:admin_required",

-    "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
-    "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
-    "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
-    "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
-    "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
-    "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
    "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
    "identity:ec2_create_credential": "rule:admin_required or rule:owner",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -255,7 +255,17 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:get_user',
            'identity:list_users',
            'identity:update_user',
-            'identity:delete_user'
+            'identity:delete_user',
+            'identity:get_group',
+            'identity:list_groups',
+            'identity:list_groups_for_user',
+            'identity:create_group',
+            'identity:update_group',
+            'identity:delete_group',
+            'identity:list_users_in_group',
+            'identity:remove_user_from_group',
+            'identity:check_user_in_group',
+            'identity:add_user_to_group'
        ]
        policy_keys = self._get_default_policy_rules()
        for p in removed_policies:
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -919,31 +919,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        self.post('/roles', auth=self.auth, body={'role': role_ref},
                  expected_status=status_created)

-    def test_group_management(self):
-        # First, authenticate with a user that does not have the domain
-        # admin role - shouldn't be able to do much.
-        self.auth = self.build_authentication_request(
-            user_id=self.just_a_user['id'],
-            password=self.just_a_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_group_management(
-            self.group1, expected=exception.ForbiddenAction.code)
-
-        # ...but should be able to list groups of which they are a member
-        url = '/users/%s/groups' % self.just_a_user['id']
-        self.get(url, auth=self.auth)
-
-        # Now, authenticate with a user that does have the domain admin role
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_group_management(self.group1)
-        self._test_group_management(self.group3,
-                                    expected=exception.ForbiddenAction.code)
-
    def test_group_management_by_cloud_admin(self):
        # Test groups management with a cloud admin. This user should
        # be able to manage groups in any domain.
--- a/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
+++ b/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    [`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
+    The group policies defined in ``policy.v3cloudsample.json`` have
+    been removed. These policies are now obsolete after incorporating
+    system-scope and domain-scope into the groups API and implementing default
+    roles.
+fixes:
+  - |
+    [`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
+    The group policies in ``policy.v3cloudsample.json`` policy file
+    have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.