Merge "Remove redundant policies from v3cloudsample"
commit
af4ec20f83
@ -24,20 +24,6 @@
"identity:delete_project_tags": "rule:admin_required",
"identity:update_project_tags": "rule:admin_required",
|
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
"identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
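--- a/PATH_NOT_ON_PAGE__policy_json_testcase.py
+++ b/PATH_NOT_ON_PAGE__policy_json_testcase.py
@@ -255,7 +255,17 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_user',
 'identity:list_users',
 'identity:update_user',
-'identity:delete_user'
+'identity:delete_user',
+'identity:get_group',
+'identity:list_groups',
+'identity:list_groups_for_user',
+'identity:create_group',
+'identity:update_group',
+'identity:delete_group',
+'identity:list_users_in_group',
+'identity:remove_user_from_group',
+'identity:check_user_in_group',
+'identity:add_user_to_group'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies: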
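Review bot: The new last element `'identity:add_user_to_group'` is written without a trailing comma, so the next policy key someone appends below it would be silently glued onto it by implicit string concatenation and the check would pass vacuously for both names; that is the same slip this hunk has to repair on `'identity:delete_user'`. Write it as `'identity:add_user_to_group',` so the `removed_policies` list stays append-safe. The `for p in removed_policies:` loop that compares these keys against `self._get_default_policy_rules()` continues outside the hunk, so whether a merged element would fail loudly there cannot be seen here.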
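--- a/PATH_NOT_ON_PAGE__v3_cloud_policy_sample_test.py
+++ b/PATH_NOT_ON_PAGE__v3_cloud_policy_sample_test.py
@@ -919,31 +919,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 self.post('/roles', auth=self.auth, body={'role': role_ref},
 expected_status=status_created)
 
-def test_group_management(self):
-# First, authenticate with a user that does not have the domain
-# admin role - shouldn't be able to do much.
-self.auth = self.build_authentication_request(
-user_id=self.just_a_user['id'],
-password=self.just_a_user['password'],
-domain_id=self.domainA['id'])
-
-self._test_group_management(
-self.group1, expected=exception.ForbiddenAction.code)
-
-# ...but should be able to list groups of which they are a member
-url = '/users/%s/groups' % self.just_a_user['id']
-self.get(url, auth=self.auth)
-
-# Now, authenticate with a user that does have the domain admin role
-self.auth = self.build_authentication_request(
-user_id=self.domain_admin_user['id'],
-password=self.domain_admin_user['password'],
-domain_id=self.domainA['id'])
-
-self._test_group_management(self.group1)
-self._test_group_management(self.group3,
-expected=exception.ForbiddenAction.code)
-
 def test_group_management_by_cloud_admin(self):
 # Test groups management with a cloud admin. This user should
 # be able to manage groups in any domain.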
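--- a/PATH_NOT_ON_PAGE__release_note.yaml
+++ b/PATH_NOT_ON_PAGE__release_note.yaml
@@ -0,0 +1,15 @@
+---
+upgrade:
+- |
+[`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
+The group policies defined in ``policy.v3cloudsample.json`` have
+been removed. These policies are now obsolete after incorporating
+system-scope and domain-scope into the groups API and implementing default
+roles.
+fixes:
+- |
+[`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
+The group policies in ``policy.v3cloudsample.json`` policy file
+have been removed in favor of better defaults in code. These
+policies weren't tested exhaustively and were misleading to users
+and operators.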