Remove domain policies from policy.v3cloudsample.json
By incorporating system scope and default roles into keystone's default policies for domains, we've effectively made these policies obsolete. Related-Bug: 1806762 Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767
This commit is contained in:
parent
00663f93b7
commit
87e50c029e
|
@ -29,12 +29,6 @@
|
|||
"identity:update_limit": "rule:admin_required",
|
||||
"identity:delete_limit": "rule:admin_required",
|
||||
|
||||
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
|
||||
"identity:list_domains": "rule:cloud_admin",
|
||||
"identity:create_domain": "rule:cloud_admin",
|
||||
"identity:update_domain": "rule:cloud_admin",
|
||||
"identity:delete_domain": "rule:cloud_admin",
|
||||
|
||||
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
|
||||
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
|
||||
|
|
|
@ -210,7 +210,12 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||
'identity:get_identity_provider',
|
||||
'identity:list_identity_providers',
|
||||
'identity:update_identity_provider',
|
||||
'identity:delete_identity_provider'
|
||||
'identity:delete_identity_provider',
|
||||
'identity:create_domain',
|
||||
'identity:get_domain',
|
||||
'identity:list_domains',
|
||||
'identity:update_domain',
|
||||
'identity:delete_domain'
|
||||
]
|
||||
policy_keys = self._get_default_policy_rules()
|
||||
for p in removed_policies:
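Review bot: The new last entry `'identity:delete_domain'` has no trailing comma, the same shape this hunk had to repair for `'identity:delete_identity_provider'` — the next policy appended below it would silently concatenate the two string literals into one bogus name, and the loop would then check neither of them. Closing the list as `'identity:delete_domain',` keeps the next edit safe and matches the other entries. The enclosing test method and the loop body that consumes `removed_policies` continue outside the hunk, so what is asserted about each name against `policy_keys` is inferred rather than visible here.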
|
||||
|
|
|
@ -859,25 +859,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
self.post('/projects', auth=self.auth, body={'project': proj_ref},
|
||||
expected_status=status_created)
|
||||
|
||||
def _test_domain_management(self, expected=None):
|
||||
status_OK, status_created, status_no_data = self._stati(expected)
|
||||
entity_url = '/domains/%s' % self.domainB['id']
|
||||
list_url = '/domains'
|
||||
|
||||
self.get(entity_url, auth=self.auth,
|
||||
expected_status=status_OK)
|
||||
self.get(list_url, auth=self.auth,
|
||||
expected_status=status_OK)
|
||||
domain = {'description': 'Updated', 'enabled': False}
|
||||
self.patch(entity_url, auth=self.auth, body={'domain': domain},
|
||||
expected_status=status_OK)
|
||||
self.delete(entity_url, auth=self.auth,
|
||||
expected_status=status_no_data)
|
||||
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.post('/domains', auth=self.auth, body={'domain': domain_ref},
|
||||
expected_status=status_created)
|
||||
|
||||
def _test_grants(self, target, entity_id, role_domain_id=None,
|
||||
list_status_OK=False, expected=None):
|
||||
status_OK, status_created, status_no_data = self._stati(expected)
|
||||
|
@ -1523,38 +1504,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
self.get(collection_url, auth=self.auth,
|
||||
expected_status=http_client.FORBIDDEN)
|
||||
|
||||
def test_cloud_admin(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.domain_admin_user['id'],
|
||||
password=self.domain_admin_user['password'],
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
self._test_domain_management(
|
||||
expected=exception.ForbiddenAction.code)
|
||||
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.cloud_admin_user['id'],
|
||||
password=self.cloud_admin_user['password'],
|
||||
project_id=self.admin_project['id'])
|
||||
|
||||
self._test_domain_management()
|
||||
|
||||
def test_admin_project(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.project_admin_user['id'],
|
||||
password=self.project_admin_user['password'],
|
||||
project_id=self.project['id'])
|
||||
|
||||
self._test_domain_management(
|
||||
expected=exception.ForbiddenAction.code)
|
||||
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.cloud_admin_user['id'],
|
||||
password=self.cloud_admin_user['password'],
|
||||
project_id=self.admin_project['id'])
|
||||
|
||||
self._test_domain_management()
|
||||
|
||||
def test_domain_admin_get_domain(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.domain_admin_user['id'],
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
|
||||
The domain policies defined in ``policy.v3cloudsample.json``
|
||||
have been removed. These policies are now obsolete after incorporating
|
||||
system-scope into the domain API and implementing default roles.
|
||||
Additionally, the ``identity:get_domain`` policy in
|
||||
``policy.v3cloudsample.json`` has been relaxed slightly to allow all
|
||||
users with role assignments on a domain to retrieve that domain,
|
||||
as opposed to only allowing users with the ``admin`` role to access
|
||||
that policy.
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
|
||||
The domain policies in ``policy.v3cloudsample.json`` policy file
|
||||
have been removed in favor of better defaults in code. These policies
|
||||
weren't tested exhaustively and were misleading to users and operators.
|