diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 92fc8dd179..4647e72ec6 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -195,12 +195,6 @@
 "identity:list_protocols": "rule:cloud_admin",
 "identity:delete_protocol": "rule:cloud_admin",
- "identity:create_mapping": "rule:cloud_admin",
- "identity:get_mapping": "rule:cloud_admin",
- "identity:list_mappings": "rule:cloud_admin",
- "identity:delete_mapping": "rule:cloud_admin",
- "identity:update_mapping": "rule:cloud_admin",
-
 "identity:get_auth_catalog": "",
 "identity:get_auth_projects": "",
 "identity:get_auth_domains": "",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index eeeb2371de..608dcbf246 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -200,7 +200,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_region',
 'identity:list_regions',
 'identity:update_region',
- 'identity:delete_region'
+ 'identity:delete_region',
+ 'identity:create_mapping',
+ 'identity:get_mapping',
+ 'identity:list_mappings',
+ 'identity:update_mapping',
+ 'identity:delete_mapping'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/releasenotes/notes/bug-1804519-8384a9ead261d4c2.yaml b/releasenotes/notes/bug-1804519-8384a9ead261d4c2.yaml
new file mode 100644
index 0000000000..c2f4e0bac2
--- /dev/null
+++ b/releasenotes/notes/bug-1804519-8384a9ead261d4c2.yaml
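Review bot: The five `identity:*_mapping` keys are appended to `removed_policies` in test_policy.py with nothing recording why they are exempt, so a later reader cannot tell a deliberate removal from a forgotten sample entry; a comment above them such as `# federated mapping policies: dropped from policy.v3cloudsample.json (bug 1804519), in-code defaults apply` would cover it. The loop that consumes the list begins at `for p in removed_policies:` and its body is outside the hunk, so what it does with each key is not visible here. If it only excludes these keys from the sample-file comparison, this test no longer says anything about who may create, update or delete mappings, and that check presumably has to live in the tests for the in-code defaults. That is worth confirming, since mappings decide how federated identities are mapped to local users and groups.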
@@ -0,0 +1,14 @@
+---
+upgrade:
+ - |
+ [`bug 1804519 `_]
+ The federated mapping policies defined in ``policy.v3cloudsample.json``
+ have been removed. These policies are now obsolete after incorporating
+ system-scope into the mapping API and implementing default roles.
+fixes:
+ - |
+ [`bug 1804519 `_]
+ The federated mapping policies in ``policy.v3cloudsample.json`` policy file
+ have been removed in favor of better defaults in code. These policies
+ weren't tested exhaustively and were misleading to users and operators.
+