From 5b995cc8fbf0bb654ed0f6a88091c48548f53f6e Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 29 Nov 2018 21:30:06 +0000
Subject: [PATCH] Remove limit policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default limit behavior by removing them.
Change-Id: Ie0f333a9e8b60154711a24ba7d9ade531217eb71
Closes-Bug: 1805880
---
 etc/policy.v3cloudsample.json | 5 -----
 keystone/tests/unit/test_policy.py | 4 ++++
 .../notes/bug-1805880-0032024ea6b83563.yaml | 14 ++++++++++++++
 3 files changed, 18 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/bug-1805880-0032024ea6b83563.yaml
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 8b82c1cf62..8e12732272 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -8,11 +8,6 @@
 "default": "rule:admin_required",
- "identity:get_limit": "",
- "identity:create_limits": "rule:admin_required",
- "identity:update_limit": "rule:admin_required",
- "identity:delete_limit": "rule:admin_required",
-
 "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
 "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
 "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index bc1e1805e3..fe0b8bba27 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -206,6 +206,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:create_group',
 'identity:create_identity_provider',
 'identity:create_implied_role',
+ 'identity:create_limits',
 'identity:create_mapping',
 'identity:create_policy',
 'identity:create_policy_association_for_endpoint',
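Review bot: The added `'identity:create_limits'` entry, like `'identity:delete_limit'`, `'identity:get_limit'` and `'identity:update_limit'` in the hunks at -237, -276 and -354, lands in a list whose opening line is outside this hunk, so nothing visible here says what membership in it means. Read together with the deletion from `policy.v3cloudsample.json`, it is presumably the set of policies exempted from the sample-file comparison; if so, these additions only silence that comparison and do not themselves check that the in-code limit defaults are at least as strict as the `rule:admin_required` rules that were removed. A comment above the new entries would record the intent, for example `# Limit policies were dropped from policy.v3cloudsample.json (bug 1805880); the in-code defaults are authoritative.`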
@@ -237,6 +238,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:delete_identity_provider',
 'identity:delete_implied_role',
 'identity:delete_mapping',
+ 'identity:delete_limit',
 'identity:delete_policy',
 'identity:delete_policy_association_for_endpoint',
 'identity:delete_policy_association_for_region_and_service',
@@ -276,6 +278,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_group',
 'identity:get_identity_provider',
 'identity:get_implied_role',
+ 'identity:get_limit',
 'identity:get_limit_model',
 'identity:get_mapping',
 'identity:get_policy',
@@ -354,6 +357,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:update_endpoint_group',
 'identity:update_group',
 'identity:update_identity_provider',
+ 'identity:update_limit',
 'identity:update_mapping',
 'identity:update_policy',
 'identity:update_project',
diff --git a/releasenotes/notes/bug-1805880-0032024ea6b83563.yaml b/releasenotes/notes/bug-1805880-0032024ea6b83563.yaml
new file mode 100644
index 0000000000..b00e4f6805
--- /dev/null
+++ b/releasenotes/notes/bug-1805880-0032024ea6b83563.yaml
@@ -0,0 +1,14 @@
+---
+upgrade:
+ - |
+ [`bug 1805880 `_]
+ The limit policies defined in ``policy.v3cloudsample.json``
+ have been removed. These policies are now obsolete after incorporating
+ system-scope into the limit API and implementing default roles.
+fixes:
+ - |
+ [`bug 1805880 `_]
+ The limit policies in ``policy.v3cloudsample.json`` policy
+ file have been removed in favor of better defaults in code. These
+ policies weren't tested exhaustively and were misleading to users
+ and operators.
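Review bot: In the hunk at -237, `'identity:delete_limit'` is inserted after `'identity:delete_mapping'`, which breaks the alphabetical order that the surrounding entries and the other three insertions in this file keep. Moving it up one line, so the run reads `'identity:delete_implied_role',` then `'identity:delete_limit',` then `'identity:delete_mapping',`, keeps the list easy to scan and makes a missing or duplicated policy name easier to spot in later reviews. The list itself starts and ends outside the hunk.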