From 6bac9930ebd0f5882247879c3d9b04b732ba6fb4 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 26 Nov 2018 20:57:53 +0000 Subject: [PATCH] Remove service provider policies from v3cloudsample.json By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default service provider behavior by removing them. Change-Id: I01b0e7152ae282c49644b3bad1bcb2c8119aed58 Closes-Bug: 1804520 --- etc/policy.v3cloudsample.json | 6 ------ keystone/tests/unit/test_policy.py | 7 ++++++- .../notes/bug-1804520-d124599967923052.yaml | 13 +++++++++++++ 3 files changed, 19 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/bug-1804520-d124599967923052.yaml diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index ab36cbb6a3..3ac94c6876 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -207,12 +207,6 @@ "identity:delete_mapping": "rule:cloud_admin", "identity:update_mapping": "rule:cloud_admin", - "identity:create_service_provider": "rule:cloud_admin", - "identity:list_service_providers": "rule:cloud_admin", - "identity:get_service_provider": "rule:cloud_admin", - "identity:update_service_provider": "rule:cloud_admin", - "identity:delete_service_provider": "rule:cloud_admin", - "identity:get_auth_catalog": "", "identity:get_auth_projects": "", "identity:get_auth_domains": "", diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py index 63f6f1aa25..d2d7ea038c 100644 --- a/keystone/tests/unit/test_policy.py +++ b/keystone/tests/unit/test_policy.py 
@@ -190,7 +190,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_registered_limit',
 'identity:list_registered_limits',
 'identity:update_registered_limit',
- 'identity:delete_registered_limit'
+ 'identity:delete_registered_limit',
+ 'identity:create_service_provider',
+ 'identity:get_service_provider',
+ 'identity:list_service_providers',
+ 'identity:update_service_provider',
+ 'identity:delete_service_provider'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/releasenotes/notes/bug-1804520-d124599967923052.yaml b/releasenotes/notes/bug-1804520-d124599967923052.yaml
new file mode 100644
index 0000000000..c21f352e55
--- /dev/null
+++ b/releasenotes/notes/bug-1804520-d124599967923052.yaml
@@ -0,0 +1,13 @@
+---
+upgrade:
+ - |
+ [`bug 1804520 `_]
+ The federated service provider policies defined in ``policy.v3cloudsample.json``
+ have been removed. These policies are now obsolete after incorporating
+ system-scope into the service provider API and implementing default roles.
+fixes:
+ - |
+ [`bug 1804520 `_]
+ The federated service provider policies in ``policy.v3cloudsample.json`` policy file
+ have been removed in favor of better defaults in code. These policies
+ weren't tested exhaustively and were misleading to users and operators.
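Review bot: The five `identity:*_service_provider` names appended to `removed_policies` in keystone/tests/unit/test_policy.py carry no comment saying why they are exempt, and the list already mixes entries dropped for unrelated changes. These rules were pinned to `rule:cloud_admin` in the sample file, so someone auditing access control should be able to see from the test that enforcement now rests on the in-code defaults; I would add `# Removed from policy.v3cloudsample.json (bug 1804520); in-code defaults now apply.` above the new group. A trailing comma after `'identity:delete_service_provider'` would also keep the next addition from having to touch that line, as this change had to for `'identity:delete_registered_limit'`. The enclosing test method starts before the hunk and the loop over `removed_policies` continues past it, so what the loop does with these names cannot be confirmed from here.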