From c78581b4608f3dc10e945d358963000f284f188a Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Tue, 2 Apr 2019 15:17:18 +0000 Subject: [PATCH] DRY: Remove redundant policies from policy.v3cloudsample.json The policies contained in policy.v3cloudsample.json pre-dated any of the work to move policy defaults into code. Since deploying a policy file is now optional, we can remove the redundant policies from this file and make it more maintainable by not repeating ourselves and violating the DRY principal. The only policies left are ones that are testing workarounds for bug 968696. Meanwhile, we're pursuing fixes for scope types and default roles: http://tinyurl.com/y5kj6fn9 These fixes are specific to certain resources to make reviews more understandable for reviewers. As fixes for those bugs land, we will be removing the remaining checks in this file, since the behavior will be captured in new default check strings or in code. Eventually, we will delete this file entirely since we will have defaults in code that work for `admins`, `members`, and `readers` on projects, domains, and the deployment system. Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83 Partial-Bug: 1806762 (cherry picked from commit bb141b1fb49c5391530399777586611f2a4b2e6d) --- etc/policy.v3cloudsample.json | 67 +------------------ keystone/tests/unit/test_policy.py | 56 ++++++++++++++++ .../notes/bug-1806762-c3bfc71cb9bb94f3.yaml | 8 +++ 3 files changed, 65 insertions(+), 66 deletions(-) diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 188eb0d8e6..fdbe357bea 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -1,8 +1,6 @@ { "admin_required": "role:admin", "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)", - "service_role": "role:service", - "service_or_admin": "rule:admin_required or rule:service_role", "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s", "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner", "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s", @@ -10,24 +8,16 @@ "default": "rule:admin_required", - "identity:get_limit_model": "", "identity:get_limit": "", - "identity:list_limits": "", "identity:create_limits": "rule:admin_required", "identity:update_limit": "rule:admin_required", "identity:delete_limit": "rule:admin_required", - "identity:create_project_tag": "rule:admin_required", - "identity:delete_project_tag": "rule:admin_required", "identity:get_project_tag": "rule:admin_required", "identity:list_project_tags": "rule:admin_required", - "identity:delete_project_tags": "rule:admin_required", - "identity:update_project_tags": "rule:admin_required", - "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:ec2_list_credentials": "rule:admin_required or rule:owner", "identity:ec2_create_credential": "rule:admin_required or rule:owner", - "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles", "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles", @@ -78,57 +68,8 @@ "identity:check_token": "rule:admin_or_owner", "identity:validate_token": "rule:service_admin_or_owner", "identity:validate_token_head": "rule:service_or_admin", - "identity:revocation_list": "rule:service_or_admin", "identity:revoke_token": "rule:admin_or_owner", - "identity:create_trust": "user_id:%(trust.trustor_user_id)s", - "identity:list_trusts": "", - "identity:list_roles_for_trust": "", - "identity:get_role_for_trust": "", - "identity:delete_trust": "", - "identity:get_trust": "", - - "identity:create_consumer": "rule:admin_required", - "identity:get_consumer": "rule:admin_required", - "identity:list_consumers": "rule:admin_required", - "identity:delete_consumer": "rule:admin_required", - "identity:update_consumer": "rule:admin_required", - - "identity:authorize_request_token": "rule:admin_required", - "identity:list_access_token_roles": "rule:admin_required", - "identity:get_access_token_role": "rule:admin_required", - "identity:list_access_tokens": "rule:admin_required", - "identity:get_access_token": "rule:admin_required", - "identity:delete_access_token": "rule:admin_required", - - "identity:list_projects_for_endpoint": "rule:admin_required", - "identity:add_endpoint_to_project": "rule:admin_required", - "identity:check_endpoint_in_project": "rule:admin_required", - "identity:list_endpoints_for_project": "rule:admin_required", - "identity:remove_endpoint_from_project": "rule:admin_required", - - "identity:create_endpoint_group": "rule:admin_required", - "identity:list_endpoint_groups": "rule:admin_required", - "identity:get_endpoint_group": "rule:admin_required", - "identity:update_endpoint_group": "rule:admin_required", - "identity:delete_endpoint_group": "rule:admin_required", - "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", - "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", - "identity:get_endpoint_group_in_project": "rule:admin_required", - "identity:list_endpoint_groups_for_project": "rule:admin_required", - "identity:add_endpoint_group_to_project": "rule:admin_required", - "identity:remove_endpoint_group_from_project": "rule:admin_required", - - "identity:get_auth_catalog": "", - "identity:get_auth_projects": "", - "identity:get_auth_domains": "", - "identity:get_auth_system": "", - - "identity:list_projects_for_user": "", - "identity:list_domains_for_user": "", - - "identity:list_revoke_events": "rule:service_or_admin", - "identity:create_policy_association_for_endpoint": "rule:cloud_admin", "identity:check_policy_association_for_endpoint": "rule:cloud_admin", "identity:delete_policy_association_for_endpoint": "rule:cloud_admin", @@ -143,13 +84,7 @@ "identity:create_domain_config": "rule:cloud_admin", "identity:get_domain_config": "rule:cloud_admin", - "identity:get_security_compliance_domain_config": "", "identity:update_domain_config": "rule:cloud_admin", "identity:delete_domain_config": "rule:cloud_admin", - "identity:get_domain_config_default": "rule:cloud_admin", - - "identity:get_application_credential": "rule:admin_or_owner", - "identity:list_application_credentials": "rule:admin_or_owner", - "identity:create_application_credential": "rule:admin_or_owner", - "identity:delete_application_credential": "rule:admin_or_owner" + "identity:get_domain_config_default": "rule:cloud_admin" } diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py index 79f02897ab..db8db5ffd5 100644 --- a/keystone/tests/unit/test_policy.py +++ b/keystone/tests/unit/test_policy.py @@ -181,6 +181,62 @@ class PolicyJsonTestCase(unit.TestCase): # TODO(lbragstad): Once all policies have been removed from # policy.v3cloudsample.json, remove this test. removed_policies = [ + 'service_role', + 'service_or_admin', + 'identity:get_limit_model', + 'identity:list_limits', + 'identity:create_project_tag', + 'identity:delete_project_tag', + 'identity:delete_project_tags', + 'identity:update_project_tags', + 'identity:ec2_get_credential', + 'identity:ec2_delete_credential', + 'identity:revocation_list', + 'identity:create_trust', + 'identity:list_trusts', + 'identity:list_roles_for_trust', + 'identity:get_role_for_trust', + 'identity:delete_trust', + 'identity:get_trust', + 'identity:create_consumer', + 'identity:get_consumer', + 'identity:list_consumers', + 'identity:delete_consumer', + 'identity:update_consumer', + 'identity:authorize_request_token', + 'identity:list_access_token_roles', + 'identity:get_access_token_role', + 'identity:list_access_tokens', + 'identity:get_access_token', + 'identity:delete_access_token', + 'identity:list_projects_for_endpoint', + 'identity:add_endpoint_to_project', + 'identity:check_endpoint_in_project', + 'identity:list_endpoints_for_project', + 'identity:remove_endpoint_from_project', + 'identity:create_endpoint_group', + 'identity:list_endpoint_groups', + 'identity:get_endpoint_group', + 'identity:update_endpoint_group', + 'identity:delete_endpoint_group', + 'identity:list_projects_associated_with_endpoint_group', + 'identity:list_endpoints_associated_with_endpoint_group', + 'identity:get_endpoint_group_in_project', + 'identity:list_endpoint_groups_for_project', + 'identity:add_endpoint_group_to_project', + 'identity:remove_endpoint_group_from_project', + 'identity:get_auth_catalog', + 'identity:get_auth_projects', + 'identity:get_auth_domains', + 'identity:get_auth_system', + 'identity:list_projects_for_user', + 'identity:list_domains_for_user', + 'identity:list_revoke_events', + 'identity:get_security_compliance_domain_config', + 'identity:get_application_credential', + 'identity:list_application_credentials', + 'identity:create_application_credential', + 'identity:delete_application_credential', 'identity:create_credential', 'identity:get_credential', 'identity:list_credentials', diff --git a/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml b/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml index 61240a573a..a0b1e1be93 100644 --- a/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml +++ b/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml @@ -10,6 +10,14 @@ upgrade: users with role assignments on a domain to retrieve that domain, as opposed to only allowing users with the ``admin`` role to access that policy. + + All policies in ``policy.v3cloudsample.json`` that are redundant with the + defaults in code have been removed. This improves maintainability and + leaves the ``policy.v3cloudsample.json`` policy file with only + overrides. These overrides will eventually be moved into code or new + defaults in keystone directly. If you're using the policies removed + from ``policy.v3cloudsample.json`` please check to see if you can migrate + to the new defaults or continue maintaining the policy as an override. fixes: - | [`bug 1806762 `_]