fix identity:get_identity_providers typo

Changes identity:get_identity_providers policy rule to identity:get_identity_provider to match what is checked by the code. Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1 Closes-Bug: #1703369
2017-07-10 09:20:18 -04:00 · 2017-07-10 09:20:18 -04:00 · b7119637a0
commit b7119637a0
parent 805b42ac4e
4 changed files with 14 additions and 3 deletions
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@ -146,7 +146,7 @@ identity:remove_endpoint_group_from_project                DELETE /v3/OS-EP-FILT

 identity:create_identity_provider                          PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
 identity:list_identity_providers                           GET /v3/OS-FEDERATION/identity_providers
-identity:get_identity_providers                            GET /v3/OS-FEDERATION/identity_providers/{idp_id}
+identity:get_identity_provider                             GET /v3/OS-FEDERATION/identity_providers/{idp_id}
 identity:update_identity_provider                          PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
 identity:delete_identity_provider                          DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}

--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -174,7 +174,7 @@

    "identity:create_identity_provider": "rule:cloud_admin",
    "identity:list_identity_providers": "rule:cloud_admin",
-    "identity:get_identity_providers": "rule:cloud_admin",
+    "identity:get_identity_provider": "rule:cloud_admin",
    "identity:update_identity_provider": "rule:cloud_admin",
    "identity:delete_identity_provider": "rule:cloud_admin",

--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@ -37,7 +37,7 @@ identity_provider_policies = [
        ]
    ),
    policy.DocumentedRuleDefault(
-        name=base.IDENTITY % 'get_identity_providers',
+        name=base.IDENTITY % 'get_identity_provider',
        check_str=base.RULE_ADMIN_REQUIRED,
        description='Get identity provider.',
        operations=[
--- a/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml
+++ b/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml
@ -0,0 +1,11 @@
+---
+security:
+  - |
+    [`bug 1703369 <https://bugs.launchpad.net/keystone/+bug/1703369>`_]
+    There was a typo for the identity:get_identity_provider rule in the
+    default ``policy.json`` file in previous releases. The default value for
+    that rule was the same as the default value for the default rule
+    (restricted to admin) so this typo was not readily apparent. Anyone
+    customizing this rule should review their settings and confirm that
+    they did not copy that typo. Particularly given that the default rule
+    is being removed in Pike with the move of policy into code.