Remove region policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default region behavior by removing them. Change-Id: I0f982d71fc4a5d33ed66cb34d7388f3c4655e3ef Closes-Bug: 1804292
2018-11-21 13:30:14 +00:00 · 2018-11-21 13:30:14 +00:00 · 1b7db4a062
commit 1b7db4a062
parent bb8ebfd659
3 changed files with 20 additions and 7 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -10,12 +10,6 @@

    "default": "rule:admin_required",

-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:cloud_admin",
-    "identity:update_region": "rule:cloud_admin",
-    "identity:delete_region": "rule:cloud_admin",
-
    "identity:get_service": "rule:admin_required",
    "identity:list_services": "rule:admin_required",
    "identity:create_service": "rule:cloud_admin",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -195,7 +195,12 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:get_service_provider',
            'identity:list_service_providers',
            'identity:update_service_provider',
-            'identity:delete_service_provider'
+            'identity:delete_service_provider',
+            'identity:create_region',
+            'identity:get_region',
+            'identity:list_regions',
+            'identity:update_region',
+            'identity:delete_region'
        ]
        policy_keys = self._get_default_policy_rules()
        for p in removed_policies:
--- a/releasenotes/notes/bug-1804292-0107869c7029f79e.yaml
+++ b/releasenotes/notes/bug-1804292-0107869c7029f79e.yaml
@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    [`bug 1804292 <https://bugs.launchpad.net/keystone/+bug/1804292>`_]
+    The region policies defined in ``policy.v3cloudsample.json`` have
+    been removed. These policies are now obsolete after incorporating
+    system-scope into the region API and implementing default roles.
+fixes:
+  - |
+    [`bug 1804292 <https://bugs.launchpad.net/keystone/+bug/1804292>`_]
+    The region policies in ``policy.v3cloudsample.json`` policy file
+    have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.