Browse Source

Remove redundant policies from v3cloudsample

By incorporating system and domain scope and default roles into
keystone's default policies for domains, we've effectively made these
policies obsolete. This change also removes the redundant group
management tests from the v3cloudsample tests.

Change-Id: I4e3b19f9cc025a472fb27a33955856c2cd17fd1d
Partial-Bug: #1806762
(cherry picked from commit 8877e9f01c)
changes/97/649297/1
Colleen Murphy 3 years ago
parent
commit
2c102cad47
  1. 14
      etc/policy.v3cloudsample.json
  2. 12
      keystone/tests/unit/test_policy.py
  3. 25
      keystone/tests/unit/test_v3_protection.py
  4. 15
      releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml

14
etc/policy.v3cloudsample.json

@ -24,20 +24,6 @@
"identity:delete_project_tags": "rule:admin_required",
"identity:update_project_tags": "rule:admin_required",
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
"identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner",

12
keystone/tests/unit/test_policy.py

@ -255,7 +255,17 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_user',
'identity:list_users',
'identity:update_user',
'identity:delete_user'
'identity:delete_user',
'identity:get_group',
'identity:list_groups',
'identity:list_groups_for_user',
'identity:create_group',
'identity:update_group',
'identity:delete_group',
'identity:list_users_in_group',
'identity:remove_user_from_group',
'identity:check_user_in_group',
'identity:add_user_to_group'
]
policy_keys = self._get_default_policy_rules()
for p in removed_policies:

25
keystone/tests/unit/test_v3_protection.py

@ -919,31 +919,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.post('/roles', auth=self.auth, body={'role': role_ref},
expected_status=status_created)
def test_group_management(self):
# First, authenticate with a user that does not have the domain
# admin role - shouldn't be able to do much.
self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
password=self.just_a_user['password'],
domain_id=self.domainA['id'])
self._test_group_management(
self.group1, expected=exception.ForbiddenAction.code)
# ...but should be able to list groups of which they are a member
url = '/users/%s/groups' % self.just_a_user['id']
self.get(url, auth=self.auth)
# Now, authenticate with a user that does have the domain admin role
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
self._test_group_management(self.group1)
self._test_group_management(self.group3,
expected=exception.ForbiddenAction.code)
def test_group_management_by_cloud_admin(self):
# Test groups management with a cloud admin. This user should
# be able to manage groups in any domain.

15
releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml

@ -0,0 +1,15 @@
---
upgrade:
- |
[`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
The group policies defined in ``policy.v3cloudsample.json`` have
been removed. These policies are now obsolete after incorporating
system-scope and domain-scope into the groups API and implementing default
roles.
fixes:
- |
[`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
The group policies in ``policy.v3cloudsample.json`` policy file
have been removed in favor of better defaults in code. These
policies weren't tested exhaustively and were misleading to users
and operators.
Loading…
Cancel
Save