From 2c102cad4769c1a6f6713c1379a1760f03ea0172 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Mon, 25 Mar 2019 20:39:08 +0100
Subject: [PATCH] Remove redundant policies from v3cloudsample

By incorporating system and domain scope and default roles into keystone's default policies for domains, we've effectively made these policies obsolete. This change also removes the redundant group management tests from the v3cloudsample tests.

Change-Id: I4e3b19f9cc025a472fb27a33955856c2cd17fd1d
Partial-Bug: #1806762
(cherry picked from commit 8877e9f01caf01fa66528afd78f32195d35d3b4a)
---
etc/policy.v3cloudsample.json | 14 ----------
keystone/tests/unit/test_policy.py | 12 ++++++++-
keystone/tests/unit/test_v3_protection.py | 25 -------------------
.../notes/bug-1806762-2092fee9f6c87dc3.yaml | 15 +++++++++++
4 files changed, 26 insertions(+), 40 deletions(-)
create mode 100644 releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index fc912bcbb2..188eb0d8e6 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -24,20 +24,6 @@
 "identity:delete_project_tags": "rule:admin_required",
 "identity:update_project_tags": "rule:admin_required",
- "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
- "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
- "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
- "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
- "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
- "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
 "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
 "identity:ec2_create_credential": "rule:admin_required or rule:owner",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index cc0a897492..79f02897ab 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -255,7 +255,17 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_user',
 'identity:list_users',
 'identity:update_user',
- 'identity:delete_user'
+ 'identity:delete_user',
+ 'identity:get_group',
+ 'identity:list_groups',
+ 'identity:list_groups_for_user',
+ 'identity:create_group',
+ 'identity:update_group',
+ 'identity:delete_group',
+ 'identity:list_users_in_group',
+ 'identity:remove_user_from_group',
+ 'identity:check_user_in_group',
+ 'identity:add_user_to_group'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index 0ee91c7144..6d3d66666b 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
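Review bot: The last entry `'identity:add_user_to_group'` is written without a trailing comma, repeating the pattern this hunk itself had to fix on `'identity:delete_user'`; writing it as `'identity:add_user_to_group',` keeps the next extension of removed_policies a one-line diff. The loop over removed_policies and its assertion continue outside the hunk, so I cannot tell from here whether the test also checks that each removed key is still enforced by an in-code default rather than only absent from the sample file; for authorization rules on group management that is the property worth pinning. The test_v3_protection hunk removes the negative checks that a non-admin user and a domain admin acting on another domain's group receive ForbiddenAction, and if equivalent negative cases do not exist in the default-policy protection tests the deletion loses that coverage. Separately, the new release note cites bug 1804462 while the Partial-Bug trailer and the note's filename say 1806762, so one of the two looks wrong.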
@@ -919,31 +919,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 self.post('/roles', auth=self.auth, body={'role': role_ref},
 expected_status=status_created)
- def test_group_management(self):
- # First, authenticate with a user that does not have the domain
- # admin role - shouldn't be able to do much.
- self.auth = self.build_authentication_request(
- user_id=self.just_a_user['id'],
- password=self.just_a_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_group_management(
- self.group1, expected=exception.ForbiddenAction.code)
-
- # ...but should be able to list groups of which they are a member
- url = '/users/%s/groups' % self.just_a_user['id']
- self.get(url, auth=self.auth)
-
- # Now, authenticate with a user that does have the domain admin role
- self.auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_group_management(self.group1)
- self._test_group_management(self.group3,
- expected=exception.ForbiddenAction.code)
-
 def test_group_management_by_cloud_admin(self):
 # Test groups management with a cloud admin. This user should
 # be able to manage groups in any domain.
diff --git a/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml b/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
new file mode 100644
index 0000000000..ec6d88fc48
--- /dev/null
+++ b/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
@@ -0,0 +1,15 @@
+---
+upgrade:
+ - |
+ [`bug 1804462 `_]
+ The group policies defined in ``policy.v3cloudsample.json`` have
+ been removed. These policies are now obsolete after incorporating
+ system-scope and domain-scope into the groups API and implementing default
+ roles.
+fixes:
+ - |
+ [`bug 1804462 `_]
+ The group policies in ``policy.v3cloudsample.json`` policy file
+ have been removed in favor of better defaults in code. These
+ policies weren't tested exhaustively and were misleading to users
+ and operators.