Remove project policies from policy.v3cloudsample.json

By incorporating system-scope, domain-scope, project-scope, and
default roles, we've effectively made these policies obsolete. We can
simplify what we maintain and provide a more consistent, unified view
of default project behavior by removing them.

Change-Id: I80221b72ce0f234440e6d6aaea51869bd5f1c6e7
Related-Bug: 1806762
(cherry picked from commit 546b7f1bba)
Lance Bragstad 2018-12-10 22:22:52 +00:00
parent 24c875fe76
commit 3d3fa99a05
2 changed files with 6 additions and 8 deletions


@ -17,14 +17,6 @@
"identity:update_limit": "rule:admin_required",
"identity:delete_limit": "rule:admin_required",
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:create_project_tag": "rule:admin_required",
"identity:delete_project_tag": "rule:admin_required",
"identity:get_project_tag": "rule:admin_required",


@ -231,6 +231,12 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:list_domains',
'identity:update_domain',
'identity:delete_domain',
'identity:create_project',
'identity:get_project',
'identity:list_projects',
'identity:update_project',
'identity:delete_project',
'identity:list_user_projects',
'identity:create_service',
'identity:get_service',
'identity:list_services',
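Review bot: The six project policy names added after `'identity:delete_domain'` carry no comment saying why they belong in this list, and the list's declaration lies outside the hunk, so its purpose cannot be read from here. If, as the commit message suggests, the list names policies dropped from the sample file because the in-code defaults now cover them, then this test presumably no longer compares those six rules against anything. In that case the domain-matching condition the sample used to express (`domain_id:%(target.project.domain_id)s`) is asserted only wherever the defaults themselves are tested. I would add a line above the new entries such as `# project policies: removed from policy.v3cloudsample.json, now enforced by the scoped defaults in code`. I would also confirm that the default-policy tests include a case where a domain administrator is refused on a project owned by a different domain.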