
Remove project policies from policy.v3cloudsample.json

By incorporating system-scope, domain-scope, project-scope, and
default roles, we've effectively made these policies obsolete. We can
simplify what we maintain and provide a more consistent, unified view
of default project behavior by removing them.

Change-Id: I80221b72ce0f234440e6d6aaea51869bd5f1c6e7
Related-Bug: 1806762
changes/22/624222/6
Lance Bragstad 3 years ago
parent
commit
546b7f1bba
  1. 8
      etc/policy.v3cloudsample.json
  2. 6
      keystone/tests/unit/test_policy.py

8
etc/policy.v3cloudsample.json

@ -17,14 +17,6 @@
"identity:update_limit": "rule:admin_required",
"identity:delete_limit": "rule:admin_required",
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:create_project_tag": "rule:admin_required",
"identity:delete_project_tag": "rule:admin_required",
"identity:get_project_tag": "rule:admin_required",

6
keystone/tests/unit/test_policy.py

@ -231,6 +231,12 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:list_domains',
'identity:update_domain',
'identity:delete_domain',
'identity:create_project',
'identity:get_project',
'identity:list_projects',
'identity:update_project',
'identity:delete_project',
'identity:list_user_projects',
'identity:create_service',
'identity:get_service',
'identity:list_services',
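Review bot: The six project policy names added here (`identity:create_project` through `identity:list_user_projects`) go into what appears to be a hand-maintained exemption list in `PolicyJsonTestCase`, so the sample-file consistency check no longer covers them. Nothing in this hunk confirms that the in-code defaults still enforce the domain match that `admin_and_matching_target_project_domain_id` provided in the removed sample rules. I would add a comment above the new entries, e.g. `# project policies: removed from policy.v3cloudsample.json, defaults now enforced in code (bug 1806762)`, and reference the tests that cover cross-domain project access if they exist. The list and the test method that consumes it start and end outside the hunk, so its exact role is inferred from the class name and the commit message.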
