Remove system Domain Config from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now obsolete. Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff Partial-Bug: #1806762 Closes-Bug: #1805366
This commit is contained in:
Vishakha Agarwal
parent
1e8b0491d4
commit
566f8e734d
@ -51,11 +51,5 @@
|
|||||||
"identity:check_token": "rule:admin_or_owner",
|
"identity:check_token": "rule:admin_or_owner",
|
||||||
"identity:validate_token": "rule:service_admin_or_owner",
|
"identity:validate_token": "rule:service_admin_or_owner",
|
||||||
"identity:validate_token_head": "rule:service_or_admin",
|
"identity:validate_token_head": "rule:service_or_admin",
|
||||||
"identity:revoke_token": "rule:admin_or_owner",
|
"identity:revoke_token": "rule:admin_or_owner"
|
||||||
|
|
||||||
"identity:create_domain_config": "rule:cloud_admin",
|
|
||||||
"identity:get_domain_config": "rule:cloud_admin",
|
|
||||||
"identity:update_domain_config": "rule:cloud_admin",
|
|
||||||
"identity:delete_domain_config": "rule:cloud_admin",
|
|
||||||
"identity:get_domain_config_default": "rule:cloud_admin"
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -197,6 +197,7 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||||||
'identity:create_consumer',
|
'identity:create_consumer',
|
||||||
'identity:create_credential',
|
'identity:create_credential',
|
||||||
'identity:create_domain',
|
'identity:create_domain',
|
||||||
|
'identity:create_domain_config',
|
||||||
'identity:create_domain_role',
|
'identity:create_domain_role',
|
||||||
'identity:create_endpoint',
|
'identity:create_endpoint',
|
||||||
'identity:create_endpoint_group',
|
'identity:create_endpoint_group',
|
||||||
@ -226,6 +227,7 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||||||
'identity:delete_consumer',
|
'identity:delete_consumer',
|
||||||
'identity:delete_credential',
|
'identity:delete_credential',
|
||||||
'identity:delete_domain',
|
'identity:delete_domain',
|
||||||
|
'identity:delete_domain_config',
|
||||||
'identity:delete_domain_role',
|
'identity:delete_domain_role',
|
||||||
'identity:delete_endpoint',
|
'identity:delete_endpoint',
|
||||||
'identity:delete_endpoint_group',
|
'identity:delete_endpoint_group',
|
||||||
@ -261,6 +263,8 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||||||
'identity:get_consumer',
|
'identity:get_consumer',
|
||||||
'identity:get_credential',
|
'identity:get_credential',
|
||||||
'identity:get_domain',
|
'identity:get_domain',
|
||||||
|
'identity:get_domain_config',
|
||||||
|
'identity:get_domain_config_default',
|
||||||
'identity:get_domain_role',
|
'identity:get_domain_role',
|
||||||
'identity:get_endpoint',
|
'identity:get_endpoint',
|
||||||
'identity:get_endpoint_group',
|
'identity:get_endpoint_group',
|
||||||
@ -336,6 +340,7 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||||||
'identity:update_consumer',
|
'identity:update_consumer',
|
||||||
'identity:update_credential',
|
'identity:update_credential',
|
||||||
'identity:update_domain',
|
'identity:update_domain',
|
||||||
|
'identity:update_domain_config',
|
||||||
'identity:update_domain_role',
|
'identity:update_domain_role',
|
||||||
'identity:update_endpoint',
|
'identity:update_endpoint',
|
||||||
'identity:update_endpoint_group',
|
'identity:update_endpoint_group',
|
||||||
|
|||||||
41
releasenotes/notes/bug-1805366-670867516c6fc4bc.yaml
Normal file
41
releasenotes/notes/bug-1805366-670867516c6fc4bc.yaml
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
|
||||||
|
The Domain Config API now supports the ``admin``, ``member``, and ``reader``
|
||||||
|
default roles.
|
||||||
|
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
|
||||||
|
The Domain Config API uses new default policies to make it more
|
||||||
|
accessible to end users and administrators in a secure way. Please
|
||||||
|
consider these new defaults if your deployment overrides Domain Config
|
||||||
|
policies.
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
|
||||||
|
The Domain Config API policies have been deprecated. The
|
||||||
|
``identity:get_domain_config`` policy now uses
|
||||||
|
``role:reader and system_scope:all`` instead of
|
||||||
|
``rule:admin_required``.
|
||||||
|
The ``identity:get_domain_config_default`` policy
|
||||||
|
now use ``role:reader and system_scope:all`` instead of
|
||||||
|
``rule:admin_required``.The ``identity:create_domain_config`` policy
|
||||||
|
now use ``role:admin and system_scope:all`` instead of
|
||||||
|
``rule:admin_required``. The ``identity:update_domain_config`` policy
|
||||||
|
now use ``role:admin and system_scope:all`` instead of
|
||||||
|
``rule:admin_required``.
|
||||||
|
The ``identity:delete_domain_config`` policy
|
||||||
|
now uses ``role:admin and system_scope:all`` instead of
|
||||||
|
``rule:admin_required``.
|
||||||
|
|
||||||
|
These new defaults automatically account for system-scope and support
|
||||||
|
a read-only role, making it easier for system administrators to delegate
|
||||||
|
subsets of responsibility without compromising security. Please consider
|
||||||
|
these new defaults if your deployment overrides the domain config policies.
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
|
||||||
|
The domain config API now uses system-scope and default roles to
|
||||||
|
provide better accessibility to users in a secure manner.
|
||||||
Loading…
x
Reference in New Issue
Block a user