Remove system Domain Config from policy.v3cloudsample.json

By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff
Partial-Bug: #1806762
Closes-Bug: #1805366
This commit is contained in:
Vishakha Agarwal 2019-09-05 15:09:40 +05:30
parent 1e8b0491d4
commit 566f8e734d
3 changed files with 47 additions and 7 deletions

View File

@ -51,11 +51,5 @@
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_domain_config": "rule:cloud_admin",
"identity:get_domain_config": "rule:cloud_admin",
"identity:update_domain_config": "rule:cloud_admin",
"identity:delete_domain_config": "rule:cloud_admin",
"identity:get_domain_config_default": "rule:cloud_admin"
"identity:revoke_token": "rule:admin_or_owner"
}

View File

@ -197,6 +197,7 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:create_consumer',
'identity:create_credential',
'identity:create_domain',
'identity:create_domain_config',
'identity:create_domain_role',
'identity:create_endpoint',
'identity:create_endpoint_group',
@ -226,6 +227,7 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:delete_consumer',
'identity:delete_credential',
'identity:delete_domain',
'identity:delete_domain_config',
'identity:delete_domain_role',
'identity:delete_endpoint',
'identity:delete_endpoint_group',
@ -261,6 +263,8 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_consumer',
'identity:get_credential',
'identity:get_domain',
'identity:get_domain_config',
'identity:get_domain_config_default',
'identity:get_domain_role',
'identity:get_endpoint',
'identity:get_endpoint_group',
@ -336,6 +340,7 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:update_consumer',
'identity:update_credential',
'identity:update_domain',
'identity:update_domain_config',
'identity:update_domain_role',
'identity:update_endpoint',
'identity:update_endpoint_group',

View File

@ -0,0 +1,41 @@
---
features:
- |
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
The Domain Config API now supports the ``admin``, ``member``, and ``reader``
default roles.
upgrade:
- |
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
The Domain Config API uses new default policies to make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides Domain Config
policies.
deprecations:
- |
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
The Domain Config API policies have been deprecated. The
``identity:get_domain_config`` policy now uses
``role:reader and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:get_domain_config_default`` policy
now use ``role:reader and system_scope:all`` instead of
``rule:admin_required``.The ``identity:create_domain_config`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``. The ``identity:update_domain_config`` policy
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
The ``identity:delete_domain_config`` policy
now uses ``role:admin and system_scope:all`` instead of
``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to delegate
subsets of responsibility without compromising security. Please consider
these new defaults if your deployment overrides the domain config policies.
security:
- |
[`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
The domain config API now uses system-scope and default roles to
provide better accessibility to users in a secure manner.