Browse Source

Remove assignment policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've
effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified
view of default service behavior by removing them.

This commit also removes some redundant tests in test_v3_protection
or corrects them.

Partial-Bug: 1806762
Change-Id: I008aed9c01b9e834a197444ff2dc1f6eb1ba25b1
(cherry picked from commit 64a455ef94)
changes/89/647589/1
Vishakha Agarwal 3 years ago
committed by Lance Bragstad
parent
commit
570e47dbf3
  1. 1
      etc/policy.v3cloudsample.json
  2. 3
      keystone/tests/unit/test_policy.py
  3. 45
      keystone/tests/unit/test_v3_protection.py

1
etc/policy.v3cloudsample.json

@ -107,7 +107,6 @@
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",

3
keystone/tests/unit/test_policy.py

@ -235,7 +235,8 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_service',
'identity:list_services',
'identity:update_service',
'identity:delete_service'
'identity:delete_service',
'identity:list_role_assignments'
]
policy_keys = self._get_default_policy_rules()
for p in removed_policies:

45
keystone/tests/unit/test_v3_protection.py

@ -26,7 +26,6 @@ from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import temporaryfile
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils
CONF = keystone.conf.CONF
@ -1338,8 +1337,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
collection_url = self.build_role_assignment_query_url(
domain_id=self.domainB['id'])
self.get(collection_url, auth=self.auth,
expected_status=http_client.FORBIDDEN)
r = self.get(collection_url, auth=self.auth)
self.assertEqual([], r.json_body['role_assignments'])
def test_domain_user_list_assignments_of_domain_failed(self):
self.auth = self.build_authentication_request(
@ -1404,46 +1403,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_project_admin_list_assignments_of_another_project_failed(self):
projectB = unit.new_project_ref(domain_id=self.domainA['id'])
PROVIDERS.resource_api.create_project(projectB['id'], projectB)
admin_auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
collection_url = self.build_role_assignment_query_url(
project_id=projectB['id'])
self.get(collection_url, auth=admin_auth,
expected_status=exception.ForbiddenAction.code)
@utils.wip('waiting on bug #1437407')
def test_domain_admin_list_assignments_of_project(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
collection_url = self.build_role_assignment_query_url(
project_id=self.project['id'])
r = self.get(collection_url, auth=self.auth)
self.assertValidRoleAssignmentListResponse(
r, expected_length=2, resource_url=collection_url)
project_admin_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.project_admin_user['id'],
role_id=self.admin_role['id'],
inherited_to_projects=False)
project_user_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.just_a_user['id'],
role_id=self.role['id'],
inherited_to_projects=False)
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_domain_admin_list_assignment_tree(self):
# Add a child project to the standard test data
sub_project = unit.new_project_ref(domain_id=self.domainA['id'],

Loading…
Cancel
Save