Remove assignment policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've
effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified
view of default service behavior by removing them.

This commit also removes some redundant tests in test_v3_protection
or corrects them.

Partial-Bug: 1806762
Change-Id: I008aed9c01b9e834a197444ff2dc1f6eb1ba25b1
(cherry picked from commit 64a455ef94)
This commit is contained in:
Vishakha Agarwal 2019-03-05 13:00:55 +05:30 committed by Lance Bragstad
parent 10305cf729
commit 570e47dbf3
3 changed files with 4 additions and 45 deletions

View File

@ -107,7 +107,6 @@
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s", "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s", "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s", "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter", "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin", "identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin", "identity:list_policies": "rule:cloud_admin",

View File

@ -235,7 +235,8 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_service', 'identity:get_service',
'identity:list_services', 'identity:list_services',
'identity:update_service', 'identity:update_service',
'identity:delete_service' 'identity:delete_service',
'identity:list_role_assignments'
] ]
policy_keys = self._get_default_policy_rules() policy_keys = self._get_default_policy_rules()
for p in removed_policies: for p in removed_policies:

View File

@ -26,7 +26,6 @@ from keystone.tests import unit
from keystone.tests.unit import ksfixtures from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import temporaryfile from keystone.tests.unit.ksfixtures import temporaryfile
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
from keystone.tests.unit import utils
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
@ -1338,8 +1337,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
collection_url = self.build_role_assignment_query_url( collection_url = self.build_role_assignment_query_url(
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.get(collection_url, auth=self.auth, r = self.get(collection_url, auth=self.auth)
expected_status=http_client.FORBIDDEN) self.assertEqual([], r.json_body['role_assignments'])
def test_domain_user_list_assignments_of_domain_failed(self): def test_domain_user_list_assignments_of_domain_failed(self):
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
@ -1404,46 +1403,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.assertRoleAssignmentInListResponse(r, project_admin_entity) self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity) self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_project_admin_list_assignments_of_another_project_failed(self):
projectB = unit.new_project_ref(domain_id=self.domainA['id'])
PROVIDERS.resource_api.create_project(projectB['id'], projectB)
admin_auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
collection_url = self.build_role_assignment_query_url(
project_id=projectB['id'])
self.get(collection_url, auth=admin_auth,
expected_status=exception.ForbiddenAction.code)
@utils.wip('waiting on bug #1437407')
def test_domain_admin_list_assignments_of_project(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
collection_url = self.build_role_assignment_query_url(
project_id=self.project['id'])
r = self.get(collection_url, auth=self.auth)
self.assertValidRoleAssignmentListResponse(
r, expected_length=2, resource_url=collection_url)
project_admin_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.project_admin_user['id'],
role_id=self.admin_role['id'],
inherited_to_projects=False)
project_user_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.just_a_user['id'],
role_id=self.role['id'],
inherited_to_projects=False)
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_domain_admin_list_assignment_tree(self): def test_domain_admin_list_assignment_tree(self):
# Add a child project to the standard test data # Add a child project to the standard test data
sub_project = unit.new_project_ref(domain_id=self.domainA['id'], sub_project = unit.new_project_ref(domain_id=self.domainA['id'],