Merge "Remove idp policies from policy.v3cloudsample.json"

2019-02-26 17:35:57 +00:00 · 2019-02-26 17:35:57 +00:00 · 5b410cfd81
parent e34609d478 c0e6d4498a
commit 5b410cfd81
3 changed files with 22 additions and 7 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -183,12 +183,6 @@
    "identity:add_endpoint_group_to_project": "rule:admin_required",
    "identity:remove_endpoint_group_from_project": "rule:admin_required",

-    "identity:create_identity_provider": "rule:cloud_admin",
-    "identity:list_identity_providers": "rule:cloud_admin",
-    "identity:get_identity_provider": "rule:cloud_admin",
-    "identity:update_identity_provider": "rule:cloud_admin",
-    "identity:delete_identity_provider": "rule:cloud_admin",
-
    "identity:create_protocol": "rule:cloud_admin",
    "identity:update_protocol": "rule:cloud_admin",
    "identity:get_protocol": "rule:cloud_admin",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -205,7 +205,12 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:get_mapping',
            'identity:list_mappings',
            'identity:update_mapping',
-            'identity:delete_mapping'
+            'identity:delete_mapping',
+            'identity:create_identity_provider',
+            'identity:get_identity_provider',
+            'identity:list_identity_providers',
+            'identity:update_identity_provider',
+            'identity:delete_identity_provider'
        ]
        policy_keys = self._get_default_policy_rules()
        for p in removed_policies:
--- a/releasenotes/notes/bug-1804517-a351aec088fee066.yaml
+++ b/releasenotes/notes/bug-1804517-a351aec088fee066.yaml
@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    [`bug 1804517 <https://bugs.launchpad.net/keystone/+bug/1804517>`_]
+    The federated identity provider policies defined in
+    ``policy.v3cloudsample.json`` have been removed. These policies
+    are now obsolete after incorporating system-scope into the
+    identity provider API and implementing default roles.
+fixes:
+  - |
+    [`bug 1804517 <https://bugs.launchpad.net/keystone/+bug/1804517>`_]
+    The federated identity provider policies in
+    ``policy.v3cloudsample.json`` policy file have been removed in
+    favor of better defaults in code. These policies weren't tested
+    exhaustively and were misleading to users and operators.
+