Remove limit policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default limit behavior by removing them. Change-Id: Ie0f333a9e8b60154711a24ba7d9ade531217eb71 Closes-Bug: 1805880
2018-11-29 21:30:06 +00:00 · 2018-11-29 21:30:06 +00:00 · 5b995cc8fb
commit 5b995cc8fb
parent e938c49628
3 changed files with 18 additions and 5 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -8,11 +8,6 @@

    "default": "rule:admin_required",

-    "identity:get_limit": "",
-    "identity:create_limits": "rule:admin_required",
-    "identity:update_limit": "rule:admin_required",
-    "identity:delete_limit": "rule:admin_required",
-
    "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
    "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
    "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -206,6 +206,7 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:create_group',
            'identity:create_identity_provider',
            'identity:create_implied_role',
+            'identity:create_limits',
            'identity:create_mapping',
            'identity:create_policy',
            'identity:create_policy_association_for_endpoint',
@ -237,6 +238,7 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:delete_identity_provider',
            'identity:delete_implied_role',
            'identity:delete_mapping',
+            'identity:delete_limit',
            'identity:delete_policy',
            'identity:delete_policy_association_for_endpoint',
            'identity:delete_policy_association_for_region_and_service',
@ -276,6 +278,7 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:get_group',
            'identity:get_identity_provider',
            'identity:get_implied_role',
+            'identity:get_limit',
            'identity:get_limit_model',
            'identity:get_mapping',
            'identity:get_policy',
@ -354,6 +357,7 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:update_endpoint_group',
            'identity:update_group',
            'identity:update_identity_provider',
+            'identity:update_limit',
            'identity:update_mapping',
            'identity:update_policy',
            'identity:update_project',
--- a/releasenotes/notes/bug-1805880-0032024ea6b83563.yaml
+++ b/releasenotes/notes/bug-1805880-0032024ea6b83563.yaml
@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    [`bug 1805880 <https://bugs.launchpad.net/keystone/+bug/1805880>`_]
+    The limit policies defined in ``policy.v3cloudsample.json``
+    have been removed. These policies are now obsolete after incorporating
+    system-scope into the limit API and implementing default roles.
+fixes:
+  - |
+    [`bug 1805880 <https://bugs.launchpad.net/keystone/+bug/1805880>`_]
+    The limit policies in ``policy.v3cloudsample.json`` policy
+    file have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.