Remove limit policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default limit behavior by removing them. Change-Id: Ie0f333a9e8b60154711a24ba7d9ade531217eb71 Closes-Bug: 1805880
parent
e938c49628
commit
5b995cc8fb
|
@ -8,11 +8,6 @@
|
||||||
|
|
||||||
"default": "rule:admin_required",
|
"default": "rule:admin_required",
|
||||||
|
|
||||||
"identity:get_limit": "",
|
|
||||||
"identity:create_limits": "rule:admin_required",
|
|
||||||
"identity:update_limit": "rule:admin_required",
|
|
||||||
"identity:delete_limit": "rule:admin_required",
|
|
||||||
|
|
||||||
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
|
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
|
||||||
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
|
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
|
||||||
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
|
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
|
||||||
|
|
|
@ -206,6 +206,7 @@ class PolicyJsonTestCase(unit.TestCase):
|
||||||
'identity:create_group',
|
'identity:create_group',
|
||||||
'identity:create_identity_provider',
|
'identity:create_identity_provider',
|
||||||
'identity:create_implied_role',
|
'identity:create_implied_role',
|
||||||
|
'identity:create_limits',
|
||||||
'identity:create_mapping',
|
'identity:create_mapping',
|
||||||
'identity:create_policy',
|
'identity:create_policy',
|
||||||
'identity:create_policy_association_for_endpoint',
|
'identity:create_policy_association_for_endpoint',
|
||||||
|
@ -237,6 +238,7 @@ class PolicyJsonTestCase(unit.TestCase):
|
||||||
'identity:delete_identity_provider',
|
'identity:delete_identity_provider',
|
||||||
'identity:delete_implied_role',
|
'identity:delete_implied_role',
|
||||||
'identity:delete_mapping',
|
'identity:delete_mapping',
|
||||||
|
'identity:delete_limit',
|
||||||
'identity:delete_policy',
|
'identity:delete_policy',
|
||||||
'identity:delete_policy_association_for_endpoint',
|
'identity:delete_policy_association_for_endpoint',
|
||||||
'identity:delete_policy_association_for_region_and_service',
|
'identity:delete_policy_association_for_region_and_service',
|
||||||
|
@ -276,6 +278,7 @@ class PolicyJsonTestCase(unit.TestCase):
|
||||||
'identity:get_group',
|
'identity:get_group',
|
||||||
'identity:get_identity_provider',
|
'identity:get_identity_provider',
|
||||||
'identity:get_implied_role',
|
'identity:get_implied_role',
|
||||||
|
'identity:get_limit',
|
||||||
'identity:get_limit_model',
|
'identity:get_limit_model',
|
||||||
'identity:get_mapping',
|
'identity:get_mapping',
|
||||||
'identity:get_policy',
|
'identity:get_policy',
|
||||||
|
@ -354,6 +357,7 @@ class PolicyJsonTestCase(unit.TestCase):
|
||||||
'identity:update_endpoint_group',
|
'identity:update_endpoint_group',
|
||||||
'identity:update_group',
|
'identity:update_group',
|
||||||
'identity:update_identity_provider',
|
'identity:update_identity_provider',
|
||||||
|
'identity:update_limit',
|
||||||
'identity:update_mapping',
|
'identity:update_mapping',
|
||||||
'identity:update_policy',
|
'identity:update_policy',
|
||||||
'identity:update_project',
|
'identity:update_project',
|
||||||
|
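Review bot: The four limit entries added in this file (`'identity:create_limits'`, `'identity:delete_limit'`, `'identity:get_limit'`, `'identity:update_limit'`, one per hunk) carry no explanation of why they are listed. The list they join starts outside the visible hunks, so I am inferring that it names policies allowed to be absent from `policy.v3cloudsample.json`. If so, this test no longer ties the limit rules to any expected value, and the sample file previously set `identity:get_limit` to the empty rule while the write operations used `rule:admin_required`. The commit should therefore reference the tests that pin the in-code defaults for those four operations. A comment above the list, such as `# Limit policies were dropped from the sample file (bug 1805880); the in-code defaults apply.`, would keep the exemption from looking accidental.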
|
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
[`bug 1805880 <https://bugs.launchpad.net/keystone/+bug/1805880>`_]
|
||||||
|
The limit policies defined in ``policy.v3cloudsample.json``
|
||||||
|
have been removed. These policies are now obsolete after incorporating
|
||||||
|
system-scope into the limit API and implementing default roles.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1805880 <https://bugs.launchpad.net/keystone/+bug/1805880>`_]
|
||||||
|
The limit policies in ``policy.v3cloudsample.json`` policy
|
||||||
|
file have been removed in favor of better defaults in code. These
|
||||||
|
policies weren't tested exhaustively and were misleading to users
|
||||||
|
and operators.
|