Remove assignment policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default service behavior by removing them. This commit also removes some redundant tests in test_v3_protection or corrects them. Partial-Bug: 1806762 Change-Id: I008aed9c01b9e834a197444ff2dc1f6eb1ba25b1
parent
954b976669
commit
64a455ef94
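--- a/policy.v3cloudsample.json
+++ b/policy.v3cloudsample.json
@@ -107,7 +107,6 @@
 "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
 "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
 "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
-"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
 "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
 "identity:get_policy": "rule:cloud_admin",
 "identity:list_policies": "rule:cloud_admin",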
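Review bot: After this deletion, `admin_on_domain_filter` and `admin_on_project_filter` at the top of the hunk have no remaining consumer visible here; the removed `identity:list_role_assignments` was the only rule in view that referenced them. If nothing outside the hunk uses them, they are now dead rule definitions in the sample and should be dropped in the same change, so the file does not advertise filters that no rule applies. `admin_on_domain_of_project_filter` is still referenced by `identity:list_role_assignments_for_tree`, so it stays. A sentence in the commit message naming the in-code default that now governs `identity:list_role_assignments` would help operators who diff this sample against a deployed policy file.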
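--- a/<path not shown: module defining PolicyJsonTestCase>
+++ b/<path not shown: module defining PolicyJsonTestCase>
@@ -235,7 +235,8 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_service',
 'identity:list_services',
 'identity:update_service',
-'identity:delete_service'
+'identity:delete_service',
+'identity:list_role_assignments'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies: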
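Review bot: The new `'identity:list_role_assignments'` entry is added without a trailing comma, repeating the pattern that forced this commit to touch the otherwise unrelated `'identity:delete_service'` line; the next addition to this list will again be a two-line diff. Ending the new line as `'identity:list_role_assignments',` keeps future changes to a single line. The `removed_policies` list and the enclosing test method begin above this hunk, so only their tail is visible here.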
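--- a/<dir not shown>/test_v3_protection.py
+++ b/<dir not shown>/test_v3_protection.py
@@ -26,7 +26,6 @@ from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit.ksfixtures import temporaryfile
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils
 
 
 CONF = keystone.conf.CONF
@@ -1338,8 +1337,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 
 collection_url = self.build_role_assignment_query_url(
 domain_id=self.domainB['id'])
-self.get(collection_url, auth=self.auth,
-expected_status=http_client.FORBIDDEN)
+r = self.get(collection_url, auth=self.auth)
+self.assertEqual([], r.json_body['role_assignments'])
 
 def test_domain_user_list_assignments_of_domain_failed(self):
 self.auth = self.build_authentication_request(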
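Review bot: The rewritten assertion changes what this test proves: a domain user listing assignments for `self.domainB` is no longer rejected with 403 but receives a successful response whose `role_assignments` is empty, and nothing in the hunk records why that is the intended outcome. A comment above `r = self.get(collection_url, auth=self.auth)` such as `# Default policy scopes the listing to the caller's domain rather than forbidding it, so a foreign domain yields an empty list.` would stop a later reader from "fixing" it back to FORBIDDEN. The new call no longer passes `expected_status`, so the status check relies on whatever `self.get` defaults to — presumably 200, but worth confirming since the old line asserted it explicitly. The `def` of this test is above the hunk; if its name still ends in `_failed` like the neighbouring `test_domain_user_list_assignments_of_domain_failed`, it now misdescribes the expectation and should be renamed.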
@ -1404,46 +1403,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||||||
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
||||||
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
||||||
|
|
||||||
def test_project_admin_list_assignments_of_another_project_failed(self):
|
|
||||||
projectB = unit.new_project_ref(domain_id=self.domainA['id'])
|
|
||||||
PROVIDERS.resource_api.create_project(projectB['id'], projectB)
|
|
||||||
admin_auth = self.build_authentication_request(
|
|
||||||
user_id=self.project_admin_user['id'],
|
|
||||||
password=self.project_admin_user['password'],
|
|
||||||
project_id=self.project['id'])
|
|
||||||
|
|
||||||
collection_url = self.build_role_assignment_query_url(
|
|
||||||
project_id=projectB['id'])
|
|
||||||
self.get(collection_url, auth=admin_auth,
|
|
||||||
expected_status=exception.ForbiddenAction.code)
|
|
||||||
|
|
||||||
@utils.wip('waiting on bug #1437407')
|
|
||||||
def test_domain_admin_list_assignments_of_project(self):
|
|
||||||
self.auth = self.build_authentication_request(
|
|
||||||
user_id=self.domain_admin_user['id'],
|
|
||||||
password=self.domain_admin_user['password'],
|
|
||||||
domain_id=self.domainA['id'])
|
|
||||||
|
|
||||||
collection_url = self.build_role_assignment_query_url(
|
|
||||||
project_id=self.project['id'])
|
|
||||||
r = self.get(collection_url, auth=self.auth)
|
|
||||||
self.assertValidRoleAssignmentListResponse(
|
|
||||||
r, expected_length=2, resource_url=collection_url)
|
|
||||||
|
|
||||||
project_admin_entity = self.build_role_assignment_entity(
|
|
||||||
project_id=self.project['id'],
|
|
||||||
user_id=self.project_admin_user['id'],
|
|
||||||
role_id=self.admin_role['id'],
|
|
||||||
inherited_to_projects=False)
|
|
||||||
project_user_entity = self.build_role_assignment_entity(
|
|
||||||
project_id=self.project['id'],
|
|
||||||
user_id=self.just_a_user['id'],
|
|
||||||
role_id=self.role['id'],
|
|
||||||
inherited_to_projects=False)
|
|
||||||
|
|
||||||
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
|
||||||
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
|
||||||
|
|
||||||
def test_domain_admin_list_assignment_tree(self):
|
def test_domain_admin_list_assignment_tree(self):
|
||||||
# Add a child project to the standard test data
|
# Add a child project to the standard test data
|
||||||
sub_project = unit.new_project_ref(domain_id=self.domainA['id'],
|
sub_project = unit.new_project_ref(domain_id=self.domainA['id'],
|
||||||
|
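Review bot: Deleting `test_project_admin_list_assignments_of_another_project_failed` drops the only negative authorization check in this hunk for a project admin listing another project's assignments, and the hunk adds no replacement that pins the new default behaviour for that case. If an equivalent cross-project test exists elsewhere (the commit message says some tests were redundant), naming it in the message would make that reviewable; otherwise keeping the test with its expectation updated to what the default policy now returns, as was done for the domain-user case earlier in this file, preserves coverage of cross-project listing. The `@utils.wip('waiting on bug #1437407')`-decorated `test_domain_admin_list_assignments_of_project` presumably never ran as a passing check, so its removal reads as consistent with dropping the `utils` import in the earlier hunk. `IdentityTestv3CloudPolicySample` continues past the end of this hunk.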