Remove endpoint policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default endpoint behavior by removing them. Change-Id: I423e54c359b787efdda70f5d141f21e9103f3524 Closes-Bug: 1804482
2018-11-21 17:48:31 +00:00 · 2018-11-21 17:48:31 +00:00 · 6c6c6049f5
parent 00663f93b7
commit 6c6c6049f5
3 changed files with 20 additions and 6 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -16,12 +16,6 @@
    "identity:update_service": "rule:cloud_admin",
    "identity:delete_service": "rule:cloud_admin",

-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:cloud_admin",
-    "identity:update_endpoint": "rule:cloud_admin",
-    "identity:delete_endpoint": "rule:cloud_admin",
-
    "identity:get_limit_model": "",
    "identity:get_limit": "",
    "identity:list_limits": "",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -201,6 +201,11 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:list_regions',
            'identity:update_region',
            'identity:delete_region',
+            'identity:create_endpoint',
+            'identity:get_endpoint',
+            'identity:list_endpoints',
+            'identity:update_endpoint',
+            'identity:delete_endpoint',
            'identity:create_mapping',
            'identity:get_mapping',
            'identity:list_mappings',
--- a/releasenotes/notes/bug-1804482-aa95619320d098fa.yaml
+++ b/releasenotes/notes/bug-1804482-aa95619320d098fa.yaml
@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    [`bug 1804482 <https://bugs.launchpad.net/keystone/+bug/1804482>`_]
+    The endpoint policies defined in ``policy.v3cloudsample.json`` have
+    been removed. These policies are now obsolete after incorporating
+    system-scope into the endpoint API and implementing default roles.
+fixes:
+  - |
+    [`bug 1804482 <https://bugs.launchpad.net/keystone/+bug/1804482>`_]
+    The endpoint policies in ``policy.v3cloudsample.json`` policy file
+    have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.
+