
Remove system policy and its association from policy.v3cloudsample.json

By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785
Partial-Bug: #1806762
Closes-Bug: #1805409
changes/75/678475/3
Vishakha Agarwal 2 years ago
parent
commit
704cb2590e
  1. 17
      etc/policy.v3cloudsample.json
  2. 18
      keystone/tests/unit/test_policy.py

17
etc/policy.v3cloudsample.json

@ -59,29 +59,12 @@
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",
"identity:create_policy": "rule:cloud_admin",
"identity:update_policy": "rule:cloud_admin",
"identity:delete_policy": "rule:cloud_admin",
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
"identity:create_policy_association_for_service": "rule:cloud_admin",
"identity:check_policy_association_for_service": "rule:cloud_admin",
"identity:delete_policy_association_for_service": "rule:cloud_admin",
"identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:get_policy_for_endpoint": "rule:cloud_admin",
"identity:list_endpoints_for_policy": "rule:cloud_admin",
"identity:create_domain_config": "rule:cloud_admin",
"identity:get_domain_config": "rule:cloud_admin",
"identity:update_domain_config": "rule:cloud_admin",

18
keystone/tests/unit/test_policy.py

@ -321,7 +321,23 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:list_users_in_group',
'identity:remove_user_from_group',
'identity:check_user_in_group',
'identity:add_user_to_group'
'identity:add_user_to_group',
'identity:get_policy',
'identity:list_policies',
'identity:create_policy',
'identity:update_policy',
'identity:delete_policy',
'identity:create_policy_association_for_endpoint',
'identity:check_policy_association_for_endpoint',
'identity:delete_policy_association_for_endpoint',
'identity:create_policy_association_for_service',
'identity:check_policy_association_for_service',
'identity:delete_policy_association_for_service',
'identity:create_policy_association_for_region_and_service',
'identity:check_policy_association_for_region_and_service',
'identity:delete_policy_association_for_region_and_service',
'identity:get_policy_for_endpoint',
'identity:list_endpoints_for_policy'
]
policy_keys = self._get_default_policy_rules()
for p in removed_policies:
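Review bot: The new last entry of `removed_policies`, `'identity:list_endpoints_for_policy'`, is again left without a trailing comma, which is the same pattern that forced this change to touch the `'identity:add_user_to_group'` line. If a later change appends a name without adding the comma, Python joins the two adjacent string literals into one bogus policy name and raises no error. Assuming the loop that starts at `for p in removed_policies:` (its body is outside the hunk) asserts that each name is absent from the sample file, such a merged name would pass trivially and two policy rules would go unchecked. I would end the list with `'identity:list_endpoints_for_policy',` so future additions are one-line diffs and cannot concatenate silently.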
