Remove system policy and its association from policy.v3cloudsample.json

By relying on system-scope and default roles, these policies are now obsolete. Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785 Partial-Bug: #1806762 Closes-Bug: #1805409
2019-08-26 12:58:55 +05:30 · 2019-08-26 12:58:55 +05:30 · 704cb2590e
parent 296ea0f6d9
commit 704cb2590e
2 changed files with 17 additions and 18 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -59,29 +59,12 @@
    "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
    "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
-    "identity:get_policy": "rule:cloud_admin",
-    "identity:list_policies": "rule:cloud_admin",
-    "identity:create_policy": "rule:cloud_admin",
-    "identity:update_policy": "rule:cloud_admin",
-    "identity:delete_policy": "rule:cloud_admin",

    "identity:check_token": "rule:admin_or_owner",
    "identity:validate_token": "rule:service_admin_or_owner",
    "identity:validate_token_head": "rule:service_or_admin",
    "identity:revoke_token": "rule:admin_or_owner",

-    "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
-    "identity:create_policy_association_for_service": "rule:cloud_admin",
-    "identity:check_policy_association_for_service": "rule:cloud_admin",
-    "identity:delete_policy_association_for_service": "rule:cloud_admin",
-    "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
-    "identity:get_policy_for_endpoint": "rule:cloud_admin",
-    "identity:list_endpoints_for_policy": "rule:cloud_admin",
-
    "identity:create_domain_config": "rule:cloud_admin",
    "identity:get_domain_config": "rule:cloud_admin",
    "identity:update_domain_config": "rule:cloud_admin",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -321,7 +321,23 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:list_users_in_group',
            'identity:remove_user_from_group',
            'identity:check_user_in_group',
-            'identity:add_user_to_group'
+            'identity:add_user_to_group',
+            'identity:get_policy',
+            'identity:list_policies',
+            'identity:create_policy',
+            'identity:update_policy',
+            'identity:delete_policy',
+            'identity:create_policy_association_for_endpoint',
+            'identity:check_policy_association_for_endpoint',
+            'identity:delete_policy_association_for_endpoint',
+            'identity:create_policy_association_for_service',
+            'identity:check_policy_association_for_service',
+            'identity:delete_policy_association_for_service',
+            'identity:create_policy_association_for_region_and_service',
+            'identity:check_policy_association_for_region_and_service',
+            'identity:delete_policy_association_for_region_and_service',
+            'identity:get_policy_for_endpoint',
+            'identity:list_endpoints_for_policy'
        ]
        policy_keys = self._get_default_policy_rules()
        for p in removed_policies: