From 704cb2590e2f4496a73a79b3eeb22656083b4081 Mon Sep 17 00:00:00 2001
From: Vishakha Agarwal
Date: Mon, 26 Aug 2019 12:58:55 +0530
Subject: [PATCH] Remove system policy and its association from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now obsolete.
Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785
Partial-Bug: #1806762
Closes-Bug: #1805409
---
 etc/policy.v3cloudsample.json | 17 -----------------
 keystone/tests/unit/test_policy.py | 18 +++++++++++++++++-
 2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index fdbe357bea..f4aca1d0b2 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -59,29 +59,12 @@ "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s", "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s", "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter", - "identity:get_policy": "rule:cloud_admin", - "identity:list_policies": "rule:cloud_admin", - "identity:create_policy": "rule:cloud_admin", - "identity:update_policy": "rule:cloud_admin", - "identity:delete_policy": "rule:cloud_admin", "identity:check_token": "rule:admin_or_owner", "identity:validate_token": "rule:service_admin_or_owner", "identity:validate_token_head": "rule:service_or_admin", "identity:revoke_token": "rule:admin_or_owner", - "identity:create_policy_association_for_endpoint": "rule:cloud_admin", - "identity:check_policy_association_for_endpoint": "rule:cloud_admin", - "identity:delete_policy_association_for_endpoint": "rule:cloud_admin", - "identity:create_policy_association_for_service": "rule:cloud_admin", - "identity:check_policy_association_for_service": "rule:cloud_admin", - "identity:delete_policy_association_for_service": "rule:cloud_admin", - "identity:create_policy_association_for_region_and_service": "rule:cloud_admin", - "identity:check_policy_association_for_region_and_service": "rule:cloud_admin", - "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin", - "identity:get_policy_for_endpoint": "rule:cloud_admin", - "identity:list_endpoints_for_policy": "rule:cloud_admin", - "identity:create_domain_config": "rule:cloud_admin", "identity:get_domain_config": "rule:cloud_admin", "identity:update_domain_config": "rule:cloud_admin", diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py index db8db5ffd5..ab6babe9a2 100644 --- a/keystone/tests/unit/test_policy.py +++ b/keystone/tests/unit/test_policy.py 
@@ -321,7 +321,23 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:list_users_in_group',
 'identity:remove_user_from_group',
 'identity:check_user_in_group',
- 'identity:add_user_to_group'
+ 'identity:add_user_to_group',
+ 'identity:get_policy',
+ 'identity:list_policies',
+ 'identity:create_policy',
+ 'identity:update_policy',
+ 'identity:delete_policy',
+ 'identity:create_policy_association_for_endpoint',
+ 'identity:check_policy_association_for_endpoint',
+ 'identity:delete_policy_association_for_endpoint',
+ 'identity:create_policy_association_for_service',
+ 'identity:check_policy_association_for_service',
+ 'identity:delete_policy_association_for_service',
+ 'identity:create_policy_association_for_region_and_service',
+ 'identity:check_policy_association_for_region_and_service',
+ 'identity:delete_policy_association_for_region_and_service',
+ 'identity:get_policy_for_endpoint',
+ 'identity:list_endpoints_for_policy'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
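Review bot: The extended `removed_policies` list still ends without a trailing comma (`'identity:list_endpoints_for_policy'`), which is why this change had to rewrite the `'identity:add_user_to_group'` line just to append entries. In a list of string literals a forgotten comma does not raise an error: Python joins the two adjacent names into one string that matches no policy rule, so an entry can silently drop out of the list the test consults. End the last element with a comma, `'identity:list_endpoints_for_policy',`, and consider a one-line comment above the new group such as `# policy and policy-association rules: removed from the sample file, covered by the in-code defaults`. The loop over `removed_policies` continues outside the hunk, so how a malformed name would surface in the comparison cannot be confirmed from here.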