openstack/keystone
Code Issues Proposed changes

Merge "Remove obsolete credential policies"

Browse Source
This commit is contained in:
Zuul 2018-10-31 00:02:48 +00:00 committed by Gerrit Code Review
commit 723c7408e3
3 changed files with 11 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
etc/policy.v3cloudsample.json
View File

@ -83,12 +83,6 @@
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner", "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner", "identity:ec2_create_credential": "rule:admin_required or rule:owner",

11
keystone/tests/unit/test_policy.py
View File

@ -178,7 +178,18 @@ class PolicyJsonTestCase(unit.TestCase):
return rules return rules
def test_json_examples_have_matching_entries(self): def test_json_examples_have_matching_entries(self):
# TODO(lbragstad): Once all policies have been removed from
# policy.v3cloudsample.json, remove this test.
removed_policies = [
'identity:create_credential',
'identity:get_credential',
'identity:list_credentials',
'identity:update_credential',
'identity:delete_credential'
]
policy_keys = self._get_default_policy_rules() policy_keys = self._get_default_policy_rules()
for p in removed_policies:
del policy_keys[p]
cloud_policy_keys = set( cloud_policy_keys = set(
json.load(open(unit.dirs.etc('policy.v3cloudsample.json')))) json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))

22
keystone/tests/unit/test_v3_protection.py
View File

@ -1563,28 +1563,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
entity_url = '/domains/%s' % self.domainA['id'] entity_url = '/domains/%s' % self.domainA['id']
self.get(entity_url, auth=self.auth) self.get(entity_url, auth=self.auth)
def test_list_user_credentials(self):
credential_user = unit.new_credential_ref(self.just_a_user['id'])
PROVIDERS.credential_api.create_credential(
credential_user['id'], credential_user
)
credential_admin = unit.new_credential_ref(self.cloud_admin_user['id'])
PROVIDERS.credential_api.create_credential(
credential_admin['id'], credential_admin
)
self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
password=self.just_a_user['password'])
url = '/credentials?user_id=%s' % self.just_a_user['id']
self.get(url, auth=self.auth)
url = '/credentials?user_id=%s' % self.cloud_admin_user['id']
self.get(url, auth=self.auth,
expected_status=exception.ForbiddenAction.code)
url = '/credentials'
self.get(url, auth=self.auth,
expected_status=exception.ForbiddenAction.code)
def test_get_and_delete_ec2_credentials(self): def test_get_and_delete_ec2_credentials(self):
"""Test getting and deleting ec2 credentials through the ec2 API.""" """Test getting and deleting ec2 credentials through the ec2 API."""
another_user = unit.create_user(PROVIDERS.identity_api, another_user = unit.create_user(PROVIDERS.identity_api,