Remove obsolete credential policies

The policy.v3cloudsample.json policy file attempted to solve
admin-ness issues with elaborate policy checks. These checks are no
longer needed with the advent of system scope and the incorporation of system
scope into keystone APIs.

This commit removes the credential policies from the
policy.v3cloudsample.conf policy file since the new defaults introduce
more flexibility by consuming scope, rendering the policies in
policy.v3cloudsample.conf obsolete. More specific test coverage has
also been added for each new case in
keystone.tests.unit.protection.v3.test_credentials.

Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120
Related-Bug: 1788415
Lance Bragstad 2018-08-28 15:44:48 +00:00
parent d15c0fe5f4
commit 7c129f1c70
3 changed files with 11 additions and 28 deletions


@ -83,12 +83,6 @@
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner", "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner", "identity:ec2_create_credential": "rule:admin_required or rule:owner",


@ -178,7 +178,18 @@ class PolicyJsonTestCase(unit.TestCase):
return rules return rules
def test_json_examples_have_matching_entries(self): def test_json_examples_have_matching_entries(self):
# TODO(lbragstad): Once all policies have been removed from
# policy.v3cloudsample.json, remove this test.
removed_policies = [
'identity:create_credential',
'identity:get_credential',
'identity:list_credentials',
'identity:update_credential',
'identity:delete_credential'
]
policy_keys = self._get_default_policy_rules() policy_keys = self._get_default_policy_rules()
for p in removed_policies:
del policy_keys[p]
cloud_policy_keys = set( cloud_policy_keys = set(
json.load(open(unit.dirs.etc('policy.v3cloudsample.json')))) json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
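Review bot: The new `del policy_keys[p]` inside the `for p in removed_policies:` loop reports a rule that has vanished from `_get_default_policy_rules()` only as a bare KeyError naming the key, which is harder to read in a test run than a failed assertion; `self.assertIn(p, policy_keys)` before the `del`, or `policy_keys.pop(p)` wrapped in an assertion with a message, would state what drifted between the defaults and the sample file. The `removed_policies` list is also the only record of which credential rules were dropped from the cloud sample and why, and the TODO above it talks only about retiring the test; a one-line comment such as `# Rules removed from policy.v3cloudsample.json because scope-based defaults cover them; they must not reappear in the sample.` would make the intent clear to whoever drops the next batch. What the method finally asserts about `cloud_policy_keys` is outside the hunk, so the exact failure message it would otherwise produce cannot be judged here; the enclosing method continues past the hunk.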


@ -1563,28 +1563,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
entity_url = '/domains/%s' % self.domainA['id'] entity_url = '/domains/%s' % self.domainA['id']
self.get(entity_url, auth=self.auth) self.get(entity_url, auth=self.auth)
def test_list_user_credentials(self):
credential_user = unit.new_credential_ref(self.just_a_user['id'])
PROVIDERS.credential_api.create_credential(
credential_user['id'], credential_user
)
credential_admin = unit.new_credential_ref(self.cloud_admin_user['id'])
PROVIDERS.credential_api.create_credential(
credential_admin['id'], credential_admin
)
self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
password=self.just_a_user['password'])
url = '/credentials?user_id=%s' % self.just_a_user['id']
self.get(url, auth=self.auth)
url = '/credentials?user_id=%s' % self.cloud_admin_user['id']
self.get(url, auth=self.auth,
expected_status=exception.ForbiddenAction.code)
url = '/credentials'
self.get(url, auth=self.auth,
expected_status=exception.ForbiddenAction.code)
def test_get_and_delete_ec2_credentials(self): def test_get_and_delete_ec2_credentials(self):
"""Test getting and deleting ec2 credentials through the ec2 API.""" """Test getting and deleting ec2 credentials through the ec2 API."""
another_user = unit.create_user(PROVIDERS.identity_api, another_user = unit.create_user(PROVIDERS.identity_api,