Remove obsolete credential policies
The policy.v3cloudsample.json policy file attempted to solve admin-ness issues with elaborate policy checks. These checks are no longer needed with the advent of system scope and its incorporation into the keystone APIs. This commit removes the credential policies from the policy.v3cloudsample.json policy file, since the new defaults introduce more flexibility by consuming scope, rendering the credential policies in policy.v3cloudsample.json obsolete. More specific test coverage has also been added for each new case in keystone.tests.unit.protection.v3.test_credentials. Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120 Related-Bug: 1788415
parent
d15c0fe5f4
commit
7c129f1c70
@ -83,12 +83,6 @@
|
|||||||
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||||
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
||||||
|
|
||||||
"identity:get_credential": "rule:admin_required",
|
|
||||||
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
|
|
||||||
"identity:create_credential": "rule:admin_required",
|
|
||||||
"identity:update_credential": "rule:admin_required",
|
|
||||||
"identity:delete_credential": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||||
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
||||||
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
||||||
|
@ -178,7 +178,18 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||||||
return rules
|
return rules
|
||||||
|
|
||||||
def test_json_examples_have_matching_entries(self):
|
def test_json_examples_have_matching_entries(self):
|
||||||
|
# TODO(lbragstad): Once all policies have been removed from
|
||||||
|
# policy.v3cloudsample.json, remove this test.
|
||||||
|
removed_policies = [
|
||||||
|
'identity:create_credential',
|
||||||
|
'identity:get_credential',
|
||||||
|
'identity:list_credentials',
|
||||||
|
'identity:update_credential',
|
||||||
|
'identity:delete_credential'
|
||||||
|
]
|
||||||
policy_keys = self._get_default_policy_rules()
|
policy_keys = self._get_default_policy_rules()
|
||||||
|
for p in removed_policies:
|
||||||
|
del policy_keys[p]
|
||||||
cloud_policy_keys = set(
|
cloud_policy_keys = set(
|
||||||
json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
|
json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
|
||||||
|
|
||||||
|
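Review bot: The `del policy_keys[p]` loop at the end of the hunk only removes the credential policies from the defaults side of the comparison; whether a credential entry accidentally left in or re-added to policy.v3cloudsample.json is still caught depends on the comparison that follows outside the hunk, which is not visible here. If that comparison is an equality of the two key sets, a stray sample entry shows up as an extra key and the test fails as intended; if it only checks that the sample's keys are a subset of the defaults, a stale `identity:get_credential` override would silently survive and keep applying `rule:admin_required` where the new scope-aware defaults were meant to take over. A direct assertion makes the intent explicit either way: `self.assertFalse(set(removed_policies) & cloud_policy_keys)`. Using `del` rather than `pop(p, None)` is the right choice, since it fails loudly if a listed policy disappears from the defaults and the TODO list needs updating. test_json_examples_have_matching_entries continues past the end of the hunk.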
@ -1563,28 +1563,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||||||
entity_url = '/domains/%s' % self.domainA['id']
|
entity_url = '/domains/%s' % self.domainA['id']
|
||||||
self.get(entity_url, auth=self.auth)
|
self.get(entity_url, auth=self.auth)
|
||||||
|
|
||||||
def test_list_user_credentials(self):
|
|
||||||
credential_user = unit.new_credential_ref(self.just_a_user['id'])
|
|
||||||
PROVIDERS.credential_api.create_credential(
|
|
||||||
credential_user['id'], credential_user
|
|
||||||
)
|
|
||||||
credential_admin = unit.new_credential_ref(self.cloud_admin_user['id'])
|
|
||||||
PROVIDERS.credential_api.create_credential(
|
|
||||||
credential_admin['id'], credential_admin
|
|
||||||
)
|
|
||||||
|
|
||||||
self.auth = self.build_authentication_request(
|
|
||||||
user_id=self.just_a_user['id'],
|
|
||||||
password=self.just_a_user['password'])
|
|
||||||
url = '/credentials?user_id=%s' % self.just_a_user['id']
|
|
||||||
self.get(url, auth=self.auth)
|
|
||||||
url = '/credentials?user_id=%s' % self.cloud_admin_user['id']
|
|
||||||
self.get(url, auth=self.auth,
|
|
||||||
expected_status=exception.ForbiddenAction.code)
|
|
||||||
url = '/credentials'
|
|
||||||
self.get(url, auth=self.auth,
|
|
||||||
expected_status=exception.ForbiddenAction.code)
|
|
||||||
|
|
||||||
def test_get_and_delete_ec2_credentials(self):
|
def test_get_and_delete_ec2_credentials(self):
|
||||||
"""Test getting and deleting ec2 credentials through the ec2 API."""
|
"""Test getting and deleting ec2 credentials through the ec2 API."""
|
||||||
another_user = unit.create_user(PROVIDERS.identity_api,
|
another_user = unit.create_user(PROVIDERS.identity_api,
|
||||||
|