
Remove domain policies from policy.v3cloudsample.json

By incorporating system scope and default roles into keystone's
default policies for domains, we've effectively made these policies
obsolete.

Related-Bug: 1806762

Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767
changes/76/605876/14
Lance Bragstad 3 years ago
parent
commit
87e50c029e
  1. 6
      etc/policy.v3cloudsample.json
  2. 7
      keystone/tests/unit/test_policy.py
  3. 51
      keystone/tests/unit/test_v3_protection.py
  4. 18
      releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml

6
etc/policy.v3cloudsample.json

@ -29,12 +29,6 @@
"identity:update_limit": "rule:admin_required",
"identity:delete_limit": "rule:admin_required",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",
"identity:update_domain": "rule:cloud_admin",
"identity:delete_domain": "rule:cloud_admin",
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",

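--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -210,7 +210,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_identity_provider',
 'identity:list_identity_providers',
 'identity:update_identity_provider',
-'identity:delete_identity_provider'
+'identity:delete_identity_provider',
+'identity:create_domain',
+'identity:get_domain',
+'identity:list_domains',
+'identity:update_domain',
+'identity:delete_domain'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies: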
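Review bot: The new last element `'identity:delete_domain'` is again written without a trailing comma, which is exactly the shape that let the old `'identity:delete_identity_provider'` entry silently concatenate with whatever was appended after it, so the removal check for that policy never ran against the real key. Write it as `'identity:delete_domain',` so the next addition to removed_policies cannot reproduce the bug this hunk had to repair. The loop body that consumes removed_policies continues outside the hunk, so I cannot see whether it only asserts presence in the defaults or also absence from the sample file; a cheap guard such as `self.assertEqual(1, p.count('identity:'))` inside that loop would make a future implicit-concatenation fail loudly instead of passing vacuously.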

51
keystone/tests/unit/test_v3_protection.py

@ -859,25 +859,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.post('/projects', auth=self.auth, body={'project': proj_ref},
expected_status=status_created)
def _test_domain_management(self, expected=None):
status_OK, status_created, status_no_data = self._stati(expected)
entity_url = '/domains/%s' % self.domainB['id']
list_url = '/domains'
self.get(entity_url, auth=self.auth,
expected_status=status_OK)
self.get(list_url, auth=self.auth,
expected_status=status_OK)
domain = {'description': 'Updated', 'enabled': False}
self.patch(entity_url, auth=self.auth, body={'domain': domain},
expected_status=status_OK)
self.delete(entity_url, auth=self.auth,
expected_status=status_no_data)
domain_ref = unit.new_domain_ref()
self.post('/domains', auth=self.auth, body={'domain': domain_ref},
expected_status=status_created)
def _test_grants(self, target, entity_id, role_domain_id=None,
list_status_OK=False, expected=None):
status_OK, status_created, status_no_data = self._stati(expected)
@ -1523,38 +1504,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.get(collection_url, auth=self.auth,
expected_status=http_client.FORBIDDEN)
def test_cloud_admin(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
self._test_domain_management(
expected=exception.ForbiddenAction.code)
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
self._test_domain_management()
def test_admin_project(self):
self.auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
self._test_domain_management(
expected=exception.ForbiddenAction.code)
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
self._test_domain_management()
def test_domain_admin_get_domain(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],

18
releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml

@ -0,0 +1,18 @@
---
upgrade:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
The domain policies defined in ``policy.v3cloudsample.json``
have been removed. These policies are now obsolete after incorporating
system-scope into the domain API and implementing default roles.
Additionally, the ``identity:get_domain`` policy in
``policy.v3cloudsample.json`` has been relaxed slightly to allow all
users with role assignments on a domain to retrieve that domain,
as opposed to only allowing users with the ``admin`` role to access
that policy.
fixes:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
The domain policies in ``policy.v3cloudsample.json`` policy file
have been removed in favor of better defaults in code. These policies
weren't tested exhaustively and were misleading to users and operators.