From 87e50c029e11d412368f0b08b7e65c6796bf1871 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 27 Sep 2018 22:08:55 +0000
Subject: [PATCH] Remove domain policies from policy.v3cloudsample.json

By incorporating system scope and default roles into keystone's default policies for domains, we've effectively made these policies obsolete.

Related-Bug: 1806762
Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767
---
 etc/policy.v3cloudsample.json | 6 ---
 keystone/tests/unit/test_policy.py | 7 ++-
 keystone/tests/unit/test_v3_protection.py | 51 -------------------
 .../notes/bug-1806762-c3bfc71cb9bb94f3.yaml | 18 +++++++
 4 files changed, 24 insertions(+), 58 deletions(-)
 create mode 100644 releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 40e32550c2..df43a8b44d 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -29,12 +29,6 @@
 "identity:update_limit": "rule:admin_required",
 "identity:delete_limit": "rule:admin_required",
- "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:cloud_admin",
- "identity:create_domain": "rule:cloud_admin",
- "identity:update_domain": "rule:cloud_admin",
- "identity:delete_domain": "rule:cloud_admin",
-
 "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
 "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
 "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 5cefa70b20..dfb5aa7ce5 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
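Review bot: Dropping the five `identity:*_domain` keys means any deployment that loads policy.v3cloudsample.json now falls through to keystone's in-code defaults for the domain API, yet the release note in this change says `identity:get_domain` "in policy.v3cloudsample.json has been relaxed slightly" even though this hunk deletes that key from the file; the note should attribute the relaxation to the in-code default, not to the sample file. The removed `identity:get_domain` rule (`rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s`) was the only one of the five that granted anything beyond `rule:cloud_admin`, so operators who use this sample as their live policy should be told to compare the in-code defaults before upgrading rather than assume the effective authorization is unchanged. The companion deletions of `test_cloud_admin` and `test_admin_project` in test_v3_protection.py were the checks that a domain- or project-scoped admin receives a 403 on the domain routes under this sample file, so after this change nothing in the tree exercises that fallback for those callers; a replacement assertion, or a sentence in the release note naming where the in-code defaults are tested, would close that gap.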
@@ -210,7 +210,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_identity_provider',
 'identity:list_identity_providers',
 'identity:update_identity_provider',
- 'identity:delete_identity_provider'
+ 'identity:delete_identity_provider',
+ 'identity:create_domain',
+ 'identity:get_domain',
+ 'identity:list_domains',
+ 'identity:update_domain',
+ 'identity:delete_domain'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index ad637fd06e..6e82a851ed 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -859,25 +859,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 self.post('/projects', auth=self.auth, body={'project': proj_ref},
 expected_status=status_created)
- def _test_domain_management(self, expected=None):
- status_OK, status_created, status_no_data = self._stati(expected)
- entity_url = '/domains/%s' % self.domainB['id']
- list_url = '/domains'
-
- self.get(entity_url, auth=self.auth,
- expected_status=status_OK)
- self.get(list_url, auth=self.auth,
- expected_status=status_OK)
- domain = {'description': 'Updated', 'enabled': False}
- self.patch(entity_url, auth=self.auth, body={'domain': domain},
- expected_status=status_OK)
- self.delete(entity_url, auth=self.auth,
- expected_status=status_no_data)
-
- domain_ref = unit.new_domain_ref()
- self.post('/domains', auth=self.auth, body={'domain': domain_ref},
- expected_status=status_created)
-
 def _test_grants(self, target, entity_id, role_domain_id=None, list_status_OK=False, expected=None):
 status_OK, status_created, status_no_data = self._stati(expected)
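Review bot: The list in this hunk still ends without a trailing comma (`'identity:delete_domain'`), which is exactly why `'identity:delete_identity_provider'` had to be touched just to append entries; writing the last element as `'identity:delete_domain',` keeps the next addition to a pure-insert diff. The `removed_policies` list starts and the loop that consumes it continues outside the hunk, so what is asserted per entry is not visible here; presumably it checks each key is absent from the sample-file rules, which is what this change needs. A one-line comment above the new entries, `# removed in favor of in-code defaults (bug 1806762)`, would tell the next reader why these five keys are expected to be missing rather than looking like a regression.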
@@ -1523,38 +1504,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 self.get(collection_url, auth=self.auth, expected_status=http_client.FORBIDDEN)
- def test_cloud_admin(self):
- self.auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_domain_management(
- expected=exception.ForbiddenAction.code)
-
- self.auth = self.build_authentication_request(
- user_id=self.cloud_admin_user['id'],
- password=self.cloud_admin_user['password'],
- project_id=self.admin_project['id'])
-
- self._test_domain_management()
-
- def test_admin_project(self):
- self.auth = self.build_authentication_request(
- user_id=self.project_admin_user['id'],
- password=self.project_admin_user['password'],
- project_id=self.project['id'])
-
- self._test_domain_management(
- expected=exception.ForbiddenAction.code)
-
- self.auth = self.build_authentication_request(
- user_id=self.cloud_admin_user['id'],
- password=self.cloud_admin_user['password'],
- project_id=self.admin_project['id'])
-
- self._test_domain_management()
-
 def test_domain_admin_get_domain(self):
 self.auth = self.build_authentication_request(
 user_id=self.domain_admin_user['id'],
diff --git a/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml b/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml
new file mode 100644
index 0000000000..61240a573a
--- /dev/null
+++ b/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml
@@ -0,0 +1,18 @@
+---
+upgrade:
+ - |
+ [`bug 1806762 `_]
+ The domain policies defined in ``policy.v3cloudsample.json``
+ have been removed. These policies are now obsolete after incorporating
+ system-scope into the domain API and implementing default roles.
+ Additionally, the ``identity:get_domain`` policy in
+ ``policy.v3cloudsample.json`` has been relaxed slightly to allow all
+ users with role assignments on a domain to retrieve that domain,
+ as opposed to only allowing users with the ``admin`` role to access
+ that policy.
+fixes:
+ - |
+ [`bug 1806762 `_]
+ The domain policies in ``policy.v3cloudsample.json`` policy file
+ have been removed in favor of better defaults in code. These policies
+ weren't tested exhaustively and were misleading to users and operators.