Remove domain policies from policy.v3cloudsample.json

By incorporating system scope and default roles into keystone's
default policies for domains, we've effectively made these policies
obsolete.

Related-Bug: 1806762

Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767
This commit is contained in:
Lance Bragstad 2018-09-27 22:08:55 +00:00
parent 00663f93b7
commit 87e50c029e
4 changed files with 24 additions and 58 deletions


@ -29,12 +29,6 @@
"identity:update_limit": "rule:admin_required", "identity:update_limit": "rule:admin_required",
"identity:delete_limit": "rule:admin_required", "identity:delete_limit": "rule:admin_required",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",
"identity:update_domain": "rule:cloud_admin",
"identity:delete_domain": "rule:cloud_admin",
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s", "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s", "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s", "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",


@ -210,7 +210,12 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_identity_provider', 'identity:get_identity_provider',
'identity:list_identity_providers', 'identity:list_identity_providers',
'identity:update_identity_provider', 'identity:update_identity_provider',
'identity:delete_identity_provider' 'identity:delete_identity_provider',
'identity:create_domain',
'identity:get_domain',
'identity:list_domains',
'identity:update_domain',
'identity:delete_domain'
] ]
policy_keys = self._get_default_policy_rules() policy_keys = self._get_default_policy_rules()
for p in removed_policies: for p in removed_policies:
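Review bot: The five domain entries added to `removed_policies` carry no explanation of why they sit next to the identity-provider entries, and the last one, `'identity:delete_domain'`, again omits the trailing comma that this very hunk had to add after `'identity:delete_identity_provider'`. Put a short comment above the new entries, e.g. `# Domain policies were dropped from policy.v3cloudsample.json in favor of the in-code defaults (bug 1806762); they must not reappear.`, and write the last entry as `'identity:delete_domain',` so the next addition is a one-line change. Note that this loop only proves the keys are absent from the sample file; whether the in-code defaults enforce the same domain scoping is not checked here, and may need coverage elsewhere. The `removed_policies` list and its enclosing test method both start before this hunk.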


@ -859,25 +859,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.post('/projects', auth=self.auth, body={'project': proj_ref}, self.post('/projects', auth=self.auth, body={'project': proj_ref},
expected_status=status_created) expected_status=status_created)
def _test_domain_management(self, expected=None):
status_OK, status_created, status_no_data = self._stati(expected)
entity_url = '/domains/%s' % self.domainB['id']
list_url = '/domains'
self.get(entity_url, auth=self.auth,
expected_status=status_OK)
self.get(list_url, auth=self.auth,
expected_status=status_OK)
domain = {'description': 'Updated', 'enabled': False}
self.patch(entity_url, auth=self.auth, body={'domain': domain},
expected_status=status_OK)
self.delete(entity_url, auth=self.auth,
expected_status=status_no_data)
domain_ref = unit.new_domain_ref()
self.post('/domains', auth=self.auth, body={'domain': domain_ref},
expected_status=status_created)
def _test_grants(self, target, entity_id, role_domain_id=None, def _test_grants(self, target, entity_id, role_domain_id=None,
list_status_OK=False, expected=None): list_status_OK=False, expected=None):
status_OK, status_created, status_no_data = self._stati(expected) status_OK, status_created, status_no_data = self._stati(expected)
@ -1523,38 +1504,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.get(collection_url, auth=self.auth, self.get(collection_url, auth=self.auth,
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
def test_cloud_admin(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
self._test_domain_management(
expected=exception.ForbiddenAction.code)
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
self._test_domain_management()
def test_admin_project(self):
self.auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
self._test_domain_management(
expected=exception.ForbiddenAction.code)
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
self._test_domain_management()
def test_domain_admin_get_domain(self): def test_domain_admin_get_domain(self):
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'], user_id=self.domain_admin_user['id'],


@ -0,0 +1,18 @@
---
upgrade:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
The domain policies defined in ``policy.v3cloudsample.json``
have been removed. These policies are now obsolete after incorporating
system-scope into the domain API and implementing default roles.
Additionally, the ``identity:get_domain`` policy in
``policy.v3cloudsample.json`` has been relaxed slightly to allow all
users with role assignments on a domain to retrieve that domain,
as opposed to only allowing users with the ``admin`` role to access
that policy.
fixes:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
The domain policies in ``policy.v3cloudsample.json`` policy file
have been removed in favor of better defaults in code. These policies
weren't tested exhaustively and were misleading to users and operators.