Remove domain policies from policy.v3cloudsample.json
By incorporating system scope and default roles into keystone's default policies for domains, we've effectively made these policies obsolete. Related-Bug: 1806762 Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767
This commit is contained in:
parent
00663f93b7
commit
87e50c029e
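--- a/policy.v3cloudsample.json
+++ b/policy.v3cloudsample.json
@@ -29,12 +29,6 @@
 "identity:update_limit": "rule:admin_required",
 "identity:delete_limit": "rule:admin_required",
 
-"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
-"identity:list_domains": "rule:cloud_admin",
-"identity:create_domain": "rule:cloud_admin",
-"identity:update_domain": "rule:cloud_admin",
-"identity:delete_domain": "rule:cloud_admin",
-
 "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
 "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
 "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",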
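Review bot: The release note added in this commit says the `identity:get_domain` policy in policy.v3cloudsample.json "has been relaxed slightly to allow all users with role assignments on a domain", but this hunk deletes the `identity:get_domain` rule from the sample file outright rather than rewriting it, so one of the two should be corrected before operators read the note as describing a rule the sample no longer defines. After this deletion a deployment that loads the sample file falls back to keystone's in-code default for the five removed domain operations, which the commit message states is the intent; since JSON allows no comment next to the removed lines, the release note is the place to say explicitly that the sample no longer overrides these rules. The two test hunks in this commit also drop the checks that a domain-scoped admin and a project admin receive ForbiddenAction for domain management under the sample policy; it is worth confirming that equivalent negative coverage exists for the in-code defaults.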
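--- a/PATH_NOT_ON_PAGE/PolicyJsonTestCase_module.py
+++ b/PATH_NOT_ON_PAGE/PolicyJsonTestCase_module.py
@@ -210,7 +210,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_identity_provider',
 'identity:list_identity_providers',
 'identity:update_identity_provider',
-'identity:delete_identity_provider'
+'identity:delete_identity_provider',
+'identity:create_domain',
+'identity:get_domain',
+'identity:list_domains',
+'identity:update_domain',
+'identity:delete_domain'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies: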
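Review bot: The new last element `'identity:delete_domain'` omits the trailing comma, which is exactly why this hunk had to touch `'identity:delete_identity_provider'` to append after it; writing it as `'identity:delete_domain',` keeps the next addition to `removed_policies` to a one-line diff. The `removed_policies` list and the enclosing test method start before this hunk.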
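--- a/PATH_NOT_ON_PAGE/IdentityTestv3CloudPolicySample_module.py
+++ b/PATH_NOT_ON_PAGE/IdentityTestv3CloudPolicySample_module.py
@@ -859,25 +859,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 self.post('/projects', auth=self.auth, body={'project': proj_ref},
 expected_status=status_created)
 
-def _test_domain_management(self, expected=None):
-status_OK, status_created, status_no_data = self._stati(expected)
-entity_url = '/domains/%s' % self.domainB['id']
-list_url = '/domains'
-
-self.get(entity_url, auth=self.auth,
-expected_status=status_OK)
-self.get(list_url, auth=self.auth,
-expected_status=status_OK)
-domain = {'description': 'Updated', 'enabled': False}
-self.patch(entity_url, auth=self.auth, body={'domain': domain},
-expected_status=status_OK)
-self.delete(entity_url, auth=self.auth,
-expected_status=status_no_data)
-
-domain_ref = unit.new_domain_ref()
-self.post('/domains', auth=self.auth, body={'domain': domain_ref},
-expected_status=status_created)
-
 def _test_grants(self, target, entity_id, role_domain_id=None,
 list_status_OK=False, expected=None):
 status_OK, status_created, status_no_data = self._stati(expected)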
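--- a/PATH_NOT_ON_PAGE/IdentityTestv3CloudPolicySample_module.py
+++ b/PATH_NOT_ON_PAGE/IdentityTestv3CloudPolicySample_module.py
@@ -1523,38 +1504,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 self.get(collection_url, auth=self.auth,
 expected_status=http_client.FORBIDDEN)
 
-def test_cloud_admin(self):
-self.auth = self.build_authentication_request(
-user_id=self.domain_admin_user['id'],
-password=self.domain_admin_user['password'],
-domain_id=self.domainA['id'])
-
-self._test_domain_management(
-expected=exception.ForbiddenAction.code)
-
-self.auth = self.build_authentication_request(
-user_id=self.cloud_admin_user['id'],
-password=self.cloud_admin_user['password'],
-project_id=self.admin_project['id'])
-
-self._test_domain_management()
-
-def test_admin_project(self):
-self.auth = self.build_authentication_request(
-user_id=self.project_admin_user['id'],
-password=self.project_admin_user['password'],
-project_id=self.project['id'])
-
-self._test_domain_management(
-expected=exception.ForbiddenAction.code)
-
-self.auth = self.build_authentication_request(
-user_id=self.cloud_admin_user['id'],
-password=self.cloud_admin_user['password'],
-project_id=self.admin_project['id'])
-
-self._test_domain_management()
-
 def test_domain_admin_get_domain(self):
 self.auth = self.build_authentication_request(
 user_id=self.domain_admin_user['id'],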
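--- /dev/null
+++ b/PATH_NOT_ON_PAGE/release-note.yaml
@@ -0,0 +1,18 @@
+---
+upgrade:
+- |
+[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+The domain policies defined in ``policy.v3cloudsample.json``
+have been removed. These policies are now obsolete after incorporating
+system-scope into the domain API and implementing default roles.
+Additionally, the ``identity:get_domain`` policy in
+``policy.v3cloudsample.json`` has been relaxed slightly to allow all
+users with role assignments on a domain to retrieve that domain,
+as opposed to only allowing users with the ``admin`` role to access
+that policy.
+fixes:
+- |
+[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+The domain policies in ``policy.v3cloudsample.json`` policy file
+have been removed in favor of better defaults in code. These policies
+weren't tested exhaustively and were misleading to users and operators.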