Remove redundant policies from v3cloudsample

By incorporating system and domain scope and default roles into keystone's default policies for domains, we've effectively made these policies obsolete. This change also removes the redundant group management tests from the v3cloudsample tests. Change-Id: I4e3b19f9cc025a472fb27a33955856c2cd17fd1d Partial-Bug: #1806762
2019-03-25 20:39:08 +01:00 · 2019-03-25 20:39:08 +01:00 · 8877e9f01c
commit 8877e9f01c
parent be452fee80
4 changed files with 26 additions and 40 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -24,20 +24,6 @@
    "identity:delete_project_tags": "rule:admin_required",
    "identity:update_project_tags": "rule:admin_required",

-    "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
-    "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
-    "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
-    "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
-    "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
-    "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
    "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
    "identity:ec2_create_credential": "rule:admin_required or rule:owner",
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -255,7 +255,17 @@ class PolicyJsonTestCase(unit.TestCase):
            'identity:get_user',
            'identity:list_users',
            'identity:update_user',
-            'identity:delete_user'
+            'identity:delete_user',
+            'identity:get_group',
+            'identity:list_groups',
+            'identity:list_groups_for_user',
+            'identity:create_group',
+            'identity:update_group',
+            'identity:delete_group',
+            'identity:list_users_in_group',
+            'identity:remove_user_from_group',
+            'identity:check_user_in_group',
+            'identity:add_user_to_group'
        ]
        policy_keys = self._get_default_policy_rules()
        for p in removed_policies:
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -919,31 +919,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        self.post('/roles', auth=self.auth, body={'role': role_ref},
                  expected_status=status_created)

-    def test_group_management(self):
-        # First, authenticate with a user that does not have the domain
-        # admin role - shouldn't be able to do much.
-        self.auth = self.build_authentication_request(
-            user_id=self.just_a_user['id'],
-            password=self.just_a_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_group_management(
-            self.group1, expected=exception.ForbiddenAction.code)
-
-        # ...but should be able to list groups of which they are a member
-        url = '/users/%s/groups' % self.just_a_user['id']
-        self.get(url, auth=self.auth)
-
-        # Now, authenticate with a user that does have the domain admin role
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._test_group_management(self.group1)
-        self._test_group_management(self.group3,
-                                    expected=exception.ForbiddenAction.code)
-
    def test_group_management_by_cloud_admin(self):
        # Test groups management with a cloud admin. This user should
        # be able to manage groups in any domain.
--- a/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
+++ b/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    [`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
+    The group policies defined in ``policy.v3cloudsample.json`` have
+    been removed. These policies are now obsolete after incorporating
+    system-scope and domain-scope into the groups API and implementing default
+    roles.
+fixes:
+  - |
+    [`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
+    The group policies in ``policy.v3cloudsample.json`` policy file
+    have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.