openstack
/
keystone
Code Issues Proposed changes

Merge "Remove assignment policies from policy.v3cloudsample.json"

This commit is contained in:
Zuul 2019-03-26 06:42:41 +00:00 committed by Gerrit Code Review
parent 8653eecc33 64a455ef94
commit 9940021f3c
3 changed files with 4 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
etc/policy.v3cloudsample.json
View File

@ -89,7 +89,6 @@
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",

3
keystone/tests/unit/test_policy.py
View File

@ -249,7 +249,8 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_service',
'identity:list_services',
'identity:update_service',
'identity:delete_service'
'identity:delete_service',
'identity:list_role_assignments'
]
policy_keys = self._get_default_policy_rules()
for p in removed_policies:

45
keystone/tests/unit/test_v3_protection.py
View File

@ -26,7 +26,6 @@ from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import temporaryfile
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils
CONF = keystone.conf.CONF
@ -1338,8 +1337,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
collection_url = self.build_role_assignment_query_url(
domain_id=self.domainB['id'])
self.get(collection_url, auth=self.auth,
expected_status=http_client.FORBIDDEN)
r = self.get(collection_url, auth=self.auth)
self.assertEqual([], r.json_body['role_assignments'])
def test_domain_user_list_assignments_of_domain_failed(self):
self.auth = self.build_authentication_request(
@ -1404,46 +1403,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_project_admin_list_assignments_of_another_project_failed(self):
projectB = unit.new_project_ref(domain_id=self.domainA['id'])
PROVIDERS.resource_api.create_project(projectB['id'], projectB)
admin_auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
collection_url = self.build_role_assignment_query_url(
project_id=projectB['id'])
self.get(collection_url, auth=admin_auth,
expected_status=exception.ForbiddenAction.code)
@utils.wip('waiting on bug #1437407')
def test_domain_admin_list_assignments_of_project(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
collection_url = self.build_role_assignment_query_url(
project_id=self.project['id'])
r = self.get(collection_url, auth=self.auth)
self.assertValidRoleAssignmentListResponse(
r, expected_length=2, resource_url=collection_url)
project_admin_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.project_admin_user['id'],
role_id=self.admin_role['id'],
inherited_to_projects=False)
project_user_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.just_a_user['id'],
role_id=self.role['id'],
inherited_to_projects=False)
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_domain_admin_list_assignment_tree(self):
# Add a child project to the standard test data
sub_project = unit.new_project_ref(domain_id=self.domainA['id'],