Merge "Remove role policies from policy.v3cloudsample.json"

etc/policy.v3cloudsample.json

@@ -70,12 +70,6 @@
     "identity:ec2_create_credential": "rule:admin_required or rule:owner",
     "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:cloud_admin",
-    "identity:update_role": "rule:cloud_admin",
-    "identity:delete_role": "rule:cloud_admin",
-
     "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
     "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
     "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",

keystone/tests/unit/test_policy.py

@@ -196,6 +196,11 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:list_service_providers',
             'identity:update_service_provider',
             'identity:delete_service_provider',
+            'identity:create_role',
+            'identity:get_role',
+            'identity:list_roles',
+            'identity:update_role',
+            'identity:delete_role',
             'identity:create_region',
             'identity:get_region',
             'identity:list_regions',

keystone/tests/unit/test_v3_protection.py

@@ -1816,28 +1816,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 
         self._role_management_cases(expected=exception.ForbiddenAction.code)
 
-    def test_role_management_with_project_admin(self):
-        # A project admin user should be able to get and list, but not be able
-        # to create/update/delete global roles
-        self.auth = self.build_authentication_request(
-            user_id=self.project_admin_user['id'],
-            password=self.project_admin_user['password'],
-            project_id=self.project['id'])
-
-        self._role_management_cases(read_status_OK=True,
-                                    expected=exception.ForbiddenAction.code)
-
-    def test_role_management_with_domain_admin(self):
-        # A domain admin user should be able to get and list, but not be able
-        # to create/update/delete global roles
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._role_management_cases(read_status_OK=True,
-                                    expected=exception.ForbiddenAction.code)
-
     def test_role_management_with_cloud_admin(self):
         # A cloud admin user should have rights to manipulate global roles
         self.auth = self.build_authentication_request(

releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml

@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    [`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
+    The role policies defined in ``policy.v3cloudsample.json`` have
+    been removed. These policies are now obsolete after incorporating
+    system-scope into the role API and implementing default roles.
+fixes:
+  - |
+    [`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
+    The role policies in ``policy.v3cloudsample.json`` policy file
+    have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.
+
+