diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index df43a8b44d..d9d31f9ddf 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -70,12 +70,6 @@
     "identity:ec2_create_credential": "rule:admin_required or rule:owner",
     "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:cloud_admin",
-    "identity:update_role": "rule:cloud_admin",
-    "identity:delete_role": "rule:cloud_admin",
-
     "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
     "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
     "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index dfb5aa7ce5..df3178bcef 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -196,6 +196,11 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:list_service_providers',
             'identity:update_service_provider',
             'identity:delete_service_provider',
+            'identity:create_role',
+            'identity:get_role',
+            'identity:list_roles',
+            'identity:update_role',
+            'identity:delete_role',
             'identity:create_region',
             'identity:get_region',
             'identity:list_regions',
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index 6e82a851ed..c60371d0c2 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
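Review bot: The in-code defaults that now govern `identity:get_role`, `identity:list_roles`, `identity:create_role`, `identity:update_role` and `identity:delete_role` are not visible in this change, so nothing here shows that they are at least as restrictive as the `rule:cloud_admin` guard on create/update/delete and the `rule:admin_required` guard on get/list that the sample drops, which is the property an operator who still loads this file implicitly relies on. The same gap shows in keystone/tests/unit/test_v3_protection.py, where the project-admin and domain-admin negative cases for global role management are deleted with no replacement visible in this diff. Because JSON carries no comments, the release note is the only place to point readers at the module that registers the role policies in code, and it currently names none. The `identity:*_domain_role` entries that follow remain in the sample, so the file now documents domain-role policy but not global-role policy; a sentence in the note saying that the two are deliberately handled differently would prevent the obvious misreading.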
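Review bot: The list these five names join, and the assertion that consumes it, both lie outside the hunk, so the diff does not show what membership means; if this is the set of targets expected to be defined only in code and absent from the sample file, that intent deserves a comment at the head of the list, e.g. `# Targets registered in code only; deliberately absent from policy.v3cloudsample.json.`, because this test appears to be the only check that the sample and the in-code registry stay in step. The added entries follow the create/get/list/update/delete order of the region block beneath them, which is consistent with the surrounding style. The enclosing test method starts and ends outside the hunk.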
@@ -1816,28 +1816,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         self._role_management_cases(expected=exception.ForbiddenAction.code)
-    def test_role_management_with_project_admin(self):
-        # A project admin user should be able to get and list, but not be able
-        # to create/update/delete global roles
-        self.auth = self.build_authentication_request(
-            user_id=self.project_admin_user['id'],
-            password=self.project_admin_user['password'],
-            project_id=self.project['id'])
-
-        self._role_management_cases(read_status_OK=True, expected=exception.ForbiddenAction.code)
-
-    def test_role_management_with_domain_admin(self):
-        # A domain admin user should be able to get and list, but not be able
-        # to create/update/delete global roles
-        self.auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        self._role_management_cases(read_status_OK=True, expected=exception.ForbiddenAction.code)
-
     def test_role_management_with_cloud_admin(self):
         # A cloud admin user should have rights to manipulate global roles
         self.auth = self.build_authentication_request(
diff --git a/releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml b/releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml
new file mode 100644
index 0000000000..ee35ae5791
--- /dev/null
+++ b/releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    [`bug 1806713 `_]
+    The role policies defined in ``policy.v3cloudsample.json`` have
+    been removed. These policies are now obsolete after incorporating
+    system-scope into the role API and implementing default roles.
+fixes:
+  - |
+    [`bug 1806713 `_]
+    The role policies in ``policy.v3cloudsample.json`` policy file
+    have been removed in favor of better defaults in code. These
+    policies weren't tested exhaustively and were misleading to users
+    and operators.
+
+