Merge "Remove role policies from policy.v3cloudsample.json"

This commit is contained in:
Zuul 2019-02-28 03:46:50 +00:00 committed by Gerrit Code Review
commit a0091f6a09
4 changed files with 21 additions and 28 deletions


@ -70,12 +70,6 @@
"identity:ec2_create_credential": "rule:admin_required or rule:owner", "identity:ec2_create_credential": "rule:admin_required or rule:owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:cloud_admin",
"identity:update_role": "rule:cloud_admin",
"identity:delete_role": "rule:cloud_admin",
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles", "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles", "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role", "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",


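--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -196,6 +196,11 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:list_service_providers',
 'identity:update_service_provider',
 'identity:delete_service_provider',
+'identity:create_role',
+'identity:get_role',
+'identity:list_roles',
+'identity:update_role',
+'identity:delete_role',
 'identity:create_region',
 'identity:get_region',
 'identity:list_regions',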
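Review bot: The five role targets added after `'identity:delete_service_provider'` go into a list whose purpose is not visible here (the enclosing definition in PolicyJsonTestCase starts and ends outside the hunk); if it is the list of targets deliberately absent from policy.v3cloudsample.json, a comment should say so, since a later reader otherwise cannot tell an intentional omission from a policy that was simply forgotten. A short note above the new entries, `# Role policies were dropped from policy.v3cloudsample.json (bug 1806713);` followed by `# the in-code defaults now govern these targets.`, ties the test to the change. It is also worth stating in that comment that deployments using the sample file fall back to the in-code defaults for these five operations, which appears to be the behaviour the release note in this commit describes.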


@ -1816,28 +1816,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self._role_management_cases(expected=exception.ForbiddenAction.code) self._role_management_cases(expected=exception.ForbiddenAction.code)
def test_role_management_with_project_admin(self):
# A project admin user should be able to get and list, but not be able
# to create/update/delete global roles
self.auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
self._role_management_cases(read_status_OK=True,
expected=exception.ForbiddenAction.code)
def test_role_management_with_domain_admin(self):
# A domain admin user should be able to get and list, but not be able
# to create/update/delete global roles
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
self._role_management_cases(read_status_OK=True,
expected=exception.ForbiddenAction.code)
def test_role_management_with_cloud_admin(self): def test_role_management_with_cloud_admin(self):
# A cloud admin user should have rights to manipulate global roles # A cloud admin user should have rights to manipulate global roles
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(


@ -0,0 +1,16 @@
---
upgrade:
- |
[`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
The role policies defined in ``policy.v3cloudsample.json`` have
been removed. These policies are now obsolete after incorporating
system-scope into the role API and implementing default roles.
fixes:
- |
[`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
The role policies in ``policy.v3cloudsample.json`` policy file
have been removed in favor of better defaults in code. These
policies weren't tested exhaustively and were misleading to users
and operators.