Merge "Remove role policies from policy.v3cloudsample.json"
This commit is contained in:
commit
a0091f6a09
@ -70,12 +70,6 @@
|
|||||||
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
||||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||||
|
|
||||||
"identity:get_role": "rule:admin_required",
|
|
||||||
"identity:list_roles": "rule:admin_required",
|
|
||||||
"identity:create_role": "rule:cloud_admin",
|
|
||||||
"identity:update_role": "rule:cloud_admin",
|
|
||||||
"identity:delete_role": "rule:cloud_admin",
|
|
||||||
|
|
||||||
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
|
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
|
||||||
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
|
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
|
||||||
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
|
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
|
||||||
|
@ -196,6 +196,11 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||||||
'identity:list_service_providers',
|
'identity:list_service_providers',
|
||||||
'identity:update_service_provider',
|
'identity:update_service_provider',
|
||||||
'identity:delete_service_provider',
|
'identity:delete_service_provider',
|
||||||
|
'identity:create_role',
|
||||||
|
'identity:get_role',
|
||||||
|
'identity:list_roles',
|
||||||
|
'identity:update_role',
|
||||||
|
'identity:delete_role',
|
||||||
'identity:create_region',
|
'identity:create_region',
|
||||||
'identity:get_region',
|
'identity:get_region',
|
||||||
'identity:list_regions',
|
'identity:list_regions',
|
||||||
|
@ -1816,28 +1816,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||||||
|
|
||||||
self._role_management_cases(expected=exception.ForbiddenAction.code)
|
self._role_management_cases(expected=exception.ForbiddenAction.code)
|
||||||
|
|
||||||
def test_role_management_with_project_admin(self):
|
|
||||||
# A project admin user should be able to get and list, but not be able
|
|
||||||
# to create/update/delete global roles
|
|
||||||
self.auth = self.build_authentication_request(
|
|
||||||
user_id=self.project_admin_user['id'],
|
|
||||||
password=self.project_admin_user['password'],
|
|
||||||
project_id=self.project['id'])
|
|
||||||
|
|
||||||
self._role_management_cases(read_status_OK=True,
|
|
||||||
expected=exception.ForbiddenAction.code)
|
|
||||||
|
|
||||||
def test_role_management_with_domain_admin(self):
|
|
||||||
# A domain admin user should be able to get and list, but not be able
|
|
||||||
# to create/update/delete global roles
|
|
||||||
self.auth = self.build_authentication_request(
|
|
||||||
user_id=self.domain_admin_user['id'],
|
|
||||||
password=self.domain_admin_user['password'],
|
|
||||||
domain_id=self.domainA['id'])
|
|
||||||
|
|
||||||
self._role_management_cases(read_status_OK=True,
|
|
||||||
expected=exception.ForbiddenAction.code)
|
|
||||||
|
|
||||||
def test_role_management_with_cloud_admin(self):
|
def test_role_management_with_cloud_admin(self):
|
||||||
# A cloud admin user should have rights to manipulate global roles
|
# A cloud admin user should have rights to manipulate global roles
|
||||||
self.auth = self.build_authentication_request(
|
self.auth = self.build_authentication_request(
|
||||||
|
16
releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml
Normal file
16
releasenotes/notes/bug-1806713-cf5feab23fc78a23.yaml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
[`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
|
||||||
|
The role policies defined in ``policy.v3cloudsample.json`` have
|
||||||
|
been removed. These policies are now obsolete after incorporating
|
||||||
|
system-scope into the role API and implementing default roles.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1806713 <https://bugs.launchpad.net/keystone/+bug/1806713>`_]
|
||||||
|
The role policies in ``policy.v3cloudsample.json`` policy file
|
||||||
|
have been removed in favor of better defaults in code. These
|
||||||
|
policies weren't tested exhaustively and were misleading to users
|
||||||
|
and operators.
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user