Browse Source

Remove system assignment policies from policy.v3cloudsample.json

By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: I7a17c2baa6e23b6a5d8fe21668a66ea8c8a89232
Partial-Bug: 1806762
(cherry picked from commit 0dbc8a88e8)
changes/81/647681/1
Lance Bragstad 3 years ago
committed by Colleen Murphy
parent
commit
b7a64a9315
  1. 10
      etc/policy.v3cloudsample.json
  2. 8
      keystone/tests/unit/test_policy.py

10
etc/policy.v3cloudsample.json

@ -80,16 +80,6 @@
"identity:list_role_inference_rules": "rule:cloud_admin",
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:list_system_grants_for_user": "rule:admin_required",
"identity:check_system_grant_for_user": "rule:admin_required",
"identity:create_system_grant_for_user": "rule:admin_required",
"identity:revoke_system_grant_for_user": "rule:admin_required",
"identity:list_system_grants_for_group": "rule:admin_required",
"identity:check_system_grant_for_group": "rule:admin_required",
"identity:create_system_grant_for_group": "rule:admin_required",
"identity:revoke_system_grant_for_group": "rule:admin_required",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

8
keystone/tests/unit/test_policy.py

@ -201,6 +201,14 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:list_roles',
'identity:update_role',
'identity:delete_role',
'identity:list_system_grants_for_user',
'identity:check_system_grant_for_user',
'identity:create_system_grant_for_user',
'identity:revoke_system_grant_for_user',
'identity:list_system_grants_for_group',
'identity:check_system_grant_for_group',
'identity:create_system_grant_for_group',
'identity:revoke_system_grant_for_group',
'identity:create_region',
'identity:get_region',
'identity:list_regions',

Loading…
Cancel
Save