
Remove idp policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default idp behavior
by removing them.

Change-Id: I6091d1cdbc4e1fa3a3d5f83a707f003416a43ea0
Closes-Bug: 1804517
tags/15.0.0.0rc1
Lance Bragstad 1 year ago
parent
commit
c0e6d4498a
3 changed files with 22 additions and 7 deletions
  1. etc/policy.v3cloudsample.json (+0, -6)
  2. keystone/tests/unit/test_policy.py (+6, -1)
  3. releasenotes/notes/bug-1804517-a351aec088fee066.yaml (+16, -0)

etc/policy.v3cloudsample.json (+0, -6)

@@ -183,12 +183,6 @@
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",

"identity:create_identity_provider": "rule:cloud_admin",
"identity:list_identity_providers": "rule:cloud_admin",
"identity:get_identity_provider": "rule:cloud_admin",
"identity:update_identity_provider": "rule:cloud_admin",
"identity:delete_identity_provider": "rule:cloud_admin",

"identity:create_protocol": "rule:cloud_admin",
"identity:update_protocol": "rule:cloud_admin",
"identity:get_protocol": "rule:cloud_admin",
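Review bot: the five `identity:*_identity_provider` rules are dropped here, but the `identity:create_protocol`, `identity:update_protocol` and `identity:get_protocol` rules directly below them still pin the federation protocol API to `rule:cloud_admin`, so the sample file is left half-migrated for the federation API after this hunk. Either remove the protocol rules in the same change (with matching entries in `removed_policies` and the release note) or state in the commit message why protocol is deliberately left for a follow-up, since the stated goal is a consistent, unified view of default federation behaviour.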

keystone/tests/unit/test_policy.py (+6, -1)

@@ -205,7 +205,12 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_mapping',
'identity:list_mappings',
'identity:update_mapping',
'identity:delete_mapping'
'identity:delete_mapping',
'identity:create_identity_provider',
'identity:get_identity_provider',
'identity:list_identity_providers',
'identity:update_identity_provider',
'identity:delete_identity_provider'
]
policy_keys = self._get_default_policy_rules()
for p in removed_policies:
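Review bot: the added trailing comma on `'identity:delete_mapping',` is required, because without it Python would silently concatenate that literal with `'identity:create_identity_provider'` into one bogus policy name and the loop over `removed_policies` would assert on a key that never existed; the new last element `'identity:delete_identity_provider'` recreates exactly that trap for the next person who appends to the list. Close the list with a trailing comma, i.e. `'identity:delete_identity_provider',` before the `]`, so future additions cannot merge strings unnoticed.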

releasenotes/notes/bug-1804517-a351aec088fee066.yaml (+16, -0)

@@ -0,0 +1,16 @@
---
upgrade:
- |
[`bug 1804517 <https://bugs.launchpad.net/keystone/+bug/1804517>`_]
The federated identity provider policies defined in
``policy.v3cloudsample.json`` have been removed. These policies
are now obsolete after incorporating system-scope into the
identity provider API and implementing default roles.
fixes:
- |
[`bug 1804517 <https://bugs.launchpad.net/keystone/+bug/1804517>`_]
The federated identity provider policies in
``policy.v3cloudsample.json`` policy file have been removed in
favor of better defaults in code. These policies weren't tested
exhaustively and were misleading to users and operators.
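Review bot: neither the `upgrade` nor the `fixes` entry tells an operator what governs the identity provider API once these overrides are gone, so someone who copied `rule:cloud_admin` from this sample cannot tell from the note whether the in-code default is narrower or broader than what they had; the `upgrade` entry should name the default role and scope that now apply (or point at the policy reference) rather than only saying the rules were removed. Minor: "policies in ``policy.v3cloudsample.json`` policy file" in the `fixes` entry repeats "policy"; drop one of the words.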
