DRY: Remove redundant policies from policy.v3cloudsample.json
The policies contained in policy.v3cloudsample.json pre-dated any of
the work to move policy defaults into code. Since deploying a policy
file is now optional, we can remove the redundant policies from this
file and make it more maintainable by not repeating ourselves and
violating the DRY principle.
The only policies left are ones that are testing workarounds for bug
968696. Meanwhile, we're pursuing fixes for scope types and default
roles:
http://tinyurl.com/y5kj6fn9
These fixes are specific to certain resources to make reviews more
understandable for reviewers. As fixes for those bugs land, we will
be removing the remaining checks in this file, since the behavior will
be captured in new default check strings or in code.
Eventually, we will delete this file entirely since we will have
defaults in code that work for `admins`, `members`, and `readers` on
projects, domains, and the deployment system.
Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83
Partial-Bug: 1806762
(cherry picked from commit bb141b1fb4
)
parent
2c102cad47
commit
c78581b460
|
@ -1,8 +1,6 @@
|
||||||
{
|
{
|
||||||
"admin_required": "role:admin",
|
"admin_required": "role:admin",
|
||||||
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
||||||
"service_role": "role:service",
|
|
||||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
|
||||||
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
||||||
|
@ -10,24 +8,16 @@
|
||||||
|
|
||||||
"default": "rule:admin_required",
|
"default": "rule:admin_required",
|
||||||
|
|
||||||
"identity:get_limit_model": "",
|
|
||||||
"identity:get_limit": "",
|
"identity:get_limit": "",
|
||||||
"identity:list_limits": "",
|
|
||||||
"identity:create_limits": "rule:admin_required",
|
"identity:create_limits": "rule:admin_required",
|
||||||
"identity:update_limit": "rule:admin_required",
|
"identity:update_limit": "rule:admin_required",
|
||||||
"identity:delete_limit": "rule:admin_required",
|
"identity:delete_limit": "rule:admin_required",
|
||||||
|
|
||||||
"identity:create_project_tag": "rule:admin_required",
|
|
||||||
"identity:delete_project_tag": "rule:admin_required",
|
|
||||||
"identity:get_project_tag": "rule:admin_required",
|
"identity:get_project_tag": "rule:admin_required",
|
||||||
"identity:list_project_tags": "rule:admin_required",
|
"identity:list_project_tags": "rule:admin_required",
|
||||||
"identity:delete_project_tags": "rule:admin_required",
|
|
||||||
"identity:update_project_tags": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
|
||||||
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
||||||
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
||||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
|
||||||
|
|
||||||
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
|
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
|
||||||
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
|
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
|
||||||
|
@ -78,57 +68,8 @@
|
||||||
"identity:check_token": "rule:admin_or_owner",
|
"identity:check_token": "rule:admin_or_owner",
|
||||||
"identity:validate_token": "rule:service_admin_or_owner",
|
"identity:validate_token": "rule:service_admin_or_owner",
|
||||||
"identity:validate_token_head": "rule:service_or_admin",
|
"identity:validate_token_head": "rule:service_or_admin",
|
||||||
"identity:revocation_list": "rule:service_or_admin",
|
|
||||||
"identity:revoke_token": "rule:admin_or_owner",
|
"identity:revoke_token": "rule:admin_or_owner",
|
||||||
|
|
||||||
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
|
||||||
"identity:list_trusts": "",
|
|
||||||
"identity:list_roles_for_trust": "",
|
|
||||||
"identity:get_role_for_trust": "",
|
|
||||||
"identity:delete_trust": "",
|
|
||||||
"identity:get_trust": "",
|
|
||||||
|
|
||||||
"identity:create_consumer": "rule:admin_required",
|
|
||||||
"identity:get_consumer": "rule:admin_required",
|
|
||||||
"identity:list_consumers": "rule:admin_required",
|
|
||||||
"identity:delete_consumer": "rule:admin_required",
|
|
||||||
"identity:update_consumer": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:authorize_request_token": "rule:admin_required",
|
|
||||||
"identity:list_access_token_roles": "rule:admin_required",
|
|
||||||
"identity:get_access_token_role": "rule:admin_required",
|
|
||||||
"identity:list_access_tokens": "rule:admin_required",
|
|
||||||
"identity:get_access_token": "rule:admin_required",
|
|
||||||
"identity:delete_access_token": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:list_projects_for_endpoint": "rule:admin_required",
|
|
||||||
"identity:add_endpoint_to_project": "rule:admin_required",
|
|
||||||
"identity:check_endpoint_in_project": "rule:admin_required",
|
|
||||||
"identity:list_endpoints_for_project": "rule:admin_required",
|
|
||||||
"identity:remove_endpoint_from_project": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:create_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_endpoint_groups": "rule:admin_required",
|
|
||||||
"identity:get_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:update_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:delete_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
|
||||||
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
|
||||||
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
|
||||||
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
|
||||||
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
|
||||||
|
|
||||||
"identity:get_auth_catalog": "",
|
|
||||||
"identity:get_auth_projects": "",
|
|
||||||
"identity:get_auth_domains": "",
|
|
||||||
"identity:get_auth_system": "",
|
|
||||||
|
|
||||||
"identity:list_projects_for_user": "",
|
|
||||||
"identity:list_domains_for_user": "",
|
|
||||||
|
|
||||||
"identity:list_revoke_events": "rule:service_or_admin",
|
|
||||||
|
|
||||||
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
|
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
|
||||||
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
|
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
|
||||||
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
|
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
|
||||||
|
@ -143,13 +84,7 @@
|
||||||
|
|
||||||
"identity:create_domain_config": "rule:cloud_admin",
|
"identity:create_domain_config": "rule:cloud_admin",
|
||||||
"identity:get_domain_config": "rule:cloud_admin",
|
"identity:get_domain_config": "rule:cloud_admin",
|
||||||
"identity:get_security_compliance_domain_config": "",
|
|
||||||
"identity:update_domain_config": "rule:cloud_admin",
|
"identity:update_domain_config": "rule:cloud_admin",
|
||||||
"identity:delete_domain_config": "rule:cloud_admin",
|
"identity:delete_domain_config": "rule:cloud_admin",
|
||||||
"identity:get_domain_config_default": "rule:cloud_admin",
|
"identity:get_domain_config_default": "rule:cloud_admin"
|
||||||
|
|
||||||
"identity:get_application_credential": "rule:admin_or_owner",
|
|
||||||
"identity:list_application_credentials": "rule:admin_or_owner",
|
|
||||||
"identity:create_application_credential": "rule:admin_or_owner",
|
|
||||||
"identity:delete_application_credential": "rule:admin_or_owner"
|
|
||||||
}
|
}
|
||||||
|
|
|
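Review bot: `identity:validate_token_head` is kept in the third hunk as `"rule:service_or_admin"`, but the first hunk deletes the definitions of `service_or_admin` and of `service_role` it is built on from this file, so that reference now resolves only if the in-code defaults register rules with exactly those names; the same question applies to `rule:service_admin_or_owner` on `identity:validate_token`, whose definition is not visible in this page. As far as I recall oslo.policy evaluates a `rule:` reference to an unregistered name as false, so a name mismatch would fail closed, but it would silently deny HEAD token validation to service users deploying this sample. Worth confirming the in-code rule names before merge, and since JSON carries no comments, the release note is the place to state that the remaining overrides depend on named rules defined in code. The `identity:get_domain_config_default` line in the last hunk changes only its trailing comma, which is correct now that it closes the object.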
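--- a/[test module path not shown on page]
+++ b/[test module path not shown on page]
@@ -181,6 +181,62 @@ class PolicyJsonTestCase(unit.TestCase):
 # TODO(lbragstad): Once all policies have been removed from
 # policy.v3cloudsample.json, remove this test.
 removed_policies = [
+'service_role',
+'service_or_admin',
+'identity:get_limit_model',
+'identity:list_limits',
+'identity:create_project_tag',
+'identity:delete_project_tag',
+'identity:delete_project_tags',
+'identity:update_project_tags',
+'identity:ec2_get_credential',
+'identity:ec2_delete_credential',
+'identity:revocation_list',
+'identity:create_trust',
+'identity:list_trusts',
+'identity:list_roles_for_trust',
+'identity:get_role_for_trust',
+'identity:delete_trust',
+'identity:get_trust',
+'identity:create_consumer',
+'identity:get_consumer',
+'identity:list_consumers',
+'identity:delete_consumer',
+'identity:update_consumer',
+'identity:authorize_request_token',
+'identity:list_access_token_roles',
+'identity:get_access_token_role',
+'identity:list_access_tokens',
+'identity:get_access_token',
+'identity:delete_access_token',
+'identity:list_projects_for_endpoint',
+'identity:add_endpoint_to_project',
+'identity:check_endpoint_in_project',
+'identity:list_endpoints_for_project',
+'identity:remove_endpoint_from_project',
+'identity:create_endpoint_group',
+'identity:list_endpoint_groups',
+'identity:get_endpoint_group',
+'identity:update_endpoint_group',
+'identity:delete_endpoint_group',
+'identity:list_projects_associated_with_endpoint_group',
+'identity:list_endpoints_associated_with_endpoint_group',
+'identity:get_endpoint_group_in_project',
+'identity:list_endpoint_groups_for_project',
+'identity:add_endpoint_group_to_project',
+'identity:remove_endpoint_group_from_project',
+'identity:get_auth_catalog',
+'identity:get_auth_projects',
+'identity:get_auth_domains',
+'identity:get_auth_system',
+'identity:list_projects_for_user',
+'identity:list_domains_for_user',
+'identity:list_revoke_events',
+'identity:get_security_compliance_domain_config',
+'identity:get_application_credential',
+'identity:list_application_credentials',
+'identity:create_application_credential',
+'identity:delete_application_credential',
 'identity:create_credential',
 'identity:get_credential',
 'identity:list_credentials',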
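Review bot: The expanded `removed_policies` list only proves that each name is gone from the sample file; it does not prove that an in-code default exists for each removed name, so a policy dropped from both places would still pass this test and fall back to the file's catch-all `"default": "rule:admin_required"` rule without anyone noticing. Consider adding an assertion that every entry in `removed_policies` is registered as an in-code default (the names returned by `keystone.common.policies.list_rules()`, if that is the registry this test already uses), e.g. `registered = {r.name for r in policies.list_rules()}` followed by `self.assertTrue(set(removed_policies).issubset(registered))`. A one-line grouping comment per API family (limits, trusts, OAuth consumers and access tokens, endpoint filters and groups, auth catalog, application credentials) would also make this long literal easier to audit against the JSON hunks. The test method's signature and the assertions that consume `removed_policies` lie outside the hunk.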
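--- a/[release note path not shown on page]
+++ b/[release note path not shown on page]
@@ -10,6 +10,14 @@ upgrade:
 users with role assignments on a domain to retrieve that domain,
 as opposed to only allowing users with the ``admin`` role to access
 that policy.
+
+All policies in ``policy.v3cloudsample.json`` that are redundant with the
+defaults in code have been removed. This improves maintainability and
+leaves the ``policy.v3cloudsample.json`` policy file with only
+overrides. These overrides will eventually be moved into code or new
+defaults in keystone directly. If you're using the policies removed
+from ``policy.v3cloudsample.json`` please check to see if you can migrate
+to the new defaults or continue maintaining the policy as an override.
 fixes:
 - |
 [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]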