DRY: Remove redundant policies from policy.v3cloudsample.json

The policies contained in policy.v3cloudsample.json pre-dated any of
the work to move policy defaults into code. Since deploying a policy
file is now optional, we can remove the redundant policies from this
file and make it more maintainable by not repeating ourselves and
violating the DRY principal.

The only policies left are ones that are testing workarounds for bug
968696. Meanwhile, we're pursuing fixes for scope types and default
roles:

  http://tinyurl.com/y5kj6fn9

These fixes are specific to certain resources to make reviews more
understandable for reviewers. As fixes for those bugs land, we will
be removing the remaining checks in this file, since the behavior will
be captured in new default check strings or in code.

Eventually, we will delete this file entirely since we will have
defaults in code that work for `admins`, `members`, and `readers` on
projects, domains, and the deployment system.

Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83
Partial-Bug: 1806762
(cherry picked from commit bb141b1fb4)
This commit is contained in:
Lance Bragstad 2019-04-02 15:17:18 +00:00
parent 2c102cad47
commit c78581b460
3 changed files with 65 additions and 66 deletions

View File

@ -1,8 +1,6 @@
{
"admin_required": "role:admin",
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
@ -10,24 +8,16 @@
"default": "rule:admin_required",
"identity:get_limit_model": "",
"identity:get_limit": "",
"identity:list_limits": "",
"identity:create_limits": "rule:admin_required",
"identity:update_limit": "rule:admin_required",
"identity:delete_limit": "rule:admin_required",
"identity:create_project_tag": "rule:admin_required",
"identity:delete_project_tag": "rule:admin_required",
"identity:get_project_tag": "rule:admin_required",
"identity:list_project_tags": "rule:admin_required",
"identity:delete_project_tags": "rule:admin_required",
"identity:update_project_tags": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
@ -78,57 +68,8 @@
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:get_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:get_auth_system": "",
"identity:list_projects_for_user": "",
"identity:list_domains_for_user": "",
"identity:list_revoke_events": "rule:service_or_admin",
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
@ -143,13 +84,7 @@
"identity:create_domain_config": "rule:cloud_admin",
"identity:get_domain_config": "rule:cloud_admin",
"identity:get_security_compliance_domain_config": "",
"identity:update_domain_config": "rule:cloud_admin",
"identity:delete_domain_config": "rule:cloud_admin",
"identity:get_domain_config_default": "rule:cloud_admin",
"identity:get_application_credential": "rule:admin_or_owner",
"identity:list_application_credentials": "rule:admin_or_owner",
"identity:create_application_credential": "rule:admin_or_owner",
"identity:delete_application_credential": "rule:admin_or_owner"
"identity:get_domain_config_default": "rule:cloud_admin"
}

View File

@ -181,6 +181,62 @@ class PolicyJsonTestCase(unit.TestCase):
# TODO(lbragstad): Once all policies have been removed from
# policy.v3cloudsample.json, remove this test.
removed_policies = [
'service_role',
'service_or_admin',
'identity:get_limit_model',
'identity:list_limits',
'identity:create_project_tag',
'identity:delete_project_tag',
'identity:delete_project_tags',
'identity:update_project_tags',
'identity:ec2_get_credential',
'identity:ec2_delete_credential',
'identity:revocation_list',
'identity:create_trust',
'identity:list_trusts',
'identity:list_roles_for_trust',
'identity:get_role_for_trust',
'identity:delete_trust',
'identity:get_trust',
'identity:create_consumer',
'identity:get_consumer',
'identity:list_consumers',
'identity:delete_consumer',
'identity:update_consumer',
'identity:authorize_request_token',
'identity:list_access_token_roles',
'identity:get_access_token_role',
'identity:list_access_tokens',
'identity:get_access_token',
'identity:delete_access_token',
'identity:list_projects_for_endpoint',
'identity:add_endpoint_to_project',
'identity:check_endpoint_in_project',
'identity:list_endpoints_for_project',
'identity:remove_endpoint_from_project',
'identity:create_endpoint_group',
'identity:list_endpoint_groups',
'identity:get_endpoint_group',
'identity:update_endpoint_group',
'identity:delete_endpoint_group',
'identity:list_projects_associated_with_endpoint_group',
'identity:list_endpoints_associated_with_endpoint_group',
'identity:get_endpoint_group_in_project',
'identity:list_endpoint_groups_for_project',
'identity:add_endpoint_group_to_project',
'identity:remove_endpoint_group_from_project',
'identity:get_auth_catalog',
'identity:get_auth_projects',
'identity:get_auth_domains',
'identity:get_auth_system',
'identity:list_projects_for_user',
'identity:list_domains_for_user',
'identity:list_revoke_events',
'identity:get_security_compliance_domain_config',
'identity:get_application_credential',
'identity:list_application_credentials',
'identity:create_application_credential',
'identity:delete_application_credential',
'identity:create_credential',
'identity:get_credential',
'identity:list_credentials',

View File

@ -10,6 +10,14 @@ upgrade:
users with role assignments on a domain to retrieve that domain,
as opposed to only allowing users with the ``admin`` role to access
that policy.
All policies in ``policy.v3cloudsample.json`` that are redundant with the
defaults in code have been removed. This improves maintainability and
leaves the ``policy.v3cloudsample.json`` policy file with only
overrides. These overrides will eventually be moved into code or new
defaults in keystone directly. If you're using the policies removed
from ``policy.v3cloudsample.json`` please check to see if you can migrate
to the new defaults or continue maintaining the policy as an override.
fixes:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]