From c83fcbc42aac247789c9a53abfbe237fa9640d38 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 21 Nov 2018 15:45:50 +0000 Subject: [PATCH] Remove service policies from policy.v3cloudsample.json By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default service behavior by removing them. Change-Id: Ifa2282481ee3fc544c1d50ac8e8972b0d3a5332e Closes-Bug: 1804462
---
 etc/policy.v3cloudsample.json | 6 ------
 keystone/tests/unit/test_policy.py | 7 ++++++-
 .../notes/bug-1804462-59ad43f98242dea0.yaml | 14 ++++++++++++++
 3 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/bug-1804462-59ad43f98242dea0.yaml
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index e03da8e216..e79e5a1a47 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -10,12 +10,6 @@
 "default": "rule:admin_required",
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:cloud_admin",
- "identity:update_service": "rule:cloud_admin",
- "identity:delete_service": "rule:cloud_admin",
-
 "identity:get_limit_model": "",
 "identity:get_limit": "",
 "identity:list_limits": "",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 0ccf8a3f89..9462ba2ece 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -230,7 +230,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_domain',
 'identity:list_domains',
 'identity:update_domain',
- 'identity:delete_domain'
+ 'identity:delete_domain',
+ 'identity:create_service',
+ 'identity:get_service',
+ 'identity:list_services',
+ 'identity:update_service',
+ 'identity:delete_service'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
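Review bot: The new last entry `'identity:delete_service'` in `removed_policies` is again left without a trailing comma, which is why this change had to rewrite the `'identity:delete_domain'` line just to append to the list. Ending the list with `'identity:delete_service',` keeps the next addition a pure insertion and removes the risk that a forgotten comma silently joins two adjacent string literals into one policy name that matches nothing. Since this list appears to decide which policies the sample-file check treats as intentionally absent, a merged name would presumably show up as a confusing failure or a skipped check rather than a syntax error. The enclosing test method starts before and continues after the hunk, so how `p` is used inside the loop is not visible here.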
diff --git a/releasenotes/notes/bug-1804462-59ad43f98242dea0.yaml b/releasenotes/notes/bug-1804462-59ad43f98242dea0.yaml
new file mode 100644
index 0000000000..5d41e4d3ce
--- /dev/null
+++ b/releasenotes/notes/bug-1804462-59ad43f98242dea0.yaml
@@ -0,0 +1,14 @@
+---
+upgrade:
+ - |
+ [`bug 1804462 `_]
+ The service policies defined in ``policy.v3cloudsample.json`` have
+ been removed. These policies are now obsolete after incorporating
+ system-scope into the service API and implementing default roles.
+fixes:
+ - |
+ [`bug 1804462 `_]
+ The service policies in ``policy.v3cloudsample.json`` policy file
+ have been removed in favor of better defaults in code. These
+ policies weren't tested exhaustively and were misleading to users
+ and operators.