diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 8487a34a47..d62060df70 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -29,20 +29,6 @@ "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s", "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
- "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
- "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
- "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
- "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
- "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
- "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
- "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
- "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
- "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
- "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
- "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
 "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s", "admin_on_domain_of_project_filter": 
"rule:admin_required and domain_id:%(target.project.domain_id)s",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 6255f1eeb1..0c2e56bc53 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -185,6 +185,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:add_endpoint_to_project',
 'identity:add_user_to_group',
 'identity:authorize_request_token',
+ 'identity:check_grant',
 'identity:check_endpoint_in_project',
 'identity:check_implied_role',
 'identity:check_policy_association_for_endpoint',
@@ -200,6 +201,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:create_domain_role',
 'identity:create_endpoint',
 'identity:create_endpoint_group',
+ 'identity:create_grant',
 'identity:create_group',
 'identity:create_identity_provider',
 'identity:create_implied_role',
@@ -295,6 +297,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:list_endpoints_associated_with_endpoint_group',
 'identity:list_endpoints_for_policy',
 'identity:list_endpoints_for_project',
+ 'identity:list_grants',
 'identity:list_groups',
 'identity:list_groups_for_user',
 'identity:list_identity_providers',
@@ -328,6 +331,7 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:remove_endpoint_group_from_project',
 'identity:remove_user_from_group',
 'identity:revocation_list',
+ 'identity:revoke_grant',
 'identity:revoke_system_grant_for_group',
 'identity:revoke_system_grant_for_user',
 'identity:update_consumer',
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index ac2e42ee39..9c131898b4 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
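Review bot: In the first test_policy.py hunk `'identity:check_grant'` is inserted ahead of `'identity:check_endpoint_in_project'`, which breaks the alphabetical order the rest of this list keeps, while the other three insertions (`create_grant`, `list_grants`, `revoke_grant`) land in the correct slot; the entry belongs between `'identity:check_endpoint_in_project'` and `'identity:check_implied_role'`. The list starts and ends outside the hunks, so what it asserts cannot be confirmed from here; if, as the class name suggests, it enumerates policy targets that are expected to come from in-code defaults rather than from the sample file, a short comment on the four new entries such as `# grant policies removed from policy.v3cloudsample.json, see bug 1806762` would tell the next reader why these four appear here at the same time as the cloud-sample grant tests were dropped. Note that with the domain-specific-role grant tests deleted from test_v3_protection.py, coverage of the cross-domain restriction on role grants now rests on tests of the in-code defaults, which are not part of this diff.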
@@ -964,28 +964,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, # other than its own domain or not self._test_project_management(self.domainA['id'])
- def test_domain_grants(self):
- self.auth = self.build_authentication_request(
- user_id=self.just_a_user['id'],
- password=self.just_a_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_grants('domains', self.domainA['id'],
- expected=exception.ForbiddenAction.code)
-
- # Now, authenticate with a user that does have the domain admin role
- self.auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_grants('domains', self.domainA['id'])
-
- # Check that with such a token we cannot modify grants on a
- different domain
- self._test_grants('domains', self.domainB['id'],
- expected=exception.ForbiddenAction.code)
-
 def test_domain_grants_by_cloud_admin(self): # Test domain grants with a cloud admin. This user should be # able to manage roles on any domain. 
@@ -1021,27 +999,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, role_domain_id=self.domainB['id'], expected=exception.ForbiddenAction.code)
- def test_domain_grants_by_domain_admin_for_domain_specific_role(self):
- # Authenticate with a user that does have the domain admin role,
- should not be able to assign a domain_specific role from another
- domain
- self.auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_grants('domains', self.domainA['id'],
- role_domain_id=self.domainB['id'],
- # List status will always be OK, since we are not
- granting/checking/deleting assignments
- list_status_OK=True,
- expected=exception.ForbiddenAction.code)
-
- # They should be able to assign a domain specific role from the same
- domain
- self._test_grants('domains', self.domainA['id'],
- role_domain_id=self.domainA['id'])
-
 def test_project_grants(self): self.auth = self.build_authentication_request( user_id=self.just_a_user['id'], 
@@ -1084,48 +1041,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, role_domain_id=self.domainB['id'], expected=exception.ForbiddenAction.code)
- def test_project_grants_by_project_admin_for_domain_specific_role(self):
- # Authenticate with a user that does have the project admin role,
- should not be able to assign a domain_specific role from another
- domain
- self.auth = self.build_authentication_request(
- user_id=self.project_admin_user['id'],
- password=self.project_admin_user['password'],
- project_id=self.project['id'])
-
- self._test_grants('projects', self.project['id'],
- role_domain_id=self.domainB['id'],
- # List status will always be OK, since we are not
- granting/checking/deleting assignments
- list_status_OK=True,
- expected=exception.ForbiddenAction.code)
-
- # They should be able to assign a domain specific role from the same
- domain
- self._test_grants('projects', self.project['id'],
- role_domain_id=self.domainA['id'])
-
- def test_project_grants_by_domain_admin_for_domain_specific_role(self):
- # Authenticate with a user that does have the domain admin role,
- should not be able to assign a domain_specific role from another
- domain
- self.auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_grants('projects', self.project['id'],
- role_domain_id=self.domainB['id'],
- # List status will always be OK, since we are not
- granting/checking/deleting assignments
- list_status_OK=True,
- expected=exception.ForbiddenAction.code)
-
- # They should be able to assign a domain specific role from the same
- domain
- self._test_grants('projects', self.project['id'],
- role_domain_id=self.domainA['id'])
-
 def test_cloud_admin_list_assignments_of_domain(self): self.auth = self.build_authentication_request( user_id=self.cloud_admin_user['id'], 
diff --git a/releasenotes/notes/bug-1806762-0b7356ace200a5d3.yaml b/releasenotes/notes/bug-1806762-0b7356ace200a5d3.yaml
new file mode 100644
index 0000000000..a3b4116210
--- /dev/null
+++ b/releasenotes/notes/bug-1806762-0b7356ace200a5d3.yaml
@@ -0,0 +1,13 @@
+---
+upgrade:
+ - |
+ [`bug 1806762 `_]
+ The grant policies defined in ``policy.v3cloudsample.json`` have been
+ removed. These policies are now obsolete after incorporating system-scope
+ and domain-scope into the grant API and implementing default roles.
+fixes:
+ - |
+ [`bug 1806762 `_]
+ The grant policies in ``policy.v3cloudsample.json`` policy file have been
+ removed in favor of better defaults in code. These policies weren't tested
+ exhaustively and were misleading to users and operators.