Remove policy.v3cloudsample.json

We've make all the default policies keystone supports better by incorporating default roles and scope types. These changes have made the ``policy.v3cloudsample.json`` file obsolete. Let's simply things for users, operators, and develpers by removing it. A follow-on patch will remove the test_v3_protection.py file since those behaviors are passing all the protection tests with the default policies in code. Related-Bug: 1805880 Closes-Bug: 1630434 Closes-Bug: 1806762 Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
2 years ago · d4a6023de5
5 changed files with 21 additions and 338 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -1,30 +0,0 @@
-{
-    "admin_required": "role:admin",
-    "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
-    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
-    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
-    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
-    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
-
-    "default": "rule:admin_required",
-
-    "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
-    "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
-    "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
-    "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
-    "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
-    "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
-    "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
-    "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
-    "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
-
-    "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
-    "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
-    "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
-    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
-
-    "identity:check_token": "rule:admin_or_owner",
-    "identity:validate_token": "rule:service_admin_or_owner",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner"
-}
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@ -13,7 +13,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-import json
 import os
 import subprocess
 import uuid
@ -21,7 +20,6 @@ import uuid
 import mock
 from oslo_policy import policy as common_policy
 import six
-from testtools import matchers

 from keystone.common import policies
 from keystone.common.rbac_enforcer import policy
@ -177,215 +175,6 @@ class PolicyJsonTestCase(unit.TestCase):
            rules[rule.name] = rule.check_str
        return rules

-    def test_json_examples_have_matching_entries(self):
-        # TODO(lbragstad): Once all policies have been removed from
-        # policy.v3cloudsample.json, remove this test.
-        removed_policies = [
-            'identity:add_endpoint_group_to_project',
-            'identity:add_endpoint_to_project',
-            'identity:add_user_to_group',
-            'identity:authorize_request_token',
-            'identity:check_grant',
-            'identity:check_endpoint_in_project',
-            'identity:check_implied_role',
-            'identity:check_policy_association_for_endpoint',
-            'identity:check_policy_association_for_region_and_service',
-            'identity:check_policy_association_for_service',
-            'identity:check_system_grant_for_group',
-            'identity:check_system_grant_for_user',
-            'identity:check_user_in_group',
-            'identity:create_application_credential',
-            'identity:create_consumer',
-            'identity:create_credential',
-            'identity:create_domain',
-            'identity:create_domain_config',
-            'identity:create_domain_role',
-            'identity:create_endpoint',
-            'identity:create_endpoint_group',
-            'identity:create_grant',
-            'identity:create_group',
-            'identity:create_identity_provider',
-            'identity:create_implied_role',
-            'identity:create_limits',
-            'identity:create_mapping',
-            'identity:create_policy',
-            'identity:create_policy_association_for_endpoint',
-            'identity:create_policy_association_for_region_and_service',
-            'identity:create_policy_association_for_service',
-            'identity:create_project',
-            'identity:create_project_tag',
-            'identity:create_protocol',
-            'identity:create_region',
-            'identity:create_registered_limits',
-            'identity:create_role',
-            'identity:create_service',
-            'identity:create_service_provider',
-            'identity:create_system_grant_for_group',
-            'identity:create_system_grant_for_user',
-            'identity:create_trust',
-            'identity:create_user',
-            'identity:delete_access_rule',
-            'identity:delete_access_token',
-            'identity:delete_application_credential',
-            'identity:delete_consumer',
-            'identity:delete_credential',
-            'identity:delete_domain',
-            'identity:delete_domain_config',
-            'identity:delete_domain_role',
-            'identity:delete_endpoint',
-            'identity:delete_endpoint_group',
-            'identity:delete_group',
-            'identity:delete_identity_provider',
-            'identity:delete_implied_role',
-            'identity:delete_mapping',
-            'identity:delete_limit',
-            'identity:delete_policy',
-            'identity:delete_policy_association_for_endpoint',
-            'identity:delete_policy_association_for_region_and_service',
-            'identity:delete_policy_association_for_service',
-            'identity:delete_project',
-            'identity:delete_project_tag',
-            'identity:delete_project_tags',
-            'identity:delete_protocol',
-            'identity:delete_region',
-            'identity:delete_registered_limit',
-            'identity:delete_role',
-            'identity:delete_service',
-            'identity:delete_service_provider',
-            'identity:delete_trust',
-            'identity:delete_user',
-            'identity:ec2_create_credential',
-            'identity:ec2_delete_credential',
-            'identity:ec2_get_credential',
-            'identity:ec2_list_credentials',
-            'identity:get_access_rule',
-            'identity:get_access_token',
-            'identity:get_access_token_role',
-            'identity:get_application_credential',
-            'identity:get_auth_catalog',
-            'identity:get_auth_domains',
-            'identity:get_auth_projects',
-            'identity:get_auth_system',
-            'identity:get_consumer',
-            'identity:get_credential',
-            'identity:get_domain',
-            'identity:get_domain_config',
-            'identity:get_domain_config_default',
-            'identity:get_domain_role',
-            'identity:get_endpoint',
-            'identity:get_endpoint_group',
-            'identity:get_endpoint_group_in_project',
-            'identity:get_group',
-            'identity:get_identity_provider',
-            'identity:get_implied_role',
-            'identity:get_limit',
-            'identity:get_limit_model',
-            'identity:get_mapping',
-            'identity:get_policy',
-            'identity:get_policy_for_endpoint',
-            'identity:get_project_tag',
-            'identity:get_project',
-            'identity:get_protocol',
-            'identity:get_region',
-            'identity:get_registered_limit',
-            'identity:get_role',
-            'identity:get_role_for_trust',
-            'identity:get_security_compliance_domain_config',
-            'identity:get_service',
-            'identity:get_service_provider',
-            'identity:get_trust',
-            'identity:get_user',
-            'identity:list_access_rules',
-            'identity:list_access_token_roles',
-            'identity:list_access_tokens',
-            'identity:list_application_credentials',
-            'identity:list_consumers',
-            'identity:list_credentials',
-            'identity:list_domain_roles',
-            'identity:list_domains',
-            'identity:list_domains_for_user',
-            'identity:list_endpoint_groups',
-            'identity:list_endpoint_groups_for_project',
-            'identity:list_endpoints',
-            'identity:list_endpoints_associated_with_endpoint_group',
-            'identity:list_endpoints_for_policy',
-            'identity:list_endpoints_for_project',
-            'identity:list_grants',
-            'identity:list_groups',
-            'identity:list_groups_for_user',
-            'identity:list_identity_providers',
-            'identity:list_implied_roles',
-            'identity:list_limits',
-            'identity:list_mappings',
-            'identity:list_policies',
-            'identity:list_projects',
-            'identity:list_projects_associated_with_endpoint_group',
-            'identity:list_projects_for_endpoint',
-            'identity:list_projects_for_user',
-            'identity:list_project_tags',
-            'identity:list_protocols',
-            'identity:list_regions',
-            'identity:list_registered_limits',
-            'identity:list_revoke_events',
-            'identity:list_role_assignments',
-            'identity:list_role_inference_rules',
-            'identity:list_roles',
-            'identity:list_roles_for_trust',
-            'identity:list_service_providers',
-            'identity:list_services',
-            'identity:list_system_grants_for_group',
-            'identity:list_system_grants_for_user',
-            'identity:list_trusts',
-            'identity:list_trusts_for_trustee',
-            'identity:list_trusts_for_trustor',
-            'identity:list_user_projects',
-            'identity:list_users',
-            'identity:list_users_in_group',
-            'identity:remove_endpoint_from_project',
-            'identity:remove_endpoint_group_from_project',
-            'identity:remove_user_from_group',
-            'identity:revocation_list',
-            'identity:revoke_grant',
-            'identity:revoke_system_grant_for_group',
-            'identity:revoke_system_grant_for_user',
-            'identity:update_consumer',
-            'identity:update_credential',
-            'identity:update_domain',
-            'identity:update_domain_config',
-            'identity:update_domain_role',
-            'identity:update_endpoint',
-            'identity:update_endpoint_group',
-            'identity:update_group',
-            'identity:update_identity_provider',
-            'identity:update_limit',
-            'identity:update_mapping',
-            'identity:update_policy',
-            'identity:update_project',
-            'identity:update_project_tags',
-            'identity:update_protocol',
-            'identity:update_region',
-            'identity:update_registered_limit',
-            'identity:update_role',
-            'identity:update_service',
-            'identity:update_service_provider',
-            'identity:update_user',
-            'service_or_admin',
-            'service_role',
-        ]
-        policy_keys = self._get_default_policy_rules()
-        for p in removed_policies:
-            del policy_keys[p]
-        cloud_policy_keys = set(
-            json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
-
-        policy_extra_keys = ['admin_or_token_subject',
-                             'service_admin_or_token_subject',
-                             'token_subject', ]
-        expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
-        diffs = set(policy_keys).difference(set(expected_policy_keys))
-
-        self.assertThat(diffs, matchers.Equals(set()))
-
    def test_policies_loads(self):
        action = 'identity:list_projects'
        target = {'user_id': uuid.uuid4().hex,
@ -406,11 +195,6 @@ class PolicyJsonTestCase(unit.TestCase):
                                                    credentials)
        self.assertTrue(result)

-        domain_policy = unit.dirs.etc('policy.v3cloudsample.json')
-        enforcer = common_policy.Enforcer(CONF, policy_file=domain_policy)
-        result = enforcer.enforce(action, target, credentials)
-        self.assertTrue(result)
-
    def test_all_targets_documented(self):
        policy_keys = self._get_default_policy_rules()

--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -2906,12 +2906,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
            domain_id=self.domainA['id']
        )

-    def _policy_fixture(self):
-        return ksfixtures.Policy(
-            self.config_fixture,
-            policy_file=unit.dirs.etc('policy.v3cloudsample.json')
-        )
-
    def test_user_revokes_own_token(self):
        user_token = self.get_requested_token(
            self.build_authentication_request(
@ -2988,37 +2982,6 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
                  expected_status=http_client.NOT_FOUND,
                  token=adminA_token)

-    def test_adminB_fails_revoking_userA_token(self):
-        # DomainB setup
-        self.domainB = unit.new_domain_ref()
-        PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
-        userAdminB = unit.create_user(PROVIDERS.identity_api,
-                                      domain_id=self.domainB['id'])
-        PROVIDERS.assignment_api.create_grant(
-            self.role['id'], user_id=userAdminB['id'],
-            domain_id=self.domainB['id']
-        )
-
-        user_token = self.get_requested_token(
-            self.build_authentication_request(
-                user_id=self.userNormalA['id'],
-                password=self.userNormalA['password'],
-                user_domain_id=self.domainA['id']))
-        headers = {'X-Subject-Token': user_token}
-
-        adminB_token = self.get_requested_token(
-            self.build_authentication_request(
-                user_id=userAdminB['id'],
-                password=userAdminB['password'],
-                domain_name=self.domainB['name']))
-
-        self.head('/auth/tokens', headers=headers,
-                  expected_status=http_client.FORBIDDEN,
-                  token=adminB_token)
-        self.delete('/auth/tokens', headers=headers,
-                    expected_status=http_client.FORBIDDEN,
-                    token=adminB_token)
-

 class TestTokenRevokeById(test_v3.RestfulTestCase):
    """Test token revocation on the v3 Identity API."""
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -643,12 +643,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
                                      test_v3.AssignmentTestMixin):
    """Test policy enforcement of the sample v3 cloud policy file."""

-    def _policy_fixture(self):
-        return ksfixtures.Policy(
-            self.config_fixture,
-            policy_file=unit.dirs.etc('policy.v3cloudsample.json')
-        )
-
    def setUp(self):
        """Setup for v3 Cloud Policy Sample Test Cases.

@ -1167,55 +1161,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        self.assertRoleAssignmentInListResponse(r, project_admin_entity)
        self.assertRoleAssignmentInListResponse(r, project_user_entity)

-    def test_domain_admin_list_assignment_tree(self):
-        # Add a child project to the standard test data
-        sub_project = unit.new_project_ref(domain_id=self.domainA['id'],
-                                           parent_id=self.project['id'])
-        PROVIDERS.resource_api.create_project(sub_project['id'], sub_project)
-        PROVIDERS.assignment_api.create_grant(
-            self.role['id'], user_id=self.just_a_user['id'],
-            project_id=sub_project['id']
-        )
-
-        collection_url = self.build_role_assignment_query_url(
-            project_id=self.project['id'])
-        collection_url += '&include_subtree=True'
-
-        # The domain admin should be able to list the assignment tree
-        auth = self.build_authentication_request(
-            user_id=self.domain_admin_user['id'],
-            password=self.domain_admin_user['password'],
-            domain_id=self.domainA['id'])
-
-        r = self.get(collection_url, auth=auth)
-        self.assertValidRoleAssignmentListResponse(
-            r, expected_length=3, resource_url=collection_url)
-
-        # A project admin should not be able to
-        auth = self.build_authentication_request(
-            user_id=self.project_admin_user['id'],
-            password=self.project_admin_user['password'],
-            project_id=self.project['id'])
-
-        r = self.get(collection_url, auth=auth,
-                     expected_status=http_client.FORBIDDEN)
-
-        # A neither should a domain admin from a different domain
-        domainB_admin_user = unit.create_user(
-            PROVIDERS.identity_api,
-            domain_id=self.domainB['id'])
-        PROVIDERS.assignment_api.create_grant(
-            self.admin_role['id'], user_id=domainB_admin_user['id'],
-            domain_id=self.domainB['id']
-        )
-        auth = self.build_authentication_request(
-            user_id=domainB_admin_user['id'],
-            password=domainB_admin_user['password'],
-            domain_id=self.domainB['id'])
-
-        r = self.get(collection_url, auth=auth,
-                     expected_status=http_client.FORBIDDEN)
-
    def test_domain_user_list_assignments_of_project_failed(self):
        self.auth = self.build_authentication_request(
            user_id=self.just_a_user['id'],
--- a/releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml
+++ b/releasenotes/notes/bug-1806762-08ff9eecdc03c554.yaml
@ -0,0 +1,21 @@
+---
+upgrade:
+  - |
+    [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+    [`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
+    The entire ``policy.v3cloudsample.json`` file has been removed. If you
+    were using this policy file to supply overrides in your deployment, you
+    should consider using the defaults in code and setting ``keystone.conf
+    [oslo_policy] enforce_scope=True``. The new policy defaults are more
+    flexible, they're tested extensively, and they solve all the problems the
+    ``policy.v3cloudsample.json`` file was trying to solve.
+fixes:
+  - |
+    [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
+    [`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
+    The entire ``policy.v3cloudsample.json`` file has been removed. If you
+    were using this policy file to supply overrides in your deployment, you
+    should consider using the defaults in code and setting ``keystone.conf
+    [oslo_policy] enforce_scope=True``. The new policy defaults are more
+    flexible, they're tested extensively, and they solve all the problems the
+    ``policy.v3cloudsample.json`` file was trying to solve.