We've make all the default policies keystone supports better by incorporating default roles and scope types. These changes have made the ``policy.v3cloudsample.json`` file obsolete. Let's simply things for users, operators, and develpers by removing it. A follow-on patch will remove the test_v3_protection.py file since those behaviors are passing all the protection tests with the default policies in code. Related-Bug: 1805880 Closes-Bug: 1630434 Closes-Bug: 1806762 Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030changes/66/682266/6
parent
e860c69831
commit
d4a6023de5
@ -1,30 +0,0 @@
|
||||
{
|
||||
"admin_required": "role:admin",
|
||||
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
||||
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
|
||||
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
|
||||
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
|
||||
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
|
||||
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
|
||||
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
|
||||
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
|
||||
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
|
||||
|
||||
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
|
||||
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
|
||||
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
|
||||
|
||||
"identity:check_token": "rule:admin_or_owner",
|
||||
"identity:validate_token": "rule:service_admin_or_owner",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_owner"
|
||||
}
|
@ -0,0 +1,21 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
|
||||
[`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
|
||||
The entire ``policy.v3cloudsample.json`` file has been removed. If you
|
||||
were using this policy file to supply overrides in your deployment, you
|
||||
should consider using the defaults in code and setting ``keystone.conf
|
||||
[oslo_policy] enforce_scope=True``. The new policy defaults are more
|
||||
flexible, they're tested extensively, and they solve all the problems the
|
||||
``policy.v3cloudsample.json`` file was trying to solve.
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
|
||||
[`bug 1630434 <https://bugs.launchpad.net/keystone/+bug/1630434>`_]
|
||||
The entire ``policy.v3cloudsample.json`` file has been removed. If you
|
||||
were using this policy file to supply overrides in your deployment, you
|
||||
should consider using the defaults in code and setting ``keystone.conf
|
||||
[oslo_policy] enforce_scope=True``. The new policy defaults are more
|
||||
flexible, they're tested extensively, and they solve all the problems the
|
||||
``policy.v3cloudsample.json`` file was trying to solve.
|
Loading…
Reference in new issue