remove default rule
The default rule no longer applies with the move of policy into code so this change removes it. In previous releases, the default rule was used by operators customizing policy and not wanting to specify every rule in their policy.json. But with the move of policy into code, all checks that the code is going to make are defined in code, so there should never be an occasion for the default rule to be checked. Leaving it defined would confuse operators since it can no longer be used the way it was used before. Change-Id: Idafe1c906f1eb188200eab7af3eae8eb86c8154a Closes-Bug: #1703392
This commit is contained in:
parent
fa88f68448
commit
fbec857384
|
@ -56,9 +56,6 @@ rules = [
|
|||
policy.RuleDefault(
|
||||
name='service_admin_or_token_subject',
|
||||
check_str='rule:service_or_admin or rule:token_subject'),
|
||||
policy.RuleDefault(
|
||||
name='default',
|
||||
check_str='rule:admin_required')
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -126,51 +126,6 @@ class PolicyTestCase(unit.TestCase):
|
|||
policy.enforce(admin_credentials, uppercase_action, self.target)
|
||||
|
||||
|
||||
class DefaultPolicyTestCase(unit.TestCase):
|
||||
def setUp(self):
|
||||
super(DefaultPolicyTestCase, self).setUp()
|
||||
|
||||
self.rules = {
|
||||
"default": [],
|
||||
"example:exist": [["false:false"]]
|
||||
}
|
||||
self._set_rules('default')
|
||||
self.credentials = {}
|
||||
|
||||
# FIXME(gyee): latest Oslo policy Enforcer class reloads the rules in
|
||||
# its enforce() method even though rules has been initialized via
|
||||
# set_rules(). To make it easier to do our tests, we're going to
|
||||
# monkeypatch load_roles() so it does nothing. This seem like a bug in
|
||||
# Oslo policy as we shouldn't have to reload the rules if they have
|
||||
# already been set using set_rules().
|
||||
self._old_load_rules = policy._ENFORCER.load_rules
|
||||
self.addCleanup(setattr, policy._ENFORCER, 'load_rules',
|
||||
self._old_load_rules)
|
||||
policy._ENFORCER.load_rules = lambda *args, **kwargs: None
|
||||
|
||||
def _set_rules(self, default_rule):
|
||||
these_rules = common_policy.Rules.from_dict(self.rules, default_rule)
|
||||
policy._ENFORCER.set_rules(these_rules)
|
||||
|
||||
def test_policy_called(self):
|
||||
self.assertRaises(exception.ForbiddenAction, policy.enforce,
|
||||
self.credentials, "example:exist", {})
|
||||
|
||||
def test_not_found_policy_calls_default(self):
|
||||
policy.enforce(self.credentials, "example:noexist", {})
|
||||
|
||||
def test_default_not_found(self):
|
||||
new_default_rule = "default_noexist"
|
||||
# FIXME(gyee): need to overwrite the Enforcer's default_rule first
|
||||
# as it is recreating the rules with its own default_rule instead
|
||||
# of the default_rule passed in from set_rules(). I think this is a
|
||||
# bug in Oslo policy.
|
||||
policy._ENFORCER.default_rule = new_default_rule
|
||||
self._set_rules(new_default_rule)
|
||||
self.assertRaises(exception.ForbiddenAction, policy.enforce,
|
||||
self.credentials, "example:noexist", {})
|
||||
|
||||
|
||||
class PolicyJsonTestCase(unit.TestCase):
|
||||
|
||||
def _get_default_policy_rules(self):
|
||||
|
@ -229,8 +184,8 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||
# These keys are in the policy.json but aren't targets.
|
||||
policy_rule_keys = [
|
||||
'admin_or_owner', 'admin_or_token_subject', 'admin_required',
|
||||
'default', 'owner', 'service_admin_or_token_subject',
|
||||
'service_or_admin', 'service_role', 'token_subject', ]
|
||||
'owner', 'service_admin_or_token_subject', 'service_or_admin',
|
||||
'service_role', 'token_subject', ]
|
||||
|
||||
def read_doc_targets():
|
||||
# Parse the doc/source/policy_mapping.rst file and return the
|
||||
|
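Review bot: The exclusion list `policy_rule_keys` is still hand-maintained, so this hunk is the second place that has to mirror the deletion made to the `rules` list in the first hunk, and the next rule added or removed in code will need the same two-step edit. Consider deriving the non-target keys from the registered defaults instead, e.g. `policy_rule_keys = [rule.name for rule in base_rules]` where `base_rules` is the module-level `rules` list shown in the first hunk, so the test follows the code rather than a copy of it. Whether the sample policy.json also drops its `default` entry is not visible here; if it still carried one, this test would now report `default` as an undocumented target, which is presumably what CI checks. The enclosing method of `PolicyJsonTestCase` starts before this hunk and continues past it.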
|
|
@ -5,10 +5,14 @@ features:
|
|||
Keystone now supports the ability to register default policies in code.
|
||||
This makes policy file maintenance easier by allowing duplicated default
|
||||
policies to be removed from the policy file. The only policies that should
|
||||
exist within a deployments policy file after Pike should be policy
|
||||
overrides. To generate sample policy files from default values, prune
|
||||
default policies from existing policy files, or familiarize yourself with
|
||||
general policy usage, please see the `usage documentation
|
||||
exist within a deployment's policy file after Pike should be policy
|
||||
overrides. Note that there is no longer a default value for the default
|
||||
rule. That rule is only checked when the more specific rule cannot be
|
||||
found, and with policy in code all rules should be found in code even if
|
||||
they are not in the policy file. To generate sample policy files from
|
||||
default values, prune default policies from existing policy files, or
|
||||
familiarize yourself with general policy usage, please see the
|
||||
`usage documentation
|
||||
<https://docs.openstack.org/developer/oslo.policy/usage.html>`_
|
||||
provided in oslo.policy.
|
||||
|
||||
|
@ -18,9 +22,13 @@ upgrade:
|
|||
Keystone now supports the ability to register default policies in code.
|
||||
This makes policy file maintenance easier by allowing duplicated default
|
||||
policies to be removed from the policy file. The only policies that should
|
||||
exist within a deployments policy file after Pike should be policy
|
||||
overrides. To generate sample policy files from default values, prune
|
||||
default policies from existing policy files, or familiarize yourself with
|
||||
general policy usage, please see the `usage documentation
|
||||
exist within a deployment's policy file after Pike should be policy
|
||||
overrides. Note that there is no longer a default value for the default
|
||||
rule. That rule is only checked when the more specific rule cannot be
|
||||
found, and with policy in code all rules should be found in code even if
|
||||
they are not in the policy file. To generate sample policy files from
|
||||
default values, prune default policies from existing policy files, or
|
||||
familiarize yourself with general policy usage, please see the
|
||||
`usage documentation
|
||||
<https://docs.openstack.org/developer/oslo.policy/usage.html>`_
|
||||
provided in oslo.policy.
|
||||
|
|