6d756ad612
By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default role behavior by removing them. Note that these changes are slightly different from the policy.v3cloudsample.json role policies, hence the removed tests. In policy.v3cloudsample.json, domain users were allowed to get and list global roles. So were project users. This behavior is changing because global roles are considered global resources of the deployment, and they should be managed by system users. Domain users should be able to add and remove domain specific roles, which will come in a subsequent series of patches. This approach is being taken because it is a safer default for a system level resource (global roles) and still allows the same functionality for domain users through domain-specific roles. Change-Id: Iddaa59024a1dcefd4d791b95413602865888c1ff Closes-Bug: 1806713 |
||
|---|---|---|
| .. | ||
| default_catalog.templates | ||
| logging.conf.sample | ||
| policy.v3cloudsample.json | ||
| README.txt | ||
| sso_callback_template.html | ||
To generate the sample keystone.conf and keystone.policy.yaml files, run the
following commands from the top level of the keystone directory:
tox -egenconfig
tox -egenpolicy
For a pre-generated example of the latest files, see:
https://docs.openstack.org/keystone/latest/configuration/samples/index.html