Remove obsolete service provider policies from policy.v3cloudsample.json

Bug #1804520 reported by Lance Bragstad on 2018-11-21
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Once support for scope types landed in the service provider API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for identity providers.

[0] https://review.openstack.org/#/c/526173/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n216
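Added example, not keystone's or oslo.policy's code: a minimal stand-in for the oslo.policy checks keystone applies to the service provider rules, with check strings assumed to match keystone.common.policies.base. It shows what enforce_scope = True changes for these rules: a project-scoped admin token is rejected with InvalidScope before the role check runs, while a system-scoped reader can read but not write.

```python
# Minimal stand-in for oslo.policy (assumption: real keystone uses
# oslo_policy.Enforcer; this only models the pieces the bug is about).


class InvalidScope(Exception):
    """Raised when a token's scope is not in the rule's scope_types."""


# Check strings assumed to mirror keystone.common.policies.base.
SYSTEM_READER = 'role:reader and system_scope:all'
SYSTEM_ADMIN = 'role:admin and system_scope:all'

# rule name -> (check_str, scope_types), scope_types=['system'] as in the
# scoped service provider policies the bug description refers to.
RULES = {
    'identity:get_service_provider': (SYSTEM_READER, ['system']),
    'identity:list_service_providers': (SYSTEM_READER, ['system']),
    'identity:create_service_provider': (SYSTEM_ADMIN, ['system']),
    'identity:delete_service_provider': (SYSTEM_ADMIN, ['system']),
}


def _atom(check, creds):
    """Evaluate one 'kind:value' term against the token credentials."""
    kind, _, value = check.partition(':')
    if kind == 'role':
        return value in creds.get('roles', [])
    # generic check: compare a credential attribute with a literal
    return str(creds.get(kind)) == value


def _scope_of(creds):
    """Derive the token scope the way a system/domain/project token presents it."""
    if creds.get('system_scope') == 'all':
        return 'system'
    if creds.get('domain_id') and not creds.get('project_id'):
        return 'domain'
    return 'project'


def enforce(rule, creds, enforce_scope=True):
    """Return True/False for the check string; raise InvalidScope on a scope mismatch."""
    check_str, scope_types = RULES[rule]
    if _scope_of(creds) not in scope_types and enforce_scope:
        raise InvalidScope(f'{rule} requires {scope_types} scope')
    # with enforce_scope=False the mismatch is only a warning upstream;
    # the check string is still evaluated and decides the outcome
    return all(_atom(term.strip(), creds) for term in check_str.split(' and '))
```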

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: policy

Related fix proposed to branch: master
Review: https://review.openstack.org/620157

Related fix proposed to branch: master
Review: https://review.openstack.org/620158

Related fix proposed to branch: master
Review: https://review.openstack.org/620159

Related fix proposed to branch: master
Review: https://review.openstack.org/620160

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/620156
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=acd5d027ecc3d5b8819b0f5772ce114cdbd7a680
Submitter: Zuul
Branch: master

commit acd5d027ecc3d5b8819b0f5772ce114cdbd7a680
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 19:46:30 2018 +0000

    Update service provider policies for system reader

    The service provider policies were not taking the default roles work
    we did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for get and list service
    providers. Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804520
     Related-Bug: 1804522

    Change-Id: I54fde6f6395b55a0798157346af3188bc756ba50

Reviewed: https://review.openstack.org/620157
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e22bafa25bced833115530401ef878f5e1d1c7eb
Submitter: Zuul
Branch: master

commit e22bafa25bced833115530401ef878f5e1d1c7eb
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:29:00 2018 +0000

    Add service provider tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable service provider operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable service provider
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804520
     Related-Bug: 1804522

    Change-Id: Iecc39d5e4f1a4dc9293e67ee86f23f9a119793a8
