Remove obsolete limit and registered limit policies from policy.v3cloudsample.json

Bug #1805880 reported by Lance Bragstad on 2018-11-29
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Once support for scope types landed in the limit and registered limit API policies, the policies in policy.v3cloudsample.json became obsolete [0].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for limits and registered limits.

[0] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n31
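
The cleanup described above also matters for anyone who deployed a file derived from policy.v3cloudsample.json, because a rule in the policy file replaces the check string of the in-code default. The following audit sketch is an added example, not keystone code; the name pattern (`identity:<verb>_limit` / `identity:<verb>_registered_limit`) and the sample file contents are assumptions constructed for illustration.

```python
import json
import re

# Assumption: limit and registered-limit policy names follow the
# "identity:<verb>_<resource>" pattern, e.g. identity:get_registered_limit.
LIMIT_POLICY = re.compile(r"^identity:[a-z]+_(registered_)?limits?(_model)?$")

# Constructed sample standing in for an operator's policy file.
SAMPLE_POLICY_FILE = """
{
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and is_admin_project:True",
    "identity:get_registered_limit": "",
    "identity:list_registered_limits": "",
    "identity:create_registered_limits": "rule:admin_required",
    "identity:delete_limit": "rule:admin_required",
    "identity:list_users": "rule:cloud_admin"
}
"""


def find_limit_overrides(policy_text):
    """Return {policy_name: check_string} for limit-related overrides."""
    rules = json.loads(policy_text)
    return {name: check for name, check in rules.items()
            if LIMIT_POLICY.match(name)}


def report(policy_text):
    """Classify each override so a reviewer can decide what to delete."""
    findings = []
    for name, check in sorted(find_limit_overrides(policy_text).items()):
        # An empty check string allows any authenticated caller.
        kind = "unrestricted" if check.strip() == "" else "custom"
        findings.append((name, kind, check))
    return findings


if __name__ == "__main__":
    for name, kind, check in report(SAMPLE_POLICY_FILE):
        print(f"{name}: {kind} override ({check!r}) "
              "shadows the in-code default")
```

Each reported key is a candidate for removal from the file so that the in-code default applies.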

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: limits policy

Related fix proposed to branch: master
Review: https://review.openstack.org/621015

Related fix proposed to branch: master
Review: https://review.openstack.org/621016

Related fix proposed to branch: master
Review: https://review.openstack.org/621017

Related fix proposed to branch: master
Review: https://review.openstack.org/621018

Related fix proposed to branch: master
Review: https://review.openstack.org/621019

Related fix proposed to branch: master
Review: https://review.openstack.org/621020

Related fix proposed to branch: master
Review: https://review.openstack.org/621021

Related fix proposed to branch: master
Review: https://review.openstack.org/621022

Related fix proposed to branch: master
Review: https://review.openstack.org/621023

Related fix proposed to branch: master
Review: https://review.openstack.org/621024

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/621014
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Submitter: Zuul
Branch: master

commit 216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:20:07 2018 +0000

    Add registered limit protection tests

    This commit creates a set of sets that we can reuse across different
    default roles and scopes to ensure everyone has access to registered
    limit information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project users test coverage

    Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621015
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8658011e41c05f79694eb4df306e07a0db1ce9a9
Submitter: Zuul
Branch: master

commit 8658011e41c05f79694eb4df306e07a0db1ce9a9
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:27:04 2018 +0000

    Add registered limit tests for system member role

    From keystone-perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable registered limit operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable registered limits
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621016
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f5e462844b6bebf112b54b75db87165f9e3919b
Submitter: Zuul
Branch: master

commit 4f5e462844b6bebf112b54b75db87165f9e3919b
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:36:36 2018 +0000

    Update registered limit policies for system admin

    This change makes the policy definitions for admin registered limit
    operations consistent with the other registered limit
    policies. Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: If0352220670fdf5c98d0820309817416466b1466
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621017
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e29ff512bb2a5dde3f9eec2b2a2ec596384ec1a2
Submitter: Zuul
Branch: master

commit e29ff512bb2a5dde3f9eec2b2a2ec596384ec1a2
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:44:40 2018 +0000

    Allow domain users to access the registered limits API

    This commit adds domain-scope to the scope_types for registered limit
    policies, allowing domain users to access those APIs when enforce_scope
    is enabled. This commit also introduces some tests that explicitly
    show how domain users are expected to behave with the registered
    limits API. A subsequent patch will do the same for project users.

    Change-Id: I7a04e1e2fc585340c9e061c915461ab13b9abec2
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621018
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd2b7f3ed55dcfeb0036bec71920c785db65214c
Submitter: Zuul
Branch: master

commit bd2b7f3ed55dcfeb0036bec71920c785db65214c
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:46:48 2018 +0000

    Add tests for project users interacting with registered limits

    This commit introduces some tests that explicitly show how project
    users are expected to behave with the registered limits API. A
    subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json policy file.

    Related-Bug: 1805880

    Change-Id: I66c1d1273dae98f32802de244eb220bf998f9070

Reviewed: https://review.openstack.org/621019
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7af769278aef7e3a170c0da619b67bad7a147d84
Submitter: Zuul
Branch: master

commit 7af769278aef7e3a170c0da619b67bad7a147d84
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:53:00 2018 +0000

    Remove registered limit policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default registered limit
    behavior by removing them.

    Change-Id: I1ee7fb53a71361966584363687051615dc832329
    Related-Bug: 1805880
