Remove obsolete role policies from policy.v3cloudsample.json

Bug #1806713 reported by Lance Bragstad on 2018-12-04
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Once support for scope types landed in the role API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for limits and registered limits.

[0] https://review.openstack.org/#/c/526171/
[1] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n91
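
An added example, not part of the original report or of keystone's code: a small audit that finds role API entries in a policy override file, since any such entry replaces the scope-aware in-code default described above. The policy names are keystone's role API policies; the sample file contents and the `system_scope:` heuristic are assumptions made for illustration.

```python
import json
import re

# Keystone's role API policy names (known from keystone, not listed on this page).
ROLE_POLICIES = {
    "identity:get_role", "identity:list_roles", "identity:create_role",
    "identity:update_role", "identity:delete_role",
}

# Constructed sample override file; the check strings are illustrative and
# are not copied from policy.v3cloudsample.json.
SAMPLE_POLICY_FILE = """
{
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and is_admin_project:True",
    "identity:get_role": "rule:admin_required",
    "identity:list_roles": "role:reader and system_scope:all",
    "identity:create_role": "rule:cloud_admin",
    "identity:list_users": "rule:admin_required"
}
"""

RULE_REF = re.compile(r"rule:([^\s()]+)")


def expand(check, rules, seen=frozenset()):
    """Inline rule:<alias> references so a scope check behind an alias is visible."""
    def substitute(match):
        name = match.group(1)
        if name in seen or name not in rules:
            return match.group(0)  # unknown or cyclic alias: leave as written
        return "(" + expand(rules[name], rules, seen | {name}) + ")"
    return RULE_REF.sub(substitute, check)


def audit_role_overrides(policy_text):
    """Return (policy, check string, scope_aware) for each role API override."""
    rules = json.loads(policy_text)
    findings = []
    for name in sorted(ROLE_POLICIES.intersection(rules)):
        # Assumption: a scope-aware check string mentions system_scope somewhere.
        scope_aware = "system_scope:" in expand(rules[name], rules)
        findings.append((name, rules[name], scope_aware))
    return findings


if __name__ == "__main__":
    for name, check, scope_aware in audit_role_overrides(SAMPLE_POLICY_FILE):
        label = "scope-aware override" if scope_aware else "pre-scope override"
        print(f"{name}: {check!r} ({label})")
```

Entries reported with `scope_aware` set to False predate scope types and are the ones to remove so that the in-code default applies.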

tags: added: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium

Related fix proposed to branch: master
Review: https://review.openstack.org/622525

Related fix proposed to branch: master
Review: https://review.openstack.org/622526

Related fix proposed to branch: master
Review: https://review.openstack.org/622527

Related fix proposed to branch: master
Review: https://review.openstack.org/622528

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/622524
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=567f305b41414f1468147e5eba903871bfbe7392
Submitter: Zuul
Branch: master

commit 567f305b41414f1468147e5eba903871bfbe7392
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:45:42 2018 +0000

    Update role policies for system reader

    The role policies were not taking the default roles work we did last
    release into account. This commit changes the default policies to rely
    on the ``reader`` role for getting and listing roles. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I3e373c437ff0ffddba10bde59fd7f18f8be6498c
    Related-Bug: 1805402
    Related-Bug: 1806713

Reviewed: https://review.openstack.org/622525
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dd9d06c6379d1f9cb046ae49406330a31bb63a09
Submitter: Zuul
Branch: master

commit dd9d06c6379d1f9cb046ae49406330a31bb63a09
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:50:41 2018 +0000

    Add role tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable role operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable role operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I2bc3b65b6ef16adaa95e6299ac205b26797f7185
    Related-Bug: 1805402
    Related-Bug: 1806713
