This commit adds explicit tests that show how domain users
are expected to behave with global roles. A subsequent patch
will do the same for project users.
Note that these changes are slightly different from the
policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
domain users were allowed to get and list global roles. So were
project users. This behavior is changing because global roles are
considered global resources of the deployment, and they should be
managed by system users. Domain users should be able to add and remove
domain specific roles, which will come in a subsequent series of
patches. This approach is being taken because it is a safer default
for a system level resource (roles) and still allows the same
functionality for domain users through domain-specific roles.
Reviewed: https:/ /review. openstack. org/622527 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=31eecfb2a42 e44899ea2f72866 be33cc7700db65
Committed: https:/
Submitter: Zuul
Branch: master
commit 31eecfb2a42e448 99ea2f72866be33 cc7700db65
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:16:34 2018 +0000
Add tests for domain users interacting with roles
This commit adds explicit tests that show how domain users
are expected to behave with global roles. A subsequent patch
will do the same for project users.
Note that these changes are slightly different from the v3cloudsample. json role policies. In policy. v3cloudsample. json,
policy.
domain users were allowed to get and list global roles. So were
project users. This behavior is changing because global roles are
considered global resources of the deployment, and they should be
managed by system users. Domain users should be able to add and remove
domain specific roles, which will come in a subsequent series of
patches. This approach is being taken because it is a safer default
for a system level resource (roles) and still allows the same
functionality for domain users through domain-specific roles.
Change-Id: Ia1a7adf4431042 ecea1b41e3c589c 55112183ab5
Partial-Bug: 1806713
Partial-Bug: 1805400