OpenStack Identity (keystone)

  1. Bug #1806713
  2. Comment #12

Comment 12 for bug 1806713

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/622529
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6d756ad61247828319b184b6894fe8cabd7a5968
Submitter: Zuul
Branch: master

commit 6d756ad61247828319b184b6894fe8cabd7a5968
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:23:36 2018 +0000

    Remove role policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default role behavior by
    removing them.

    Note that these changes are slightly different from the
    policy.v3cloudsample.json role policies, hence the removed tests. In
    policy.v3cloudsample.json, domain users were allowed to get and list
    global roles. So were project users. This behavior is changing because
    global roles are considered global resources of the deployment, and
    they should be managed by system users. Domain users should be able to
    add and remove domain specific roles, which will come in a subsequent
    series of patches. This approach is being taken because it is a safer
    default for a system level resource (global roles) and still allows
    the same functionality for domain users through domain-specific roles.

    Change-Id: Iddaa59024a1dcefd4d791b95413602865888c1ff
    Closes-Bug: 1806713