Remove role policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default role behavior by
removing them.
Note that these changes are slightly different from the
policy.v3cloudsample.json role policies, hence the removed tests. In
policy.v3cloudsample.json, domain users were allowed to get and list
global roles. So were project users. This behavior is changing because
global roles are considered global resources of the deployment, and
they should be managed by system users. Domain users should be able to
add and remove domain specific roles, which will come in a subsequent
series of patches. This approach is being taken because it is a safer
default for a system level resource (global roles) and still allows
the same functionality for domain users through domain-specific roles.
Reviewed: https:/ /review. openstack. org/622529 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=6d756ad6124 7828319b184b689 4fe8cabd7a5968
Committed: https:/
Submitter: Zuul
Branch: master
commit 6d756ad61247828 319b184b6894fe8 cabd7a5968
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:23:36 2018 +0000
Remove role policies from policy. v3cloudsample. json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default role behavior by
removing them.
Note that these changes are slightly different from the v3cloudsample. json role policies, hence the removed tests. In v3cloudsample. json, domain users were allowed to get and list
policy.
policy.
global roles. So were project users. This behavior is changing because
global roles are considered global resources of the deployment, and
they should be managed by system users. Domain users should be able to
add and remove domain specific roles, which will come in a subsequent
series of patches. This approach is being taken because it is a safer
default for a system level resource (global roles) and still allows
the same functionality for domain users through domain-specific roles.
Change-Id: Iddaa59024a1dce fd4d791b9541360 2865888c1ff
Closes-Bug: 1806713