author | Vishakha Agarwal <agarwalvishakha18@gmail.com> | 2019-03-05 13:00:55 +0530 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2019-03-25 19:50:35 +0000 |
commit | 570e47dbf3c0c24483be94e0d338acbb6dc2f2c9 (patch) | |
tree | 8734f7798252182bae2dd15aee7b10577166ef55 | |
parent | 10305cf729a59ac43f752b31db154b0ee268a98b (diff) | |
download | keystone-570e47dbf3c0c24483be94e0d338acbb6dc2f2c9.tar.gz |
Remove assignment policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've
effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified
view of default service behavior by removing them.
This commit also removes some redundant tests in test_v3_protection
or corrects them.
Partial-Bug: 1806762
Change-Id: I008aed9c01b9e834a197444ff2dc1f6eb1ba25b1
(cherry picked from commit 64a455ef94c685d48605c0c40db37c2226707f57)
-rw-r--r-- | etc/policy.v3cloudsample.json | 1 | ||||
-rw-r--r-- | keystone/tests/unit/test_policy.py | 3 | ||||
-rw-r--r-- | keystone/tests/unit/test_v3_protection.py | 45 |
3 files changed, 4 insertions, 45 deletions
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index e79e5a1a4..73f3912e1 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -107,7 +107,6 @@
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
- "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 9462ba2ec..ad62deb68 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -235,7 +235,8 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_service',
'identity:list_services',
'identity:update_service',
- 'identity:delete_service'
+ 'identity:delete_service',
+ 'identity:list_role_assignments'
]
policy_keys = self._get_default_policy_rules()
for p in removed_policies:
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index c60371d0c..5e430683c 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -26,7 +26,6 @@ from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import temporaryfile
from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils
CONF = keystone.conf.CONF
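Review bot: In the test_policy.py hunk, `'identity:list_role_assignments'` is appended to removed_policies without a trailing comma, which is the same pattern that forced `'identity:delete_service'` to be rewritten in this very commit; writing `'identity:list_role_assignments',` keeps the next addition a one-line change. The list is a plain data literal, so the extra comma has no runtime effect.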
@@ -1338,8 +1337,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
collection_url = self.build_role_assignment_query_url(
domain_id=self.domainB['id'])
- self.get(collection_url, auth=self.auth,
- expected_status=http_client.FORBIDDEN)
+ r = self.get(collection_url, auth=self.auth)
+ self.assertEqual([], r.json_body['role_assignments'])
def test_domain_user_list_assignments_of_domain_failed(self):
self.auth = self.build_authentication_request(
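Review bot: The new assertion `self.assertEqual([], r.json_body['role_assignments'])` passes vacuously if the fixture gives domainB no role assignments at all, so on its own it no longer demonstrates that a domain-scoped caller cannot see another domain's assignments; the test method's setup is outside the hunk, so whether domainB carries any assignments cannot be confirmed here. If it does not, creating one assignment on domainB before the request (or asserting against a known non-zero count for a permitted domain in the same test) would make the check meaningful. Because the expected outcome moved from `http_client.FORBIDDEN` to an empty 200 response as a consequence of `identity:list_role_assignments` being dropped from the cloud sample in the first hunk, a comment such as `# The sample policy no longer overrides identity:list_role_assignments, so the request is authorized and other-domain assignments are presumably filtered out of the result rather than rejected with 403.` would record why an empty list is now the correct expectation. The following hunk also deletes test_project_admin_list_assignments_of_another_project_failed, so the cross-project denial case presumably needs equivalent coverage elsewhere.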
@@ -1404,46 +1403,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
- def test_project_admin_list_assignments_of_another_project_failed(self):
- projectB = unit.new_project_ref(domain_id=self.domainA['id'])
- PROVIDERS.resource_api.create_project(projectB['id'], projectB)
- admin_auth = self.build_authentication_request(
- user_id=self.project_admin_user['id'],
- password=self.project_admin_user['password'],
- project_id=self.project['id'])
-
- collection_url = self.build_role_assignment_query_url(
- project_id=projectB['id'])
- self.get(collection_url, auth=admin_auth,
- expected_status=exception.ForbiddenAction.code)
-
- @utils.wip('waiting on bug #1437407')
- def test_domain_admin_list_assignments_of_project(self):
- self.auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- collection_url = self.build_role_assignment_query_url(
- project_id=self.project['id'])
- r = self.get(collection_url, auth=self.auth)
- self.assertValidRoleAssignmentListResponse(
- r, expected_length=2, resource_url=collection_url)
-
- project_admin_entity = self.build_role_assignment_entity(
- project_id=self.project['id'],
- user_id=self.project_admin_user['id'],
- role_id=self.admin_role['id'],
- inherited_to_projects=False)
- project_user_entity = self.build_role_assignment_entity(
- project_id=self.project['id'],
- user_id=self.just_a_user['id'],
- role_id=self.role['id'],
- inherited_to_projects=False)
-
- self.assertRoleAssignmentInListResponse(r, project_admin_entity)
- self.assertRoleAssignmentInListResponse(r, project_user_entity)
-
def test_domain_admin_list_assignment_tree(self):
# Add a child project to the standard test data
sub_project = unit.new_project_ref(domain_id=self.domainA['id'], |