author | Colleen Murphy <colleen.murphy@suse.de> | 2019-08-13 13:09:41 -0700 |
committer | Colleen Murphy <colleen.murphy@suse.de> | 2019-08-16 15:20:12 -0700 |
commit | a09163a3202c32f05cf636559a95fe45c6ea272b (patch) | |
tree | 65af969ce2d44130a5cc588e8f079a945ca238be /keystone/tests/unit/test_cli.py | |
parent | 0df8d0e2e1519154ec76100f7a4c2fdc8c9c04bb (diff) | |
download | keystone-a09163a3202c32f05cf636559a95fe45c6ea272b.tar.gz |
Move delete_trust enforcement to default policies
Without this change, policy enforcement for the DELETE
/OS-TRUST/trusts/{trust_id} API is hardcoded in the flask dispatcher
code. This is a problem because this enforcement can't be controlled by
the operator, as is the norm. Moreover, it makes the transition to
system-scope and default-roles-aware policies more difficult because
there's no sensible migration from "" to a logical role-based check
string.
This converts the hardcoded enforcement to enforcement via default
policies for DELETE /OS-TRUST/trusts/{trust_id}. Currently only the
trustor or the is_admin user can access this API (since the is_admin
user bypasses the policy loading). This behavior will be changed in a
future patch that will allow the system admin to access this API.
This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.
Change-Id: I1aaba72b69b389ffbfcf7d5b8cc70453ffa59e73
Partial-bug: #1818850
Partial-bug: #1818846
Diffstat (limited to 'keystone/tests/unit/test_cli.py')
-rw-r--r-- | keystone/tests/unit/test_cli.py | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 67e35da56..f5b73f87c 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -1865,14 +1865,16 @@ class CliStatusTestCase(unit.SQLDriverOverrides, unit.TestCase):
     def test_check_safe_trust_policies(self):
         with open(self.policy_file_name, 'w') as f:
             overridden_policies = {
-                'identity:list_trusts': ''
+                'identity:list_trusts': '',
+                'identity:delete_trust': ''
             }
             f.write(jsonutils.dumps(overridden_policies))
         result = self.checks.check_trust_policies_are_not_empty()
         self.assertEqual(upgradecheck.Code.FAILURE, result.code)
         with open(self.policy_file_name, 'w') as f:
             overridden_policies = {
-                'identity:list_trusts': 'rule:admin_required'
+                'identity:list_trusts': 'rule:admin_required',
+                'identity:delete_trust': 'rule:admin_required'
             }
             f.write(jsonutils.dumps(overridden_policies))
         result = self.checks.check_trust_policies_are_not_empty() |
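Review bot: The new `'identity:delete_trust'` entries are only ever exercised in the same state as `'identity:list_trusts'` — both empty in the first override, both `rule:admin_required` in the second — so this test would still pass if `check_trust_policies_are_not_empty()` never looked at `identity:delete_trust` at all. The case that actually pins the new rule is one where `identity:list_trusts` is set and only `identity:delete_trust` is `''`, which must still yield `upgradecheck.Code.FAILURE`. The check itself is outside this hunk, so whether it already inspects both keys cannot be confirmed here, and `test_check_safe_trust_policies` continues past the end of the hunk (the assertion for the second override is not shown). I would add the override below as a separate case before the all-valid override.

```python
        # … unchanged: first override with both rules empty, FAILURE assertion …
        with open(self.policy_file_name, 'w') as f:
            overridden_policies = {
                'identity:list_trusts': 'rule:admin_required',
                'identity:delete_trust': ''
            }
            f.write(jsonutils.dumps(overridden_policies))
        result = self.checks.check_trust_policies_are_not_empty()
        self.assertEqual(upgradecheck.Code.FAILURE, result.code)
        # … unchanged: override with both rules set to rule:admin_required …
```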