authorLance Bragstad <lbragstad@gmail.com>2019-04-02 15:17:18 +0000
committerLance Bragstad <lbragstad@gmail.com>2019-04-02 19:41:36 +0000
commitc78581b4608f3dc10e945d358963000f284f188a (patch)
tree3a32aec55dfd80440c0c0cc67f767f53374ba10d
parent2c102cad4769c1a6f6713c1379a1760f03ea0172 (diff)
downloadkeystone-15.0.0.0rc2.tar.gz
DRY: Remove redundant policies from policy.v3cloudsample.json15.0.0.0rc215.0.0
The policies contained in policy.v3cloudsample.json pre-dated any of the work to move policy defaults into code. Since deploying a policy file is now optional, we can remove the redundant policies from this file and make it more maintainable by not repeating ourselves and violating the DRY principle. The only policies left are ones that are testing workarounds for bug 968696. Meanwhile, we're pursuing fixes for scope types and default roles: http://tinyurl.com/y5kj6fn9 These fixes are specific to certain resources to make reviews more understandable for reviewers. As fixes for those bugs land, we will be removing the remaining checks in this file, since the behavior will be captured in new default check strings or in code. Eventually, we will delete this file entirely since we will have defaults in code that work for `admins`, `members`, and `readers` on projects, domains, and the deployment system. Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83 Partial-Bug: 1806762 (cherry picked from commit bb141b1fb49c5391530399777586611f2a4b2e6d)
-rw-r--r--etc/policy.v3cloudsample.json67
-rw-r--r--keystone/tests/unit/test_policy.py56
-rw-r--r--releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml8
3 files changed, 65 insertions, 66 deletions
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 188eb0d8e..fdbe357be 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -1,8 +1,6 @@
{
"admin_required": "role:admin",
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
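Review bot: The `service_or_admin` rule deleted in this hunk is still referenced by a line that survives in the new file, `"identity:validate_token_head": "rule:service_or_admin"`, shown as context in the third hunk (`@@ -78,57 +68,8 @@`), so the sample now carries an override that points at a rule it no longer defines. In oslo.policy an undefined `rule:` reference evaluates as a failed check, so as far as I can tell deploying this file would deny `validate_token_head` to every caller, service accounts included, rather than fall back to the in-code default. If the in-code default for that target is the intended behaviour, remove the line `"identity:validate_token_head": "rule:service_or_admin",` from the file as well and add `'identity:validate_token_head'` to `removed_policies` in test_policy.py; otherwise keep the `service_role` and `service_or_admin` definitions. `rule:service_admin_or_owner` on the preceding context line is defined outside the hunks shown, so I could not verify it here.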
@@ -10,24 +8,16 @@
"default": "rule:admin_required",
- "identity:get_limit_model": "",
"identity:get_limit": "",
- "identity:list_limits": "",
"identity:create_limits": "rule:admin_required",
"identity:update_limit": "rule:admin_required",
"identity:delete_limit": "rule:admin_required",
- "identity:create_project_tag": "rule:admin_required",
- "identity:delete_project_tag": "rule:admin_required",
"identity:get_project_tag": "rule:admin_required",
"identity:list_project_tags": "rule:admin_required",
- "identity:delete_project_tags": "rule:admin_required",
- "identity:update_project_tags": "rule:admin_required",
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
@@ -78,57 +68,8 @@
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
- "identity:get_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
- "identity:get_auth_system": "",
-
- "identity:list_projects_for_user": "",
- "identity:list_domains_for_user": "",
-
- "identity:list_revoke_events": "rule:service_or_admin",
-
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
@@ -143,13 +84,7 @@
"identity:create_domain_config": "rule:cloud_admin",
"identity:get_domain_config": "rule:cloud_admin",
- "identity:get_security_compliance_domain_config": "",
"identity:update_domain_config": "rule:cloud_admin",
"identity:delete_domain_config": "rule:cloud_admin",
- "identity:get_domain_config_default": "rule:cloud_admin",
-
- "identity:get_application_credential": "rule:admin_or_owner",
- "identity:list_application_credentials": "rule:admin_or_owner",
- "identity:create_application_credential": "rule:admin_or_owner",
- "identity:delete_application_credential": "rule:admin_or_owner"
+ "identity:get_domain_config_default": "rule:cloud_admin"
}
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 79f02897a..db8db5ffd 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -181,6 +181,62 @@ class PolicyJsonTestCase(unit.TestCase):
# TODO(lbragstad): Once all policies have been removed from
# policy.v3cloudsample.json, remove this test.
removed_policies = [
+ 'service_role',
+ 'service_or_admin',
+ 'identity:get_limit_model',
+ 'identity:list_limits',
+ 'identity:create_project_tag',
+ 'identity:delete_project_tag',
+ 'identity:delete_project_tags',
+ 'identity:update_project_tags',
+ 'identity:ec2_get_credential',
+ 'identity:ec2_delete_credential',
+ 'identity:revocation_list',
+ 'identity:create_trust',
+ 'identity:list_trusts',
+ 'identity:list_roles_for_trust',
+ 'identity:get_role_for_trust',
+ 'identity:delete_trust',
+ 'identity:get_trust',
+ 'identity:create_consumer',
+ 'identity:get_consumer',
+ 'identity:list_consumers',
+ 'identity:delete_consumer',
+ 'identity:update_consumer',
+ 'identity:authorize_request_token',
+ 'identity:list_access_token_roles',
+ 'identity:get_access_token_role',
+ 'identity:list_access_tokens',
+ 'identity:get_access_token',
+ 'identity:delete_access_token',
+ 'identity:list_projects_for_endpoint',
+ 'identity:add_endpoint_to_project',
+ 'identity:check_endpoint_in_project',
+ 'identity:list_endpoints_for_project',
+ 'identity:remove_endpoint_from_project',
+ 'identity:create_endpoint_group',
+ 'identity:list_endpoint_groups',
+ 'identity:get_endpoint_group',
+ 'identity:update_endpoint_group',
+ 'identity:delete_endpoint_group',
+ 'identity:list_projects_associated_with_endpoint_group',
+ 'identity:list_endpoints_associated_with_endpoint_group',
+ 'identity:get_endpoint_group_in_project',
+ 'identity:list_endpoint_groups_for_project',
+ 'identity:add_endpoint_group_to_project',
+ 'identity:remove_endpoint_group_from_project',
+ 'identity:get_auth_catalog',
+ 'identity:get_auth_projects',
+ 'identity:get_auth_domains',
+ 'identity:get_auth_system',
+ 'identity:list_projects_for_user',
+ 'identity:list_domains_for_user',
+ 'identity:list_revoke_events',
+ 'identity:get_security_compliance_domain_config',
+ 'identity:get_application_credential',
+ 'identity:list_application_credentials',
+ 'identity:create_application_credential',
+ 'identity:delete_application_credential',
'identity:create_credential',
'identity:get_credential',
'identity:list_credentials',
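Review bot: The extended `removed_policies` list only proves that each name is absent from policy.v3cloudsample.json; nothing here catches a rule alias that was removed while a check string in the file still references it, which is the state this commit leaves `service_or_admin` in (`identity:validate_token_head` still reads `rule:service_or_admin`). Consider adding an assertion to this test case that loads the sample file, extracts every `rule:<name>` token from the check-string values, and asserts each `<name>` is a key of the file, so future removals of aliases like `service_role` and `service_or_admin` fail fast instead of silently turning into deny-all overrides. The enclosing test method starts outside the hunk, so I could not see what `removed_policies` is currently compared against.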
diff --git a/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml b/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml
index 61240a573..a0b1e1be9 100644
--- a/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml
+++ b/releasenotes/notes/bug-1806762-c3bfc71cb9bb94f3.yaml
@@ -10,6 +10,14 @@ upgrade:
users with role assignments on a domain to retrieve that domain,
as opposed to only allowing users with the ``admin`` role to access
that policy.
+
+ All policies in ``policy.v3cloudsample.json`` that are redundant with the
+ defaults in code have been removed. This improves maintainability and
+ leaves the ``policy.v3cloudsample.json`` policy file with only
+ overrides. These overrides will eventually be moved into code or new
+ defaults in keystone directly. If you're using the policies removed
+ from ``policy.v3cloudsample.json`` please check to see if you can migrate
+ to the new defaults or continue maintaining the policy as an override.
fixes:
- |
[`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]