Remove system EC2 credentials from policy.v3cloudsample.json

By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
Partial-Bug: #1806762
Closes-Bug: #1750678

3 files changed, 38 insertions, 3 deletions

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 8487a34a4..df060863a 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -16,9 +16,6 @@
     "identity:get_project_tag": "rule:admin_required",
     "identity:list_project_tags": "rule:admin_required",
 
-    "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
-    "identity:ec2_create_credential": "rule:admin_required or rule:owner",
-
     "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
     "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
     "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 67df10ecf..481973640 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -248,8 +248,10 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:delete_service_provider',
             'identity:delete_trust',
             'identity:delete_user',
+            'identity:ec2_create_credential',
             'identity:ec2_delete_credential',
             'identity:ec2_get_credential',
+            'identity:ec2_list_credentials',
             'identity:get_access_rule',
             'identity:get_access_token',
             'identity:get_access_token_role',
diff --git a/releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml b/releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml
new file mode 100644
index 000000000..2c45856c6
--- /dev/null
+++ b/releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml
@@ -0,0 +1,36 @@
+---
+features:
+  - |
+    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
+    The EC2 credentials API now supports the ``admin``,
+    ``member``, and ``reader`` default roles.
+
+upgrade:
+  - |
+    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
+    The EC2 credentials API uses new default policies to
+    make it more accessible to end users and administrators in a secure way.
+    Please consider these new defaults if your deployment overrides EC2
+    credentials consumer policies.
+deprecations:
+  - |
+    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
+    The EC2 credentials policies have been deprecated. The
+    ``identity:ec2_get_credentials`` now use  ``(role:reader and system_scope:all)
+    or user_id:%(target.credential.user_id)s`` instead of
+    ``rule:admin_required``and ``identity:ec2_list_credentials`` policies now use
+    ``role:reader and system_scope:all or rule:owner`` instead of
+    ``rule:admin_required``. The ``identity:ec2_delete_credentials`` now use
+    ``(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s``
+    instead of ``rule:admin_required``and ``identity:ec2_create_credentials``
+    policies now use ``role:admin and system_scope:all or rule:owner`` instead of
+    ``rule:admin_required``.
+    These new defaults automatically account for system-scope and support
+    a read-only role, making it easier for system administrators to delegate
+    subsets of responsibility without compromising security. Please consider
+    these new defaults if your deployment overrides the EC2 credentials policies.
+security:
+  - |
+    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
+    The EC2 credentials API now uses system-scope and default
+    roles to provide better accessibility to users in a secure manner.