Policy in code

Adding the beginning implementation for registering and using
default policy rules in code. Rules are defined in the new
policies module and added to the return list __init__.py.
Default policies can now be maintained in code and registered
via listing mechanisms in the policies module. As we go, we
can remove the duplicated default policies from our policy.json
file.

This commit specifically:
- Creates a new module called `policies` to hold our in code defaults.
- Ensure we pass our in code policy list to our policy ENFORCER.
- Add base policy module for common policy rules.
- Add service default policy module for policy rules.
- Add endpoint default policy module for policy rules.
- Add regions default policy module for policy rules.

partially-implements blueprint policy-in-code
Co-Authored-By: Richard Avelar csravelar@gmail.com
Change-Id: Ic47b1e8b0d479032d8a7b9891ed9800be7036d94

1 files changed, 2 insertions, 1 deletions

diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index c15de646a..d60c411e9 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -37,6 +37,7 @@ import webob.exc
 
 from keystone.common import dependency
 from keystone.common import json_home
+from keystone.common import policy
 from keystone.common import request as request_mod
 from keystone.common import utils
 import keystone.conf
@@ -312,7 +313,7 @@ class Application(BaseApplication):
 
             creds['roles'] = user_token_ref.role_names
             # Accept either is_admin or the admin role
-            self.policy_api.enforce(creds, 'admin_required', {})
+            policy.enforce(creds, 'admin_required', {})
 
     def _attribute_is_empty(self, ref, attribute):
         """Determine if the attribute in ref is empty or None."""