From c0e6d4498a7e6091212b2618a537eb786595397c Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 21 Nov 2018 22:26:25 +0000
Subject: [PATCH] Remove idp policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default idp behavior by removing them.

Change-Id: I6091d1cdbc4e1fa3a3d5f83a707f003416a43ea0
Closes-Bug: 1804517
---
 etc/policy.v3cloudsample.json | 6 ------
 keystone/tests/unit/test_policy.py | 7 ++++++-
 .../notes/bug-1804517-a351aec088fee066.yaml | 16 ++++++++++++++++
 3 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/bug-1804517-a351aec088fee066.yaml

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 4647e72ec6..40e32550c2 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -183,12 +183,6 @@
 "identity:add_endpoint_group_to_project": "rule:admin_required",
 "identity:remove_endpoint_group_from_project": "rule:admin_required",
 
- "identity:create_identity_provider": "rule:cloud_admin",
- "identity:list_identity_providers": "rule:cloud_admin",
- "identity:get_identity_provider": "rule:cloud_admin",
- "identity:update_identity_provider": "rule:cloud_admin",
- "identity:delete_identity_provider": "rule:cloud_admin",
-
 "identity:create_protocol": "rule:cloud_admin",
 "identity:update_protocol": "rule:cloud_admin",
 "identity:get_protocol": "rule:cloud_admin",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 608dcbf246..5cefa70b20 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -205,7 +205,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_mapping',
 'identity:list_mappings',
 'identity:update_mapping',
- 'identity:delete_mapping'
+ 'identity:delete_mapping',
+ 'identity:create_identity_provider',
+ 'identity:get_identity_provider',
+ 'identity:list_identity_providers',
+ 'identity:update_identity_provider',
+ 'identity:delete_identity_provider'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/releasenotes/notes/bug-1804517-a351aec088fee066.yaml b/releasenotes/notes/bug-1804517-a351aec088fee066.yaml
new file mode 100644
index 0000000000..f00b1a30fd
--- /dev/null
+++ b/releasenotes/notes/bug-1804517-a351aec088fee066.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ [`bug 1804517 `_]
+ The federated identity provider policies defined in
+ ``policy.v3cloudsample.json`` have been removed. These policies
+ are now obsolete after incorporating system-scope into the
+ identity provider API and implementing default roles.
+fixes:
+ - |
+ [`bug 1804517 `_]
+ The federated identity provider policies in
+ ``policy.v3cloudsample.json`` policy file have been removed in
+ favor of better defaults in code. These policies weren't tested
+ exhaustively and were misleading to users and operators.
+
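Review bot: The five `identity:*_identity_provider` entries added to `removed_policies` only establish that those keys are absent from the sample file; nothing in the hunk confirms the same keys are still registered in the in-code defaults, so a misspelled key in either place would pass unnoticed and an operator relying on the sample would silently fall through to whatever default applies. A comment above the list such as `# Rules dropped from policy.v3cloudsample.json; their in-code (system-scope) defaults now apply` would record why these keys are expected to be missing. If the test can reach the registered default rules, a companion assertion that each removed key is present there would catch a sample-file deletion that is not backed by a default. The enclosing test method and the body of the `for p in removed_policies:` loop continue outside the hunk.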