Fix oslo policy DeprecatedRule warnings

Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.

These warnings are logged for every test which increase the
log size and sometime can full the log buffer and fail the
job.

[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538

Change-Id: Id9d89a04b480cbdcefead93ce55a1f174f948f5d

keystone/common/policies/application_credential.py

@@ -18,24 +18,31 @@ from keystone.common.policies import base
 collection_path = '/v3/users/{user_id}/application_credentials'
 resource_path = collection_path + '/{application_credential_id}'
 
-deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_application_credentials',
-    check_str=base.RULE_ADMIN_OR_OWNER
-)
-deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_application_credentials',
-    check_str=base.RULE_ADMIN_OR_OWNER
-)
-deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_application_credentials',
-    check_str=base.RULE_ADMIN_OR_OWNER
-)
-
 DEPRECATED_REASON = (
     "The application credential API is now aware of system scope and default "
     "roles."
 )
 
+deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_application_credentials',
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_application_credentials',
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_application_credentials',
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+
 application_credential_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_application_credential',
@@ -46,9 +53,7 @@ application_credential_policies = [
                      'method': 'GET'},
                     {'path': resource_path,
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_application_credentials_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_application_credentials_for_user),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_application_credentials',
         check_str=base.RULE_SYSTEM_READER_OR_OWNER,
@@ -58,9 +63,7 @@ application_credential_policies = [
                      'method': 'GET'},
                     {'path': collection_path,
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_application_credentials_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_application_credentials_for_user),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_application_credential',
         check_str=base.RULE_OWNER,
@@ -75,9 +78,7 @@ application_credential_policies = [
         description='Delete an application credential.',
         operations=[{'path': resource_path,
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_application_credentials_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_delete_application_credentials_for_user)
 ]
 
 

keystone/common/policies/consumer.py

@@ -15,31 +15,42 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_get_consumer = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_consumer',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_consumers = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_consumers',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_consumer = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_consumer',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_consumer = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_consumer',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_consumer = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_consumer',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The OAUTH1 consumer API is now aware of system scope and default roles."
 )
 
+deprecated_get_consumer = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_consumer',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_list_consumers = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_consumers',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_create_consumer = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_consumer',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_update_consumer = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_consumer',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_delete_consumer = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_consumer',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+
 consumer_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_consumer',
@@ -48,9 +59,7 @@ consumer_policies = [
         description='Show OAUTH1 consumer details.',
         operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_get_consumer,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_consumer),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_consumers',
         check_str=base.SYSTEM_READER,
@@ -58,9 +67,7 @@ consumer_policies = [
         description='List OAUTH1 consumers.',
         operations=[{'path': '/v3/OS-OAUTH1/consumers',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_consumers,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_consumers),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_consumer',
         check_str=base.SYSTEM_ADMIN,
@@ -68,9 +75,7 @@ consumer_policies = [
         description='Create OAUTH1 consumer.',
         operations=[{'path': '/v3/OS-OAUTH1/consumers',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_consumer,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_consumer),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_consumer',
         check_str=base.SYSTEM_ADMIN,
@@ -78,9 +83,7 @@ consumer_policies = [
         description='Update OAUTH1 consumer.',
         operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_consumer,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_update_consumer),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_consumer',
         check_str=base.SYSTEM_ADMIN,
@@ -88,9 +91,7 @@ consumer_policies = [
         description='Delete OAUTH1 consumer.',
         operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_consumer,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_consumer),
 ]
 
 

keystone/common/policies/credential.py

@@ -21,23 +21,33 @@ DEPRECATED_REASON = (
 
 deprecated_get_credential = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_credential',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_credentials = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_credentials',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_credential = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_credential',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_credential = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_credential',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_credential = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_credential',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 
 
@@ -50,8 +60,6 @@ credential_policies = [
         operations=[{'path': '/v3/credentials/{credential_id}',
                      'method': 'GET'}],
         deprecated_rule=deprecated_get_credential,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_credentials',
@@ -61,8 +69,6 @@ credential_policies = [
         operations=[{'path': '/v3/credentials',
                      'method': 'GET'}],
         deprecated_rule=deprecated_list_credentials,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_credential',
@@ -72,8 +78,6 @@ credential_policies = [
         operations=[{'path': '/v3/credentials',
                      'method': 'POST'}],
         deprecated_rule=deprecated_create_credential,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_credential',
@@ -83,8 +87,6 @@ credential_policies = [
         operations=[{'path': '/v3/credentials/{credential_id}',
                      'method': 'PATCH'}],
         deprecated_rule=deprecated_update_credential,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_credential',
@@ -94,8 +96,6 @@ credential_policies = [
         operations=[{'path': '/v3/credentials/{credential_id}',
                      'method': 'DELETE'}],
         deprecated_rule=deprecated_delete_credential,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     )
 ]
 

keystone/common/policies/domain.py

@@ -21,23 +21,33 @@ DEPRECATED_REASON = (
 
 deprecated_list_domains = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_domains',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_get_domain = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_domain',
-    check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN
+    check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_domain = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_domain',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_domain = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_domain',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_domain = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_domain',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
     '(role:reader and system_scope:all) or '
@@ -56,9 +66,7 @@ domain_policies = [
         description='Show domain details.',
         operations=[{'path': '/v3/domains/{domain_id}',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_get_domain,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_domain),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_domains',
         check_str=base.SYSTEM_READER,
@@ -66,9 +74,7 @@ domain_policies = [
         description='List domains.',
         operations=[{'path': '/v3/domains',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_domains,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_domains),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_domain',
         check_str=base.SYSTEM_ADMIN,
@@ -76,9 +82,7 @@ domain_policies = [
         description='Create domain.',
         operations=[{'path': '/v3/domains',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_domain,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_domain),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_domain',
         check_str=base.SYSTEM_ADMIN,
@@ -86,9 +90,7 @@ domain_policies = [
         description='Update domain.',
         operations=[{'path': '/v3/domains/{domain_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_domain,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_domain),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_domain',
         check_str=base.SYSTEM_ADMIN,
@@ -96,9 +98,7 @@ domain_policies = [
         description='Delete domain.',
         operations=[{'path': '/v3/domains/{domain_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_domain,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_delete_domain),
 ]
 
 

keystone/common/policies/domain_config.py

@@ -15,36 +15,46 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
+DEPRECATED_REASON = (
+    "The domain config API is now aware of system scope and default roles."
+)
+
 deprecated_get_domain_config = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_domain_config',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_get_domain_config_default = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_domain_config_default',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_domain_config = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_domain_config',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_update_domain_config = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_domain_config',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_domain_config = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_domain_config',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 
-DEPRECATED_REASON = (
-    "The domain config API is now aware of system scope and default roles."
-)
-
 domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_domain_config',
@@ -65,9 +75,7 @@ domain_config_policies = [
                 'method': 'PUT'
             }
         ],
-        deprecated_rule=deprecated_create_domain_config,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
+        deprecated_rule=deprecated_create_domain_config
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_domain_config',
@@ -103,8 +111,6 @@ domain_config_policies = [
             }
         ],
         deprecated_rule=deprecated_get_domain_config,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_security_compliance_domain_config',
@@ -156,8 +162,6 @@ domain_config_policies = [
             }
         ],
         deprecated_rule=deprecated_update_domain_config,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_domain_config',
@@ -180,8 +184,6 @@ domain_config_policies = [
             }
         ],
         deprecated_rule=deprecated_delete_domain_config,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_domain_config_default',
@@ -216,8 +218,6 @@ domain_config_policies = [
             }
         ],
         deprecated_rule=deprecated_get_domain_config_default,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
     )
 ]
 

keystone/common/policies/ec2_credential.py

@@ -15,27 +15,36 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_ec2_get_credential = policy.DeprecatedRule(
-    name=base.IDENTITY % 'ec2_get_credential',
-    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
-)
-deprecated_ec2_list_credentials = policy.DeprecatedRule(
-    name=base.IDENTITY % 'ec2_list_credentials',
-    check_str=base.RULE_ADMIN_OR_OWNER
-)
-deprecated_ec2_create_credentials = policy.DeprecatedRule(
-    name=base.IDENTITY % 'ec2_create_credentials',
-    check_str=base.RULE_ADMIN_OR_OWNER
-)
-deprecated_ec2_delete_credentials = policy.DeprecatedRule(
-    name=base.IDENTITY % 'ec2_delete_credentials',
-    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
-)
-
 DEPRECATED_REASON = (
     "The EC2 credential API is now aware of system scope and default roles."
 )
 
+deprecated_ec2_get_credential = policy.DeprecatedRule(
+    name=base.IDENTITY % 'ec2_get_credential',
+    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_ec2_list_credentials = policy.DeprecatedRule(
+    name=base.IDENTITY % 'ec2_list_credentials',
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_ec2_create_credentials = policy.DeprecatedRule(
+    name=base.IDENTITY % 'ec2_create_credentials',
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_ec2_delete_credentials = policy.DeprecatedRule(
+    name=base.IDENTITY % 'ec2_delete_credentials',
+    check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+
 ec2_credential_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'ec2_get_credential',
@@ -45,9 +54,7 @@ ec2_credential_policies = [
         operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
                               '{credential_id}'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_ec2_get_credential,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
+        deprecated_rule=deprecated_ec2_get_credential
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'ec2_list_credentials',
@@ -57,8 +64,6 @@ ec2_credential_policies = [
         operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
                      'method': 'GET'}],
         deprecated_rule=deprecated_ec2_list_credentials,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'ec2_create_credential',
@@ -68,8 +73,6 @@ ec2_credential_policies = [
         operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
                      'method': 'POST'}],
         deprecated_rule=deprecated_ec2_create_credentials,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'ec2_delete_credential',
@@ -80,8 +83,6 @@ ec2_credential_policies = [
                               '{credential_id}'),
                      'method': 'DELETE'}],
         deprecated_rule=deprecated_ec2_delete_credentials,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN
     )
 ]
 

keystone/common/policies/endpoint.py

@@ -15,24 +15,34 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
+DEPRECATED_REASON = (
+    "The endpoint API is now aware of system scope and default roles."
+)
+
 deprecated_get_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_endpoints = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-DEPRECATED_REASON = (
-    "The endpoint API is now aware of system scope and default roles."
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 
 
@@ -44,9 +54,7 @@ endpoint_policies = [
         description='Show endpoint details.',
         operations=[{'path': '/v3/endpoints/{endpoint_id}',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_get_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_endpoints',
         check_str=base.SYSTEM_READER,
@@ -54,9 +62,7 @@ endpoint_policies = [
         description='List endpoints.',
         operations=[{'path': '/v3/endpoints',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_endpoints,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_endpoints),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_endpoint',
         check_str=base.SYSTEM_ADMIN,
@@ -64,9 +70,7 @@ endpoint_policies = [
         description='Create endpoint.',
         operations=[{'path': '/v3/endpoints',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_endpoint',
         check_str=base.SYSTEM_ADMIN,
@@ -74,9 +78,7 @@ endpoint_policies = [
         description='Update endpoint.',
         operations=[{'path': '/v3/endpoints/{endpoint_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_endpoint',
         check_str=base.SYSTEM_ADMIN,
@@ -84,9 +86,7 @@ endpoint_policies = [
         description='Delete endpoint.',
         operations=[{'path': '/v3/endpoints/{endpoint_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN)
+        deprecated_rule=deprecated_delete_endpoint)
 ]
 
 

keystone/common/policies/endpoint_group.py

@@ -15,64 +15,85 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
+DEPRECATED_REASON = (
+    "The endpoint groups API is now aware of system scope and default roles."
+)
+
 deprecated_list_endpoint_groups = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_endpoint_groups',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_get_endpoint_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_endpoint_group',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_get_endpoint_group_in_project = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_endpoint_group_in_project',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_endpoint_groups_for_project',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_endpoint_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_endpoint_group',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_update_endpoint_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_endpoint_group',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_endpoint_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_endpoint_group',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_add_endpoint_group_to_project = policy.DeprecatedRule(
     name=base.IDENTITY % 'add_endpoint_group_to_project',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
     name=base.IDENTITY % 'remove_endpoint_group_from_project',
     check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-
-DEPRECATED_REASON = (
-    "The endpoint groups API is now aware of system scope and default roles."
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 
@@ -84,9 +105,7 @@ group_endpoint_policies = [
         description='Create endpoint group.',
         operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_endpoint_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_endpoint_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_endpoint_groups',
         check_str=base.SYSTEM_READER,
@@ -94,9 +113,7 @@ group_endpoint_policies = [
         description='List endpoint groups.',
         operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_endpoint_groups,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_endpoint_groups),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_endpoint_group',
         check_str=base.SYSTEM_READER,
@@ -108,9 +125,7 @@ group_endpoint_policies = [
                     {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}'),
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_endpoint_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_endpoint_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_endpoint_group',
         check_str=base.SYSTEM_ADMIN,
@@ -119,9 +134,7 @@ group_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}'),
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_endpoint_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_update_endpoint_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_endpoint_group',
         check_str=base.SYSTEM_ADMIN,
@@ -130,9 +143,7 @@ group_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_endpoint_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_endpoint_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
         check_str=base.SYSTEM_READER,
@@ -142,9 +153,7 @@ group_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}/projects'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
         check_str=base.SYSTEM_READER,
@@ -153,9 +162,7 @@ group_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}/endpoints'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_endpoint_group_in_project',
         check_str=base.SYSTEM_READER,
@@ -168,9 +175,7 @@ group_endpoint_policies = [
                     {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}/projects/{project_id}'),
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_endpoint_group_in_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_endpoint_group_in_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_endpoint_groups_for_project',
         check_str=base.SYSTEM_READER,
@@ -179,9 +184,7 @@ group_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
                               'endpoint_groups'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_endpoint_groups_for_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_endpoint_groups_for_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'add_endpoint_group_to_project',
         check_str=base.SYSTEM_ADMIN,
@@ -190,9 +193,7 @@ group_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}/projects/{project_id}'),
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_add_endpoint_group_to_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_add_endpoint_group_to_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'remove_endpoint_group_from_project',
         check_str=base.SYSTEM_ADMIN,
@@ -201,9 +202,7 @@ group_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                               '{endpoint_group_id}/projects/{project_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_remove_endpoint_group_from_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_remove_endpoint_group_from_project)
 ]
 
 

keystone/common/policies/grant.py

@@ -66,55 +66,80 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
     '(' + DOMAIN_MATCHES_ROLE + ')'
 )
 
-deprecated_check_system_grant_for_user = policy.DeprecatedRule(
-    name=base.IDENTITY % 'check_system_grant_for_user',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_system_grants_for_user = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_system_grants_for_user',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_system_grant_for_user = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_system_grant_for_user',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
-    name=base.IDENTITY % 'revoke_system_grant_for_user',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_check_system_grant_for_group = policy.DeprecatedRule(
-    name=base.IDENTITY % 'check_system_grant_for_group',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_system_grants_for_group = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_system_grants_for_group',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_system_grant_for_group = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_system_grant_for_group',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
-    name=base.IDENTITY % 'revoke_system_grant_for_group',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_grants = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_check_grant = policy.DeprecatedRule(
-    name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_grant = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_revoke_grant = policy.DeprecatedRule(
-    name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The assignment API is now aware of system scope and default roles."
 )
 
+deprecated_check_system_grant_for_user = policy.DeprecatedRule(
+    name=base.IDENTITY % 'check_system_grant_for_user',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_system_grants_for_user = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_system_grants_for_user',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_system_grant_for_user = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_system_grant_for_user',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
+    name=base.IDENTITY % 'revoke_system_grant_for_user',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_check_system_grant_for_group = policy.DeprecatedRule(
+    name=base.IDENTITY % 'check_system_grant_for_group',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_system_grants_for_group = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_system_grants_for_group',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_system_grant_for_group = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_system_grant_for_group',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
+    name=base.IDENTITY % 'revoke_system_grant_for_group',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_grants = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_check_grant = policy.DeprecatedRule(
+    name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_grant = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_revoke_grant = policy.DeprecatedRule(
+    name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+
+
 resource_paths = [
     '/projects/{project_id}/users/{user_id}/roles/{role_id}',
     '/projects/{project_id}/groups/{group_id}/roles/{role_id}',
@@ -167,9 +192,7 @@ grant_policies = [
                      'are inherited to all projects in the subtree, if '
                      'applicable.'),
         operations=list_operations(resource_paths, ['HEAD', 'GET']),
-        deprecated_rule=deprecated_check_grant,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_check_grant),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_grants',
         check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
@@ -181,9 +204,7 @@ grant_policies = [
                      'domains, where grants are inherited to all projects '
                      'in the specified domain.'),
         operations=list_grants_operations,
-        deprecated_rule=deprecated_list_grants,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_grants),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_grant',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -195,9 +216,7 @@ grant_policies = [
                      'are inherited to all projects in the subtree, if '
                      'applicable.'),
         operations=list_operations(resource_paths, ['PUT']),
-        deprecated_rule=deprecated_create_grant,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_grant),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'revoke_grant',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -211,9 +230,7 @@ grant_policies = [
                      'the target would remove the logical effect of '
                      'inheriting it to the target\'s projects subtree.'),
         operations=list_operations(resource_paths, ['DELETE']),
-        deprecated_rule=deprecated_revoke_grant,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_revoke_grant),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_system_grants_for_user',
         check_str=base.SYSTEM_READER,
@@ -226,8 +243,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_list_system_grants_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_system_grant_for_user',
@@ -241,8 +256,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_check_system_grant_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_system_grant_for_user',
@@ -256,8 +269,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_create_system_grant_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'revoke_system_grant_for_user',
@@ -271,8 +282,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_revoke_system_grant_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_system_grants_for_group',
@@ -286,8 +295,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_list_system_grants_for_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_system_grant_for_group',
@@ -301,8 +308,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_check_system_grant_for_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_system_grant_for_group',
@@ -316,8 +321,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_create_system_grant_for_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'revoke_system_grant_for_group',
@@ -331,8 +334,6 @@ grant_policies = [
             }
         ],
         deprecated_rule=deprecated_revoke_system_grant_for_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     )
 ]
 

keystone/common/policies/group.py

@@ -51,43 +51,63 @@ DEPRECATED_REASON = (
 
 deprecated_get_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_groups = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_groups',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_groups_for_user = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_groups_for_user',
-    check_str=base.RULE_ADMIN_OR_OWNER
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_users_in_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_users_in_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_check_user_in_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'check_user_in_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_remove_user_from_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'remove_user_from_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_add_user_to_group = policy.DeprecatedRule(
     name=base.IDENTITY % 'add_user_to_group',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 
 group_policies = [
@@ -100,9 +120,7 @@ group_policies = [
                      'method': 'GET'},
                     {'path': '/v3/groups/{group_id}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_groups',
         check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -112,9 +130,7 @@ group_policies = [
                      'method': 'GET'},
                     {'path': '/v3/groups',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_groups,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_groups),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_groups_for_user',
         check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
@@ -124,9 +140,7 @@ group_policies = [
                      'method': 'GET'},
                     {'path': '/v3/users/{user_id}/groups',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_groups_for_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_groups_for_user),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_group',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -134,9 +148,7 @@ group_policies = [
         description='Create group.',
         operations=[{'path': '/v3/groups',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_group',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -144,9 +156,7 @@ group_policies = [
         description='Update group.',
         operations=[{'path': '/v3/groups/{group_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_group',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -154,9 +164,7 @@ group_policies = [
         description='Delete group.',
         operations=[{'path': '/v3/groups/{group_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_delete_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_users_in_group',
         check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -166,9 +174,7 @@ group_policies = [
                      'method': 'GET'},
                     {'path': '/v3/groups/{group_id}/users',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_users_in_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_users_in_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'remove_user_from_group',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
@@ -176,9 +182,7 @@ group_policies = [
         description='Remove user from group.',
         operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_remove_user_from_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_remove_user_from_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_user_in_group',
         check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
@@ -188,9 +192,7 @@ group_policies = [
                      'method': 'HEAD'},
                     {'path': '/v3/groups/{group_id}/users/{user_id}',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_check_user_in_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_check_user_in_group),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'add_user_to_group',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
@@ -198,9 +200,7 @@ group_policies = [
         description='Add user to group.',
         operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_add_user_to_group,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN)
+        deprecated_rule=deprecated_add_user_to_group)
 ]
 
 

keystone/common/policies/identity_provider.py

@@ -15,31 +15,42 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_get_idp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_identity_providers',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_idp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_identity_providers',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_idp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_identity_providers',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_idp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_identity_providers',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_idp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_identity_providers',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The identity provider API is now aware of system scope and default roles."
 )
 
+deprecated_get_idp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_identity_providers',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_idp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_identity_providers',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_idp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_identity_providers',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_idp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_identity_providers',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_idp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_identity_providers',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+
+
 identity_provider_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_identity_provider',
@@ -54,9 +65,7 @@ identity_provider_policies = [
         description='Create identity provider.',
         operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_idp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_idp),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_identity_providers',
         check_str=base.SYSTEM_READER,
@@ -73,8 +82,6 @@ identity_provider_policies = [
             }
         ],
         deprecated_rule=deprecated_list_idp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_identity_provider',
@@ -92,8 +99,6 @@ identity_provider_policies = [
             }
         ],
         deprecated_rule=deprecated_get_idp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_identity_provider',
@@ -102,9 +107,7 @@ identity_provider_policies = [
         description='Update identity provider.',
         operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_idp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_idp),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_identity_provider',
         check_str=base.SYSTEM_ADMIN,
@@ -112,9 +115,7 @@ identity_provider_policies = [
         description='Delete identity provider.',
         operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_idp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_delete_idp),
 ]
 
 

keystone/common/policies/implied_role.py

@@ -15,33 +15,45 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
+DEPRECATED_REASON = (
+    "The implied role API is now aware of system scope and default roles."
+)
+
 deprecated_get_implied_role = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_implied_role',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_implied_roles = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_implied_roles',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_role_inference_rules = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_role_inference_rules',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_check_implied_role = policy.DeprecatedRule(
     name=base.IDENTITY % 'check_implied_role',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_create_implied_role = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_implied_role',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_implied_role = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_implied_role',
     check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-DEPRECATED_REASON = (
-    "The implied role API is now aware of system scope and default roles."
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 
@@ -61,9 +73,7 @@ implied_role_policies = [
         operations=[
             {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
              'method': 'GET'}],
-        deprecated_rule=deprecated_get_implied_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_implied_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_implied_roles',
         check_str=base.SYSTEM_READER,
@@ -77,9 +87,7 @@ implied_role_policies = [
         operations=[
             {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
             {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_implied_roles,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_implied_roles),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_implied_role',
         check_str=base.SYSTEM_ADMIN,
@@ -91,9 +99,7 @@ implied_role_policies = [
         operations=[
             {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
              'method': 'PUT'}],
-        deprecated_rule=deprecated_create_implied_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_implied_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_implied_role',
         check_str=base.SYSTEM_ADMIN,
@@ -106,9 +112,7 @@ implied_role_policies = [
         operations=[
             {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
              'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_implied_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_implied_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_role_inference_rules',
         check_str=base.SYSTEM_READER,
@@ -120,9 +124,7 @@ implied_role_policies = [
         operations=[
             {'path': '/v3/role_inferences', 'method': 'GET'},
             {'path': '/v3/role_inferences', 'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_role_inference_rules,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_role_inference_rules),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_implied_role',
         check_str=base.SYSTEM_READER,
@@ -134,9 +136,7 @@ implied_role_policies = [
         operations=[
             {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
              'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_implied_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_check_implied_role),
 ]
 
 

keystone/common/policies/mapping.py

@@ -15,31 +15,42 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_get_mapping = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_mapping',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_mappings = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_mappings',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_mapping = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_mapping',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_mapping = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_mapping',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_mapping = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_mapping',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The federated mapping API is now aware of system scope and default roles."
 )
 
+deprecated_get_mapping = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_mapping',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_mappings = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_mappings',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_mapping = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_mapping',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_mapping = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_mapping',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_mapping = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_mapping',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+
+
 mapping_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_mapping',
@@ -55,9 +66,7 @@ mapping_policies = [
                      'more sets of rules.'),
         operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_mapping,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_mapping),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_mapping',
         check_str=base.SYSTEM_READER,
@@ -73,9 +82,7 @@ mapping_policies = [
                 'method': 'HEAD'
             }
         ],
-        deprecated_rule=deprecated_get_mapping,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
+        deprecated_rule=deprecated_get_mapping
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_mappings',
@@ -93,8 +100,6 @@ mapping_policies = [
             }
         ],
         deprecated_rule=deprecated_list_mappings,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_mapping',
@@ -103,9 +108,7 @@ mapping_policies = [
         description='Delete a federated mapping.',
         operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_mapping,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_delete_mapping),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_mapping',
         check_str=base.SYSTEM_ADMIN,
@@ -113,9 +116,7 @@ mapping_policies = [
         description='Update a federated mapping.',
         operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_mapping,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN)
+        deprecated_rule=deprecated_update_mapping)
 ]
 
 

keystone/common/policies/policy.py

@@ -15,33 +15,43 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
+DEPRECATED_REASON = (
+    "The policy API is now aware of system scope and default roles."
+)
+
 deprecated_get_policy = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_policy',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_policies = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_policies',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_update_policy = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_policy',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_policy',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_policy',
     check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-DEPRECATED_REASON = (
-    "The policy API is now aware of system scope and default roles."
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 
@@ -55,9 +65,7 @@ policy_policies = [
         description='Show policy details.',
         operations=[{'path': '/v3/policies/{policy_id}',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_get_policy,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_policy),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_policies',
         check_str=base.SYSTEM_READER,
@@ -65,9 +73,7 @@ policy_policies = [
         description='List policies.',
         operations=[{'path': '/v3/policies',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_policies,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_policies),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_policy',
         check_str=base.SYSTEM_ADMIN,
@@ -75,9 +81,7 @@ policy_policies = [
         description='Create policy.',
         operations=[{'path': '/v3/policies',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_policy,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_policy),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_policy',
         check_str=base.SYSTEM_ADMIN,
@@ -85,9 +89,7 @@ policy_policies = [
         description='Update policy.',
         operations=[{'path': '/v3/policies/{policy_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_policy,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_update_policy),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_policy',
         check_str=base.SYSTEM_ADMIN,
@@ -95,9 +97,7 @@ policy_policies = [
         description='Delete policy.',
         operations=[{'path': '/v3/policies/{policy_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_policy,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_delete_policy)
 ]
 
 

keystone/common/policies/policy_association.py

@@ -19,65 +19,88 @@ from keystone.common.policies import base
 # System-scoped tokens should be required to manage policy associations to
 # existing system-level resources.
 
+DEPRECATED_REASON = (
+    "The policy association API is now aware of system scope and default "
+    "roles."
+)
+
 deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'check_policy_association_for_endpoint',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
     name=base.IDENTITY % 'check_policy_association_for_service',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
     name=base.IDENTITY % 'check_policy_association_for_region_and_service',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_policy_for_endpoint',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_endpoints_for_policy',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_policy_association_for_endpoint',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_policy_association_for_endpoint',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_policy_association_for_service',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_policy_association_for_service',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_policy_association_for_region_and_service',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
     check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
-DEPRECATED_REASON = (
-    "The policy association API is now aware of system scope and default "
-    "roles."
-)
 
 policy_association_policies = [
     policy.DocumentedRuleDefault(
@@ -88,9 +111,7 @@ policy_association_policies = [
         operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'endpoints/{endpoint_id}'),
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_policy_assoc_for_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_policy_association_for_endpoint',
         check_str=base.SYSTEM_READER,
@@ -102,9 +123,7 @@ policy_association_policies = [
                     {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'endpoints/{endpoint_id}'),
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_check_policy_assoc_for_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_policy_association_for_endpoint',
         check_str=base.SYSTEM_ADMIN,
@@ -113,9 +132,7 @@ policy_association_policies = [
         operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'endpoints/{endpoint_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_policy_assoc_for_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_policy_association_for_service',
         check_str=base.SYSTEM_ADMIN,
@@ -124,9 +141,7 @@ policy_association_policies = [
         operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'services/{service_id}'),
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_policy_assoc_for_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_policy_assoc_for_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_policy_association_for_service',
         check_str=base.SYSTEM_READER,
@@ -138,9 +153,7 @@ policy_association_policies = [
                     {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'services/{service_id}'),
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_policy_assoc_for_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_check_policy_assoc_for_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_policy_association_for_service',
         check_str=base.SYSTEM_ADMIN,
@@ -149,9 +162,7 @@ policy_association_policies = [
         operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'services/{service_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_policy_assoc_for_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_policy_assoc_for_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % (
             'create_policy_association_for_region_and_service'),
@@ -162,9 +173,7 @@ policy_association_policies = [
         operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'services/{service_id}/regions/{region_id}'),
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_policy_assoc_for_region_and_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_policy_association_for_region_and_service',
         check_str=base.SYSTEM_READER,
@@ -176,9 +185,7 @@ policy_association_policies = [
                     {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'services/{service_id}/regions/{region_id}'),
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_check_policy_assoc_for_region_and_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % (
             'delete_policy_association_for_region_and_service'),
@@ -188,9 +195,7 @@ policy_association_policies = [
         operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'services/{service_id}/regions/{region_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_policy_for_endpoint',
         check_str=base.SYSTEM_READER,
@@ -202,9 +207,7 @@ policy_association_policies = [
                     {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
                               'policy'),
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_policy_for_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_policy_for_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_endpoints_for_policy',
         check_str=base.SYSTEM_READER,
@@ -213,9 +216,7 @@ policy_association_policies = [
         operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                               'endpoints'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_endpoints_for_policy,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_list_endpoints_for_policy)
 ]
 
 

keystone/common/policies/project.py

@@ -52,60 +52,84 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
     '(role:admin and domain_id:%(target.project.domain_id)s)'
 )
 
-deprecated_list_projects = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_projects',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_get_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_project',
-    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
-)
-deprecated_list_user_projects = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_user_projects',
-    check_str=base.RULE_ADMIN_OR_OWNER
-)
-deprecated_create_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_project',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_project',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_project',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_project_tags = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_project_tags',
-    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
-)
-deprecated_get_project_tag = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_project_tag',
-    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
-)
-deprecated_update_project_tag = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_project_tags',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_project_tag = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_project_tag',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_project_tag = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_project_tag',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_project_tags = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_project_tags',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
-
 DEPRECATED_REASON = (
     "The project API is now aware of system scope and default roles."
 )
 
+deprecated_list_projects = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_projects',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_get_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_project',
+    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_user_projects = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_user_projects',
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_project',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_project',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_project',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_project_tags = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_project_tags',
+    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_get_project_tag = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_project_tag',
+    check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_update_project_tag = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_project_tags',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_create_project_tag = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_project_tag',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_delete_project_tag = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_project_tag',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_delete_project_tags = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_project_tags',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+
 TAGS_DEPRECATED_REASON = """
 As of the Train release, the project tags API understands how to handle
 system-scoped tokens in addition to project and domain tokens, making the API
@@ -122,9 +146,7 @@ project_policies = [
         description='Show project details.',
         operations=[{'path': '/v3/projects/{project_id}',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_get_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_projects',
         check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -136,9 +158,7 @@ project_policies = [
         description='List projects.',
         operations=[{'path': '/v3/projects',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_projects,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_projects),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_user_projects',
         check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
@@ -146,9 +166,7 @@ project_policies = [
         description='List projects for user.',
         operations=[{'path': '/v3/users/{user_id}/projects',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_user_projects,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_user_projects),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_project',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -156,9 +174,7 @@ project_policies = [
         description='Create project.',
         operations=[{'path': '/v3/projects',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_project',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -166,9 +182,7 @@ project_policies = [
         description='Update project.',
         operations=[{'path': '/v3/projects/{project_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_project',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -176,9 +190,7 @@ project_policies = [
         description='Delete project.',
         operations=[{'path': '/v3/projects/{project_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_delete_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_project_tags',
         check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
@@ -188,9 +200,7 @@ project_policies = [
                      'method': 'GET'},
                     {'path': '/v3/projects/{project_id}/tags',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_project_tags,
-        deprecated_reason=TAGS_DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_project_tags),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_project_tag',
         check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
@@ -200,9 +210,7 @@ project_policies = [
                      'method': 'GET'},
                     {'path': '/v3/projects/{project_id}/tags/{value}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_project_tag,
-        deprecated_reason=TAGS_DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_project_tag),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_project_tags',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -210,9 +218,7 @@ project_policies = [
         description='Replace all tags on a project with the new set of tags.',
         operations=[{'path': '/v3/projects/{project_id}/tags',
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_update_project_tag,
-        deprecated_reason=TAGS_DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_update_project_tag),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_project_tag',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -220,9 +226,7 @@ project_policies = [
         description='Add a single tag to a project.',
         operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_project_tag,
-        deprecated_reason=TAGS_DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_project_tag),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_project_tags',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -230,9 +234,7 @@ project_policies = [
         description='Remove all tags from a project.',
         operations=[{'path': '/v3/projects/{project_id}/tags',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_project_tags,
-        deprecated_reason=TAGS_DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_project_tags),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_project_tag',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -240,9 +242,7 @@ project_policies = [
         description='Delete a specified tag from project.',
         operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_project_tag,
-        deprecated_reason=TAGS_DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_delete_project_tag)
 ]
 
 

keystone/common/policies/project_endpoint.py

@@ -15,31 +15,6 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_projects_for_endpoint',
-    check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-deprecated_add_endpoint_to_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'add_endpoint_to_project',
-    check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-deprecated_check_endpoint_in_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'check_endpoint_in_project',
-    check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-deprecated_list_endpoints_for_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_endpoints_for_project',
-    check_str=base.RULE_ADMIN_REQUIRED,
-)
-
-deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
-    name=base.IDENTITY % 'remove_endpoint_from_project',
-    check_str=base.RULE_ADMIN_REQUIRED,
-)
-
 DEPRECATED_REASON = """
 As of the Train release, the project endpoint API now understands default
 roles and system-scoped tokens, making the API more granular by default without
@@ -48,6 +23,41 @@ automatically. Be sure to take these new defaults into consideration if you are
 relying on overrides in your deployment for the project endpoint API.
 """
 
+deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_projects_for_endpoint',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+deprecated_add_endpoint_to_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'add_endpoint_to_project',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+deprecated_check_endpoint_in_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'check_endpoint_in_project',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+deprecated_list_endpoints_for_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_endpoints_for_project',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
+    name=base.IDENTITY % 'remove_endpoint_from_project',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
 
 project_endpoint_policies = [
 
@@ -63,9 +73,7 @@ project_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
                               'projects'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_projects_for_endpoint,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_projects_for_endpoint),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'add_endpoint_to_project',
         check_str=base.SYSTEM_ADMIN,
@@ -74,9 +82,7 @@ project_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
                               'endpoints/{endpoint_id}'),
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_add_endpoint_to_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_add_endpoint_to_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_endpoint_in_project',
         check_str=base.SYSTEM_READER,
@@ -88,9 +94,7 @@ project_endpoint_policies = [
                     {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
                               'endpoints/{endpoint_id}'),
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_endpoint_in_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_check_endpoint_in_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_endpoints_for_project',
         check_str=base.SYSTEM_READER,
@@ -99,9 +103,7 @@ project_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
                               'endpoints'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_endpoints_for_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_endpoints_for_project),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'remove_endpoint_from_project',
         check_str=base.SYSTEM_ADMIN,
@@ -111,9 +113,7 @@ project_endpoint_policies = [
         operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
                               'endpoints/{endpoint_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_remove_endpoint_from_project,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_remove_endpoint_from_project),
 ]
 
 

keystone/common/policies/protocol.py

@@ -15,32 +15,43 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_get_protocol = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_protocol',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_protocols = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_protocols',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_protocol = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_protocol',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_protocol = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_protocol',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_protocol = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_protocol',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The federated protocol API is now aware of system scope and default "
     "roles."
 )
 
+deprecated_get_protocol = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_protocol',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_protocols = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_protocols',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_protocol = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_protocol',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_protocol = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_protocol',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_protocol = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_protocol',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+
+
 protocol_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_protocol',
@@ -53,9 +64,7 @@ protocol_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
                               'protocols/{protocol_id}'),
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_protocol,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_protocol),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_protocol',
         check_str=base.SYSTEM_ADMIN,
@@ -64,9 +73,7 @@ protocol_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
                               'protocols/{protocol_id}'),
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_protocol,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_protocol),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_protocol',
         check_str=base.SYSTEM_READER,
@@ -75,9 +82,7 @@ protocol_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
                               'protocols/{protocol_id}'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_get_protocol,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_protocol),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_protocols',
         check_str=base.SYSTEM_READER,
@@ -86,9 +91,7 @@ protocol_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
                               'protocols'),
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_protocols,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_protocols),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_protocol',
         check_str=base.SYSTEM_ADMIN,
@@ -97,9 +100,7 @@ protocol_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
                               'protocols/{protocol_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_protocol,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN)
+        deprecated_rule=deprecated_delete_protocol)
 ]
 
 

keystone/common/policies/region.py

@@ -15,23 +15,30 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_create_region = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_region',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_region = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_region',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_region = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_region',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The region API is now aware of system scope and default roles."
 )
 
+deprecated_create_region = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_region',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_region = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_region',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_region = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_region',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+
+
 region_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_region',
@@ -66,9 +73,7 @@ region_policies = [
                      'method': 'POST'},
                     {'path': '/v3/regions/{region_id}',
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_region,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_region),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_region',
         check_str=base.SYSTEM_ADMIN,
@@ -76,9 +81,7 @@ region_policies = [
         description='Update region.',
         operations=[{'path': '/v3/regions/{region_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_region,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_region),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_region',
         check_str=base.SYSTEM_ADMIN,
@@ -86,9 +89,7 @@ region_policies = [
         description='Delete region.',
         operations=[{'path': '/v3/regions/{region_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_region,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_delete_region),
 ]
 
 

keystone/common/policies/role.py

@@ -15,51 +15,72 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_get_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_roles',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_get_domain_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_domain_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_domain_roles = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_domain_roles',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_domain_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_domain_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_domain_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_domain_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_domain_role = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_domain_role',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The role API is now aware of system scope and default roles."
 )
 
+deprecated_get_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_roles',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_get_domain_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_domain_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_list_domain_roles = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_domain_roles',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_update_domain_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_domain_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_create_domain_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_domain_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+deprecated_delete_domain_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_domain_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+
 role_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_role',
@@ -75,9 +96,7 @@ role_policies = [
                      'method': 'GET'},
                     {'path': '/v3/roles/{role_id}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_roles',
         check_str=base.SYSTEM_READER,
@@ -87,9 +106,7 @@ role_policies = [
                      'method': 'GET'},
                     {'path': '/v3/roles',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_role',
         check_str=base.SYSTEM_ADMIN,
@@ -97,9 +114,7 @@ role_policies = [
         description='Create role.',
         operations=[{'path': '/v3/roles',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_role',
         check_str=base.SYSTEM_ADMIN,
@@ -107,9 +122,7 @@ role_policies = [
         description='Update role.',
         operations=[{'path': '/v3/roles/{role_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_role',
         check_str=base.SYSTEM_ADMIN,
@@ -117,9 +130,7 @@ role_policies = [
         description='Delete role.',
         operations=[{'path': '/v3/roles/{role_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_delete_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_domain_role',
         check_str=base.SYSTEM_READER,
@@ -134,9 +145,7 @@ role_policies = [
                      'method': 'GET'},
                     {'path': '/v3/roles/{role_id}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_domain_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_domain_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_domain_roles',
         check_str=base.SYSTEM_READER,
@@ -146,9 +155,7 @@ role_policies = [
                      'method': 'GET'},
                     {'path': '/v3/roles?domain_id={domain_id}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_domain_roles,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_domain_roles),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_domain_role',
         check_str=base.SYSTEM_ADMIN,
@@ -156,9 +163,7 @@ role_policies = [
         scope_types=['system'],
         operations=[{'path': '/v3/roles',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_domain_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_create_domain_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_domain_role',
         check_str=base.SYSTEM_ADMIN,
@@ -166,9 +171,7 @@ role_policies = [
         scope_types=['system'],
         operations=[{'path': '/v3/roles/{role_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_domain_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_update_domain_role),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_domain_role',
         check_str=base.SYSTEM_ADMIN,
@@ -176,9 +179,7 @@ role_policies = [
         scope_types=['system'],
         operations=[{'path': '/v3/roles/{role_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_domain_role,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_delete_domain_role)
 ]
 
 

keystone/common/policies/role_assignment.py

@@ -25,19 +25,24 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = (
     '(role:admin and project_id:%(target.project.id)s)'
 )
 
-deprecated_list_role_assignments = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_role_assignments',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_role_assignments_for_tree',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The assignment API is now aware of system scope and default roles."
 )
 
+deprecated_list_role_assignments = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_role_assignments',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_role_assignments_for_tree',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
+)
+
+
 role_assignment_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_role_assignments',
@@ -48,9 +53,7 @@ role_assignment_policies = [
                      'method': 'GET'},
                     {'path': '/v3/role_assignments',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_role_assignments,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_role_assignments),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_role_assignments_for_tree',
         check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
@@ -61,9 +64,7 @@ role_assignment_policies = [
                      'method': 'GET'},
                     {'path': '/v3/role_assignments?include_subtree',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_role_assignments_for_tree,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_role_assignments_for_tree),
 
 ]
 

keystone/common/policies/service.py

@@ -15,31 +15,42 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_get_service = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_service',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_service = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_services',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_service = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_service',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_service = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_service',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_service = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_service',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The service API is now aware of system scope and default roles."
 )
 
+deprecated_get_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_service',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_services',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_service',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_service',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_service = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_service',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+
+
 service_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_service',
@@ -48,9 +59,7 @@ service_policies = [
         description='Show service details.',
         operations=[{'path': '/v3/services/{service_id}',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_get_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_services',
         check_str=base.SYSTEM_READER,
@@ -58,9 +67,7 @@ service_policies = [
         description='List services.',
         operations=[{'path': '/v3/services',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_list_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_service',
         check_str=base.SYSTEM_ADMIN,
@@ -68,9 +75,7 @@ service_policies = [
         description='Create service.',
         operations=[{'path': '/v3/services',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_service',
         check_str=base.SYSTEM_ADMIN,
@@ -78,9 +83,7 @@ service_policies = [
         description='Update service.',
         operations=[{'path': '/v3/services/{service_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_service),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_service',
         check_str=base.SYSTEM_ADMIN,
@@ -88,9 +91,7 @@ service_policies = [
         description='Delete service.',
         operations=[{'path': '/v3/services/{service_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_service,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN)
+        deprecated_rule=deprecated_delete_service)
 ]
 
 

keystone/common/policies/service_provider.py

@@ -15,31 +15,42 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-deprecated_get_sp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'get_service_provider',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_list_sp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'list_service_providers',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_update_sp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'update_service_provider',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_create_sp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'create_service_provider',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-deprecated_delete_sp = policy.DeprecatedRule(
-    name=base.IDENTITY % 'delete_service_provider',
-    check_str=base.RULE_ADMIN_REQUIRED
-)
-
 DEPRECATED_REASON = (
     "The service provider API is now aware of system scope and default roles."
 )
 
+deprecated_get_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'get_service_provider',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_list_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_service_providers',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_update_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_service_provider',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_create_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_service_provider',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+deprecated_delete_sp = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_service_provider',
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
+)
+
+
 service_provider_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_service_provider',
@@ -55,9 +66,7 @@ service_provider_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
                               '{service_provider_id}'),
                      'method': 'PUT'}],
-        deprecated_rule=deprecated_create_sp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_sp),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_service_providers',
         check_str=base.SYSTEM_READER,
@@ -73,9 +82,7 @@ service_provider_policies = [
                 'method': 'HEAD'
             }
         ],
-        deprecated_rule=deprecated_list_sp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
+        deprecated_rule=deprecated_list_sp
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_service_provider',
@@ -94,9 +101,7 @@ service_provider_policies = [
                 'method': 'HEAD'
             }
         ],
-        deprecated_rule=deprecated_get_sp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN
+        deprecated_rule=deprecated_get_sp
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_service_provider',
@@ -106,9 +111,7 @@ service_provider_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
                               '{service_provider_id}'),
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_sp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_sp),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_service_provider',
         check_str=base.SYSTEM_ADMIN,
@@ -117,9 +120,7 @@ service_provider_policies = [
         operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
                               '{service_provider_id}'),
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_sp,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN)
+        deprecated_rule=deprecated_delete_sp)
 ]
 
 

keystone/common/policies/token.py

@@ -21,15 +21,21 @@ DEPRECATED_REASON = (
 
 deprecated_check_token = policy.DeprecatedRule(
     name=base.IDENTITY % 'check_token',
-    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
+    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_validate_token = policy.DeprecatedRule(
     name=base.IDENTITY % 'validate_token',
-    check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT
+    check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_revoke_token = policy.DeprecatedRule(
     name=base.IDENTITY % 'revoke_token',
-    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
+    check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
@@ -52,9 +58,7 @@ token_policies = [
         description='Check a token.',
         operations=[{'path': '/v3/auth/tokens',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_token,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_check_token),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'validate_token',
         check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
@@ -62,9 +66,7 @@ token_policies = [
         description='Validate a token.',
         operations=[{'path': '/v3/auth/tokens',
                      'method': 'GET'}],
-        deprecated_rule=deprecated_validate_token,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_validate_token),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'revoke_token',
         check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
@@ -72,9 +74,7 @@ token_policies = [
         description='Revoke a token.',
         operations=[{'path': '/v3/auth/tokens',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_revoke_token,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_revoke_token)
 ]
 
 

keystone/common/policies/trust.py

@@ -24,29 +24,39 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
 SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
 SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
 
+DEPRECATED_REASON = (
+    "The trust API is now aware of system scope and default roles."
+)
+
 deprecated_list_trusts = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_trusts',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_list_roles_for_trust = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_roles_for_trust',
-    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
+    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_get_role_for_trust = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_role_for_trust',
-    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
+    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_delete_trust = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_trust',
-    check_str=RULE_TRUSTOR
+    check_str=RULE_TRUSTOR,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 deprecated_get_trust = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_trust',
-    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
-)
-
-DEPRECATED_REASON = (
-    "The trust API is now aware of system scope and default roles."
+    check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.TRAIN
 )
 
 trust_policies = [
@@ -69,9 +79,7 @@ trust_policies = [
                      'method': 'GET'},
                     {'path': '/v3/OS-TRUST/trusts',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_trusts,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_trusts),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_trusts_for_trustor',
         check_str=SYSTEM_READER_OR_TRUSTOR,
@@ -103,9 +111,7 @@ trust_policies = [
                      'method': 'GET'},
                     {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_roles_for_trust,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_list_roles_for_trust),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_role_for_trust',
         check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
@@ -115,9 +121,7 @@ trust_policies = [
                      'method': 'GET'},
                     {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_role_for_trust,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_get_role_for_trust),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_trust',
         check_str=SYSTEM_ADMIN_OR_TRUSTOR,
@@ -125,9 +129,7 @@ trust_policies = [
         description='Revoke trust.',
         operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_trust,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN),
+        deprecated_rule=deprecated_delete_trust),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_trust',
         check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
@@ -137,9 +139,7 @@ trust_policies = [
                      'method': 'GET'},
                     {'path': '/v3/OS-TRUST/trusts/{trust_id}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_trust,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.TRAIN)
+        deprecated_rule=deprecated_get_trust)
 ]
 
 

keystone/common/policies/user.py

@@ -36,23 +36,33 @@ DEPRECATED_REASON = (
 
 deprecated_get_user = policy.DeprecatedRule(
     name=base.IDENTITY % 'get_user',
-    check_str=base.RULE_ADMIN_OR_OWNER
+    check_str=base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_list_users = policy.DeprecatedRule(
     name=base.IDENTITY % 'list_users',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_create_user = policy.DeprecatedRule(
     name=base.IDENTITY % 'create_user',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_update_user = policy.DeprecatedRule(
     name=base.IDENTITY % 'update_user',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 deprecated_delete_user = policy.DeprecatedRule(
     name=base.IDENTITY % 'delete_user',
-    check_str=base.RULE_ADMIN_REQUIRED
+    check_str=base.RULE_ADMIN_REQUIRED,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.STEIN
 )
 
 user_policies = [
@@ -65,9 +75,7 @@ user_policies = [
                      'method': 'GET'},
                     {'path': '/v3/users/{user_id}',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_get_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_get_user),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_users',
         check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -77,9 +85,7 @@ user_policies = [
                      'method': 'GET'},
                     {'path': '/v3/users',
                      'method': 'HEAD'}],
-        deprecated_rule=deprecated_list_users,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_list_users),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_projects_for_user',
         check_str='',
@@ -111,9 +117,7 @@ user_policies = [
         description='Create a user.',
         operations=[{'path': '/v3/users',
                      'method': 'POST'}],
-        deprecated_rule=deprecated_create_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_create_user),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_user',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -121,9 +125,7 @@ user_policies = [
         description='Update a user, including administrative password resets.',
         operations=[{'path': '/v3/users/{user_id}',
                      'method': 'PATCH'}],
-        deprecated_rule=deprecated_update_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN),
+        deprecated_rule=deprecated_update_user),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_user',
         check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -131,9 +133,7 @@ user_policies = [
         description='Delete a user.',
         operations=[{'path': '/v3/users/{user_id}',
                      'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_user,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since=versionutils.deprecated.STEIN)
+        deprecated_rule=deprecated_delete_user)
 ]
 
 

lower-constraints.txt

@@ -32,7 +32,7 @@ oslo.i18n==3.15.3
 oslo.log==3.44.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==3.6.0
+oslo.policy==3.7.0
 oslo.serialization==2.18.0
 oslo.upgradecheck==1.3.0
 oslo.utils==3.33.0

requirements.txt

@@ -23,7 +23,7 @@ oslo.db>=6.0.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
 oslo.log>=3.44.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.6.0 # Apache-2.0
+oslo.policy>=3.7.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.upgradecheck>=1.3.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0