From 7af769278aef7e3a170c0da619b67bad7a147d84 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 29 Nov 2018 18:53:00 +0000
Subject: [PATCH] Remove registered limit policies from policy.v3cloudsample.json
By incorporating system-scope and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default registered limit behavior by removing them.
Change-Id: I1ee7fb53a71361966584363687051615dc832329
Related-Bug: 1805880
---
 etc/policy.v3cloudsample.json | 6 ------
 keystone/tests/unit/test_policy.py | 7 ++++++-
 .../notes/bug-1805880-3fc6b30309a4370f.yaml | 14 ++++++++++++++
 3 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/bug-1805880-3fc6b30309a4370f.yaml
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 271d7e8050..ab36cbb6a3 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -28,12 +28,6 @@
 "identity:update_endpoint": "rule:cloud_admin",
 "identity:delete_endpoint": "rule:cloud_admin",
- "identity:get_registered_limit": "",
- "identity:list_registered_limits": "",
- "identity:create_registered_limits": "rule:admin_required",
- "identity:update_registered_limit": "rule:admin_required",
- "identity:delete_registered_limit": "rule:admin_required",
- "identity:get_limit_model": "",
 "identity:get_limit": "",
 "identity:list_limits": "",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 24e507b7f0..63f6f1aa25 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -185,7 +185,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_credential',
 'identity:list_credentials',
 'identity:update_credential',
- 'identity:delete_credential'
+ 'identity:delete_credential',
+ 'identity:create_registered_limits',
+ 'identity:get_registered_limit',
+ 'identity:list_registered_limits',
+ 'identity:update_registered_limit',
+ 'identity:delete_registered_limit'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/releasenotes/notes/bug-1805880-3fc6b30309a4370f.yaml b/releasenotes/notes/bug-1805880-3fc6b30309a4370f.yaml
new file mode 100644
index 0000000000..2c4ca1f7e3
--- /dev/null
+++ b/releasenotes/notes/bug-1805880-3fc6b30309a4370f.yaml
@@ -0,0 +1,14 @@
+---
+upgrade:
+ - |
+ [`bug 1805880 `_]
+ The registered limit policies defined in ``policy.v3cloudsample.json``
+ have been removed. These policies are now obsolete after incorporating
+ system-scope into the registered limit API and implementing default roles.
+fixes:
+ - |
+ [`bug 1805880 `_]
+ The registered limit policies in ``policy.v3cloudsample.json`` policy
+ file have been removed in favor of better defaults in code. These
+ policies weren't tested exhaustively and were misleading to users
+ and operators.
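Review bot: The five registered limit entries added to `removed_policies` in the keystone/tests/unit/test_policy.py hunk carry no comment saying why they are exempt from the sample-file comparison, and the list now mixes credential and registered limit keys. A one-line comment above the new entries would do, for example `# registered limit policies dropped from policy.v3cloudsample.json; in-code defaults apply (bug 1805880)`. Exempting the keys also means this test no longer says anything about who may read or change registered limits, so that coverage presumably has to come from the tests of the in-code defaults; worth confirming. The list and the loop that consumes it start and end outside the hunk.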