Add scope_types to implied role policies

Today, keystone doesn't support the ability to create roles and
immediately start using them without modifying policy files
across multiple services. Since role management is technically
considered a system-level resource because of this reason, it makes
sense to have implied role policies system-level as well.

From now on, a warning will be logged when a project-scoped token is
used to imply roles. Operators will be able to opt into requiring
system-scoped tokens for these policies by enabling oslo.policy's
`enforce_scope` configuration option, which will result in an
HTTP Forbidden exception when mismatching scope is used.

Change-Id: I9ec3bf02904dfe3773164e410db822a81ff213e2
This commit is contained in:
Lance Bragstad 2017-12-06 21:03:50 +00:00
parent 2178447a6d
commit cfb0d593e1
1 changed files with 10 additions and 0 deletions


@ -18,6 +18,11 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad) The management of implied roles currently makes
# sense as a system-only resource. Once keystone has the ability to
# support RBAC solely over the API without having to customize policy
# files, scope_types should include 'project'.
scope_types=['system'],
description='Get information about an association between two roles. '
'When a relationship exists between a prior role and an '
'implied role and the prior role is assigned to a user, '
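Review bot: the FIXME explaining why `scope_types` deliberately omits 'project' appears only on `get_implied_role`; the five other rules in this file receive the same `scope_types=['system']` with no rationale next to them. Consider moving that comment above the `implied_role_policies` list (or a short pointer on each rule) so a reader reviewing `create_implied_role` or `delete_implied_role` in isolation understands why project scope is excluded and when it should be added back.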
@ -28,6 +33,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_implied_roles',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List associations between two roles. When a relationship '
'exists between a prior role and an implied role and the '
'prior role is assigned to a user, the user also assumes '
@ -40,6 +46,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Create an association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
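Review bot: this is the first write operation in the set to become system-only, and the commit touches only this one file, so there is no release note describing the behaviour change. Operators whose automation creates implied roles with a project-scoped admin token will start seeing scope warnings and, once `enforce_scope` is enabled, HTTP 403; the commit message already states this, and a release note under releasenotes/notes (the project's convention) should say the same so the change is visible at upgrade time.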
@ -50,6 +57,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Delete the association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
@ -61,6 +69,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_inference_rules',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List all associations between two roles in the system. '
'When a relationship exists between a prior role and an '
'implied role and the prior role is assigned to a user, '
@ -71,6 +80,7 @@ implied_role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_implied_role',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='Check an association between two roles. When a '
'relationship exists between a prior role and an implied '
'role and the prior role is assigned to a user, the user '
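Review bot: `check_str` stays `base.RULE_ADMIN_REQUIRED` on all six rules while `scope_types` narrows to `['system']`, so the effective change is only observable through oslo.policy's scope enforcement, and this diff adds no tests for it. Consider a follow-up or companion change with protection tests that exercise each of these rules with a system-scoped token (expect success), a project-scoped admin token with `enforce_scope` off (expect success plus the logged warning), and the same token with `enforce_scope` on (expect HTTP 403), so the intended behaviour is pinned rather than implied by the comment.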