Add policy for limit model protection

We plan to expose the enforcement model a deployment is using via
the limit API. This commit prepares for that implementation by
introducing the policy for it.

Change-Id: I03c9cec3646ee354ebcdd4ddc1168e00d611171b
Related-Bug: 1765193

doc/source/getting-started/policy_mapping.rst

@@ -36,6 +36,8 @@ identity:list_limits                                       GET /v3/limits
 identity:create_limits                                     POST /v3/limits
 identity:update_limit                                      PATCH /v3/limits/{limit_id}
 identity:delete_limit                                      DELETE /v3/limits/{limit_id}
+identity:get_limit_model                                   GET /v3/limits/model
+                                                           HEAD /v3/limits/model
 
 identity:get_domain                                        GET /v3/domains/{domain_id}
 identity:list_domains                                      GET /v3/domains

etc/policy.v3cloudsample.json

@@ -34,6 +34,7 @@
     "identity:update_registered_limit": "rule:admin_required",
     "identity:delete_registered_limit": "rule:admin_required",
 
+    "identity:get_limit_model": "",
     "identity:get_limit": "",
     "identity:list_limits": "",
     "identity:create_limits": "rule:admin_required",

keystone/common/policies/limit.py

@@ -15,6 +15,15 @@ from oslo_policy import policy
 from keystone.common.policies import base
 
 limit_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'get_limit_model',
+        check_str='',
+        scope_types=['system', 'project'],
+        description='Get limit enforcement model.',
+        operations=[{'path': '/v3/limits/model',
+                     'method': 'GET'},
+                    {'path': '/v3/limits/model',
+                     'method': 'HEAD'}]),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_limit',
         check_str='',