Deprecate identity:revocation_list policy for removal

This policy doesn't actually protect anything. We can safely deprecate
it for removal and simplify policy files.

Change-Id: Iff604f6d77b9b0b91e63d4f4b1572dbb18f43947
Closes-Bug: 1818845

keystone/common/policies/token_revocation.py

@@ -10,10 +10,18 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from keystone.common.policies import base
 
+DEPRECATED_REASON = """
+The identity:revocation_list policy isn't used to protect any APIs in keystone
+now that the revocation list API has been deprecated and only returns a 410 or
+403 depending on how keystone is configured. This policy can be safely removed
+from policy files.
+"""
+
 token_revocation_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'revocation_list',
@@ -25,7 +33,11 @@ token_revocation_policies = [
         scope_types=['system', 'project'],
         description='List revoked PKI tokens.',
         operations=[{'path': '/v3/auth/tokens/OS-PKI/revoked',
-                     'method': 'GET'}])
+                     'method': 'GET'}],
+        deprecated_for_removal=True,
+        deprecated_since=versionutils.deprecated.TRAIN,
+        deprecated_reason=DEPRECATED_REASON
+    )
 ]
 
 

releasenotes/notes/bug-1818845-05f8c3af5ea9abc7.yaml

@@ -0,0 +1,9 @@
+---
+deprecations:
+  - |
+    [`bug 1818845 <https://bugs.launchpad.net/keystone/+bug/1818845>`_]
+    The ``identity:revocation_list`` policy has been deprecated for removal.
+    This policy didn't actually protect the revocation list API since that API
+    is unenforced and unprotected. It only returns an ``HTTP 410`` or ``HTTP
+    403`` depending on how keystone is configured. This policy can be safely
+    removed.