From 546b7f1bba0c5a9b9c22828cc27a90191bb8f30d Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 10 Dec 2018 22:22:52 +0000
Subject: [PATCH] Remove project policies from policy.v3cloudsample.json
By incorporating system-scope, domain-scope, project-scope, and default roles, we've effectively made these policies obsolete. We can simplify what we maintain and provide a more consistent, unified view of default project behavior by removing them.
Change-Id: I80221b72ce0f234440e6d6aaea51869bd5f1c6e7
Related-Bug: 1806762
---
 etc/policy.v3cloudsample.json | 8 --------
 keystone/tests/unit/test_policy.py | 6 ++++++
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index e79e5a1a47..fe3a583617 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -17,14 +17,6 @@
 "identity:update_limit": "rule:admin_required",
 "identity:delete_limit": "rule:admin_required",
- "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
- "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
- "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
- "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
- "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
- "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
 "identity:create_project_tag": "rule:admin_required",
 "identity:delete_project_tag": "rule:admin_required",
 "identity:get_project_tag": "rule:admin_required",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 9462ba2ece..fc137ba473 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -231,6 +231,12 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:list_domains',
 'identity:update_domain',
 'identity:delete_domain',
+ 'identity:create_project',
+ 'identity:get_project',
+ 'identity:list_projects',
+ 'identity:update_project',
+ 'identity:delete_project',
+ 'identity:list_user_projects',
 'identity:create_service',
 'identity:get_service',
 'identity:list_services',
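Review bot: The six `identity:*_project` names added to this list only record that the keys are gone from `etc/policy.v3cloudsample.json`. Nothing visible in the hunk checks that the in-code defaults still confine a domain administrator to projects in their own domain, which is what the deleted `admin_and_matching_target_project_domain_id` and `admin_and_matching_project_domain_id` rules expressed. The list and the test method that consumes it begin and end outside the hunk, so its exact role is inferred from the entry names. I would put a comment above the new entries, such as `# project policies: dropped from the sample file, enforced by the scope-aware in-code defaults`. I would also confirm that a test elsewhere in the series asserts a domain-scoped admin is denied `identity:get_project`, `identity:update_project` and `identity:delete_project` on a project in another domain.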