From b7a64a9315a2bfe8c76b4e9b117458530df75e80 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 21 Mar 2019 19:28:08 +0000
Subject: [PATCH] Remove system assignment policies from policy.v3cloudsample.json
By relying on system-scope and default roles, these policies are now obsolete.
Change-Id: I7a17c2baa6e23b6a5d8fe21668a66ea8c8a89232
Partial-Bug: 1806762
(cherry picked from commit 0dbc8a88e8856d5decb1d0efec2921f49d90b879)
---
 etc/policy.v3cloudsample.json | 10 ----------
 keystone/tests/unit/test_policy.py | 8 ++++++++
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index e79e5a1a47..1ea18e28c2 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -80,16 +80,6 @@
 "identity:list_role_inference_rules": "rule:cloud_admin",
 "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
- "identity:list_system_grants_for_user": "rule:admin_required",
- "identity:check_system_grant_for_user": "rule:admin_required",
- "identity:create_system_grant_for_user": "rule:admin_required",
- "identity:revoke_system_grant_for_user": "rule:admin_required",
-
- "identity:list_system_grants_for_group": "rule:admin_required",
- "identity:check_system_grant_for_group": "rule:admin_required",
- "identity:create_system_grant_for_group": "rule:admin_required",
- "identity:revoke_system_grant_for_group": "rule:admin_required",
-
 "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
 "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
 "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 9462ba2ece..519dcd3946 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -201,6 +201,14 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:list_roles',
 'identity:update_role',
 'identity:delete_role',
+ 'identity:list_system_grants_for_user',
+ 'identity:check_system_grant_for_user',
+ 'identity:create_system_grant_for_user',
+ 'identity:revoke_system_grant_for_user',
+ 'identity:list_system_grants_for_group',
+ 'identity:check_system_grant_for_group',
+ 'identity:create_system_grant_for_group',
+ 'identity:revoke_system_grant_for_group',
 'identity:create_region',
 'identity:get_region',
 'identity:list_regions',
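Review bot: The eight `identity:*_system_grant*` entries added to this list have no comment saying why they are listed, and the list's name and the test method that consumes it are outside the hunk. If this is the list of policies deliberately absent from policy.v3cloudsample.json, as the JSON hunk suggests, a comment above the first added entry would record the reason, e.g. `# System grant policies: removed from the sample file, covered by the in-code system-scoped defaults.` These rules decide who may create and revoke system role assignments, and once exempted here this test presumably no longer compares them against anything. It is worth confirming that the in-code defaults for these eight policies have their own protection tests.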