Remove idp policies from policy.v3cloudsample.json

By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default idp behavior
by removing them.

Change-Id: I6091d1cdbc4e1fa3a3d5f83a707f003416a43ea0
Closes-Bug: 1804517

etc/policy.v3cloudsample.json

@@ -183,12 +183,6 @@
     "identity:add_endpoint_group_to_project": "rule:admin_required",
     "identity:remove_endpoint_group_from_project": "rule:admin_required",
 
-    "identity:create_identity_provider": "rule:cloud_admin",
-    "identity:list_identity_providers": "rule:cloud_admin",
-    "identity:get_identity_provider": "rule:cloud_admin",
-    "identity:update_identity_provider": "rule:cloud_admin",
-    "identity:delete_identity_provider": "rule:cloud_admin",
-
     "identity:create_protocol": "rule:cloud_admin",
     "identity:update_protocol": "rule:cloud_admin",
     "identity:get_protocol": "rule:cloud_admin",

keystone/tests/unit/test_policy.py

@@ -205,7 +205,12 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:get_mapping',
             'identity:list_mappings',
             'identity:update_mapping',
-            'identity:delete_mapping'
+            'identity:delete_mapping',
+            'identity:create_identity_provider',
+            'identity:get_identity_provider',
+            'identity:list_identity_providers',
+            'identity:update_identity_provider',
+            'identity:delete_identity_provider'
         ]
         policy_keys = self._get_default_policy_rules()
         for p in removed_policies:

releasenotes/notes/bug-1804517-a351aec088fee066.yaml

@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    [`bug 1804517 <https://bugs.launchpad.net/keystone/+bug/1804517>`_]
+    The federated identity provider policies defined in
+    ``policy.v3cloudsample.json`` have been removed. These policies
+    are now obsolete after incorporating system-scope into the
+    identity provider API and implementing default roles.
+fixes:
+  - |
+    [`bug 1804517 <https://bugs.launchpad.net/keystone/+bug/1804517>`_]
+    The federated identity provider policies in
+    ``policy.v3cloudsample.json`` policy file have been removed in
+    favor of better defaults in code. These policies weren't tested
+    exhaustively and were misleading to users and operators.
+