---
upgrade:
  - |
    [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
    The domain policies defined in ``policy.v3cloudsample.json``
    have been removed. These policies are now obsolete after incorporating
    system-scope into the domain API and implementing default roles.
    Additionally, the ``identity:get_domain`` policy in
    ``policy.v3cloudsample.json`` has been relaxed slightly to allow all
    users with role assignments on a domain to retrieve that domain,
    as opposed to only allowing users with the ``admin`` role to access
    that policy.

    All policies in ``policy.v3cloudsample.json`` that are redundant with the
    defaults in code have been removed. This improves maintainability and
    leaves the ``policy.v3cloudsample.json`` policy file with only
    overrides. These overrides will eventually be moved into code or new
    defaults in keystone directly. If you're using the policies removed
    from ``policy.v3cloudsample.json`` please check to see if you can migrate
    to the new defaults or continue maintaining the policy as an override.
fixes:
  - |
    [`bug 1806762 <https://bugs.launchpad.net/keystone/+bug/1806762>`_]
    The domain policies in ``policy.v3cloudsample.json`` policy file
    have been removed in favor of better defaults in code. These policies
    weren't tested exhaustively and were misleading to users and operators.