Merge ~freyes/ubuntu/+source/keystone:upstream into ~ubuntu-openstack-dev/ubuntu/+source/keystone:upstream

Proposed by Felipe Reyes
Status: Merged
Merged at revision: 1fde32da7e51eae8f6a38e5825ad803a3b89a314
Proposed branch: ~freyes/ubuntu/+source/keystone:upstream
Merge into: ~ubuntu-openstack-dev/ubuntu/+source/keystone:upstream
Diff against target: 6994 lines (+1097/-1613)
98 files modified
.zuul.yaml (+13/-14)
AUTHORS (+0/-12)
ChangeLog (+7/-52)
PKG-INFO (+63/-67)
README.rst (+1/-1)
api-ref/source/v3/authenticate-v3.inc (+1/-1)
dev/null (+0/-6)
devstack/plugin.sh (+0/-7)
doc/source/admin/cli-manage-projects-users-and-roles.rst (+2/-2)
doc/source/admin/domain-specific-config.inc (+0/-6)
doc/source/admin/identity-concepts.rst (+9/-9)
doc/source/admin/service-api-protection.rst (+43/-138)
doc/source/admin/upgrading.rst (+1/-1)
doc/source/conf.py (+1/-5)
doc/source/configuration/policy.rst (+0/-9)
doc/source/contributor/how-can-i-help.rst (+1/-1)
doc/source/getting-started/community.rst (+3/-3)
doc/source/getting-started/policy_mapping.rst (+1/-1)
keystone.egg-info/PKG-INFO (+63/-67)
keystone.egg-info/SOURCES.txt (+2/-16)
keystone.egg-info/requires.txt (+3/-3)
keystone/api/s3tokens.py (+1/-4)
keystone/cmd/status.py (+0/-3)
keystone/common/policies/application_credential.py (+16/-17)
keystone/common/policies/consumer.py (+23/-24)
keystone/common/policies/credential.py (+15/-15)
keystone/common/policies/domain.py (+20/-20)
keystone/common/policies/domain_config.py (+17/-17)
keystone/common/policies/ec2_credential.py (+16/-17)
keystone/common/policies/endpoint.py (+19/-19)
keystone/common/policies/endpoint_group.py (+38/-37)
keystone/common/policies/grant.py (+43/-44)
keystone/common/policies/group.py (+40/-40)
keystone/common/policies/identity_provider.py (+21/-22)
keystone/common/policies/implied_role.py (+23/-23)
keystone/common/policies/mapping.py (+22/-23)
keystone/common/policies/policy.py (+19/-19)
keystone/common/policies/policy_association.py (+37/-38)
keystone/common/policies/project.py (+52/-52)
keystone/common/policies/project_endpoint.py (+23/-23)
keystone/common/policies/protocol.py (+24/-25)
keystone/common/policies/region.py (+15/-16)
keystone/common/policies/role.py (+43/-44)
keystone/common/policies/role_assignment.py (+11/-12)
keystone/common/policies/service.py (+23/-24)
keystone/common/policies/service_provider.py (+23/-24)
keystone/common/policies/token.py (+12/-12)
keystone/common/policies/trust.py (+24/-24)
keystone/common/policies/user.py (+20/-20)
keystone/common/rbac_enforcer/enforcer.py (+0/-8)
keystone/common/sql/core.py (+0/-10)
keystone/common/utils.py (+2/-2)
keystone/conf/__init__.py (+0/-7)
keystone/conf/memcache.py (+1/-25)
keystone/federation/idp.py (+2/-10)
keystone/identity/mapping_backends/sql.py (+1/-1)
keystone/identity/shadow_backends/sql.py (+1/-2)
keystone/locale/en_GB/LC_MESSAGES/keystone.po (+2/-14)
keystone/models/revoke_model.py (+1/-1)
keystone/tests/unit/assignment/test_backends.py (+3/-3)
keystone/tests/unit/catalog/test_backends.py (+18/-24)
keystone/tests/unit/common/test_notifications.py (+1/-1)
keystone/tests/unit/config_files/backend_ldap_sql.conf (+1/-1)
keystone/tests/unit/config_files/backend_multi_ldap_sql.conf (+1/-1)
keystone/tests/unit/config_files/backend_sql.conf (+1/-1)
keystone/tests/unit/config_files/deprecated.conf (+8/-0)
keystone/tests/unit/config_files/deprecated_override.conf (+15/-0)
keystone/tests/unit/contrib/federation/test_utils.py (+3/-3)
keystone/tests/unit/core.py (+11/-4)
keystone/tests/unit/endpoint_policy/backends/test_base.py (+1/-1)
keystone/tests/unit/identity/shadow_users/test_backend.py (+2/-2)
keystone/tests/unit/identity/test_backends.py (+16/-20)
keystone/tests/unit/ksfixtures/__init__.py (+0/-1)
keystone/tests/unit/policy/backends/test_base.py (+1/-1)
keystone/tests/unit/resource/test_backends.py (+19/-26)
keystone/tests/unit/test_associate_project_endpoint_extension.py (+4/-4)
keystone/tests/unit/test_backend_id_mapping_sql.py (+4/-24)
keystone/tests/unit/test_backend_ldap.py (+23/-29)
keystone/tests/unit/test_backend_sql.py (+2/-2)
keystone/tests/unit/test_backend_templated.py (+2/-2)
keystone/tests/unit/test_config.py (+35/-1)
keystone/tests/unit/test_contrib_s3_core.py (+0/-82)
keystone/tests/unit/test_hacking_checks.py (+1/-1)
keystone/tests/unit/test_policy.py (+4/-6)
keystone/tests/unit/test_sql_banned_operations.py (+1/-6)
keystone/tests/unit/test_sql_upgrade.py (+2/-21)
keystone/tests/unit/test_v3.py (+2/-2)
keystone/tests/unit/test_v3_assignment.py (+1/-1)
keystone/tests/unit/test_v3_federation.py (+6/-6)
keystone/trust/backends/base.py (+1/-1)
keystone/trust/backends/sql.py (+1/-5)
keystone/trust/core.py (+9/-9)
lower-constraints.txt (+3/-4)
releasenotes/source/index.rst (+0/-3)
releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po (+3/-124)
requirements.txt (+3/-3)
setup.cfg (+4/-4)
tox.ini (+21/-25)
Reviewer Review Type Date Requested Status
Corey Bryant Pending
Review via email: mp+416277@code.launchpad.net

Preview Diff

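--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -33,14 +33,6 @@
 USE_PYTHON3: True
 
 - job:
- name: keystone-dsvm-py3-functional-fips
- parent: keystone-dsvm-py3-functional
- nodeset: devstack-single-node-centos-8-stream
- description: |
- Functional testing for a FIPS enabled Centos 8 system
- pre-run: playbooks/enable-fips.yaml
-
-- job:
 name: keystone-dsvm-functional-federation-opensuse15
 parent: keystone-dsvm-functional
 nodeset: devstack-single-node-opensuse-15
@@ -110,6 +102,15 @@
 osa_test_repo: openstack/openstack-ansible-os_keystone
 
 - job:
+ name: keystone-tox-protection
+ parent: openstack-tox-py37
+ timeout: 3600
+ vars:
+ tox_envlist: protection
+ bindep_profile: test py37
+ python_version: 3.7
+
+- job:
 name: keystone-dsvm-ldap-domain-specific-driver
 parent: devstack-tempest
 vars:
@@ -209,7 +210,6 @@
 - check-requirements
 - integrated-gate-py3
 - release-notes-jobs-python3
- - openstack-python3-wallaby-jobs-arm64
 check:
 jobs:
 - keystone-dsvm-py3-functional:
@@ -220,9 +220,6 @@
 - ^etc/.*$
 - ^keystone/tests/unit/.*$
 - ^releasenotes/.*$
- - keystone-dsvm-py3-functional-fips:
- voting: false
- irrelevant-files: *irrelevant-files
 - keystone-dsvm-py3-functional-federation-ubuntu-focal:
 voting: false
 irrelevant-files: *irrelevant-files
@@ -248,7 +245,7 @@
 irrelevant-files: *tempest-irrelevant-files
 - tempest-ipv6-only:
 irrelevant-files: *tempest-irrelevant-files
- - keystone-protection-functional
+ - keystone-tox-protection
 gate:
 jobs:
 - keystone-dsvm-py3-functional:
@@ -261,7 +258,7 @@
 irrelevant-files: *tempest-irrelevant-files
 - tempest-ipv6-only:
 irrelevant-files: *tempest-irrelevant-files
- - keystone-protection-functional
+ - keystone-tox-protection
 experimental:
 jobs:
 - keystone-tox-patch_cover
@@ -271,6 +268,8 @@
 irrelevant-files: *irrelevant-files
 - tempest-pg-full:
 irrelevant-files: *tempest-irrelevant-files
+ - tempest-full-py3-opensuse15:
+ irrelevant-files: *tempest-irrelevant-files
 - keystone-dsvm-functional-federation-centos7:
 irrelevant-files: *irrelevant-files
 - keystone-dsvm-functional-federation-ubuntu-xenial: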
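Review bot: The check and gate pipelines carry no FIPS-enabled job on the new side: the `keystone-dsvm-py3-functional-fips` definition and its non-voting check entry are gone, and nothing in this section replaces that coverage, so use of hash or cipher primitives that a FIPS-mode host rejects would no longer be caught before merge. The experimental pipeline also regains `tempest-full-py3-opensuse15`, which a ChangeLog line dropped elsewhere in this diff describes as broken. If both follow from syncing this branch to the 18.1.0 upstream release, as the PKG-INFO version change suggests, it would help to record that next to the new job, for example `# stable/victoria sync: protection tests run via tox (py37); no FIPS job on this branch`.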
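--- a/AUTHORS
+++ b/AUTHORS
@@ -1,7 +1,6 @@
 Adam Gandelman <adam.gandelman@canonical.com>
 Adam Young <ayoung@f17httpd.ayoung530>
 Adam Young <ayoung@redhat.com>
-Ade Lee <alee@redhat.com>
 Adipudi Praveena <padipudi@padipudi.(none)>
 Adrian Turjak <adriant@catalyst.net.nz>
 Ajaya Agrawal <ajku.agr@gmail.com>
@@ -177,7 +176,6 @@ Ghe Rivero <ghe@debian.org>
 Gordon Chung <chungg@ca.ibm.com>
 Graham Hayes <graham.hayes@hpe.com>
 Grzegorz Grasza <grzegorz.grasza@intel.com>
-Grzegorz Grasza <xek@redhat.com>
 Guang Yee <guang.yee@hpe.com>
 Guang Yee <guang.yee@suse.com>
 Guo Shan <guoshan@awcloud.com>
@@ -199,7 +197,6 @@ Hervé Beraud <hberaud@redhat.com>
 Hidekazu Nakamura <hid-nakamura@vf.jp.nec.com>
 Hieu LE <hieulq@vn.fujitsu.com>
 Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp>
-Hironori Shiina <shiina.hironori@jp.fujitsu.com>
 Hongbin Lu <hongbin034@gmail.com>
 Hugh Saunders <hugh@wherenow.org>
 Hugo Nicodemos <hugonicodemos@gmail.com>
@@ -348,7 +345,6 @@ Matthew Thode <mthode@mthode.org>
 Matthew Treinish <mtreinish@kortar.org>
 Matthew Treinish <treinish@linux.vnet.ibm.com>
 Matthieu Huin <mhu@enovance.com>
-Maurice Escher <maurice.escher@sap.com>
 Michael Basnight <mbasnight@gmail.com>
 Michael J Fork <mjfork@us.ibm.com>
 Michael Krotscheck <krotscheck@gmail.com>
@@ -422,7 +418,6 @@ Robert Collins <rbtcollins@hp.com>
 Robert Collins <robertc@robertcollins.net>
 Robert H. Hyerle <hyerle@hp.com>
 Robin Norwood <robin.norwood@gmail.com>
-Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
 Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
 Rodrigo Duarte <rduartes@redhat.com>
 Rodrigo Duarte Sousa <rduartes@redhat.com>
@@ -484,12 +479,10 @@ Sreyansh Jain <taishiroy2904@gmail.com>
 Stanisław Pitucha <stanislaw.pitucha@hp.com>
 Stef T <stelford@internap.com>
 Stephen Finucane <sfinucan@redhat.com>
-Stephen Finucane <stephenfin@redhat.com>
 Steve Baker <sbaker@redhat.com>
 Steve Martinelli <s.martinelli@gmail.com>
 Steve Martinelli <stevemar@ca.ibm.com>
 Steven Hardy <shardy@redhat.com>
-Stuart Grace <stuart.grace@bbc.co.uk>
 Stuart McLaren <stuart.mclaren@hp.com>
 Suramya Shah <shah.suramya@gmail.com>
 Sushil Kumar <sushil.kumar2@globallogic.com>
@@ -499,7 +492,6 @@ Sylvain Afchain <sylvain.afchain@enovance.com>
 THOMAS J. COCOZZELLO <tjcocozz@us.ibm.com>
 Tahmina Ahmed <tahmina.csebuet@gmail.com>
 Taishi Roy <taishiroy2904@gmail.com>
-Takashi Kajinami <tkajinam@redhat.com>
 Takashi NATSUME <natsume.takashi@lab.ntt.co.jp>
 Telles Nobrega <tellesmvn@lsd.ufcg.edu.br>
 Theodore Ilie <theodorex.ilie@intel.com>
@@ -564,7 +556,6 @@ Yong Sheng Gong <gongysh@cn.ibm.com>
 Yong Sheng Gong <gongysh@unitedstack.com>
 You Ji <jiyou09@gmail.com>
 You Yamagata <bi.yamagata@gmail.com>
-YuehuiLei <leiyuehui-s@inspur.com>
 Yuiko Takada <takada-yuiko@mxn.nes.nec.co.jp>
 Yun Mao <yunmao@gmail.com>
 Yuriy Taraday <yorik.sar@gmail.com>
@@ -672,7 +663,6 @@ prashkre <prashkre@in.ibm.com>
 qinglin.cheng <qinglin.cheng@easystack.cn>
 r-sekine <r-sekine@intellilink.co.jp>
 rajat29 <rajat.sharma@nectechnologies.in>
-ricolin <rico.lin.guanyu@gmail.com>
 rocky <haigang.xu@easystack.cn>
 root <root@newapps.(none)>
 rpedde <ron@pedde.com>
@@ -699,7 +689,6 @@ wanghui <wang_hui@inspur.com>
 wanglong <wl3617@qq.com>
 wangqiangbj <wangqiangbj@inspur.com>
 wangxiyuan <wangxiyuan@huawei.com>
-wangzihao <wangzihao@yovole.com>
 werner mendizabal <nonameentername@gmail.com>
 whoami-rajat <rajatdhasmana@gmail.com>
 wingwj <wingwj@gmail.com>
@@ -710,7 +699,6 @@ xingzhou <xingzhou@cn.ibm.com>
 xuhaigang <haigang.xu@easystack.cn>
 xurong00037997 <xu.rong@zte.com.cn>
 yanghuichan <yanghc@fiberhome.com>
-yangshaoxue <yang.shaoxue@99cloud.net>
 yangweiwei <yangweiwei@cmss.chinamobile.com>
 yangyapeng <yang.yapeng@99cloud.net>
 yaroslavmt <yaroslavmt@gmail.com>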
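--- a/ChangeLog
+++ b/ChangeLog
@@ -1,64 +1,21 @@
 CHANGES
 =======
 
-* Add 'WarningsFixture'
-* Add support for pysaml2 >= 7.1.0
-* tox: Random fixups
-* Deprecate ineffective [memcache] options
-* Fix response code of 'Revoke Token' in api-ref
-* Accept STS and IAM services from Ceph Obj Gateway
-* Fix oslo policy warning assert in unit tests
-* Temporary exclude the common.sql.core.py from sphinx-apidoc target
-* Remove broken tempest-full-py3-opensuse15 job
-* Fix typos in application credential policies
-* Fix typo in identity provider policies
-* Update master for stable/xena
-* Improve performance on trust deletion
-* Replace deprecated assertDictContainsSubset
-
-20.0.0
+18.1.0
 ------
 
+* Fix typos in application credential policies
 * Fix typos in ec2 credential policies
-* Fix oslo policy DeprecatedRule warnings
-* Update local\_id limit to 255 characters
-* Add FIPS check job
-* Replace deprecated import of ABCs from collections
-* Moving IRC network reference to OFTC
-* Update master for stable/wallaby
-* Remove use of deprecated oslo.db options
-* docs: Fix failing build
-* Make DB queries compatible with SQLAlchemy 1.4.x
-* fix get\_security\_compliance\_domain\_config policy rule typo
-* setup.cfg: Replace dashes with underscores
+* Fix typo in identity provider policies
 * Hide AccountLocked exception from end users
 * Retry update\_user when sqlalchemy raises StaleDataErrors
-* Imported Translations from Zanata
-
-19.0.0.0rc1
------------
-
-* Add job for keystone functional protection tests
-* trivial: Update minor wording nit in RBAC persona documentation
-* Clarify top-level personas in RBAC documentation
-* Clarify \`\`reader\`\` role implementation in persona admin guide
-* [goal] Deprecate the JSON formatted policy file
-* Ignore oslo.db deprecating sqlalchemy-migrate warning
-* Add openstack-python3-wallaby-jobs-arm64 job
 * Support bytes type in generate\_public\_ID()
-* Imported Translations from Zanata
-* Drop lower-constraints job
-* fix E741 ambiguous variable name
-* fix E225 missing whitespace around operator
 * Use app cred user ID in policy enforcement
-* Generalize release note for bug 1878938
-* Use enforce\_new\_defaults when setting up keystone protection tests
+* Update TOX\_CONSTRAINTS\_FILE for stable/victoria
+* Drop lower-constraints job
+* Delete system role assignments from system\_assignment table
 * Implement more robust connection handling for asynchronous LDAP calls
-* Imported Translations from Zanata
-* Update master for stable/victoria
-* Add vine to lower-constraints
-* Simplify default config test
-* Replace assertItemsEqual with assertCountEqual
+* Update .gitreview for stable/victoria
 
 18.0.0
 ------
@@ -75,9 +32,7 @@ CHANGES
 * Spelling Fix
 * NIT: Spelling Fix
 * Properly handle octet (byte) strings when converting LDAP responses
-* Add support for functional RBAC tests
 * Fix invalid assertTrue which should be assertEqual
-* Delete system role assignments from system\_assignment table
 * Fix api-ref for list endpoints
 * Fix lower-constraint for PyMySQL
 * Fix doc for package mod\_wsgi on Centos8/RHEL8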
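--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,11 +1,73 @@
 Metadata-Version: 2.1
 Name: keystone
-Version: 20.1.0.dev27
+Version: 18.1.0
 Summary: OpenStack Identity
 Home-page: https://docs.openstack.org/keystone/latest
 Author: OpenStack
 Author-email: openstack-discuss@lists.openstack.org
 License: UNKNOWN
+Description: ==================
+ OpenStack Keystone
+ ==================
+
+ .. image:: https://governance.openstack.org/tc/badges/keystone.svg
+ :target: https://governance.openstack.org/tc/reference/tags/index.html
+
+ .. Change things from this point on
+
+ OpenStack Keystone provides authentication, authorization and service discovery
+ mechanisms via HTTP primarily for use by projects in the OpenStack family. It
+ is most commonly deployed as an HTTP interface to existing identity systems,
+ such as LDAP.
+
+ Developer documentation, the source of which is in ``doc/source/``, is
+ published at:
+
+ https://docs.openstack.org/keystone/latest
+
+ The API reference and documentation are available at:
+
+ https://docs.openstack.org/api-ref/identity
+
+ The canonical client library is available at:
+
+ https://opendev.org/openstack/python-keystoneclient
+
+ Documentation for cloud administrators is available at:
+
+ https://docs.openstack.org/
+
+ The source of documentation for cloud administrators is available at:
+
+ https://opendev.org/openstack/openstack-manuals
+
+ Information about our team meeting is available at:
+
+ https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
+
+ Release notes is available at:
+
+ https://docs.openstack.org/releasenotes/keystone
+
+ Bugs and feature requests are tracked on Launchpad at:
+
+ https://bugs.launchpad.net/keystone
+
+ Future design work is tracked at:
+
+ https://specs.openstack.org/openstack/keystone-specs
+
+ Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
+
+ https://wiki.openstack.org/wiki/IRC
+
+ Source for the project:
+
+ https://opendev.org/openstack/keystone
+
+ For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
+
+
 Platform: UNKNOWN
 Classifier: Environment :: OpenStack
 Classifier: Intended Audience :: Information Technology
@@ -24,69 +86,3 @@ Provides-Extra: ldap
 Provides-Extra: memcache
 Provides-Extra: mongodb
 Provides-Extra: test
-License-File: LICENSE
-License-File: AUTHORS
-
-==================
-OpenStack Keystone
-==================
-
-.. image:: https://governance.openstack.org/tc/badges/keystone.svg
- :target: https://governance.openstack.org/tc/reference/tags/index.html
-
-.. Change things from this point on
-
-OpenStack Keystone provides authentication, authorization and service discovery
-mechanisms via HTTP primarily for use by projects in the OpenStack family. It
-is most commonly deployed as an HTTP interface to existing identity systems,
-such as LDAP.
-
-Developer documentation, the source of which is in ``doc/source/``, is
-published at:
-
- https://docs.openstack.org/keystone/latest
-
-The API reference and documentation are available at:
-
- https://docs.openstack.org/api-ref/identity
-
-The canonical client library is available at:
-
- https://opendev.org/openstack/python-keystoneclient
-
-Documentation for cloud administrators is available at:
-
- https://docs.openstack.org/
-
-The source of documentation for cloud administrators is available at:
-
- https://opendev.org/openstack/openstack-manuals
-
-Information about our team meeting is available at:
-
- https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
-
-Release notes is available at:
-
- https://docs.openstack.org/releasenotes/keystone
-
-Bugs and feature requests are tracked on Launchpad at:
-
- https://bugs.launchpad.net/keystone
-
-Future design work is tracked at:
-
- https://specs.openstack.org/openstack/keystone-specs
-
-Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
-
- https://wiki.openstack.org/wiki/IRC
-
-Source for the project:
-
- https://opendev.org/openstack/keystone
-
-For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
-
-
-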
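--- a/README.rst
+++ b/README.rst
@@ -49,7 +49,7 @@ Future design work is tracked at:
 
 https://specs.openstack.org/openstack/keystone-specs
 
-Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
+Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
 
 https://wiki.openstack.org/wiki/IRC
 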
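--- a/api-ref/source/v3/authenticate-v3.inc
+++ b/api-ref/source/v3/authenticate-v3.inc
@@ -965,7 +965,7 @@ Status Codes
 
 .. rest_status_code:: success status.yaml
 
- - 204
+ - 201
 
 .. rest_status_code:: error status.yaml
 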
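--- a/devstack/lib/scope.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2019 SUSE LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-function configure_enforce_scope {
- iniset $KEYSTONE_CONF oslo_policy enforce_scope true
- iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
- sudo systemctl restart devstack@keystone
-}
-
-function configure_protection_tests {
- iniset $TEMPEST_CONFIG identity-feature-enabled enforce_scope true
- iniset $TEMPEST_CONFIG auth admin_system true
- iniset $TEMPEST_CONFIG auth admin_project_name ''
-}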
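--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -15,7 +15,6 @@
 
 KEYSTONE_PLUGIN=$DEST/keystone/devstack
 source $KEYSTONE_PLUGIN/lib/federation.sh
-source $KEYSTONE_PLUGIN/lib/scope.sh
 
 # For more information on Devstack plugins, including a more detailed
 # explanation on when the different steps are executed please see:
@@ -48,12 +47,6 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
 if is_service_enabled keystone-saml2-federation; then
 configure_tests_settings
 fi
- if [[ "$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)" == "True" ]] ; then
- # devstack and tempest assume enforce_scope is false, so need to wait
- # until the final phase to turn it on
- configure_enforce_scope
- configure_protection_tests
- fi
 fi
 
 if [[ "$1" == "unstack" ]]; then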
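--- a/doc/source/admin/cli-manage-projects-users-and-roles.rst
+++ b/doc/source/admin/cli-manage-projects-users-and-roles.rst
@@ -10,8 +10,8 @@ define which actions users can perform. You assign roles to
 user-project pairs.
 
 You can define actions for OpenStack service roles in the
-``/etc/PROJECT/policy.yaml`` files. For example, define actions for
-Compute service roles in the ``/etc/nova/policy.yaml`` file.
+``/etc/PROJECT/policy.json`` files. For example, define actions for
+Compute service roles in the ``/etc/nova/policy.json`` file.
 
 You can manage projects, users, and roles independently from each other.
 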
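--- a/doc/source/admin/domain-specific-config.inc
+++ b/doc/source/admin/domain-specific-config.inc
@@ -146,12 +146,6 @@ then the same public ID will be created. This is useful if you are running
 multiple keystones and want to ensure the same ID would be generated whichever
 server you hit.
 
-.. NOTE::
-
- In case of the LDAP backend, the names of users and groups are not hashed.
- As a result, these are length limited to 255 characters. Longer names
- will result in an error.
-
 While keystone will dynamically maintain the identity mapping, including
 removing entries when entities are deleted via the keystone, for those entities
 in backends that are managed outside of keystone (e.g. a read-only LDAP),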
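--- a/doc/source/admin/identity-concepts.rst
+++ b/doc/source/admin/identity-concepts.rst
@@ -122,9 +122,9 @@ Identity user management examples:
 Individual services assign meaning to roles, typically through
 limiting or granting access to users with the role to the
 operations that the service supports. Role access is typically
- configured in the service's ``policy.yaml`` file. For example,
+ configured in the service's ``policy.json`` file. For example,
 to limit Compute access to the ``compute-user`` role, edit the
- Compute service's ``policy.yaml`` file to require this role for
+ Compute service's ``policy.json`` file to require this role for
 Compute operations.
 
 The Identity service assigns a project and a role to a user. You might
@@ -139,25 +139,25 @@ A user can have different roles in different projects. For example, Alice
 might also have the ``admin`` role in the ``Cyberdyne`` project. A user
 can also have multiple roles in the same project.
 
-The ``/etc/[SERVICE_CODENAME]/policy.yaml`` file controls the
+The ``/etc/[SERVICE_CODENAME]/policy.json`` file controls the
 tasks that users can perform for a given service. For example, the
-``/etc/nova/policy.yaml`` file specifies the access policy for the
-Compute service, the ``/etc/glance/policy.yaml`` file specifies
+``/etc/nova/policy.json`` file specifies the access policy for the
+Compute service, the ``/etc/glance/policy.json`` file specifies
 the access policy for the Image service, and the
-``/etc/keystone/policy.yaml`` file specifies the access policy for
+``/etc/keystone/policy.json`` file specifies the access policy for
 the Identity service.
 
-The default ``policy.yaml`` files in the Compute, Identity, and
+The default ``policy.json`` files in the Compute, Identity, and
 Image services recognize only the ``admin`` role. Any user with
 any role in a project can access all operations that do not require the
 ``admin`` role.
 
 To restrict users from performing operations in, for example, the
 Compute service, you must create a role in the Identity service and
-then modify the ``/etc/nova/policy.yaml`` file so that this role
+then modify the ``/etc/nova/policy.json`` file so that this role
 is required for Compute operations.
 
-For example, the following line in the ``/etc/cinder/policy.yaml``
+For example, the following line in the ``/etc/cinder/policy.json``
 file does not restrict which users can create volumes:
 
 .. code-block:: none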
577diff --git a/doc/source/admin/service-api-protection.rst b/doc/source/admin/service-api-protection.rst
578index 47886ae..80b8af1 100644
579--- a/doc/source/admin/service-api-protection.rst
580+++ b/doc/source/admin/service-api-protection.rst
581@@ -10,16 +10,14 @@ Like most OpenStack services, keystone protects its API using role-based access
582 control (RBAC).
583
584 Users can access different APIs depending on the roles they have on a project,
585-domain, or system, which we refer to as scope.
586+domain, or system.
587
588 As of the Rocky release, keystone provides three roles called ``admin``,
589 ``member``, and ``reader`` by default. Operators can grant these roles to any
590-actor (e.g., group or user) on any scope (e.g., system, domain, or project).
591+actor (e.g., group or user) on any target (e.g., system, domain, or project).
592 If you need a refresher on authorization scopes and token types, please refer
593 to the `token guide`_. The following sections describe how each default role
594-behaves with keystone's API across different scopes. Additionally, other
595-service developers can use this document as a guide for implementing similar
596-patterns in their services.
597+behaves with keystone's API across different scopes.
598
599 Default roles and behaviors across scopes allow operators to delegate more
600 functionality to their team, auditors, customers, and users without maintaining
601@@ -31,10 +29,9 @@ custom policies.
602 Roles Definitions
603 -----------------
604
605-The default roles provided by keystone, via ``keystone-manage boostrap``, are
606-related through role implications. The ``admin`` role implies the ``member``
607-role, and the ``member`` role implies the ``reader`` role. These implications
608-mean users with the ``admin`` role automatically have the ``member`` and
609+The default roles imply one another. The ``admin`` role implies the ``member``
610+role, and the ``member`` role implies the ``reader`` role. This implication
611+means users with the ``admin`` role automatically have the ``member`` and
612 ``reader`` roles. Additionally, users with the ``member`` role automatically
613 have the ``reader`` role. Implying roles reduces role assignments and forms a
614 natural hierarchy between the default roles. It also reduces the complexity of
615@@ -54,26 +51,6 @@ Instead of:
616 Reader
617 ======
618
619-.. warning::
620-
621- While it's possible to use the ``reader`` role to perform audits, we highly
622- recommend assessing the viability of using ``reader`` for auditing from the
623- perspective of the compliance target you're pursuing.
624-
625- The ``reader`` role is the least-privileged role within the role hierarchy
626- described here. As such, OpenStack development teams, by default, do not
627- advocate exposing sensitive information to users with the ``reader`` role,
628- regardless of the scope. We have noted the need for a formal, read-only,
629- role that is useful for inspecting all applicable resources within a
630- particular scope, but it shouldn't be implemented as the lowest level of
631- authorization. This work will come in a subsequent release where we support
632- an elevated read-only role, that implies ``reader``, but also exposes
633- sensitive information, where applicable.
634-
635- This will allow operators to grant third-party auditors a permissive role
636- for viewing sensitive information, specifically for compliance targets that
637- require it.
638-
639 The ``reader`` role provides read-only access to resources within the system, a
640 domain, or a project. Depending on the assignment scope, two users with the
641 ``reader`` role can expect different API behaviors. For example, a user with
642@@ -87,20 +64,6 @@ roles. For example, to accomplish this without analyzing assignment scope, you
643 would need ``system-reader``, ``domain-reader``, and ``project-reader`` roles
644 in addition to custom policies for each service.
645
646-It's imperative to note that ``reader`` is the least authoritative role in the
647-hierarchy because assignments using ``admin`` or ``member`` ultimately include
648-the ``reader`` role. We document this explicitly so that ``reader`` roles are not
649-overloaded with read-only access to sensitive information. For example, a deployment
650-pursuing a specific compliance target may want to leverage the ``reader`` role
651-to perform the audit. If the audit requires the auditor to evaluate sensitive
652-information, like license keys or administrative metadata, within a given
653-scope, auditors shouldn't expect to perform these operations with the
654-``reader`` role. We justify this design decision because sensitive information
655-should be explicitly protected, and not implicitly exposed.
656-
657-The ``reader`` role should be implemented and used from the perspective of
658-least-privilege, which may or may not fulfill your auditing use case.
659-
660 Member
661 ======
662
663@@ -132,30 +95,9 @@ services are addressing this individually at their own pace).
664 As of the Train release, keystone applies the following personas
665 consistently across its API.
666
667----------------
668-System Personas
669----------------
670-
671-This section describes authorization personas typically used for operators and
672-deployers. You can find all users with system role assignments using the
673-following query:
674-
675-.. code-block:: console
676-
677- $ openstack role assignment list --names --system all
678- +--------+------------------------+------------------------+---------+--------+--------+-----------+
679- | Role | User | Group | Project | Domain | System | Inherited |
680- +--------+------------------------+------------------------+---------+--------+--------+-----------+
681- | admin | | system-admins@Default | | | all | False |
682- | admin | admin@Default | | | | all | False |
683- | admin | operator@Default | | | | all | False |
684- | reader | | system-support@Default | | | all | False |
685- | admin | operator@Default | | | | all | False |
686- | member | system-support@Default | | | | all | False |
687- +--------+------------------------+------------------------+---------+--------+--------+-----------+
688-
689+---------------------
690 System Administrators
691-=====================
692+---------------------
693
694 *System administrators* are allowed to manage every resource in keystone.
695 System administrators are typically operators and cloud administrators. They
696@@ -169,7 +111,7 @@ assignments:
697
698 .. code-block:: console
699
700- $ openstack role assignment list --names --system all --role admin
701+ $ openstack role assignment list --names --system all
702 +-------+------------------+-----------------------+---------+--------+--------+-----------+
703 | Role | User | Group | Project | Domain | System | Inherited |
704 +-------+------------------+-----------------------+---------+--------+--------+-----------+
705@@ -178,57 +120,38 @@ assignments:
706 | admin | operator@Default | | | | all | False |
707 +-------+------------------+-----------------------+---------+--------+--------+-----------+
708
709+-------------------------------
710 System Members & System Readers
711-===============================
712+-------------------------------
713
714 In keystone, *system members* and *system readers* are very similar and have
715 the same authorization. Users with these roles on the system can view all
716-resources within keystone. They can list role assignments, users, projects, and
717-group memberships, among other resources.
718+resources within keystone. They can audit role assignments, users, projects,
719+and group memberships, among other resources.
720
721-The *system reader* persona is useful for members of a support team or auditors
722-if the audit doesn't require access to sensitive information. You can find
723-*system members* and *system readers* in your deployment with the following
724-assignments:
725+The *system reader* persona is useful for auditors or members of a support
726+team. You can find *system members* and *system readers* in your deployment
727+with the following assignments:
728
729 .. code-block:: console
730
731 $ openstack role assignment list --names --system all --role member --role reader
732- +--------+------------------------+------------------------+---------+--------+--------+-----------+
733- | Role | User | Group | Project | Domain | System | Inherited |
734- +--------+------------------------+------------------------+---------+--------+--------+-----------+
735- | reader | | system-support@Default | | | all | False |
736- | admin | operator@Default | | | | all | False |
737- | member | system-support@Default | | | | all | False |
738- +--------+------------------------+------------------------+---------+--------+--------+-----------+
739+ +--------+------------------------+-------------------------+---------+--------+--------+-----------+
740+ | Role | User | Group | Project | Domain | System | Inherited |
741+ +--------+------------------------+-------------------------+---------+--------+--------+-----------+
742+ | reader | | system-auditors@Default | | | all | False |
743+ | admin | operator@Default | | | | all | False |
744+ | member | system-support@Default | | | | all | False |
745+ +--------+------------------------+-------------------------+---------+--------+--------+-----------+
746
747 .. warning::
748
749 Filtering system role assignments is currently broken and is being tracked
750 as a `bug <https://bugs.launchpad.net/keystone/+bug/1846817>`_.
751
752----------------
753-Domain Personas
754----------------
755-
756-This section describes authorization personas for people who manage their own
757-domains, which contain projects, users, and groups. You can find all users with
758-role assignments on a specific domain using the following query:
759-
760-.. code-block:: console
761-
762- $ openstack role assignment list --names --domain foobar
763- +--------+-----------------+----------------------+---------+--------+--------+-----------+
764- | Role | User | Group | Project | Domain | System | Inherited |
765- +--------+-----------------+----------------------+---------+--------+--------+-----------+
766- | reader | support@Default | | | foobar | | False |
767- | admin | jsmith@Default | | | foobar | | False |
768- | admin | | foobar-admins@foobar | | foobar | | False |
769- | member | jdoe@foobar | | | foobar | | False |
770- +--------+-----------------+----------------------+---------+--------+--------+-----------+
771-
772+---------------------
773 Domain Administrators
774-=====================
775+---------------------
776
777 *Domain administrators* can manage most aspects of the domain or its contents.
778 These users can create new projects and users within their domain. They can
779@@ -251,18 +174,18 @@ assignment:
780 | admin | | foobar-admins@foobar | | foobar | | False |
781 +-------+----------------+----------------------+---------+--------+--------+-----------+
782
783+-------------------------------
784 Domain Members & Domain Readers
785-===============================
786+-------------------------------
787
788 Domain members and domain readers have the same relationship as system members
789 and system readers. They're allowed to view resources and information about
790 their domain. They aren't allowed to access system-specific information or
791 information about projects, groups, and users outside their domain.
792
793-The domain member and domain reader use-cases are great for support teams,
794-monitoring the details of an account, or auditing resources within a domain
795-assuming the audit doesn't validate sensitive information. You can find domain
796-members and domain readers with the following role assignments:
797+The domain member and domain reader use-cases are great for auditing, support,
798+or monitoring the details of an account. You can find domain members and domain
799+readers with the following role assignments:
800
801 .. code-block:: console
802
803@@ -276,35 +199,16 @@ members and domain readers with the following role assignments:
804 +--------+-----------------+-------+---------+--------+--------+-----------+
805 | Role | User | Group | Project | Domain | System | Inherited |
806 +--------+-----------------+-------+---------+--------+--------+-----------+
807- | reader | support@Default | | | foobar | | False |
808+ | reader | auditor@Default | | | foobar | | False |
809 +--------+-----------------+-------+---------+--------+--------+-----------+
810
811-----------------
812-Project Personas
813-----------------
814-
815-This section describes authorization personas for users operating within a
816-project. These personas are commonly used by end users. You can find all users
817-with role assignments on a specific project using the following query:
818-
819-.. code-block:: console
820-
821- $ openstack role assignment list --names --project production
822- +--------+----------------+----------------------------+-------------------+--------+--------+-----------+
823- | Role | User | Group | Project | Domain | System | Inherited |
824- +--------+----------------+----------------------------+-------------------+--------+--------+-----------+
825- | admin | jsmith@Default | | production@foobar | | | False |
826- | admin | | production-admins@foobar | production@foobar | | | False |
827- | member | | foobar-operators@Default | production@foobar | | | False |
828- | reader | alice@Default | | production@foobar | | | False |
829- | reader | | production-support@Default | production@foobar | | | False |
830- +--------+----------------+----------------------------+-------------------+--------+--------+-----------+
831
832+----------------------
833 Project Administrators
834-======================
835+----------------------
836
837-*Project administrators* can only view and modify data within the project they
838-have authorization on. They're able to view information about their projects
839+*Project administrators* can only view and modify data within the project in
840+their role assignment. They're able to view information about their projects
841 and set tags on their projects. They're not allowed to view system or domain
842 resources, as that would violate the tenancy of their role assignment. Since
843 the majority of the resources in keystone's API are system and domain-specific,
844@@ -323,8 +227,9 @@ role assignment:
845 | admin | | production-admins@foobar | production@foobar | | | False |
846 +-------+----------------+--------------------------+-------------------+--------+--------+-----------+
847
848+---------------------------------
849 Project Members & Project Readers
850-=================================
851+---------------------------------
852
853 *Project members* and *project readers* can discover information about their
854 projects. They can access important information like resource limits for their
855@@ -344,12 +249,12 @@ the following role assignments:
856 | member | | foobar-operators@Default | production@foobar | | | False |
857 +--------+------+--------------------------+-------------------+--------+--------+-----------+
858 $ openstack role assignment list --names --project production --role reader
859- +--------+---------------+----------------------------+-------------------+--------+--------+-----------+
860- | Role | User | Group | Project | Domain | System | Inherited |
861- +--------+---------------+----------------------------+-------------------+--------+--------+-----------+
862- | reader | alice@Default | | production@foobar | | | False |
863- | reader | | production-support@Default | production@foobar | | | False |
864- +--------+---------------+----------------------------+-------------------+--------+--------+-----------+
865+ +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+
866+ | Role | User | Group | Project | Domain | System | Inherited |
867+ +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+
868+ | reader | auditor@Default | | production@foobar | | | False |
869+ | reader | | production-support@Default | production@foobar | | | False |
870+ +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+
871
872 ----------------
873 Writing Policies
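--- a/doc/source/admin/upgrading.rst
+++ b/doc/source/admin/upgrading.rst
@@ -42,7 +42,7 @@ Plan your upgrade:
 to re-read the release notes for the previous release (or two!).
 
 * Prepare your new configuration files, including ``keystone.conf``,
- ``logging.conf``, ``policy.yaml``, ``keystone-paste.ini``, and anything else
+ ``logging.conf``, ``policy.json``, ``keystone-paste.ini``, and anything else
 in ``/etc/keystone/``, by customizing the corresponding files from the next
 release.
 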
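--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -55,11 +55,7 @@ apidoc_output_dir = 'api'
 apidoc_excluded_paths = [
 'tests/*',
 'tests',
- 'test',
- # TODO(gmann): with new release of SQLAlchemy(1.4.27) TypeDecorator used
- # in common/sql/core.py file started failing. Remove this oncethe issue of
- # TypeDecorator is fixed.
- 'common/sql/core.py']
+ 'test']
 apidoc_separate_modules = True
 
 # sphinxcontrib.seqdiag options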
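--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@@ -2,15 +2,6 @@
 Policy configuration
 ====================
 
-.. warning::
-
- JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby).
- This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
- JSON-formatted policy file to YAML in a backward-compatible way.
-
-.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
-
-
 Configuration
 ~~~~~~~~~~~~~
 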
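--- a/doc/source/contributor/how-can-i-help.rst
+++ b/doc/source/contributor/how-can-i-help.rst
@@ -50,7 +50,7 @@ become part of the team:
 You can also subscribe to email notifications for new bugs.
 * Subscribe to the openstack-discuss@lists.openstack.org mailing list (filter on
 subject tag ``[keystone]``) and join the #openstack-keystone IRC channel on
- OFTC. Help answer user support questions if you or your organization has
+ freenode. Help answer user support questions if you or your organization has
 faced and solved a similar problem, or chime in on design discussions that
 will affect you and your organization.
 * Check out the low hanging fruit bugs, submit patches to fix them: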
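--- a/doc/source/getting-started/community.rst
+++ b/doc/source/getting-started/community.rst
@@ -34,10 +34,10 @@ from feature designs to documentation to testing to deployment scripts.
 .. _Launchpad: https://launchpad.net/keystone
 .. _wiki: https://wiki.openstack.org/
 
-#openstack-keystone on OFTC IRC Network
----------------------------------------
+#openstack-keystone on Freenode IRC Network
+-------------------------------------------
 
-You can find Keystone folks in `<irc://oftc.net/#openstack-keystone>`_.
+You can find Keystone folks in `<irc://freenode.net/#openstack-keystone>`_.
 This is usually the best place to ask questions and find your way around. IRC
 stands for Internet Relay Chat and it is a way to chat online in real time.
 You can also ask a question and come back to the log files to read the answer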
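--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -2,7 +2,7 @@
 Mapping of policy target to API
 ===============================
 
-The following table shows the target in the policy.yaml file for each API.
+The following table shows the target in the policy.json file for each API.
 
 ========================================================= ===
 Target API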
968diff --git a/keystone.egg-info/PKG-INFO b/keystone.egg-info/PKG-INFO
969index 3b63a18..c4bc751 100644
970--- a/keystone.egg-info/PKG-INFO
971+++ b/keystone.egg-info/PKG-INFO
972@@ -1,11 +1,73 @@
973 Metadata-Version: 2.1
974 Name: keystone
975-Version: 20.1.0.dev27
976+Version: 18.1.0
977 Summary: OpenStack Identity
978 Home-page: https://docs.openstack.org/keystone/latest
979 Author: OpenStack
980 Author-email: openstack-discuss@lists.openstack.org
981 License: UNKNOWN
982+Description: ==================
983+ OpenStack Keystone
984+ ==================
985+
986+ .. image:: https://governance.openstack.org/tc/badges/keystone.svg
987+ :target: https://governance.openstack.org/tc/reference/tags/index.html
988+
989+ .. Change things from this point on
990+
991+ OpenStack Keystone provides authentication, authorization and service discovery
992+ mechanisms via HTTP primarily for use by projects in the OpenStack family. It
993+ is most commonly deployed as an HTTP interface to existing identity systems,
994+ such as LDAP.
995+
996+ Developer documentation, the source of which is in ``doc/source/``, is
997+ published at:
998+
999+ https://docs.openstack.org/keystone/latest
1000+
1001+ The API reference and documentation are available at:
1002+
1003+ https://docs.openstack.org/api-ref/identity
1004+
1005+ The canonical client library is available at:
1006+
1007+ https://opendev.org/openstack/python-keystoneclient
1008+
1009+ Documentation for cloud administrators is available at:
1010+
1011+ https://docs.openstack.org/
1012+
1013+ The source of documentation for cloud administrators is available at:
1014+
1015+ https://opendev.org/openstack/openstack-manuals
1016+
1017+ Information about our team meeting is available at:
1018+
1019+ https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
1020+
1021+ Release notes is available at:
1022+
1023+ https://docs.openstack.org/releasenotes/keystone
1024+
1025+ Bugs and feature requests are tracked on Launchpad at:
1026+
1027+ https://bugs.launchpad.net/keystone
1028+
1029+ Future design work is tracked at:
1030+
1031+ https://specs.openstack.org/openstack/keystone-specs
1032+
1033+ Contributors are encouraged to join IRC (``#openstack-keystone`` on freenode):
1034+
1035+ https://wiki.openstack.org/wiki/IRC
1036+
1037+ Source for the project:
1038+
1039+ https://opendev.org/openstack/keystone
1040+
1041+ For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
1042+
1043+
1044 Platform: UNKNOWN
1045 Classifier: Environment :: OpenStack
1046 Classifier: Intended Audience :: Information Technology
1047@@ -24,69 +86,3 @@ Provides-Extra: ldap
1048 Provides-Extra: memcache
1049 Provides-Extra: mongodb
1050 Provides-Extra: test
1051-License-File: LICENSE
1052-License-File: AUTHORS
1053-
1054-==================
1055-OpenStack Keystone
1056-==================
1057-
1058-.. image:: https://governance.openstack.org/tc/badges/keystone.svg
1059- :target: https://governance.openstack.org/tc/reference/tags/index.html
1060-
1061-.. Change things from this point on
1062-
1063-OpenStack Keystone provides authentication, authorization and service discovery
1064-mechanisms via HTTP primarily for use by projects in the OpenStack family. It
1065-is most commonly deployed as an HTTP interface to existing identity systems,
1066-such as LDAP.
1067-
1068-Developer documentation, the source of which is in ``doc/source/``, is
1069-published at:
1070-
1071- https://docs.openstack.org/keystone/latest
1072-
1073-The API reference and documentation are available at:
1074-
1075- https://docs.openstack.org/api-ref/identity
1076-
1077-The canonical client library is available at:
1078-
1079- https://opendev.org/openstack/python-keystoneclient
1080-
1081-Documentation for cloud administrators is available at:
1082-
1083- https://docs.openstack.org/
1084-
1085-The source of documentation for cloud administrators is available at:
1086-
1087- https://opendev.org/openstack/openstack-manuals
1088-
1089-Information about our team meeting is available at:
1090-
1091- https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
1092-
1093-Release notes is available at:
1094-
1095- https://docs.openstack.org/releasenotes/keystone
1096-
1097-Bugs and feature requests are tracked on Launchpad at:
1098-
1099- https://bugs.launchpad.net/keystone
1100-
1101-Future design work is tracked at:
1102-
1103- https://specs.openstack.org/openstack/keystone-specs
1104-
1105-Contributors are encouraged to join IRC (``#openstack-keystone`` on OFTC):
1106-
1107- https://wiki.openstack.org/wiki/IRC
1108-
1109-Source for the project:
1110-
1111- https://opendev.org/openstack/keystone
1112-
1113-For information on contributing to Keystone, see ``CONTRIBUTING.rst``.
1114-
1115-
1116-
1117diff --git a/keystone.egg-info/SOURCES.txt b/keystone.egg-info/SOURCES.txt
1118index fc8c6b6..b1af601 100644
1119--- a/keystone.egg-info/SOURCES.txt
1120+++ b/keystone.egg-info/SOURCES.txt
1121@@ -315,7 +315,6 @@ devstack/files/federation/shib_apache_alias.txt
1122 devstack/files/federation/shib_apache_handler.txt
1123 devstack/files/federation/shibboleth2.xml
1124 devstack/lib/federation.sh
1125-devstack/lib/scope.sh
1126 doc/Makefile
1127 doc/README.rst
1128 doc/requirements.txt
1129@@ -473,7 +472,6 @@ keystone.egg-info/SOURCES.txt
1130 keystone.egg-info/dependency_links.txt
1131 keystone.egg-info/entry_points.txt
1132 keystone.egg-info/not-zip-safe
1133-keystone.egg-info/pbr.json
1134 keystone.egg-info/requires.txt
1135 keystone.egg-info/top_level.txt
1136 keystone/api/__init__.py
1137@@ -705,7 +703,6 @@ keystone/common/sql/contract_repo/versions/075_placeholder.py
1138 keystone/common/sql/contract_repo/versions/076_placeholder.py
1139 keystone/common/sql/contract_repo/versions/077_placeholder.py
1140 keystone/common/sql/contract_repo/versions/078_placeholder.py
1141-keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
1142 keystone/common/sql/contract_repo/versions/__init__.py
1143 keystone/common/sql/data_migration_repo/README
1144 keystone/common/sql/data_migration_repo/__init__.py
1145@@ -789,7 +786,6 @@ keystone/common/sql/data_migration_repo/versions/075_placeholder.py
1146 keystone/common/sql/data_migration_repo/versions/076_placeholder.py
1147 keystone/common/sql/data_migration_repo/versions/077_placeholder.py
1148 keystone/common/sql/data_migration_repo/versions/078_placeholder.py
1149-keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
1150 keystone/common/sql/data_migration_repo/versions/__init__.py
1151 keystone/common/sql/expand_repo/README
1152 keystone/common/sql/expand_repo/__init__.py
1153@@ -873,7 +869,6 @@ keystone/common/sql/expand_repo/versions/075_placeholder.py
1154 keystone/common/sql/expand_repo/versions/076_placeholder.py
1155 keystone/common/sql/expand_repo/versions/077_placeholder.py
1156 keystone/common/sql/expand_repo/versions/078_placeholder.py
1157-keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
1158 keystone/common/sql/expand_repo/versions/__init__.py
1159 keystone/common/sql/migrate_repo/README
1160 keystone/common/sql/migrate_repo/__init__.py
1161@@ -1235,6 +1230,8 @@ keystone/tests/unit/config_files/backend_multi_ldap_sql.conf
1162 keystone/tests/unit/config_files/backend_pool_liveldap.conf
1163 keystone/tests/unit/config_files/backend_sql.conf
1164 keystone/tests/unit/config_files/backend_tls_liveldap.conf
1165+keystone/tests/unit/config_files/deprecated.conf
1166+keystone/tests/unit/config_files/deprecated_override.conf
1167 keystone/tests/unit/config_files/test_auth_plugin.conf
1168 keystone/tests/unit/config_files/domain_configs_default_ldap_one_sql/keystone.domain1.conf
1169 keystone/tests/unit/config_files/domain_configs_multi_ldap/keystone.Default.conf
1170@@ -1281,7 +1278,6 @@ keystone/tests/unit/ksfixtures/key_repository.py
1171 keystone/tests/unit/ksfixtures/ldapdb.py
1172 keystone/tests/unit/ksfixtures/policy.py
1173 keystone/tests/unit/ksfixtures/temporaryfile.py
1174-keystone/tests/unit/ksfixtures/warnings.py
1175 keystone/tests/unit/limit/__init__.py
1176 keystone/tests/unit/limit/test_backends.py
1177 keystone/tests/unit/policy/__init__.py
1178@@ -1328,7 +1324,6 @@ keystone/trust/backends/__init__.py
1179 keystone/trust/backends/base.py
1180 keystone/trust/backends/sql.py
1181 keystone_tempest_plugin/README.rst
1182-playbooks/enable-fips.yaml
1183 rally-jobs/README.rst
1184 rally-jobs/keystone.yaml
1185 releasenotes/notes/.placeholder
1186@@ -1573,11 +1568,8 @@ releasenotes/notes/bug-1885753-51df25f3ff1d9ae8.yaml
1187 releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
1188 releasenotes/notes/bug-1889936-78d6853b5212b8f1.yaml
1189 releasenotes/notes/bug-1896125-b17a4d12730fe493.yaml
1190-releasenotes/notes/bug-1897280-e7065c4368a325ad.yaml
1191 releasenotes/notes/bug-1901207-13762f85b8a04481.yaml
1192 releasenotes/notes/bug-1901654-69b9f35d11cd0c75.yaml
1193-releasenotes/notes/bug-1929066-6e741c9182620a37.yaml
1194-releasenotes/notes/bug-1941020-f694395a9bcea72f.yaml
1195 releasenotes/notes/bug1828565-0790c4c60ba34100.yaml
1196 releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml
1197 releasenotes/notes/bug_1543048_and_1668503-7ead4e15faaab778.yaml
1198@@ -1588,7 +1580,6 @@ releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml
1199 releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml
1200 releasenotes/notes/convert-keystone-to-flask-80d980e239b662b0.yaml
1201 releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml
1202-releasenotes/notes/deprecate-json-formatted-policy-file-95f6307f88358f58.yaml
1203 releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml
1204 releasenotes/notes/deprecate-policies-api-b104fbd1d2367b1b.yaml
1205 releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml
1206@@ -1678,15 +1669,10 @@ releasenotes/source/stein.rst
1207 releasenotes/source/train.rst
1208 releasenotes/source/unreleased.rst
1209 releasenotes/source/ussuri.rst
1210-releasenotes/source/victoria.rst
1211-releasenotes/source/wallaby.rst
1212-releasenotes/source/xena.rst
1213 releasenotes/source/_static/.placeholder
1214 releasenotes/source/_templates/.placeholder
1215 releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
1216-releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po
1217 releasenotes/source/locale/ja/LC_MESSAGES/releasenotes.po
1218-releasenotes/source/locale/ko_KR/LC_MESSAGES/releasenotes.po
1219 tools/cover.sh
1220 tools/fast8.sh
1221 tools/sample_data.sh
1222diff --git a/keystone.egg-info/pbr.json b/keystone.egg-info/pbr.json
1223deleted file mode 100644
1224index 7de0b70..0000000
1225--- a/keystone.egg-info/pbr.json
1226+++ /dev/null
1227@@ -1 +0,0 @@
1228-{"git_version": "2ddf8f321", "is_release": false}
1229\ No newline at end of file
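--- a/keystone.egg-info/requires.txt
+++ b/keystone.egg-info/requires.txt
@@ -11,16 +11,16 @@ keystonemiddleware>=7.0.0
 msgpack>=0.5.0
 oauthlib>=0.6.2
 oslo.cache>=1.26.0
-oslo.config>=6.8.0
+oslo.config>=5.2.0
 oslo.context>=2.22.0
 oslo.db>=6.0.0
 oslo.i18n>=3.15.3
 oslo.log>=3.44.0
 oslo.messaging>=5.29.0
 oslo.middleware>=3.31.0
-oslo.policy>=3.7.0
+oslo.policy>=3.0.2
 oslo.serialization!=2.19.1,>=2.18.0
-oslo.upgradecheck>=1.3.0
+oslo.upgradecheck>=0.1.0
 oslo.utils>=3.33.0
 osprofiler>=1.4.0
 passlib>=1.7.0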
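--- a/keystone/api/s3tokens.py
+++ b/keystone/api/s3tokens.py
@@ -56,10 +56,7 @@ def _calculate_signature_v4(string_to_sign, secret_key):
 if len(parts) != 4 or parts[0] != b'AWS4-HMAC-SHA256':
 raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
 scope = parts[2].split(b'/')
- if len(scope) != 4 or scope[3] != b'aws4_request':
- raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
- allowed_services = [b's3', b'iam', b'sts']
- if scope[2] not in allowed_services:
+ if len(scope) != 4 or scope[2] != b's3' or scope[3] != b'aws4_request':
 raise exception.Unauthorized(message=_('Invalid EC2 signature.'))
 
 def _sign(key, msg):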
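Review bot: The scope check on the new side of `_calculate_signature_v4` has no comment saying that the service element is deliberately limited to `b's3'`, so it reads like a pure format check. With this line a string-to-sign whose credential scope names `iam` or `sts` is rejected with the same 'Invalid EC2 signature.' message as a malformed scope, which makes the cause hard to tell from logs. I would add a comment above the condition, `# Credential scope is <date>/<region>/<service>/aws4_request; only the s3 service is accepted.`, and mention the restriction in the release notes so operators validating non-S3 signatures through this endpoint expect the 401. The function body starts above the hunk and continues below it.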
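--- a/keystone/cmd/status.py
+++ b/keystone/cmd/status.py
@@ -12,7 +12,6 @@
 
 from oslo_policy import _checks
 from oslo_policy import policy
-from oslo_upgradecheck import common_checks
 from oslo_upgradecheck import upgradecheck
 
 from keystone.common import driver_hints
@@ -87,8 +86,6 @@ class Checks(upgradecheck.UpgradeCommands):
 check_trust_policies_are_not_empty),
 ("Check default roles are immutable",
 check_default_roles_are_immutable),
- ("Policy File JSON to YAML Migration",
- (common_checks.check_policy_json, {'conf': CONF})),
 )
 
 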
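--- a/keystone/common/policies/application_credential.py
+++ b/keystone/common/policies/application_credential.py
@@ -18,30 +18,23 @@ from keystone.common.policies import base
 collection_path = '/v3/users/{user_id}/application_credentials'
 resource_path = collection_path + '/{application_credential_id}'
 
-DEPRECATED_REASON = (
- "The application credential API is now aware of system scope and default "
- "roles."
-)
-
 deprecated_list_application_credentials_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_application_credentials',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_get_application_credentials_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_application_credential',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_delete_application_credentials_for_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_application_credential',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 
+DEPRECATED_REASON = (
+ "The application credential API is now aware of system scope and default "
+ "roles."
+)
 
 application_credential_policies = [
 policy.DocumentedRuleDefault(
@@ -53,7 +46,9 @@ application_credential_policies = [
 'method': 'GET'},
 {'path': resource_path,
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_application_credentials_for_user),
+ deprecated_rule=deprecated_get_application_credentials_for_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_application_credentials',
 check_str=base.RULE_SYSTEM_READER_OR_OWNER,
@@ -63,7 +58,9 @@ application_credential_policies = [
 'method': 'GET'},
 {'path': collection_path,
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_application_credentials_for_user),
+ deprecated_rule=deprecated_list_application_credentials_for_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_application_credential',
 check_str=base.RULE_OWNER,
@@ -78,7 +75,9 @@ application_credential_policies = [
 description='Delete an application credential.',
 operations=[{'path': resource_path,
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_application_credentials_for_user)
+ deprecated_rule=deprecated_delete_application_credentials_for_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 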
1366diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py
1367index 7931bf0..bf9a6bd 100644
1368--- a/keystone/common/policies/consumer.py
1369+++ b/keystone/common/policies/consumer.py
1370@@ -15,41 +15,30 @@ from oslo_policy import policy
1371
1372 from keystone.common.policies import base
1373
1374-DEPRECATED_REASON = (
1375- "The OAUTH1 consumer API is now aware of system scope and default roles."
1376-)
1377-
1378 deprecated_get_consumer = policy.DeprecatedRule(
1379 name=base.IDENTITY % 'get_consumer',
1380- check_str=base.RULE_ADMIN_REQUIRED,
1381- deprecated_reason=DEPRECATED_REASON,
1382- deprecated_since=versionutils.deprecated.TRAIN
1383+ check_str=base.RULE_ADMIN_REQUIRED
1384 )
1385 deprecated_list_consumers = policy.DeprecatedRule(
1386 name=base.IDENTITY % 'list_consumers',
1387- check_str=base.RULE_ADMIN_REQUIRED,
1388- deprecated_reason=DEPRECATED_REASON,
1389- deprecated_since=versionutils.deprecated.TRAIN
1390+ check_str=base.RULE_ADMIN_REQUIRED
1391 )
1392 deprecated_create_consumer = policy.DeprecatedRule(
1393 name=base.IDENTITY % 'create_consumer',
1394- check_str=base.RULE_ADMIN_REQUIRED,
1395- deprecated_reason=DEPRECATED_REASON,
1396- deprecated_since=versionutils.deprecated.TRAIN
1397+ check_str=base.RULE_ADMIN_REQUIRED
1398 )
1399 deprecated_update_consumer = policy.DeprecatedRule(
1400 name=base.IDENTITY % 'update_consumer',
1401- check_str=base.RULE_ADMIN_REQUIRED,
1402- deprecated_reason=DEPRECATED_REASON,
1403- deprecated_since=versionutils.deprecated.TRAIN
1404+ check_str=base.RULE_ADMIN_REQUIRED
1405 )
1406 deprecated_delete_consumer = policy.DeprecatedRule(
1407 name=base.IDENTITY % 'delete_consumer',
1408- check_str=base.RULE_ADMIN_REQUIRED,
1409- deprecated_reason=DEPRECATED_REASON,
1410- deprecated_since=versionutils.deprecated.TRAIN
1411+ check_str=base.RULE_ADMIN_REQUIRED
1412 )
1413
1414+DEPRECATED_REASON = (
1415+ "The OAUTH1 consumer API is now aware of system scope and default roles."
1416+)
1417
1418 consumer_policies = [
1419 policy.DocumentedRuleDefault(
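Review bot: The `deprecated_reason` and `deprecated_since` arguments are removed from every `policy.DeprecatedRule(...)` in this hunk and passed to the `policy.DocumentedRuleDefault(...)` entries in the later hunks of this file instead. As far as I know, newer oslo.policy releases expect them on `DeprecatedRule` and deprecate passing them on the rule default, so this direction only fits an older oslo.policy. Please confirm that the oslo.policy requirement carried by this branch matches; a mismatch would presumably surface when the policy modules are imported or registered, not in review. The same move appears in the application_credential, credential, domain, domain_config, ec2_credential, endpoint and endpoint_group hunks. A comment above the block such as `# deprecated_reason/deprecated_since are passed on the DocumentedRuleDefault for this oslo.policy version` would stop a later sync from moving them back by hand.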
1420@@ -59,7 +48,9 @@ consumer_policies = [
1421 description='Show OAUTH1 consumer details.',
1422 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
1423 'method': 'GET'}],
1424- deprecated_rule=deprecated_get_consumer),
1425+ deprecated_rule=deprecated_get_consumer,
1426+ deprecated_reason=DEPRECATED_REASON,
1427+ deprecated_since=versionutils.deprecated.TRAIN),
1428 policy.DocumentedRuleDefault(
1429 name=base.IDENTITY % 'list_consumers',
1430 check_str=base.SYSTEM_READER,
1431@@ -67,7 +58,9 @@ consumer_policies = [
1432 description='List OAUTH1 consumers.',
1433 operations=[{'path': '/v3/OS-OAUTH1/consumers',
1434 'method': 'GET'}],
1435- deprecated_rule=deprecated_list_consumers),
1436+ deprecated_rule=deprecated_list_consumers,
1437+ deprecated_reason=DEPRECATED_REASON,
1438+ deprecated_since=versionutils.deprecated.TRAIN),
1439 policy.DocumentedRuleDefault(
1440 name=base.IDENTITY % 'create_consumer',
1441 check_str=base.SYSTEM_ADMIN,
1442@@ -75,7 +68,9 @@ consumer_policies = [
1443 description='Create OAUTH1 consumer.',
1444 operations=[{'path': '/v3/OS-OAUTH1/consumers',
1445 'method': 'POST'}],
1446- deprecated_rule=deprecated_create_consumer),
1447+ deprecated_rule=deprecated_create_consumer,
1448+ deprecated_reason=DEPRECATED_REASON,
1449+ deprecated_since=versionutils.deprecated.TRAIN),
1450 policy.DocumentedRuleDefault(
1451 name=base.IDENTITY % 'update_consumer',
1452 check_str=base.SYSTEM_ADMIN,
1453@@ -83,7 +78,9 @@ consumer_policies = [
1454 description='Update OAUTH1 consumer.',
1455 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
1456 'method': 'PATCH'}],
1457- deprecated_rule=deprecated_update_consumer),
1458+ deprecated_rule=deprecated_update_consumer,
1459+ deprecated_reason=DEPRECATED_REASON,
1460+ deprecated_since=versionutils.deprecated.TRAIN),
1461 policy.DocumentedRuleDefault(
1462 name=base.IDENTITY % 'delete_consumer',
1463 check_str=base.SYSTEM_ADMIN,
1464@@ -91,7 +88,9 @@ consumer_policies = [
1465 description='Delete OAUTH1 consumer.',
1466 operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
1467 'method': 'DELETE'}],
1468- deprecated_rule=deprecated_delete_consumer),
1469+ deprecated_rule=deprecated_delete_consumer,
1470+ deprecated_reason=DEPRECATED_REASON,
1471+ deprecated_since=versionutils.deprecated.TRAIN),
1472 ]
1473
1474
1475diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py
1476index 675e318..52a9fa8 100644
1477--- a/keystone/common/policies/credential.py
1478+++ b/keystone/common/policies/credential.py
1479@@ -21,33 +21,23 @@ DEPRECATED_REASON = (
1480
1481 deprecated_get_credential = policy.DeprecatedRule(
1482 name=base.IDENTITY % 'get_credential',
1483- check_str=base.RULE_ADMIN_REQUIRED,
1484- deprecated_reason=DEPRECATED_REASON,
1485- deprecated_since=versionutils.deprecated.STEIN
1486+ check_str=base.RULE_ADMIN_REQUIRED
1487 )
1488 deprecated_list_credentials = policy.DeprecatedRule(
1489 name=base.IDENTITY % 'list_credentials',
1490- check_str=base.RULE_ADMIN_REQUIRED,
1491- deprecated_reason=DEPRECATED_REASON,
1492- deprecated_since=versionutils.deprecated.STEIN
1493+ check_str=base.RULE_ADMIN_REQUIRED
1494 )
1495 deprecated_create_credential = policy.DeprecatedRule(
1496 name=base.IDENTITY % 'create_credential',
1497- check_str=base.RULE_ADMIN_REQUIRED,
1498- deprecated_reason=DEPRECATED_REASON,
1499- deprecated_since=versionutils.deprecated.STEIN
1500+ check_str=base.RULE_ADMIN_REQUIRED
1501 )
1502 deprecated_update_credential = policy.DeprecatedRule(
1503 name=base.IDENTITY % 'update_credential',
1504- check_str=base.RULE_ADMIN_REQUIRED,
1505- deprecated_reason=DEPRECATED_REASON,
1506- deprecated_since=versionutils.deprecated.STEIN
1507+ check_str=base.RULE_ADMIN_REQUIRED
1508 )
1509 deprecated_delete_credential = policy.DeprecatedRule(
1510 name=base.IDENTITY % 'delete_credential',
1511- check_str=base.RULE_ADMIN_REQUIRED,
1512- deprecated_reason=DEPRECATED_REASON,
1513- deprecated_since=versionutils.deprecated.STEIN
1514+ check_str=base.RULE_ADMIN_REQUIRED
1515 )
1516
1517
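Review bot: The five `DeprecatedRule` objects in this hunk carry no comment on what they still permit, which is the part an access review needs. As far as oslo.policy's deprecation handling goes, a deprecated rule's `check_str` remains accepted alongside the new default, so `base.RULE_ADMIN_REQUIRED` presumably keeps authorising the credential operations until the deprecated rules are dropped or the new defaults are enforced. I would add a comment above the block: `# Old defaults: still honoured next to the new check_str during the deprecation period; review before removal.` Operators auditing who can reach `/v3/credentials` should be able to read this in the source.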
1518@@ -60,6 +50,8 @@ credential_policies = [
1519 operations=[{'path': '/v3/credentials/{credential_id}',
1520 'method': 'GET'}],
1521 deprecated_rule=deprecated_get_credential,
1522+ deprecated_reason=DEPRECATED_REASON,
1523+ deprecated_since=versionutils.deprecated.STEIN
1524 ),
1525 policy.DocumentedRuleDefault(
1526 name=base.IDENTITY % 'list_credentials',
1527@@ -69,6 +61,8 @@ credential_policies = [
1528 operations=[{'path': '/v3/credentials',
1529 'method': 'GET'}],
1530 deprecated_rule=deprecated_list_credentials,
1531+ deprecated_reason=DEPRECATED_REASON,
1532+ deprecated_since=versionutils.deprecated.STEIN
1533 ),
1534 policy.DocumentedRuleDefault(
1535 name=base.IDENTITY % 'create_credential',
1536@@ -78,6 +72,8 @@ credential_policies = [
1537 operations=[{'path': '/v3/credentials',
1538 'method': 'POST'}],
1539 deprecated_rule=deprecated_create_credential,
1540+ deprecated_reason=DEPRECATED_REASON,
1541+ deprecated_since=versionutils.deprecated.STEIN
1542 ),
1543 policy.DocumentedRuleDefault(
1544 name=base.IDENTITY % 'update_credential',
1545@@ -87,6 +83,8 @@ credential_policies = [
1546 operations=[{'path': '/v3/credentials/{credential_id}',
1547 'method': 'PATCH'}],
1548 deprecated_rule=deprecated_update_credential,
1549+ deprecated_reason=DEPRECATED_REASON,
1550+ deprecated_since=versionutils.deprecated.STEIN
1551 ),
1552 policy.DocumentedRuleDefault(
1553 name=base.IDENTITY % 'delete_credential',
1554@@ -96,6 +94,8 @@ credential_policies = [
1555 operations=[{'path': '/v3/credentials/{credential_id}',
1556 'method': 'DELETE'}],
1557 deprecated_rule=deprecated_delete_credential,
1558+ deprecated_reason=DEPRECATED_REASON,
1559+ deprecated_since=versionutils.deprecated.STEIN
1560 )
1561 ]
1562
1563diff --git a/keystone/common/policies/domain.py b/keystone/common/policies/domain.py
1564index cd743ee..7d3e3d7 100644
1565--- a/keystone/common/policies/domain.py
1566+++ b/keystone/common/policies/domain.py
1567@@ -21,33 +21,23 @@ DEPRECATED_REASON = (
1568
1569 deprecated_list_domains = policy.DeprecatedRule(
1570 name=base.IDENTITY % 'list_domains',
1571- check_str=base.RULE_ADMIN_REQUIRED,
1572- deprecated_reason=DEPRECATED_REASON,
1573- deprecated_since=versionutils.deprecated.STEIN
1574+ check_str=base.RULE_ADMIN_REQUIRED
1575 )
1576 deprecated_get_domain = policy.DeprecatedRule(
1577 name=base.IDENTITY % 'get_domain',
1578- check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN,
1579- deprecated_reason=DEPRECATED_REASON,
1580- deprecated_since=versionutils.deprecated.STEIN
1581+ check_str=base.RULE_ADMIN_OR_TARGET_DOMAIN
1582 )
1583 deprecated_update_domain = policy.DeprecatedRule(
1584 name=base.IDENTITY % 'update_domain',
1585- check_str=base.RULE_ADMIN_REQUIRED,
1586- deprecated_reason=DEPRECATED_REASON,
1587- deprecated_since=versionutils.deprecated.STEIN
1588+ check_str=base.RULE_ADMIN_REQUIRED
1589 )
1590 deprecated_create_domain = policy.DeprecatedRule(
1591 name=base.IDENTITY % 'create_domain',
1592- check_str=base.RULE_ADMIN_REQUIRED,
1593- deprecated_reason=DEPRECATED_REASON,
1594- deprecated_since=versionutils.deprecated.STEIN
1595+ check_str=base.RULE_ADMIN_REQUIRED
1596 )
1597 deprecated_delete_domain = policy.DeprecatedRule(
1598 name=base.IDENTITY % 'delete_domain',
1599- check_str=base.RULE_ADMIN_REQUIRED,
1600- deprecated_reason=DEPRECATED_REASON,
1601- deprecated_since=versionutils.deprecated.STEIN
1602+ check_str=base.RULE_ADMIN_REQUIRED
1603 )
1604 SYSTEM_USER_OR_DOMAIN_USER_OR_PROJECT_USER = (
1605 '(role:reader and system_scope:all) or '
1606@@ -66,7 +56,9 @@ domain_policies = [
1607 description='Show domain details.',
1608 operations=[{'path': '/v3/domains/{domain_id}',
1609 'method': 'GET'}],
1610- deprecated_rule=deprecated_get_domain),
1611+ deprecated_rule=deprecated_get_domain,
1612+ deprecated_reason=DEPRECATED_REASON,
1613+ deprecated_since=versionutils.deprecated.STEIN),
1614 policy.DocumentedRuleDefault(
1615 name=base.IDENTITY % 'list_domains',
1616 check_str=base.SYSTEM_READER,
1617@@ -74,7 +66,9 @@ domain_policies = [
1618 description='List domains.',
1619 operations=[{'path': '/v3/domains',
1620 'method': 'GET'}],
1621- deprecated_rule=deprecated_list_domains),
1622+ deprecated_rule=deprecated_list_domains,
1623+ deprecated_reason=DEPRECATED_REASON,
1624+ deprecated_since=versionutils.deprecated.STEIN),
1625 policy.DocumentedRuleDefault(
1626 name=base.IDENTITY % 'create_domain',
1627 check_str=base.SYSTEM_ADMIN,
1628@@ -82,7 +76,9 @@ domain_policies = [
1629 description='Create domain.',
1630 operations=[{'path': '/v3/domains',
1631 'method': 'POST'}],
1632- deprecated_rule=deprecated_create_domain),
1633+ deprecated_rule=deprecated_create_domain,
1634+ deprecated_reason=DEPRECATED_REASON,
1635+ deprecated_since=versionutils.deprecated.STEIN),
1636 policy.DocumentedRuleDefault(
1637 name=base.IDENTITY % 'update_domain',
1638 check_str=base.SYSTEM_ADMIN,
1639@@ -90,7 +86,9 @@ domain_policies = [
1640 description='Update domain.',
1641 operations=[{'path': '/v3/domains/{domain_id}',
1642 'method': 'PATCH'}],
1643- deprecated_rule=deprecated_update_domain),
1644+ deprecated_rule=deprecated_update_domain,
1645+ deprecated_reason=DEPRECATED_REASON,
1646+ deprecated_since=versionutils.deprecated.STEIN),
1647 policy.DocumentedRuleDefault(
1648 name=base.IDENTITY % 'delete_domain',
1649 check_str=base.SYSTEM_ADMIN,
1650@@ -98,7 +96,9 @@ domain_policies = [
1651 description='Delete domain.',
1652 operations=[{'path': '/v3/domains/{domain_id}',
1653 'method': 'DELETE'}],
1654- deprecated_rule=deprecated_delete_domain),
1655+ deprecated_rule=deprecated_delete_domain,
1656+ deprecated_reason=DEPRECATED_REASON,
1657+ deprecated_since=versionutils.deprecated.STEIN),
1658 ]
1659
1660
1661diff --git a/keystone/common/policies/domain_config.py b/keystone/common/policies/domain_config.py
1662index b1c8fda..a157f0d 100644
1663--- a/keystone/common/policies/domain_config.py
1664+++ b/keystone/common/policies/domain_config.py
1665@@ -15,46 +15,36 @@ from oslo_policy import policy
1666
1667 from keystone.common.policies import base
1668
1669-DEPRECATED_REASON = (
1670- "The domain config API is now aware of system scope and default roles."
1671-)
1672-
1673 deprecated_get_domain_config = policy.DeprecatedRule(
1674 name=base.IDENTITY % 'get_domain_config',
1675 check_str=base.RULE_ADMIN_REQUIRED,
1676- deprecated_reason=DEPRECATED_REASON,
1677- deprecated_since=versionutils.deprecated.TRAIN
1678 )
1679
1680 deprecated_get_domain_config_default = policy.DeprecatedRule(
1681 name=base.IDENTITY % 'get_domain_config_default',
1682 check_str=base.RULE_ADMIN_REQUIRED,
1683- deprecated_reason=DEPRECATED_REASON,
1684- deprecated_since=versionutils.deprecated.TRAIN
1685 )
1686
1687 deprecated_create_domain_config = policy.DeprecatedRule(
1688 name=base.IDENTITY % 'create_domain_config',
1689 check_str=base.RULE_ADMIN_REQUIRED,
1690- deprecated_reason=DEPRECATED_REASON,
1691- deprecated_since=versionutils.deprecated.TRAIN
1692 )
1693
1694 deprecated_update_domain_config = policy.DeprecatedRule(
1695 name=base.IDENTITY % 'update_domain_config',
1696 check_str=base.RULE_ADMIN_REQUIRED,
1697- deprecated_reason=DEPRECATED_REASON,
1698- deprecated_since=versionutils.deprecated.TRAIN
1699 )
1700
1701 deprecated_delete_domain_config = policy.DeprecatedRule(
1702 name=base.IDENTITY % 'delete_domain_config',
1703 check_str=base.RULE_ADMIN_REQUIRED,
1704- deprecated_reason=DEPRECATED_REASON,
1705- deprecated_since=versionutils.deprecated.TRAIN
1706 )
1707
1708
1709+DEPRECATED_REASON = (
1710+ "The domain config API is now aware of system scope and default roles."
1711+)
1712+
1713 domain_config_policies = [
1714 policy.DocumentedRuleDefault(
1715 name=base.IDENTITY % 'create_domain_config',
1716@@ -75,7 +65,9 @@ domain_config_policies = [
1717 'method': 'PUT'
1718 }
1719 ],
1720- deprecated_rule=deprecated_create_domain_config
1721+ deprecated_rule=deprecated_create_domain_config,
1722+ deprecated_reason=DEPRECATED_REASON,
1723+ deprecated_since=versionutils.deprecated.TRAIN
1724 ),
1725 policy.DocumentedRuleDefault(
1726 name=base.IDENTITY % 'get_domain_config',
1727@@ -111,6 +103,8 @@ domain_config_policies = [
1728 }
1729 ],
1730 deprecated_rule=deprecated_get_domain_config,
1731+ deprecated_reason=DEPRECATED_REASON,
1732+ deprecated_since=versionutils.deprecated.TRAIN
1733 ),
1734 policy.DocumentedRuleDefault(
1735 name=base.IDENTITY % 'get_security_compliance_domain_config',
1736@@ -130,12 +124,12 @@ domain_config_policies = [
1737 'method': 'HEAD'
1738 },
1739 {
1740- 'path': ('/v3/domains/{domain_id}/config/'
1741+ 'path': ('v3/domains/{domain_id}/config/'
1742 'security_compliance/{option}'),
1743 'method': 'GET'
1744 },
1745 {
1746- 'path': ('/v3/domains/{domain_id}/config/'
1747+ 'path': ('v3/domains/{domain_id}/config/'
1748 'security_compliance/{option}'),
1749 'method': 'HEAD'
1750 }
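Review bot: Both `'path'` values changed in this hunk lose their leading slash (`'v3/domains/{domain_id}/config/'`), while every other operation path visible in these policy files starts with `/v3/`. The `operations` list looks like descriptive metadata, so this presumably does not alter enforcement. Generated policy documentation, and any tooling that matches rules to routes by path, would however show a different route for the security_compliance option GET and HEAD entries. Keep `'path': ('/v3/domains/{domain_id}/config/'` on both entries. The enclosing `DocumentedRuleDefault` starts and ends outside the hunk.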
1751@@ -162,6 +156,8 @@ domain_config_policies = [
1752 }
1753 ],
1754 deprecated_rule=deprecated_update_domain_config,
1755+ deprecated_reason=DEPRECATED_REASON,
1756+ deprecated_since=versionutils.deprecated.TRAIN
1757 ),
1758 policy.DocumentedRuleDefault(
1759 name=base.IDENTITY % 'delete_domain_config',
1760@@ -184,6 +180,8 @@ domain_config_policies = [
1761 }
1762 ],
1763 deprecated_rule=deprecated_delete_domain_config,
1764+ deprecated_reason=DEPRECATED_REASON,
1765+ deprecated_since=versionutils.deprecated.TRAIN
1766 ),
1767 policy.DocumentedRuleDefault(
1768 name=base.IDENTITY % 'get_domain_config_default',
1769@@ -218,6 +216,8 @@ domain_config_policies = [
1770 }
1771 ],
1772 deprecated_rule=deprecated_get_domain_config_default,
1773+ deprecated_reason=DEPRECATED_REASON,
1774+ deprecated_since=versionutils.deprecated.TRAIN
1775 )
1776 ]
1777
1778diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py
1779index 9e52709..266a80e 100644
1780--- a/keystone/common/policies/ec2_credential.py
1781+++ b/keystone/common/policies/ec2_credential.py
1782@@ -15,35 +15,26 @@ from oslo_policy import policy
1783
1784 from keystone.common.policies import base
1785
1786-DEPRECATED_REASON = (
1787- "The EC2 credential API is now aware of system scope and default roles."
1788-)
1789-
1790 deprecated_ec2_get_credential = policy.DeprecatedRule(
1791 name=base.IDENTITY % 'ec2_get_credential',
1792- check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
1793- deprecated_reason=DEPRECATED_REASON,
1794- deprecated_since=versionutils.deprecated.TRAIN
1795+ check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
1796 )
1797 deprecated_ec2_list_credentials = policy.DeprecatedRule(
1798 name=base.IDENTITY % 'ec2_list_credentials',
1799- check_str=base.RULE_ADMIN_OR_OWNER,
1800- deprecated_reason=DEPRECATED_REASON,
1801- deprecated_since=versionutils.deprecated.TRAIN
1802+ check_str=base.RULE_ADMIN_OR_OWNER
1803 )
1804 deprecated_ec2_create_credential = policy.DeprecatedRule(
1805 name=base.IDENTITY % 'ec2_create_credential',
1806- check_str=base.RULE_ADMIN_OR_OWNER,
1807- deprecated_reason=DEPRECATED_REASON,
1808- deprecated_since=versionutils.deprecated.TRAIN
1809+ check_str=base.RULE_ADMIN_OR_OWNER
1810 )
1811 deprecated_ec2_delete_credential = policy.DeprecatedRule(
1812 name=base.IDENTITY % 'ec2_delete_credential',
1813- check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
1814- deprecated_reason=DEPRECATED_REASON,
1815- deprecated_since=versionutils.deprecated.TRAIN
1816+ check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER
1817 )
1818
1819+DEPRECATED_REASON = (
1820+ "The EC2 credential API is now aware of system scope and default roles."
1821+)
1822
1823 ec2_credential_policies = [
1824 policy.DocumentedRuleDefault(
1825@@ -54,7 +45,9 @@ ec2_credential_policies = [
1826 operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
1827 '{credential_id}'),
1828 'method': 'GET'}],
1829- deprecated_rule=deprecated_ec2_get_credential
1830+ deprecated_rule=deprecated_ec2_get_credential,
1831+ deprecated_reason=DEPRECATED_REASON,
1832+ deprecated_since=versionutils.deprecated.TRAIN
1833 ),
1834 policy.DocumentedRuleDefault(
1835 name=base.IDENTITY % 'ec2_list_credentials',
1836@@ -64,6 +57,8 @@ ec2_credential_policies = [
1837 operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
1838 'method': 'GET'}],
1839 deprecated_rule=deprecated_ec2_list_credentials,
1840+ deprecated_reason=DEPRECATED_REASON,
1841+ deprecated_since=versionutils.deprecated.TRAIN
1842 ),
1843 policy.DocumentedRuleDefault(
1844 name=base.IDENTITY % 'ec2_create_credential',
1845@@ -73,6 +68,8 @@ ec2_credential_policies = [
1846 operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
1847 'method': 'POST'}],
1848 deprecated_rule=deprecated_ec2_create_credential,
1849+ deprecated_reason=DEPRECATED_REASON,
1850+ deprecated_since=versionutils.deprecated.TRAIN
1851 ),
1852 policy.DocumentedRuleDefault(
1853 name=base.IDENTITY % 'ec2_delete_credential',
1854@@ -83,6 +80,8 @@ ec2_credential_policies = [
1855 '{credential_id}'),
1856 'method': 'DELETE'}],
1857 deprecated_rule=deprecated_ec2_delete_credential,
1858+ deprecated_reason=DEPRECATED_REASON,
1859+ deprecated_since=versionutils.deprecated.TRAIN
1860 )
1861 ]
1862
1863diff --git a/keystone/common/policies/endpoint.py b/keystone/common/policies/endpoint.py
1864index 7858249..b99a40e 100644
1865--- a/keystone/common/policies/endpoint.py
1866+++ b/keystone/common/policies/endpoint.py
1867@@ -15,34 +15,24 @@ from oslo_policy import policy
1868
1869 from keystone.common.policies import base
1870
1871-DEPRECATED_REASON = (
1872- "The endpoint API is now aware of system scope and default roles."
1873-)
1874-
1875 deprecated_get_endpoint = policy.DeprecatedRule(
1876 name=base.IDENTITY % 'get_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1877- deprecated_reason=DEPRECATED_REASON,
1878- deprecated_since=versionutils.deprecated.STEIN
1879 )
1880 deprecated_list_endpoints = policy.DeprecatedRule(
1881 name=base.IDENTITY % 'list_endpoints', check_str=base.RULE_ADMIN_REQUIRED,
1882- deprecated_reason=DEPRECATED_REASON,
1883- deprecated_since=versionutils.deprecated.STEIN
1884 )
1885 deprecated_update_endpoint = policy.DeprecatedRule(
1886 name=base.IDENTITY % 'update_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1887- deprecated_reason=DEPRECATED_REASON,
1888- deprecated_since=versionutils.deprecated.STEIN
1889 )
1890 deprecated_create_endpoint = policy.DeprecatedRule(
1891 name=base.IDENTITY % 'create_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1892- deprecated_reason=DEPRECATED_REASON,
1893- deprecated_since=versionutils.deprecated.STEIN
1894 )
1895 deprecated_delete_endpoint = policy.DeprecatedRule(
1896 name=base.IDENTITY % 'delete_endpoint', check_str=base.RULE_ADMIN_REQUIRED,
1897- deprecated_reason=DEPRECATED_REASON,
1898- deprecated_since=versionutils.deprecated.STEIN
1899+)
1900+
1901+DEPRECATED_REASON = (
1902+ "The endpoint API is now aware of system scope and default roles."
1903 )
1904
1905
1906@@ -54,7 +44,9 @@ endpoint_policies = [
1907 description='Show endpoint details.',
1908 operations=[{'path': '/v3/endpoints/{endpoint_id}',
1909 'method': 'GET'}],
1910- deprecated_rule=deprecated_get_endpoint),
1911+ deprecated_rule=deprecated_get_endpoint,
1912+ deprecated_reason=DEPRECATED_REASON,
1913+ deprecated_since=versionutils.deprecated.STEIN),
1914 policy.DocumentedRuleDefault(
1915 name=base.IDENTITY % 'list_endpoints',
1916 check_str=base.SYSTEM_READER,
1917@@ -62,7 +54,9 @@ endpoint_policies = [
1918 description='List endpoints.',
1919 operations=[{'path': '/v3/endpoints',
1920 'method': 'GET'}],
1921- deprecated_rule=deprecated_list_endpoints),
1922+ deprecated_rule=deprecated_list_endpoints,
1923+ deprecated_reason=DEPRECATED_REASON,
1924+ deprecated_since=versionutils.deprecated.STEIN),
1925 policy.DocumentedRuleDefault(
1926 name=base.IDENTITY % 'create_endpoint',
1927 check_str=base.SYSTEM_ADMIN,
1928@@ -70,7 +64,9 @@ endpoint_policies = [
1929 description='Create endpoint.',
1930 operations=[{'path': '/v3/endpoints',
1931 'method': 'POST'}],
1932- deprecated_rule=deprecated_create_endpoint),
1933+ deprecated_rule=deprecated_create_endpoint,
1934+ deprecated_reason=DEPRECATED_REASON,
1935+ deprecated_since=versionutils.deprecated.STEIN),
1936 policy.DocumentedRuleDefault(
1937 name=base.IDENTITY % 'update_endpoint',
1938 check_str=base.SYSTEM_ADMIN,
1939@@ -78,7 +74,9 @@ endpoint_policies = [
1940 description='Update endpoint.',
1941 operations=[{'path': '/v3/endpoints/{endpoint_id}',
1942 'method': 'PATCH'}],
1943- deprecated_rule=deprecated_update_endpoint),
1944+ deprecated_rule=deprecated_update_endpoint,
1945+ deprecated_reason=DEPRECATED_REASON,
1946+ deprecated_since=versionutils.deprecated.STEIN),
1947 policy.DocumentedRuleDefault(
1948 name=base.IDENTITY % 'delete_endpoint',
1949 check_str=base.SYSTEM_ADMIN,
1950@@ -86,7 +84,9 @@ endpoint_policies = [
1951 description='Delete endpoint.',
1952 operations=[{'path': '/v3/endpoints/{endpoint_id}',
1953 'method': 'DELETE'}],
1954- deprecated_rule=deprecated_delete_endpoint)
1955+ deprecated_rule=deprecated_delete_endpoint,
1956+ deprecated_reason=DEPRECATED_REASON,
1957+ deprecated_since=versionutils.deprecated.STEIN)
1958 ]
1959
1960
1961diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py
1962index 741e0b7..691a6fe 100644
1963--- a/keystone/common/policies/endpoint_group.py
1964+++ b/keystone/common/policies/endpoint_group.py
1965@@ -15,85 +15,64 @@ from oslo_policy import policy
1966
1967 from keystone.common.policies import base
1968
1969-DEPRECATED_REASON = (
1970- "The endpoint groups API is now aware of system scope and default roles."
1971-)
1972-
1973 deprecated_list_endpoint_groups = policy.DeprecatedRule(
1974 name=base.IDENTITY % 'list_endpoint_groups',
1975 check_str=base.RULE_ADMIN_REQUIRED,
1976- deprecated_reason=DEPRECATED_REASON,
1977- deprecated_since=versionutils.deprecated.TRAIN
1978 )
1979
1980 deprecated_get_endpoint_group = policy.DeprecatedRule(
1981 name=base.IDENTITY % 'get_endpoint_group',
1982 check_str=base.RULE_ADMIN_REQUIRED,
1983- deprecated_reason=DEPRECATED_REASON,
1984- deprecated_since=versionutils.deprecated.TRAIN
1985 )
1986
1987 deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
1988 name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
1989 check_str=base.RULE_ADMIN_REQUIRED,
1990- deprecated_reason=DEPRECATED_REASON,
1991- deprecated_since=versionutils.deprecated.TRAIN
1992 )
1993
1994 deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
1995 name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
1996 check_str=base.RULE_ADMIN_REQUIRED,
1997- deprecated_reason=DEPRECATED_REASON,
1998- deprecated_since=versionutils.deprecated.TRAIN
1999 )
2000
2001 deprecated_get_endpoint_group_in_project = policy.DeprecatedRule(
2002 name=base.IDENTITY % 'get_endpoint_group_in_project',
2003 check_str=base.RULE_ADMIN_REQUIRED,
2004- deprecated_reason=DEPRECATED_REASON,
2005- deprecated_since=versionutils.deprecated.TRAIN
2006 )
2007
2008 deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
2009 name=base.IDENTITY % 'list_endpoint_groups_for_project',
2010 check_str=base.RULE_ADMIN_REQUIRED,
2011- deprecated_reason=DEPRECATED_REASON,
2012- deprecated_since=versionutils.deprecated.TRAIN
2013 )
2014
2015 deprecated_create_endpoint_group = policy.DeprecatedRule(
2016 name=base.IDENTITY % 'create_endpoint_group',
2017 check_str=base.RULE_ADMIN_REQUIRED,
2018- deprecated_reason=DEPRECATED_REASON,
2019- deprecated_since=versionutils.deprecated.TRAIN
2020 )
2021
2022 deprecated_update_endpoint_group = policy.DeprecatedRule(
2023 name=base.IDENTITY % 'update_endpoint_group',
2024 check_str=base.RULE_ADMIN_REQUIRED,
2025- deprecated_reason=DEPRECATED_REASON,
2026- deprecated_since=versionutils.deprecated.TRAIN
2027 )
2028
2029 deprecated_delete_endpoint_group = policy.DeprecatedRule(
2030 name=base.IDENTITY % 'delete_endpoint_group',
2031 check_str=base.RULE_ADMIN_REQUIRED,
2032- deprecated_reason=DEPRECATED_REASON,
2033- deprecated_since=versionutils.deprecated.TRAIN
2034 )
2035
2036 deprecated_add_endpoint_group_to_project = policy.DeprecatedRule(
2037 name=base.IDENTITY % 'add_endpoint_group_to_project',
2038 check_str=base.RULE_ADMIN_REQUIRED,
2039- deprecated_reason=DEPRECATED_REASON,
2040- deprecated_since=versionutils.deprecated.TRAIN
2041 )
2042
2043 deprecated_remove_endpoint_group_from_project = policy.DeprecatedRule(
2044 name=base.IDENTITY % 'remove_endpoint_group_from_project',
2045 check_str=base.RULE_ADMIN_REQUIRED,
2046- deprecated_reason=DEPRECATED_REASON,
2047- deprecated_since=versionutils.deprecated.TRAIN
2048+)
2049+
2050+
2051+DEPRECATED_REASON = (
2052+ "The endpoint groups API is now aware of system scope and default roles."
2053 )
2054
2055
2056@@ -105,7 +84,9 @@ group_endpoint_policies = [
2057 description='Create endpoint group.',
2058 operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
2059 'method': 'POST'}],
2060- deprecated_rule=deprecated_create_endpoint_group),
2061+ deprecated_rule=deprecated_create_endpoint_group,
2062+ deprecated_reason=DEPRECATED_REASON,
2063+ deprecated_since=versionutils.deprecated.TRAIN),
2064 policy.DocumentedRuleDefault(
2065 name=base.IDENTITY % 'list_endpoint_groups',
2066 check_str=base.SYSTEM_READER,
2067@@ -113,7 +94,9 @@ group_endpoint_policies = [
2068 description='List endpoint groups.',
2069 operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
2070 'method': 'GET'}],
2071- deprecated_rule=deprecated_list_endpoint_groups),
2072+ deprecated_rule=deprecated_list_endpoint_groups,
2073+ deprecated_reason=DEPRECATED_REASON,
2074+ deprecated_since=versionutils.deprecated.TRAIN),
2075 policy.DocumentedRuleDefault(
2076 name=base.IDENTITY % 'get_endpoint_group',
2077 check_str=base.SYSTEM_READER,
2078@@ -125,7 +108,9 @@ group_endpoint_policies = [
2079 {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2080 '{endpoint_group_id}'),
2081 'method': 'HEAD'}],
2082- deprecated_rule=deprecated_get_endpoint_group),
2083+ deprecated_rule=deprecated_get_endpoint_group,
2084+ deprecated_reason=DEPRECATED_REASON,
2085+ deprecated_since=versionutils.deprecated.TRAIN),
2086 policy.DocumentedRuleDefault(
2087 name=base.IDENTITY % 'update_endpoint_group',
2088 check_str=base.SYSTEM_ADMIN,
2089@@ -134,7 +119,9 @@ group_endpoint_policies = [
2090 operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2091 '{endpoint_group_id}'),
2092 'method': 'PATCH'}],
2093- deprecated_rule=deprecated_update_endpoint_group),
2094+ deprecated_rule=deprecated_update_endpoint_group,
2095+ deprecated_reason=DEPRECATED_REASON,
2096+ deprecated_since=versionutils.deprecated.TRAIN),
2097 policy.DocumentedRuleDefault(
2098 name=base.IDENTITY % 'delete_endpoint_group',
2099 check_str=base.SYSTEM_ADMIN,
2100@@ -143,7 +130,9 @@ group_endpoint_policies = [
2101 operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2102 '{endpoint_group_id}'),
2103 'method': 'DELETE'}],
2104- deprecated_rule=deprecated_delete_endpoint_group),
2105+ deprecated_rule=deprecated_delete_endpoint_group,
2106+ deprecated_reason=DEPRECATED_REASON,
2107+ deprecated_since=versionutils.deprecated.TRAIN),
2108 policy.DocumentedRuleDefault(
2109 name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
2110 check_str=base.SYSTEM_READER,
2111@@ -153,7 +142,9 @@ group_endpoint_policies = [
2112 operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2113 '{endpoint_group_id}/projects'),
2114 'method': 'GET'}],
2115- deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group),
2116+ deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group,
2117+ deprecated_reason=DEPRECATED_REASON,
2118+ deprecated_since=versionutils.deprecated.TRAIN),
2119 policy.DocumentedRuleDefault(
2120 name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
2121 check_str=base.SYSTEM_READER,
2122@@ -162,7 +153,9 @@ group_endpoint_policies = [
2123 operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2124 '{endpoint_group_id}/endpoints'),
2125 'method': 'GET'}],
2126- deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group),
2127+ deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group,
2128+ deprecated_reason=DEPRECATED_REASON,
2129+ deprecated_since=versionutils.deprecated.TRAIN),
2130 policy.DocumentedRuleDefault(
2131 name=base.IDENTITY % 'get_endpoint_group_in_project',
2132 check_str=base.SYSTEM_READER,
2133@@ -175,7 +168,9 @@ group_endpoint_policies = [
2134 {'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2135 '{endpoint_group_id}/projects/{project_id}'),
2136 'method': 'HEAD'}],
2137- deprecated_rule=deprecated_get_endpoint_group_in_project),
2138+ deprecated_rule=deprecated_get_endpoint_group_in_project,
2139+ deprecated_reason=DEPRECATED_REASON,
2140+ deprecated_since=versionutils.deprecated.TRAIN),
2141 policy.DocumentedRuleDefault(
2142 name=base.IDENTITY % 'list_endpoint_groups_for_project',
2143 check_str=base.SYSTEM_READER,
2144@@ -184,7 +179,9 @@ group_endpoint_policies = [
2145 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
2146 'endpoint_groups'),
2147 'method': 'GET'}],
2148- deprecated_rule=deprecated_list_endpoint_groups_for_project),
2149+ deprecated_rule=deprecated_list_endpoint_groups_for_project,
2150+ deprecated_reason=DEPRECATED_REASON,
2151+ deprecated_since=versionutils.deprecated.TRAIN),
2152 policy.DocumentedRuleDefault(
2153 name=base.IDENTITY % 'add_endpoint_group_to_project',
2154 check_str=base.SYSTEM_ADMIN,
2155@@ -193,7 +190,9 @@ group_endpoint_policies = [
2156 operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2157 '{endpoint_group_id}/projects/{project_id}'),
2158 'method': 'PUT'}],
2159- deprecated_rule=deprecated_add_endpoint_group_to_project),
2160+ deprecated_rule=deprecated_add_endpoint_group_to_project,
2161+ deprecated_reason=DEPRECATED_REASON,
2162+ deprecated_since=versionutils.deprecated.TRAIN),
2163 policy.DocumentedRuleDefault(
2164 name=base.IDENTITY % 'remove_endpoint_group_from_project',
2165 check_str=base.SYSTEM_ADMIN,
2166@@ -202,7 +201,9 @@ group_endpoint_policies = [
2167 operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
2168 '{endpoint_group_id}/projects/{project_id}'),
2169 'method': 'DELETE'}],
2170- deprecated_rule=deprecated_remove_endpoint_group_from_project)
2171+ deprecated_rule=deprecated_remove_endpoint_group_from_project,
2172+ deprecated_reason=DEPRECATED_REASON,
2173+ deprecated_since=versionutils.deprecated.TRAIN)
2174 ]
2175
2176
2177diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py
2178index 0e1b928..09ef1c9 100644
2179--- a/keystone/common/policies/grant.py
2180+++ b/keystone/common/policies/grant.py
2181@@ -66,79 +66,54 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
2182 '(' + DOMAIN_MATCHES_ROLE + ')'
2183 )
2184
2185-DEPRECATED_REASON = (
2186- "The assignment API is now aware of system scope and default roles."
2187-)
2188-
2189 deprecated_check_system_grant_for_user = policy.DeprecatedRule(
2190 name=base.IDENTITY % 'check_system_grant_for_user',
2191- check_str=base.RULE_ADMIN_REQUIRED,
2192- deprecated_reason=DEPRECATED_REASON,
2193- deprecated_since=versionutils.deprecated.STEIN
2194+ check_str=base.RULE_ADMIN_REQUIRED
2195 )
2196 deprecated_list_system_grants_for_user = policy.DeprecatedRule(
2197 name=base.IDENTITY % 'list_system_grants_for_user',
2198- check_str=base.RULE_ADMIN_REQUIRED,
2199- deprecated_reason=DEPRECATED_REASON,
2200- deprecated_since=versionutils.deprecated.STEIN
2201+ check_str=base.RULE_ADMIN_REQUIRED
2202 )
2203 deprecated_create_system_grant_for_user = policy.DeprecatedRule(
2204 name=base.IDENTITY % 'create_system_grant_for_user',
2205- check_str=base.RULE_ADMIN_REQUIRED,
2206- deprecated_reason=DEPRECATED_REASON,
2207- deprecated_since=versionutils.deprecated.STEIN
2208+ check_str=base.RULE_ADMIN_REQUIRED
2209 )
2210 deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
2211 name=base.IDENTITY % 'revoke_system_grant_for_user',
2212- check_str=base.RULE_ADMIN_REQUIRED,
2213- deprecated_reason=DEPRECATED_REASON,
2214- deprecated_since=versionutils.deprecated.STEIN
2215+ check_str=base.RULE_ADMIN_REQUIRED
2216 )
2217 deprecated_check_system_grant_for_group = policy.DeprecatedRule(
2218 name=base.IDENTITY % 'check_system_grant_for_group',
2219- check_str=base.RULE_ADMIN_REQUIRED,
2220- deprecated_reason=DEPRECATED_REASON,
2221- deprecated_since=versionutils.deprecated.STEIN
2222+ check_str=base.RULE_ADMIN_REQUIRED
2223 )
2224 deprecated_list_system_grants_for_group = policy.DeprecatedRule(
2225 name=base.IDENTITY % 'list_system_grants_for_group',
2226- check_str=base.RULE_ADMIN_REQUIRED,
2227- deprecated_reason=DEPRECATED_REASON,
2228- deprecated_since=versionutils.deprecated.STEIN
2229+ check_str=base.RULE_ADMIN_REQUIRED
2230 )
2231 deprecated_create_system_grant_for_group = policy.DeprecatedRule(
2232 name=base.IDENTITY % 'create_system_grant_for_group',
2233- check_str=base.RULE_ADMIN_REQUIRED,
2234- deprecated_reason=DEPRECATED_REASON,
2235- deprecated_since=versionutils.deprecated.STEIN
2236+ check_str=base.RULE_ADMIN_REQUIRED
2237 )
2238 deprecated_revoke_system_grant_for_group = policy.DeprecatedRule(
2239 name=base.IDENTITY % 'revoke_system_grant_for_group',
2240- check_str=base.RULE_ADMIN_REQUIRED,
2241- deprecated_reason=DEPRECATED_REASON,
2242- deprecated_since=versionutils.deprecated.STEIN
2243+ check_str=base.RULE_ADMIN_REQUIRED
2244 )
2245 deprecated_list_grants = policy.DeprecatedRule(
2246- name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED,
2247- deprecated_reason=DEPRECATED_REASON,
2248- deprecated_since=versionutils.deprecated.STEIN
2249+ name=base.IDENTITY % 'list_grants', check_str=base.RULE_ADMIN_REQUIRED
2250 )
2251 deprecated_check_grant = policy.DeprecatedRule(
2252- name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED,
2253- deprecated_reason=DEPRECATED_REASON,
2254- deprecated_since=versionutils.deprecated.STEIN
2255+ name=base.IDENTITY % 'check_grant', check_str=base.RULE_ADMIN_REQUIRED
2256 )
2257 deprecated_create_grant = policy.DeprecatedRule(
2258- name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED,
2259- deprecated_reason=DEPRECATED_REASON,
2260- deprecated_since=versionutils.deprecated.STEIN
2261+ name=base.IDENTITY % 'create_grant', check_str=base.RULE_ADMIN_REQUIRED
2262 )
2263 deprecated_revoke_grant = policy.DeprecatedRule(
2264- name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED,
2265- deprecated_reason=DEPRECATED_REASON,
2266- deprecated_since=versionutils.deprecated.STEIN
2267+ name=base.IDENTITY % 'revoke_grant', check_str=base.RULE_ADMIN_REQUIRED
2268 )
2269
2270+DEPRECATED_REASON = (
2271+ "The assignment API is now aware of system scope and default roles."
2272+)
2273
2274 resource_paths = [
2275 '/projects/{project_id}/users/{user_id}/roles/{role_id}',
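Review bot: The twelve `DeprecatedRule` objects in this hunk keep `check_str=base.RULE_ADMIN_REQUIRED`, and nothing near them says how long that old check stays effective. As far as I know, oslo.policy combines a deprecated rule's check with the new default by logical OR unless the operator enables `enforce_new_defaults` (if the release in use provides it). On a default deployment the narrower `SYSTEM_ADMIN_OR_DOMAIN_ADMIN` and reader checks in `grant_policies` would then not be the effective policy. I would add a comment above the re-added `DEPRECATED_REASON`, e.g. `# NOTE: the deprecated check_str values above are still accepted (OR-ed with the new defaults) until enforce_new_defaults is enabled.` The same applies to the `DeprecatedRule` blocks in group.py (where `list_groups_for_user` keeps `base.RULE_ADMIN_OR_OWNER`), identity_provider.py, implied_role.py, mapping.py and policy.py.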
2276@@ -192,7 +167,9 @@ grant_policies = [
2277 'are inherited to all projects in the subtree, if '
2278 'applicable.'),
2279 operations=list_operations(resource_paths, ['HEAD', 'GET']),
2280- deprecated_rule=deprecated_check_grant),
2281+ deprecated_rule=deprecated_check_grant,
2282+ deprecated_reason=DEPRECATED_REASON,
2283+ deprecated_since=versionutils.deprecated.STEIN),
2284 policy.DocumentedRuleDefault(
2285 name=base.IDENTITY % 'list_grants',
2286 check_str=SYSTEM_READER_OR_DOMAIN_READER_LIST,
2287@@ -204,7 +181,9 @@ grant_policies = [
2288 'domains, where grants are inherited to all projects '
2289 'in the specified domain.'),
2290 operations=list_grants_operations,
2291- deprecated_rule=deprecated_list_grants),
2292+ deprecated_rule=deprecated_list_grants,
2293+ deprecated_reason=DEPRECATED_REASON,
2294+ deprecated_since=versionutils.deprecated.STEIN),
2295 policy.DocumentedRuleDefault(
2296 name=base.IDENTITY % 'create_grant',
2297 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2298@@ -216,7 +195,9 @@ grant_policies = [
2299 'are inherited to all projects in the subtree, if '
2300 'applicable.'),
2301 operations=list_operations(resource_paths, ['PUT']),
2302- deprecated_rule=deprecated_create_grant),
2303+ deprecated_rule=deprecated_create_grant,
2304+ deprecated_reason=DEPRECATED_REASON,
2305+ deprecated_since=versionutils.deprecated.STEIN),
2306 policy.DocumentedRuleDefault(
2307 name=base.IDENTITY % 'revoke_grant',
2308 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2309@@ -230,7 +211,9 @@ grant_policies = [
2310 'the target would remove the logical effect of '
2311 'inheriting it to the target\'s projects subtree.'),
2312 operations=list_operations(resource_paths, ['DELETE']),
2313- deprecated_rule=deprecated_revoke_grant),
2314+ deprecated_rule=deprecated_revoke_grant,
2315+ deprecated_reason=DEPRECATED_REASON,
2316+ deprecated_since=versionutils.deprecated.STEIN),
2317 policy.DocumentedRuleDefault(
2318 name=base.IDENTITY % 'list_system_grants_for_user',
2319 check_str=base.SYSTEM_READER,
2320@@ -243,6 +226,8 @@ grant_policies = [
2321 }
2322 ],
2323 deprecated_rule=deprecated_list_system_grants_for_user,
2324+ deprecated_reason=DEPRECATED_REASON,
2325+ deprecated_since=versionutils.deprecated.STEIN
2326 ),
2327 policy.DocumentedRuleDefault(
2328 name=base.IDENTITY % 'check_system_grant_for_user',
2329@@ -256,6 +241,8 @@ grant_policies = [
2330 }
2331 ],
2332 deprecated_rule=deprecated_check_system_grant_for_user,
2333+ deprecated_reason=DEPRECATED_REASON,
2334+ deprecated_since=versionutils.deprecated.STEIN
2335 ),
2336 policy.DocumentedRuleDefault(
2337 name=base.IDENTITY % 'create_system_grant_for_user',
2338@@ -269,6 +256,8 @@ grant_policies = [
2339 }
2340 ],
2341 deprecated_rule=deprecated_create_system_grant_for_user,
2342+ deprecated_reason=DEPRECATED_REASON,
2343+ deprecated_since=versionutils.deprecated.STEIN
2344 ),
2345 policy.DocumentedRuleDefault(
2346 name=base.IDENTITY % 'revoke_system_grant_for_user',
2347@@ -282,6 +271,8 @@ grant_policies = [
2348 }
2349 ],
2350 deprecated_rule=deprecated_revoke_system_grant_for_user,
2351+ deprecated_reason=DEPRECATED_REASON,
2352+ deprecated_since=versionutils.deprecated.STEIN
2353 ),
2354 policy.DocumentedRuleDefault(
2355 name=base.IDENTITY % 'list_system_grants_for_group',
2356@@ -295,6 +286,8 @@ grant_policies = [
2357 }
2358 ],
2359 deprecated_rule=deprecated_list_system_grants_for_group,
2360+ deprecated_reason=DEPRECATED_REASON,
2361+ deprecated_since=versionutils.deprecated.STEIN
2362 ),
2363 policy.DocumentedRuleDefault(
2364 name=base.IDENTITY % 'check_system_grant_for_group',
2365@@ -308,6 +301,8 @@ grant_policies = [
2366 }
2367 ],
2368 deprecated_rule=deprecated_check_system_grant_for_group,
2369+ deprecated_reason=DEPRECATED_REASON,
2370+ deprecated_since=versionutils.deprecated.STEIN
2371 ),
2372 policy.DocumentedRuleDefault(
2373 name=base.IDENTITY % 'create_system_grant_for_group',
2374@@ -321,6 +316,8 @@ grant_policies = [
2375 }
2376 ],
2377 deprecated_rule=deprecated_create_system_grant_for_group,
2378+ deprecated_reason=DEPRECATED_REASON,
2379+ deprecated_since=versionutils.deprecated.STEIN
2380 ),
2381 policy.DocumentedRuleDefault(
2382 name=base.IDENTITY % 'revoke_system_grant_for_group',
2383@@ -334,6 +331,8 @@ grant_policies = [
2384 }
2385 ],
2386 deprecated_rule=deprecated_revoke_system_grant_for_group,
2387+ deprecated_reason=DEPRECATED_REASON,
2388+ deprecated_since=versionutils.deprecated.STEIN
2389 )
2390 ]
2391
2392diff --git a/keystone/common/policies/group.py b/keystone/common/policies/group.py
2393index 0106bad..d33da92 100644
2394--- a/keystone/common/policies/group.py
2395+++ b/keystone/common/policies/group.py
2396@@ -51,63 +51,43 @@ DEPRECATED_REASON = (
2397
2398 deprecated_get_group = policy.DeprecatedRule(
2399 name=base.IDENTITY % 'get_group',
2400- check_str=base.RULE_ADMIN_REQUIRED,
2401- deprecated_reason=DEPRECATED_REASON,
2402- deprecated_since=versionutils.deprecated.STEIN
2403+ check_str=base.RULE_ADMIN_REQUIRED
2404 )
2405 deprecated_list_groups = policy.DeprecatedRule(
2406 name=base.IDENTITY % 'list_groups',
2407- check_str=base.RULE_ADMIN_REQUIRED,
2408- deprecated_reason=DEPRECATED_REASON,
2409- deprecated_since=versionutils.deprecated.STEIN
2410+ check_str=base.RULE_ADMIN_REQUIRED
2411 )
2412 deprecated_list_groups_for_user = policy.DeprecatedRule(
2413 name=base.IDENTITY % 'list_groups_for_user',
2414- check_str=base.RULE_ADMIN_OR_OWNER,
2415- deprecated_reason=DEPRECATED_REASON,
2416- deprecated_since=versionutils.deprecated.STEIN
2417+ check_str=base.RULE_ADMIN_OR_OWNER
2418 )
2419 deprecated_list_users_in_group = policy.DeprecatedRule(
2420 name=base.IDENTITY % 'list_users_in_group',
2421- check_str=base.RULE_ADMIN_REQUIRED,
2422- deprecated_reason=DEPRECATED_REASON,
2423- deprecated_since=versionutils.deprecated.STEIN
2424+ check_str=base.RULE_ADMIN_REQUIRED
2425 )
2426 deprecated_check_user_in_group = policy.DeprecatedRule(
2427 name=base.IDENTITY % 'check_user_in_group',
2428- check_str=base.RULE_ADMIN_REQUIRED,
2429- deprecated_reason=DEPRECATED_REASON,
2430- deprecated_since=versionutils.deprecated.STEIN
2431+ check_str=base.RULE_ADMIN_REQUIRED
2432 )
2433 deprecated_create_group = policy.DeprecatedRule(
2434 name=base.IDENTITY % 'create_group',
2435- check_str=base.RULE_ADMIN_REQUIRED,
2436- deprecated_reason=DEPRECATED_REASON,
2437- deprecated_since=versionutils.deprecated.STEIN
2438+ check_str=base.RULE_ADMIN_REQUIRED
2439 )
2440 deprecated_update_group = policy.DeprecatedRule(
2441 name=base.IDENTITY % 'update_group',
2442- check_str=base.RULE_ADMIN_REQUIRED,
2443- deprecated_reason=DEPRECATED_REASON,
2444- deprecated_since=versionutils.deprecated.STEIN
2445+ check_str=base.RULE_ADMIN_REQUIRED
2446 )
2447 deprecated_delete_group = policy.DeprecatedRule(
2448 name=base.IDENTITY % 'delete_group',
2449- check_str=base.RULE_ADMIN_REQUIRED,
2450- deprecated_reason=DEPRECATED_REASON,
2451- deprecated_since=versionutils.deprecated.STEIN
2452+ check_str=base.RULE_ADMIN_REQUIRED
2453 )
2454 deprecated_remove_user_from_group = policy.DeprecatedRule(
2455 name=base.IDENTITY % 'remove_user_from_group',
2456- check_str=base.RULE_ADMIN_REQUIRED,
2457- deprecated_reason=DEPRECATED_REASON,
2458- deprecated_since=versionutils.deprecated.STEIN
2459+ check_str=base.RULE_ADMIN_REQUIRED
2460 )
2461 deprecated_add_user_to_group = policy.DeprecatedRule(
2462 name=base.IDENTITY % 'add_user_to_group',
2463- check_str=base.RULE_ADMIN_REQUIRED,
2464- deprecated_reason=DEPRECATED_REASON,
2465- deprecated_since=versionutils.deprecated.STEIN
2466+ check_str=base.RULE_ADMIN_REQUIRED
2467 )
2468
2469 group_policies = [
2470@@ -120,7 +100,9 @@ group_policies = [
2471 'method': 'GET'},
2472 {'path': '/v3/groups/{group_id}',
2473 'method': 'HEAD'}],
2474- deprecated_rule=deprecated_get_group),
2475+ deprecated_rule=deprecated_get_group,
2476+ deprecated_reason=DEPRECATED_REASON,
2477+ deprecated_since=versionutils.deprecated.STEIN),
2478 policy.DocumentedRuleDefault(
2479 name=base.IDENTITY % 'list_groups',
2480 check_str=SYSTEM_READER_OR_DOMAIN_READER,
2481@@ -130,7 +112,9 @@ group_policies = [
2482 'method': 'GET'},
2483 {'path': '/v3/groups',
2484 'method': 'HEAD'}],
2485- deprecated_rule=deprecated_list_groups),
2486+ deprecated_rule=deprecated_list_groups,
2487+ deprecated_reason=DEPRECATED_REASON,
2488+ deprecated_since=versionutils.deprecated.STEIN),
2489 policy.DocumentedRuleDefault(
2490 name=base.IDENTITY % 'list_groups_for_user',
2491 check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_USER_OR_OWNER,
2492@@ -140,7 +124,9 @@ group_policies = [
2493 'method': 'GET'},
2494 {'path': '/v3/users/{user_id}/groups',
2495 'method': 'HEAD'}],
2496- deprecated_rule=deprecated_list_groups_for_user),
2497+ deprecated_rule=deprecated_list_groups_for_user,
2498+ deprecated_reason=DEPRECATED_REASON,
2499+ deprecated_since=versionutils.deprecated.STEIN),
2500 policy.DocumentedRuleDefault(
2501 name=base.IDENTITY % 'create_group',
2502 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2503@@ -148,7 +134,9 @@ group_policies = [
2504 description='Create group.',
2505 operations=[{'path': '/v3/groups',
2506 'method': 'POST'}],
2507- deprecated_rule=deprecated_create_group),
2508+ deprecated_rule=deprecated_create_group,
2509+ deprecated_reason=DEPRECATED_REASON,
2510+ deprecated_since=versionutils.deprecated.STEIN),
2511 policy.DocumentedRuleDefault(
2512 name=base.IDENTITY % 'update_group',
2513 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2514@@ -156,7 +144,9 @@ group_policies = [
2515 description='Update group.',
2516 operations=[{'path': '/v3/groups/{group_id}',
2517 'method': 'PATCH'}],
2518- deprecated_rule=deprecated_update_group),
2519+ deprecated_rule=deprecated_update_group,
2520+ deprecated_reason=DEPRECATED_REASON,
2521+ deprecated_since=versionutils.deprecated.STEIN),
2522 policy.DocumentedRuleDefault(
2523 name=base.IDENTITY % 'delete_group',
2524 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
2525@@ -164,7 +154,9 @@ group_policies = [
2526 description='Delete group.',
2527 operations=[{'path': '/v3/groups/{group_id}',
2528 'method': 'DELETE'}],
2529- deprecated_rule=deprecated_delete_group),
2530+ deprecated_rule=deprecated_delete_group,
2531+ deprecated_reason=DEPRECATED_REASON,
2532+ deprecated_since=versionutils.deprecated.STEIN),
2533 policy.DocumentedRuleDefault(
2534 name=base.IDENTITY % 'list_users_in_group',
2535 check_str=SYSTEM_READER_OR_DOMAIN_READER,
2536@@ -174,7 +166,9 @@ group_policies = [
2537 'method': 'GET'},
2538 {'path': '/v3/groups/{group_id}/users',
2539 'method': 'HEAD'}],
2540- deprecated_rule=deprecated_list_users_in_group),
2541+ deprecated_rule=deprecated_list_users_in_group,
2542+ deprecated_reason=DEPRECATED_REASON,
2543+ deprecated_since=versionutils.deprecated.STEIN),
2544 policy.DocumentedRuleDefault(
2545 name=base.IDENTITY % 'remove_user_from_group',
2546 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
2547@@ -182,7 +176,9 @@ group_policies = [
2548 description='Remove user from group.',
2549 operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
2550 'method': 'DELETE'}],
2551- deprecated_rule=deprecated_remove_user_from_group),
2552+ deprecated_rule=deprecated_remove_user_from_group,
2553+ deprecated_reason=DEPRECATED_REASON,
2554+ deprecated_since=versionutils.deprecated.STEIN),
2555 policy.DocumentedRuleDefault(
2556 name=base.IDENTITY % 'check_user_in_group',
2557 check_str=SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER,
2558@@ -192,7 +188,9 @@ group_policies = [
2559 'method': 'HEAD'},
2560 {'path': '/v3/groups/{group_id}/users/{user_id}',
2561 'method': 'GET'}],
2562- deprecated_rule=deprecated_check_user_in_group),
2563+ deprecated_rule=deprecated_check_user_in_group,
2564+ deprecated_reason=DEPRECATED_REASON,
2565+ deprecated_since=versionutils.deprecated.STEIN),
2566 policy.DocumentedRuleDefault(
2567 name=base.IDENTITY % 'add_user_to_group',
2568 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER,
2569@@ -200,7 +198,9 @@ group_policies = [
2570 description='Add user to group.',
2571 operations=[{'path': '/v3/groups/{group_id}/users/{user_id}',
2572 'method': 'PUT'}],
2573- deprecated_rule=deprecated_add_user_to_group)
2574+ deprecated_rule=deprecated_add_user_to_group,
2575+ deprecated_reason=DEPRECATED_REASON,
2576+ deprecated_since=versionutils.deprecated.STEIN)
2577 ]
2578
2579
2580diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py
2581index c1b4d5a..8d6ad46 100644
2582--- a/keystone/common/policies/identity_provider.py
2583+++ b/keystone/common/policies/identity_provider.py
2584@@ -15,41 +15,30 @@ from oslo_policy import policy
2585
2586 from keystone.common.policies import base
2587
2588-DEPRECATED_REASON = (
2589- "The identity provider API is now aware of system scope and default roles."
2590-)
2591-
2592 deprecated_get_idp = policy.DeprecatedRule(
2593 name=base.IDENTITY % 'get_identity_provider',
2594- check_str=base.RULE_ADMIN_REQUIRED,
2595- deprecated_reason=DEPRECATED_REASON,
2596- deprecated_since=versionutils.deprecated.STEIN
2597+ check_str=base.RULE_ADMIN_REQUIRED
2598 )
2599 deprecated_list_idp = policy.DeprecatedRule(
2600 name=base.IDENTITY % 'list_identity_providers',
2601- check_str=base.RULE_ADMIN_REQUIRED,
2602- deprecated_reason=DEPRECATED_REASON,
2603- deprecated_since=versionutils.deprecated.STEIN
2604+ check_str=base.RULE_ADMIN_REQUIRED
2605 )
2606 deprecated_update_idp = policy.DeprecatedRule(
2607 name=base.IDENTITY % 'update_identity_provider',
2608- check_str=base.RULE_ADMIN_REQUIRED,
2609- deprecated_reason=DEPRECATED_REASON,
2610- deprecated_since=versionutils.deprecated.STEIN
2611+ check_str=base.RULE_ADMIN_REQUIRED
2612 )
2613 deprecated_create_idp = policy.DeprecatedRule(
2614 name=base.IDENTITY % 'create_identity_provider',
2615- check_str=base.RULE_ADMIN_REQUIRED,
2616- deprecated_reason=DEPRECATED_REASON,
2617- deprecated_since=versionutils.deprecated.STEIN
2618+ check_str=base.RULE_ADMIN_REQUIRED
2619 )
2620 deprecated_delete_idp = policy.DeprecatedRule(
2621 name=base.IDENTITY % 'delete_identity_provider',
2622- check_str=base.RULE_ADMIN_REQUIRED,
2623- deprecated_reason=DEPRECATED_REASON,
2624- deprecated_since=versionutils.deprecated.STEIN
2625+ check_str=base.RULE_ADMIN_REQUIRED
2626 )
2627
2628+DEPRECATED_REASON = (
2629+ "The identity provider API is now aware of system scope and default roles."
2630+)
2631
2632 identity_provider_policies = [
2633 policy.DocumentedRuleDefault(
2634@@ -65,7 +54,9 @@ identity_provider_policies = [
2635 description='Create identity provider.',
2636 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
2637 'method': 'PUT'}],
2638- deprecated_rule=deprecated_create_idp),
2639+ deprecated_rule=deprecated_create_idp,
2640+ deprecated_reason=DEPRECATED_REASON,
2641+ deprecated_since=versionutils.deprecated.STEIN),
2642 policy.DocumentedRuleDefault(
2643 name=base.IDENTITY % 'list_identity_providers',
2644 check_str=base.SYSTEM_READER,
2645@@ -82,6 +73,8 @@ identity_provider_policies = [
2646 }
2647 ],
2648 deprecated_rule=deprecated_list_idp,
2649+ deprecated_reason=DEPRECATED_REASON,
2650+ deprecated_since=versionutils.deprecated.STEIN
2651 ),
2652 policy.DocumentedRuleDefault(
2653 name=base.IDENTITY % 'get_identity_provider',
2654@@ -99,6 +92,8 @@ identity_provider_policies = [
2655 }
2656 ],
2657 deprecated_rule=deprecated_get_idp,
2658+ deprecated_reason=DEPRECATED_REASON,
2659+ deprecated_since=versionutils.deprecated.STEIN
2660 ),
2661 policy.DocumentedRuleDefault(
2662 name=base.IDENTITY % 'update_identity_provider',
2663@@ -107,7 +102,9 @@ identity_provider_policies = [
2664 description='Update identity provider.',
2665 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
2666 'method': 'PATCH'}],
2667- deprecated_rule=deprecated_update_idp),
2668+ deprecated_rule=deprecated_update_idp,
2669+ deprecated_reason=DEPRECATED_REASON,
2670+ deprecated_since=versionutils.deprecated.STEIN),
2671 policy.DocumentedRuleDefault(
2672 name=base.IDENTITY % 'delete_identity_provider',
2673 check_str=base.SYSTEM_ADMIN,
2674@@ -115,7 +112,9 @@ identity_provider_policies = [
2675 description='Delete identity provider.',
2676 operations=[{'path': '/v3/OS-FEDERATION/identity_providers/{idp_id}',
2677 'method': 'DELETE'}],
2678- deprecated_rule=deprecated_delete_idp),
2679+ deprecated_rule=deprecated_delete_idp,
2680+ deprecated_reason=DEPRECATED_REASON,
2681+ deprecated_since=versionutils.deprecated.STEIN),
2682 ]
2683
2684
2685diff --git a/keystone/common/policies/implied_role.py b/keystone/common/policies/implied_role.py
2686index 01bcc00..6d164b0 100644
2687--- a/keystone/common/policies/implied_role.py
2688+++ b/keystone/common/policies/implied_role.py
2689@@ -15,45 +15,33 @@ from oslo_policy import policy
2690
2691 from keystone.common.policies import base
2692
2693-DEPRECATED_REASON = (
2694- "The implied role API is now aware of system scope and default roles."
2695-)
2696-
2697 deprecated_get_implied_role = policy.DeprecatedRule(
2698 name=base.IDENTITY % 'get_implied_role',
2699- check_str=base.RULE_ADMIN_REQUIRED,
2700- deprecated_reason=DEPRECATED_REASON,
2701- deprecated_since=versionutils.deprecated.TRAIN
2702+ check_str=base.RULE_ADMIN_REQUIRED
2703 )
2704 deprecated_list_implied_roles = policy.DeprecatedRule(
2705 name=base.IDENTITY % 'list_implied_roles',
2706 check_str=base.RULE_ADMIN_REQUIRED,
2707- deprecated_reason=DEPRECATED_REASON,
2708- deprecated_since=versionutils.deprecated.TRAIN
2709 )
2710 deprecated_list_role_inference_rules = policy.DeprecatedRule(
2711 name=base.IDENTITY % 'list_role_inference_rules',
2712 check_str=base.RULE_ADMIN_REQUIRED,
2713- deprecated_reason=DEPRECATED_REASON,
2714- deprecated_since=versionutils.deprecated.TRAIN
2715 )
2716 deprecated_check_implied_role = policy.DeprecatedRule(
2717 name=base.IDENTITY % 'check_implied_role',
2718 check_str=base.RULE_ADMIN_REQUIRED,
2719- deprecated_reason=DEPRECATED_REASON,
2720- deprecated_since=versionutils.deprecated.TRAIN
2721 )
2722 deprecated_create_implied_role = policy.DeprecatedRule(
2723 name=base.IDENTITY % 'create_implied_role',
2724 check_str=base.RULE_ADMIN_REQUIRED,
2725- deprecated_reason=DEPRECATED_REASON,
2726- deprecated_since=versionutils.deprecated.TRAIN
2727 )
2728 deprecated_delete_implied_role = policy.DeprecatedRule(
2729 name=base.IDENTITY % 'delete_implied_role',
2730 check_str=base.RULE_ADMIN_REQUIRED,
2731- deprecated_reason=DEPRECATED_REASON,
2732- deprecated_since=versionutils.deprecated.TRAIN
2733+)
2734+
2735+DEPRECATED_REASON = (
2736+ "The implied role API is now aware of system scope and default roles."
2737 )
2738
2739
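Review bot: The new side of this hunk is inconsistent about the trailing comma: `deprecated_get_implied_role` ends with `check_str=base.RULE_ADMIN_REQUIRED`, while the five rules after it keep `check_str=base.RULE_ADMIN_REQUIRED,` directly before the closing parenthesis. Pick one form; grant.py, group.py, identity_provider.py and mapping.py in this diff use the form without the comma, so `check_str=base.RULE_ADMIN_REQUIRED` would match them. The first hunk of policy.py has the same leftover commas on all five of its deprecated rules.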
2740@@ -73,7 +61,9 @@ implied_role_policies = [
2741 operations=[
2742 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2743 'method': 'GET'}],
2744- deprecated_rule=deprecated_get_implied_role),
2745+ deprecated_rule=deprecated_get_implied_role,
2746+ deprecated_reason=DEPRECATED_REASON,
2747+ deprecated_since=versionutils.deprecated.TRAIN),
2748 policy.DocumentedRuleDefault(
2749 name=base.IDENTITY % 'list_implied_roles',
2750 check_str=base.SYSTEM_READER,
2751@@ -87,7 +77,9 @@ implied_role_policies = [
2752 operations=[
2753 {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'GET'},
2754 {'path': '/v3/roles/{prior_role_id}/implies', 'method': 'HEAD'}],
2755- deprecated_rule=deprecated_list_implied_roles),
2756+ deprecated_rule=deprecated_list_implied_roles,
2757+ deprecated_reason=DEPRECATED_REASON,
2758+ deprecated_since=versionutils.deprecated.TRAIN),
2759 policy.DocumentedRuleDefault(
2760 name=base.IDENTITY % 'create_implied_role',
2761 check_str=base.SYSTEM_ADMIN,
2762@@ -99,7 +91,9 @@ implied_role_policies = [
2763 operations=[
2764 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2765 'method': 'PUT'}],
2766- deprecated_rule=deprecated_create_implied_role),
2767+ deprecated_rule=deprecated_create_implied_role,
2768+ deprecated_reason=DEPRECATED_REASON,
2769+ deprecated_since=versionutils.deprecated.TRAIN),
2770 policy.DocumentedRuleDefault(
2771 name=base.IDENTITY % 'delete_implied_role',
2772 check_str=base.SYSTEM_ADMIN,
2773@@ -112,7 +106,9 @@ implied_role_policies = [
2774 operations=[
2775 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2776 'method': 'DELETE'}],
2777- deprecated_rule=deprecated_delete_implied_role),
2778+ deprecated_rule=deprecated_delete_implied_role,
2779+ deprecated_reason=DEPRECATED_REASON,
2780+ deprecated_since=versionutils.deprecated.TRAIN),
2781 policy.DocumentedRuleDefault(
2782 name=base.IDENTITY % 'list_role_inference_rules',
2783 check_str=base.SYSTEM_READER,
2784@@ -124,7 +120,9 @@ implied_role_policies = [
2785 operations=[
2786 {'path': '/v3/role_inferences', 'method': 'GET'},
2787 {'path': '/v3/role_inferences', 'method': 'HEAD'}],
2788- deprecated_rule=deprecated_list_role_inference_rules),
2789+ deprecated_rule=deprecated_list_role_inference_rules,
2790+ deprecated_reason=DEPRECATED_REASON,
2791+ deprecated_since=versionutils.deprecated.TRAIN),
2792 policy.DocumentedRuleDefault(
2793 name=base.IDENTITY % 'check_implied_role',
2794 check_str=base.SYSTEM_READER,
2795@@ -136,7 +134,9 @@ implied_role_policies = [
2796 operations=[
2797 {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
2798 'method': 'HEAD'}],
2799- deprecated_rule=deprecated_check_implied_role),
2800+ deprecated_rule=deprecated_check_implied_role,
2801+ deprecated_reason=DEPRECATED_REASON,
2802+ deprecated_since=versionutils.deprecated.TRAIN),
2803 ]
2804
2805
2806diff --git a/keystone/common/policies/mapping.py b/keystone/common/policies/mapping.py
2807index 6c4f0de..498bc7c 100644
2808--- a/keystone/common/policies/mapping.py
2809+++ b/keystone/common/policies/mapping.py
2810@@ -15,41 +15,30 @@ from oslo_policy import policy
2811
2812 from keystone.common.policies import base
2813
2814-DEPRECATED_REASON = (
2815- "The federated mapping API is now aware of system scope and default roles."
2816-)
2817-
2818 deprecated_get_mapping = policy.DeprecatedRule(
2819 name=base.IDENTITY % 'get_mapping',
2820- check_str=base.RULE_ADMIN_REQUIRED,
2821- deprecated_reason=DEPRECATED_REASON,
2822- deprecated_since=versionutils.deprecated.STEIN
2823+ check_str=base.RULE_ADMIN_REQUIRED
2824 )
2825 deprecated_list_mappings = policy.DeprecatedRule(
2826 name=base.IDENTITY % 'list_mappings',
2827- check_str=base.RULE_ADMIN_REQUIRED,
2828- deprecated_reason=DEPRECATED_REASON,
2829- deprecated_since=versionutils.deprecated.STEIN
2830+ check_str=base.RULE_ADMIN_REQUIRED
2831 )
2832 deprecated_update_mapping = policy.DeprecatedRule(
2833 name=base.IDENTITY % 'update_mapping',
2834- check_str=base.RULE_ADMIN_REQUIRED,
2835- deprecated_reason=DEPRECATED_REASON,
2836- deprecated_since=versionutils.deprecated.STEIN
2837+ check_str=base.RULE_ADMIN_REQUIRED
2838 )
2839 deprecated_create_mapping = policy.DeprecatedRule(
2840 name=base.IDENTITY % 'create_mapping',
2841- check_str=base.RULE_ADMIN_REQUIRED,
2842- deprecated_reason=DEPRECATED_REASON,
2843- deprecated_since=versionutils.deprecated.STEIN
2844+ check_str=base.RULE_ADMIN_REQUIRED
2845 )
2846 deprecated_delete_mapping = policy.DeprecatedRule(
2847 name=base.IDENTITY % 'delete_mapping',
2848- check_str=base.RULE_ADMIN_REQUIRED,
2849- deprecated_reason=DEPRECATED_REASON,
2850- deprecated_since=versionutils.deprecated.STEIN
2851+ check_str=base.RULE_ADMIN_REQUIRED
2852 )
2853
2854+DEPRECATED_REASON = (
2855+ "The federated mapping API is now aware of system scope and default roles."
2856+)
2857
2858 mapping_policies = [
2859 policy.DocumentedRuleDefault(
2860@@ -66,7 +55,9 @@ mapping_policies = [
2861 'more sets of rules.'),
2862 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
2863 'method': 'PUT'}],
2864- deprecated_rule=deprecated_create_mapping),
2865+ deprecated_rule=deprecated_create_mapping,
2866+ deprecated_reason=DEPRECATED_REASON,
2867+ deprecated_since=versionutils.deprecated.STEIN),
2868 policy.DocumentedRuleDefault(
2869 name=base.IDENTITY % 'get_mapping',
2870 check_str=base.SYSTEM_READER,
2871@@ -82,7 +73,9 @@ mapping_policies = [
2872 'method': 'HEAD'
2873 }
2874 ],
2875- deprecated_rule=deprecated_get_mapping
2876+ deprecated_rule=deprecated_get_mapping,
2877+ deprecated_reason=DEPRECATED_REASON,
2878+ deprecated_since=versionutils.deprecated.STEIN
2879 ),
2880 policy.DocumentedRuleDefault(
2881 name=base.IDENTITY % 'list_mappings',
2882@@ -100,6 +93,8 @@ mapping_policies = [
2883 }
2884 ],
2885 deprecated_rule=deprecated_list_mappings,
2886+ deprecated_reason=DEPRECATED_REASON,
2887+ deprecated_since=versionutils.deprecated.STEIN
2888 ),
2889 policy.DocumentedRuleDefault(
2890 name=base.IDENTITY % 'delete_mapping',
2891@@ -108,7 +103,9 @@ mapping_policies = [
2892 description='Delete a federated mapping.',
2893 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
2894 'method': 'DELETE'}],
2895- deprecated_rule=deprecated_delete_mapping),
2896+ deprecated_rule=deprecated_delete_mapping,
2897+ deprecated_reason=DEPRECATED_REASON,
2898+ deprecated_since=versionutils.deprecated.STEIN),
2899 policy.DocumentedRuleDefault(
2900 name=base.IDENTITY % 'update_mapping',
2901 check_str=base.SYSTEM_ADMIN,
2902@@ -116,7 +113,9 @@ mapping_policies = [
2903 description='Update a federated mapping.',
2904 operations=[{'path': '/v3/OS-FEDERATION/mappings/{mapping_id}',
2905 'method': 'PATCH'}],
2906- deprecated_rule=deprecated_update_mapping)
2907+ deprecated_rule=deprecated_update_mapping,
2908+ deprecated_reason=DEPRECATED_REASON,
2909+ deprecated_since=versionutils.deprecated.STEIN)
2910 ]
2911
2912
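--- a/keystone/common/policies/policy.py
+++ b/keystone/common/policies/policy.py
@@ -15,43 +15,33 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The policy API is now aware of system scope and default roles."
-)
-
 deprecated_get_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_policies = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_policies',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_update_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+)
+
+DEPRECATED_REASON = (
+ "The policy API is now aware of system scope and default roles."
 )
 
 
@@ -65,7 +55,9 @@ policy_policies = [
 description='Show policy details.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_policy),
+ deprecated_rule=deprecated_get_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_policies',
 check_str=base.SYSTEM_READER,
@@ -73,7 +65,9 @@ policy_policies = [
 description='List policies.',
 operations=[{'path': '/v3/policies',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_policies),
+ deprecated_rule=deprecated_list_policies,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -81,7 +75,9 @@ policy_policies = [
 description='Create policy.',
 operations=[{'path': '/v3/policies',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_policy),
+ deprecated_rule=deprecated_create_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -89,7 +85,9 @@ policy_policies = [
 description='Update policy.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_policy),
+ deprecated_rule=deprecated_update_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy',
 check_str=base.SYSTEM_ADMIN,
@@ -97,7 +95,9 @@ policy_policies = [
 description='Delete policy.',
 operations=[{'path': '/v3/policies/{policy_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy)
+ deprecated_rule=deprecated_delete_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 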
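Review bot: Nothing in this file tells an operator that the legacy checks stay in force: the `DeprecatedRule` objects keep `check_str=base.RULE_ADMIN_REQUIRED` while the new defaults are `base.SYSTEM_READER` / `base.SYSTEM_ADMIN`, and oslo.policy accepts either check string for as long as a deprecated rule is attached to a policy. A comment above `deprecated_get_policy` would make that explicit, for example `# Until these deprecated rules are removed, RULE_ADMIN_REQUIRED is still accepted alongside the system-scoped defaults below.` The same gap exists for the deprecated rules in policy_association.py, project.py, project_endpoint.py and protocol.py in this diff. Deployments that want only the new defaults should check whether the pinned oslo.policy offers the `enforce_new_defaults` option.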
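--- a/keystone/common/policies/policy_association.py
+++ b/keystone/common/policies/policy_association.py
@@ -19,88 +19,65 @@ from keystone.common.policies import base
 # System-scoped tokens should be required to manage policy associations to
 # existing system-level resources.
 
-DEPRECATED_REASON = (
- "The policy association API is now aware of system scope and default "
- "roles."
-)
-
 deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_get_policy_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_policy_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints_for_policy',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
+DEPRECATED_REASON = (
+ "The policy association API is now aware of system scope and default "
+ "roles."
+)
 
 policy_association_policies = [
 policy.DocumentedRuleDefault(
@@ -111,7 +88,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_endpoint),
+ deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_endpoint',
 check_str=base.SYSTEM_READER,
@@ -123,7 +102,9 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_endpoint),
+ deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy_association_for_endpoint',
 check_str=base.SYSTEM_ADMIN,
@@ -132,7 +113,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints/{endpoint_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_endpoint),
+ deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_policy_association_for_service',
 check_str=base.SYSTEM_ADMIN,
@@ -141,7 +124,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_service),
+ deprecated_rule=deprecated_create_policy_assoc_for_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_service',
 check_str=base.SYSTEM_READER,
@@ -153,7 +138,9 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_service),
+ deprecated_rule=deprecated_check_policy_assoc_for_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_policy_association_for_service',
 check_str=base.SYSTEM_ADMIN,
@@ -162,7 +149,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_service),
+ deprecated_rule=deprecated_delete_policy_assoc_for_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % (
 'create_policy_association_for_region_and_service'),
@@ -173,7 +162,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_policy_assoc_for_region_and_service),
+ deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_policy_association_for_region_and_service',
 check_str=base.SYSTEM_READER,
@@ -185,7 +176,9 @@ policy_association_policies = [
 {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_policy_assoc_for_region_and_service),
+ deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % (
 'delete_policy_association_for_region_and_service'),
@@ -195,7 +188,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'services/{service_id}/regions/{region_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service),
+ deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_policy_for_endpoint',
 check_str=base.SYSTEM_READER,
@@ -207,7 +202,9 @@ policy_association_policies = [
 {'path': ('/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/'
 'policy'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_policy_for_endpoint),
+ deprecated_rule=deprecated_get_policy_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_for_policy',
 check_str=base.SYSTEM_READER,
@@ -216,7 +213,9 @@ policy_association_policies = [
 operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
 'endpoints'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_endpoints_for_policy)
+ deprecated_rule=deprecated_list_endpoints_for_policy,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 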
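Review bot: Passing `deprecated_reason` and `deprecated_since` to `policy.DocumentedRuleDefault` instead of `policy.DeprecatedRule` couples these definitions to the oslo.policy release line; as far as I know, later oslo.policy releases expect both arguments on the `DeprecatedRule` and warn about this form. The new side should be confirmed against the oslo.policy floor in requires.txt, which this merge also changes but which is not visible here. The `versionutils` import that the added `deprecated_since=versionutils.deprecated.TRAIN` lines rely on lies outside every hunk of this file, so it cannot be checked from the diff either. policy.py, project.py, project_endpoint.py and protocol.py follow the same pattern.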
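--- a/keystone/common/policies/project.py
+++ b/keystone/common/policies/project.py
@@ -52,84 +52,60 @@ SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
 '(role:admin and domain_id:%(target.project.domain_id)s)'
 )
 
-DEPRECATED_REASON = (
- "The project API is now aware of system scope and default roles."
-)
-
 deprecated_list_projects = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_projects',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_get_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_project',
- check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
 )
 deprecated_list_user_projects = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_user_projects',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_create_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_project',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_project',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_project',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_project_tags = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_project_tags',
- check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
 )
 deprecated_get_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_project_tag',
- check_str=base.RULE_ADMIN_OR_TARGET_PROJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_TARGET_PROJECT
 )
 deprecated_update_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_project_tags',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_project_tag',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_project_tag = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_project_tag',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_project_tags = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_project_tags',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
 
+DEPRECATED_REASON = (
+ "The project API is now aware of system scope and default roles."
+)
+
 TAGS_DEPRECATED_REASON = """
 As of the Train release, the project tags API understands how to handle
 system-scoped tokens in addition to project and domain tokens, making the API
@@ -146,7 +122,9 @@ project_policies = [
 description='Show project details.',
 operations=[{'path': '/v3/projects/{project_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_project),
+ deprecated_rule=deprecated_get_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_projects',
 check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -158,7 +136,9 @@ project_policies = [
 description='List projects.',
 operations=[{'path': '/v3/projects',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_projects),
+ deprecated_rule=deprecated_list_projects,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_user_projects',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_OWNER,
@@ -166,7 +146,9 @@ project_policies = [
 description='List projects for user.',
 operations=[{'path': '/v3/users/{user_id}/projects',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_user_projects),
+ deprecated_rule=deprecated_list_user_projects,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_project',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -174,7 +156,9 @@ project_policies = [
 description='Create project.',
 operations=[{'path': '/v3/projects',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_project),
+ deprecated_rule=deprecated_create_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_project',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -182,7 +166,9 @@ project_policies = [
 description='Update project.',
 operations=[{'path': '/v3/projects/{project_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_project),
+ deprecated_rule=deprecated_update_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_project',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -190,7 +176,9 @@ project_policies = [
 description='Delete project.',
 operations=[{'path': '/v3/projects/{project_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_project),
+ deprecated_rule=deprecated_delete_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_project_tags',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
@@ -200,7 +188,9 @@ project_policies = [
 'method': 'GET'},
 {'path': '/v3/projects/{project_id}/tags',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_project_tags),
+ deprecated_rule=deprecated_list_project_tags,
+ deprecated_reason=TAGS_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_project_tag',
 check_str=SYSTEM_READER_OR_DOMAIN_READER_OR_PROJECT_USER,
@@ -210,7 +200,9 @@ project_policies = [
 'method': 'GET'},
 {'path': '/v3/projects/{project_id}/tags/{value}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_project_tag),
+ deprecated_rule=deprecated_get_project_tag,
+ deprecated_reason=TAGS_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_project_tags',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -218,7 +210,9 @@ project_policies = [
 description='Replace all tags on a project with the new set of tags.',
 operations=[{'path': '/v3/projects/{project_id}/tags',
 'method': 'PUT'}],
- deprecated_rule=deprecated_update_project_tag),
+ deprecated_rule=deprecated_update_project_tag,
+ deprecated_reason=TAGS_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_project_tag',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -226,7 +220,9 @@ project_policies = [
 description='Add a single tag to a project.',
 operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_project_tag),
+ deprecated_rule=deprecated_create_project_tag,
+ deprecated_reason=TAGS_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_project_tags',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -234,7 +230,9 @@ project_policies = [
 description='Remove all tags from a project.',
 operations=[{'path': '/v3/projects/{project_id}/tags',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_project_tags),
+ deprecated_rule=deprecated_delete_project_tags,
+ deprecated_reason=TAGS_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_project_tag',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN_OR_PROJECT_ADMIN,
@@ -242,7 +240,9 @@ project_policies = [
 description='Delete a specified tag from project.',
 operations=[{'path': '/v3/projects/{project_id}/tags/{value}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_project_tag)
+ deprecated_rule=deprecated_delete_project_tag,
+ deprecated_reason=TAGS_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 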
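Review bot: `deprecated_update_project_tag` (singular) carries the name `'update_project_tags'` and sits next to the `deprecated_delete_project_tag` / `deprecated_delete_project_tags` pair, so the `deprecated_rule=` arguments rewritten in the `project_policies` hunks are easy to cross-wire. The wiring on the new side is correct as shown, but renaming the variable to `deprecated_update_project_tags` and passing `deprecated_rule=deprecated_update_project_tags,` would make a mismatch visible at a glance. A deprecated rule attached to the wrong policy would quietly keep a different legacy check accepted for that operation. The `project_policies` list extends beyond the hunks shown.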
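--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@@ -15,49 +15,39 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = """
-As of the Train release, the project endpoint API now understands default
-roles and system-scoped tokens, making the API more granular by default without
-compromising security. The new policy defaults account for these changes
-automatically. Be sure to take these new defaults into consideration if you are
-relying on overrides in your deployment for the project endpoint API.
-"""
-
 deprecated_list_projects_for_endpoint = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_projects_for_endpoint',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_add_endpoint_to_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'add_endpoint_to_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_check_endpoint_in_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_endpoint_in_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_list_endpoints_for_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_endpoints_for_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
 deprecated_remove_endpoint_from_project = policy.DeprecatedRule(
 name=base.IDENTITY % 'remove_endpoint_from_project',
 check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
 )
 
+DEPRECATED_REASON = """
+As of the Train release, the project endpoint API now understands default
+roles and system-scoped tokens, making the API more granular by default without
+compromising security. The new policy defaults account for these changes
+automatically. Be sure to take these new defaults into consideration if you are
+relying on overrides in your deployment for the project endpoint API.
+"""
+
 
 project_endpoint_policies = [
 
@@ -73,7 +63,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
 'projects'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_projects_for_endpoint),
+ deprecated_rule=deprecated_list_projects_for_endpoint,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'add_endpoint_to_project',
 check_str=base.SYSTEM_ADMIN,
@@ -82,7 +74,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_add_endpoint_to_project),
+ deprecated_rule=deprecated_add_endpoint_to_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_endpoint_in_project',
 check_str=base.SYSTEM_READER,
@@ -94,7 +88,9 @@ project_endpoint_policies = [
 {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_endpoint_in_project),
+ deprecated_rule=deprecated_check_endpoint_in_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_endpoints_for_project',
 check_str=base.SYSTEM_READER,
@@ -103,7 +99,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_endpoints_for_project),
+ deprecated_rule=deprecated_list_endpoints_for_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'remove_endpoint_from_project',
 check_str=base.SYSTEM_ADMIN,
@@ -113,7 +111,9 @@ project_endpoint_policies = [
 operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
 'endpoints/{endpoint_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_remove_endpoint_from_project),
+ deprecated_rule=deprecated_remove_endpoint_from_project,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 ]
 
 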
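--- a/keystone/common/policies/protocol.py
+++ b/keystone/common/policies/protocol.py
@@ -15,42 +15,31 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The federated protocol API is now aware of system scope and default "
- "roles."
-)
-
 deprecated_get_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_protocols = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_protocols',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_protocol = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_protocol',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The federated protocol API is now aware of system scope and default "
+ "roles."
+)
 
 protocol_policies = [
 policy.DocumentedRuleDefault(
@@ -64,7 +53,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_protocol),
+ deprecated_rule=deprecated_create_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_protocol',
 check_str=base.SYSTEM_ADMIN,
@@ -73,7 +64,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_protocol),
+ deprecated_rule=deprecated_update_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_protocol',
 check_str=base.SYSTEM_READER,
@@ -82,7 +75,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'GET'}],
- deprecated_rule=deprecated_get_protocol),
+ deprecated_rule=deprecated_get_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_protocols',
 check_str=base.SYSTEM_READER,
@@ -91,7 +86,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols'),
 'method': 'GET'}],
- deprecated_rule=deprecated_list_protocols),
+ deprecated_rule=deprecated_list_protocols,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_protocol',
 check_str=base.SYSTEM_ADMIN,
@@ -100,7 +97,9 @@ protocol_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/identity_providers/{idp_id}/'
 'protocols/{protocol_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_protocol)
+ deprecated_rule=deprecated_delete_protocol,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 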
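--- a/keystone/common/policies/region.py
+++ b/keystone/common/policies/region.py
@@ -15,29 +15,22 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The region API is now aware of system scope and default roles."
-)
-
 deprecated_create_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_region',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_region',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_region = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_region',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The region API is now aware of system scope and default roles."
+)
 
 region_policies = [
 policy.DocumentedRuleDefault(
@@ -73,7 +66,9 @@ region_policies = [
 'method': 'POST'},
 {'path': '/v3/regions/{region_id}',
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_region),
+ deprecated_rule=deprecated_create_region,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_region',
 check_str=base.SYSTEM_ADMIN,
@@ -81,7 +76,9 @@ region_policies = [
 description='Update region.',
 operations=[{'path': '/v3/regions/{region_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_region),
+ deprecated_rule=deprecated_update_region,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_region',
 check_str=base.SYSTEM_ADMIN,
@@ -89,7 +86,9 @@ region_policies = [
 description='Delete region.',
 operations=[{'path': '/v3/regions/{region_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_region),
+ deprecated_rule=deprecated_delete_region,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 ]
 
 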
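Review bot: The `deprecated_*_region` rules keep `check_str=base.RULE_ADMIN_REQUIRED`, and oslo.policy ORs a deprecated rule's check string with the new default, so while the deprecation is active the `base.SYSTEM_ADMIN` defaults on `update_region` and `delete_region` are still satisfied by whatever `admin_required` accepts. Nothing in the file tells an operator that the system-scoped check is not yet the effective one, so I would add a comment above the deprecated rules, for example `# NOTE: oslo.policy ORs these old checks with the new defaults until [oslo_policy] enforce_new_defaults is set (where the installed oslo.policy offers it).` The same applies to the `admin_required` fallbacks in role.py, role_assignment.py, service.py, service_provider.py, trust.py (`list_trusts`) and user.py in this diff. The `region_policies` list begins and continues outside the visible hunks.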
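--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@@ -15,71 +15,50 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The role API is now aware of system scope and default roles."
-)
-
 deprecated_get_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_roles',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_get_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_domain_roles = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_domain_roles',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_domain_role = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_domain_role',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The role API is now aware of system scope and default roles."
+)
 
 role_policies = [
 policy.DocumentedRuleDefault(
@@ -96,7 +75,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles/{role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_role),
+ deprecated_rule=deprecated_get_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_roles',
 check_str=base.SYSTEM_READER,
@@ -106,7 +87,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role),
+ deprecated_rule=deprecated_list_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_role',
 check_str=base.SYSTEM_ADMIN,
@@ -114,7 +97,9 @@ role_policies = [
 description='Create role.',
 operations=[{'path': '/v3/roles',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_role),
+ deprecated_rule=deprecated_create_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_role',
 check_str=base.SYSTEM_ADMIN,
@@ -122,7 +107,9 @@ role_policies = [
 description='Update role.',
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_role),
+ deprecated_rule=deprecated_update_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_role',
 check_str=base.SYSTEM_ADMIN,
@@ -130,7 +117,9 @@ role_policies = [
 description='Delete role.',
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_role),
+ deprecated_rule=deprecated_delete_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_domain_role',
 check_str=base.SYSTEM_READER,
@@ -145,7 +134,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles/{role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_domain_role),
+ deprecated_rule=deprecated_get_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_domain_roles',
 check_str=base.SYSTEM_READER,
@@ -155,7 +146,9 @@ role_policies = [
 'method': 'GET'},
 {'path': '/v3/roles?domain_id={domain_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_domain_roles),
+ deprecated_rule=deprecated_list_domain_roles,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_domain_role',
 check_str=base.SYSTEM_ADMIN,
@@ -163,7 +156,9 @@ role_policies = [
 scope_types=['system'],
 operations=[{'path': '/v3/roles',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_domain_role),
+ deprecated_rule=deprecated_create_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_domain_role',
 check_str=base.SYSTEM_ADMIN,
@@ -171,7 +166,9 @@ role_policies = [
 scope_types=['system'],
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_domain_role),
+ deprecated_rule=deprecated_update_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_domain_role',
 check_str=base.SYSTEM_ADMIN,
@@ -179,7 +176,9 @@ role_policies = [
 scope_types=['system'],
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_domain_role)
+ deprecated_rule=deprecated_delete_domain_role,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 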
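Review bot: The five domain-role entries carry `deprecated_since=versionutils.deprecated.TRAIN` while the five global role entries carry `STEIN`, yet all ten share one `DEPRECATED_REASON` string and nothing explains the split. Now that the release is set on each `DocumentedRuleDefault`, far from the old rule it belongs to, a short comment at the first domain-role entry (`get_domain_role`) would save a reader from assuming a copy-paste slip, e.g. `# Domain role rules were deprecated in Train, one release after the global role rules (Stein).` Role management is the privilege-granting surface, so the window in which each old `admin_required` check is still honoured deserves to be easy to read off the file. The `role_policies` list is only partly visible in these hunks.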
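--- a/keystone/common/policies/role_assignment.py
+++ b/keystone/common/policies/role_assignment.py
@@ -25,23 +25,18 @@ SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN = (
 '(role:admin and project_id:%(target.project.id)s)'
 )
 
-DEPRECATED_REASON = (
- "The assignment API is now aware of system scope and default roles."
-)
-
 deprecated_list_role_assignments = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_role_assignments',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_role_assignments_for_tree',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The assignment API is now aware of system scope and default roles."
+)
 
 role_assignment_policies = [
 policy.DocumentedRuleDefault(
@@ -53,7 +48,9 @@ role_assignment_policies = [
 'method': 'GET'},
 {'path': '/v3/role_assignments',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role_assignments),
+ deprecated_rule=deprecated_list_role_assignments,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_role_assignments_for_tree',
 check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
@@ -64,7 +61,9 @@ role_assignment_policies = [
 'method': 'GET'},
 {'path': '/v3/role_assignments?include_subtree',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_role_assignments_for_tree),
+ deprecated_rule=deprecated_list_role_assignments_for_tree,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 
 ]
 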
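--- a/keystone/common/policies/service.py
+++ b/keystone/common/policies/service.py
@@ -15,41 +15,30 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The service API is now aware of system scope and default roles."
-)
-
 deprecated_get_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_services',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_service',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The service API is now aware of system scope and default roles."
+)
 
 service_policies = [
 policy.DocumentedRuleDefault(
@@ -59,7 +48,9 @@ service_policies = [
 description='Show service details.',
 operations=[{'path': '/v3/services/{service_id}',
 'method': 'GET'}],
- deprecated_rule=deprecated_get_service),
+ deprecated_rule=deprecated_get_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_services',
 check_str=base.SYSTEM_READER,
@@ -67,7 +58,9 @@ service_policies = [
 description='List services.',
 operations=[{'path': '/v3/services',
 'method': 'GET'}],
- deprecated_rule=deprecated_list_service),
+ deprecated_rule=deprecated_list_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_service',
 check_str=base.SYSTEM_ADMIN,
@@ -75,7 +68,9 @@ service_policies = [
 description='Create service.',
 operations=[{'path': '/v3/services',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_service),
+ deprecated_rule=deprecated_create_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_service',
 check_str=base.SYSTEM_ADMIN,
@@ -83,7 +78,9 @@ service_policies = [
 description='Update service.',
 operations=[{'path': '/v3/services/{service_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_service),
+ deprecated_rule=deprecated_update_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_service',
 check_str=base.SYSTEM_ADMIN,
@@ -91,7 +88,9 @@ service_policies = [
 description='Delete service.',
 operations=[{'path': '/v3/services/{service_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_service)
+ deprecated_rule=deprecated_delete_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 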
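Review bot: `DEPRECATED_REASON` now sits after the five `DeprecatedRule` objects and is separated from `service_policies` by a single blank line, whereas token.py and user.py in this same diff keep the constant above their deprecated rules (it appears in their hunk headers). I would leave it at the top of the module with the other module-level names and keep two blank lines before the list, so every policy module reads the same way and a reader checking which reason text and release go with which rule looks in one place. region.py, role.py, role_assignment.py, service_provider.py and trust.py have the same layout.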
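--- a/keystone/common/policies/service_provider.py
+++ b/keystone/common/policies/service_provider.py
@@ -15,41 +15,30 @@ from oslo_policy import policy
 
 from keystone.common.policies import base
 
-DEPRECATED_REASON = (
- "The service provider API is now aware of system scope and default roles."
-)
-
 deprecated_get_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_service_providers',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_sp = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_service_provider',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
+DEPRECATED_REASON = (
+ "The service provider API is now aware of system scope and default roles."
+)
 
 service_provider_policies = [
 policy.DocumentedRuleDefault(
@@ -66,7 +55,9 @@ service_provider_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
 '{service_provider_id}'),
 'method': 'PUT'}],
- deprecated_rule=deprecated_create_sp),
+ deprecated_rule=deprecated_create_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_service_providers',
 check_str=base.SYSTEM_READER,
@@ -82,7 +73,9 @@ service_provider_policies = [
 'method': 'HEAD'
 }
 ],
- deprecated_rule=deprecated_list_sp
+ deprecated_rule=deprecated_list_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_service_provider',
@@ -101,7 +94,9 @@ service_provider_policies = [
 'method': 'HEAD'
 }
 ],
- deprecated_rule=deprecated_get_sp
+ deprecated_rule=deprecated_get_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN
 ),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_service_provider',
@@ -111,7 +106,9 @@ service_provider_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
 '{service_provider_id}'),
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_sp),
+ deprecated_rule=deprecated_update_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_service_provider',
 check_str=base.SYSTEM_ADMIN,
@@ -120,7 +117,9 @@ service_provider_policies = [
 operations=[{'path': ('/v3/OS-FEDERATION/service_providers/'
 '{service_provider_id}'),
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_sp)
+ deprecated_rule=deprecated_delete_sp,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 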
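--- a/keystone/common/policies/token.py
+++ b/keystone/common/policies/token.py
@@ -21,21 +21,15 @@ DEPRECATED_REASON = (
 
 deprecated_check_token = policy.DeprecatedRule(
 name=base.IDENTITY % 'check_token',
- check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
 )
 deprecated_validate_token = policy.DeprecatedRule(
 name=base.IDENTITY % 'validate_token',
- check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT
 )
 deprecated_revoke_token = policy.DeprecatedRule(
 name=base.IDENTITY % 'revoke_token',
- check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_OR_TOKEN_SUBJECT
 )
 
 SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
@@ -58,7 +52,9 @@ token_policies = [
 description='Check a token.',
 operations=[{'path': '/v3/auth/tokens',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_check_token),
+ deprecated_rule=deprecated_check_token,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'validate_token',
 check_str=SYSTEM_USER_OR_SERVICE_OR_TOKEN_SUBJECT,
@@ -66,7 +62,9 @@ token_policies = [
 description='Validate a token.',
 operations=[{'path': '/v3/auth/tokens',
 'method': 'GET'}],
- deprecated_rule=deprecated_validate_token),
+ deprecated_rule=deprecated_validate_token,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'revoke_token',
 check_str=SYSTEM_ADMIN_OR_TOKEN_SUBJECT,
@@ -74,7 +72,9 @@ token_policies = [
 description='Revoke a token.',
 operations=[{'path': '/v3/auth/tokens',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_revoke_token)
+ deprecated_rule=deprecated_revoke_token,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 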
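--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@@ -24,39 +24,29 @@ SYSTEM_READER_OR_TRUSTOR = base.SYSTEM_READER + ' or ' + RULE_TRUSTOR
 SYSTEM_READER_OR_TRUSTEE = base.SYSTEM_READER + ' or ' + RULE_TRUSTEE
 SYSTEM_ADMIN_OR_TRUSTOR = base.SYSTEM_ADMIN + ' or ' + RULE_TRUSTOR
 
-DEPRECATED_REASON = (
- "The trust API is now aware of system scope and default roles."
-)
-
 deprecated_list_trusts = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_trusts',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_list_roles_for_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_roles_for_trust',
- check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )
 deprecated_get_role_for_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_role_for_trust',
- check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
 )
 deprecated_delete_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_trust',
- check_str=RULE_TRUSTOR,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR
 )
 deprecated_get_trust = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_trust',
- check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.TRAIN
+ check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE
+)
+
+DEPRECATED_REASON = (
+ "The trust API is now aware of system scope and default roles."
 )
 
 trust_policies = [
@@ -79,7 +69,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_trusts),
+ deprecated_rule=deprecated_list_trusts,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_trusts_for_trustor',
 check_str=SYSTEM_READER_OR_TRUSTOR,
@@ -111,7 +103,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_roles_for_trust),
+ deprecated_rule=deprecated_list_roles_for_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_role_for_trust',
 check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
@@ -121,7 +115,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_role_for_trust),
+ deprecated_rule=deprecated_get_role_for_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_trust',
 check_str=SYSTEM_ADMIN_OR_TRUSTOR,
@@ -129,7 +125,9 @@ trust_policies = [
 description='Revoke trust.',
 operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_trust),
+ deprecated_rule=deprecated_delete_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_trust',
 check_str=SYSTEM_READER_OR_TRUSTOR_OR_TRUSTEE,
@@ -139,7 +137,9 @@ trust_policies = [
 'method': 'GET'},
 {'path': '/v3/OS-TRUST/trusts/{trust_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_trust)
+ deprecated_rule=deprecated_get_trust,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.TRAIN)
 ]
 
 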
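Review bot: `RULE_TRUSTOR + ' or ' + RULE_TRUSTEE` is spelled out three times in the rewritten deprecated rules (`list_roles_for_trust`, `get_role_for_trust`, `get_trust`), while the new defaults a few lines above use named constants such as `SYSTEM_READER_OR_TRUSTOR`. A named constant next to those, `RULE_TRUSTOR_OR_TRUSTEE = RULE_TRUSTOR + ' or ' + RULE_TRUSTEE`, would keep the three old checks from drifting apart. That is worth having because a deprecated check string stays part of the effective rule for as long as the deprecation is active. The `trust_policies` list is only partly visible in these hunks.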
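--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@@ -36,33 +36,23 @@ DEPRECATED_REASON = (
 
 deprecated_get_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'get_user',
- check_str=base.RULE_ADMIN_OR_OWNER,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_OR_OWNER
 )
 deprecated_list_users = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_users',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_create_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'create_user',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_update_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'update_user',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 deprecated_delete_user = policy.DeprecatedRule(
 name=base.IDENTITY % 'delete_user',
- check_str=base.RULE_ADMIN_REQUIRED,
- deprecated_reason=DEPRECATED_REASON,
- deprecated_since=versionutils.deprecated.STEIN
+ check_str=base.RULE_ADMIN_REQUIRED
 )
 
 user_policies = [
@@ -75,7 +65,9 @@ user_policies = [
 'method': 'GET'},
 {'path': '/v3/users/{user_id}',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_get_user),
+ deprecated_rule=deprecated_get_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_users',
 check_str=SYSTEM_READER_OR_DOMAIN_READER,
@@ -85,7 +77,9 @@ user_policies = [
 'method': 'GET'},
 {'path': '/v3/users',
 'method': 'HEAD'}],
- deprecated_rule=deprecated_list_users),
+ deprecated_rule=deprecated_list_users,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_projects_for_user',
 check_str='',
@@ -117,7 +111,9 @@ user_policies = [
 description='Create a user.',
 operations=[{'path': '/v3/users',
 'method': 'POST'}],
- deprecated_rule=deprecated_create_user),
+ deprecated_rule=deprecated_create_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_user',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -125,7 +121,9 @@ user_policies = [
 description='Update a user, including administrative password resets.',
 operations=[{'path': '/v3/users/{user_id}',
 'method': 'PATCH'}],
- deprecated_rule=deprecated_update_user),
+ deprecated_rule=deprecated_update_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_user',
 check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
@@ -133,7 +131,9 @@ user_policies = [
 description='Delete a user.',
 operations=[{'path': '/v3/users/{user_id}',
 'method': 'DELETE'}],
- deprecated_rule=deprecated_delete_user)
+ deprecated_rule=deprecated_delete_user,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 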
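--- a/keystone/common/rbac_enforcer/enforcer.py
+++ b/keystone/common/rbac_enforcer/enforcer.py
@@ -14,7 +14,6 @@ import functools
 
 import flask
 from oslo_log import log
-from oslo_policy import opts
 from oslo_policy import policy as common_policy
 from oslo_utils import strutils
 
@@ -40,13 +39,6 @@ _POSSIBLE_TARGET_ACTIONS = frozenset([
 _ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called'
 
 
-# TODO(gmann): Remove setting the default value of config policy_file
-# once oslo_policy change the default value to 'policy.yaml'.
-# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
-DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
-
-
 class RBACEnforcer(object):
 """Enforce RBAC on API calls."""
 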
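Review bot: With `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` gone from this module, the policy file name falls back to whatever default the installed oslo.policy ships, which the removed TODO implies was not yet `policy.yaml`. A deployment that keeps its overrides in `policy.yaml` without setting `policy_file` explicitly could then be evaluated against the in-code defaults only, silently dropping operator-defined restrictions. The same call is removed from `set_external_opts_defaults()` in keystone/conf/__init__.py. I would either keep the `set_defaults` call or state in the release notes that `[oslo_policy] policy_file = policy.yaml` has to be set explicitly.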
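--- a/keystone/common/sql/contract_repo/versions/079_contract_update_local_id_limit.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This is a placeholder for Ussuri backports. Do not use this number for new
-# Victoria work. New Victoria work starts after all the placeholders.
-
-
-def upgrade(migrate_engine):
- pass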
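--- a/keystone/common/sql/core.py
+++ b/keystone/common/sql/core.py
@@ -119,11 +119,6 @@ ModelBase.__init__ = initialize_decorator(ModelBase.__init__)
 class JsonBlob(sql_types.TypeDecorator):
 
 impl = sql.Text
- # NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
- # https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
- # sqlalchemy.types.TypeDecorator.cache_ok
- cache_ok = True
- """This type is safe to cache."""
 
 def process_bind_param(self, value, dialect):
 return jsonutils.dumps(value)
@@ -149,11 +144,6 @@ class DateTimeInt(sql_types.TypeDecorator):
 
 impl = sql.BigInteger
 epoch = datetime.datetime.fromtimestamp(0, tz=pytz.UTC)
- # NOTE(ralonsoh): set to True as any other TypeDecorator in SQLAlchemy
- # https://docs.sqlalchemy.org/en/14/core/custom_types.html# \
- # sqlalchemy.types.TypeDecorator.cache_ok
- cache_ok = True
- """This type is safe to cache."""
 
 def process_bind_param(self, value, dialect):
 if value is None: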
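Review bot: `JsonBlob` and `DateTimeInt` no longer declare `cache_ok`, so on SQLAlchemy 1.4 and later statements that use these column types are left out of the compiled-statement cache and a warning about the missing attribute is emitted. As far as the visible lines show, neither `process_bind_param` depends on per-instance state, so `cache_ok = True` can stay on both classes; as a plain class attribute it should be harmless on older SQLAlchemy releases. Both class bodies continue outside the hunks.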
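--- a/keystone/common/sql/data_migration_repo/versions/079_migrate_update_local_id_limit.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This is a placeholder for Ussuri backports. Do not use this number for new
-# Victoria work. New Victoria work starts after all the placeholders.
-
-
-def upgrade(migrate_engine):
- pass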
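--- a/keystone/common/sql/expand_repo/versions/079_expand_update_local_id_limit.py
+++ /dev/null
@@ -1,24 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import sqlalchemy as sql
-
-
-def upgrade(migrate_engine):
-
- meta = sql.MetaData()
- meta.bind = migrate_engine
-
- id_mapping_table = sql.Table(
- 'id_mapping', meta, autoload=True
- )
- id_mapping_table.c.local_id.alter(type=sql.String(255))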
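--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -16,7 +16,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import collections.abc
+import collections
 import grp
 import hashlib
 import itertools
@@ -81,7 +81,7 @@ def flatten_dict(d, parent_key=''):
 items = []
 for k, v in d.items():
 new_key = parent_key + '.' + k if parent_key else k
- if isinstance(v, collections.abc.MutableMapping):
+ if isinstance(v, collections.MutableMapping):
 items.extend(list(flatten_dict(v, new_key).items()))
 else:
 items.append((new_key, v))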
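Review bot: `collections.MutableMapping` in `flatten_dict` only resolves on Python versions that still export the ABC aliases from `collections`; those aliases were removed in Python 3.10, where this line raises `AttributeError` on the first item processed. Keep `import collections.abc` and test with `isinstance(v, collections.abc.MutableMapping)`, which works on every Python 3 release. The function body starts above the hunk.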
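--- a/keystone/conf/__init__.py
+++ b/keystone/conf/__init__.py
@@ -18,7 +18,6 @@ from oslo_log import log
 from oslo_log import versionutils
 import oslo_messaging
 from oslo_middleware import cors
-from oslo_policy import opts as policy_opts
 from osprofiler import opts as profiler
 
 from keystone.conf import application_credential
@@ -186,12 +185,6 @@ def set_external_opts_defaults():
 # configure OSprofiler options
 profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False)
 
- # TODO(gmann): Remove setting the default value of config policy_file
- # once oslo_policy change the default value to 'policy.yaml'.
- # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
- DEFAULT_POLICY_FILE = 'policy.yaml'
- policy_opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
-
 # Oslo.cache is always enabled by default for request-local caching
 # TODO(morganfainberg): Fix this to not use internal interface when
 # oslo.cache has proper interface to set defaults added. This is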
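--- a/keystone/conf/memcache.py
+++ b/keystone/conf/memcache.py
@@ -19,12 +19,6 @@ from keystone.conf import utils
 dead_retry = cfg.IntOpt(
 'dead_retry',
 default=5 * 60,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_dead_retry`` option to set the '
- 'dead_retry of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds memcached server is considered dead before it is tried again.
 This is used by the key value store system.
@@ -34,7 +28,7 @@ socket_timeout = cfg.IntOpt(
 'socket_timeout',
 default=3,
 deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
+ deprecated_reason='This option is duplicated with oslo.cache. '
 'Configure ``keystone.conf [cache] '
 'memcache_socket_timeout`` option to set the '
 'socket_timeout of memcached instead. ',
@@ -47,12 +41,6 @@ store system.
 pool_maxsize = cfg.IntOpt(
 'pool_maxsize',
 default=10,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_pool_maxsize`` option to set the '
- 'pool_maxsize of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Max total number of open connections to every memcached server. This is used by
 the key value store system.
@@ -61,12 +49,6 @@ the key value store system.
 pool_unused_timeout = cfg.IntOpt(
 'pool_unused_timeout',
 default=60,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_pool_unused_timeout`` option to set the '
- 'pool_unused_timeout of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds a connection to memcached is held unused in the pool before
 it is closed. This is used by the key value store system.
@@ -75,12 +57,6 @@ it is closed. This is used by the key value store system.
 pool_connection_get_timeout = cfg.IntOpt(
 'pool_connection_get_timeout',
 default=10,
- deprecated_for_removal=True,
- deprecated_reason='This option has no effect. '
- 'Configure ``keystone.conf [cache] '
- 'memcache_pool_connection_get_timeout`` option to set '
- 'the connection_get_timeout of memcached instead. ',
- deprecated_since='Y',
 help=utils.fmt("""
 Number of seconds that an operation will wait to get a memcache client
 connection. This is used by the key value store system.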
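Review bot: `dead_retry`, `pool_maxsize`, `pool_unused_timeout` and `pool_connection_get_timeout` are no longer flagged `deprecated_for_removal`, yet their help text still reads "This is used by the key value store system" while the removed reason text said the options have no effect. If nothing in this tree reads them (not visible from these hunks), operators tuning `[memcache]` get no signal that the values are ignored. I would keep the deprecation markers, or at least name in each help string the `[cache]` option to set instead, as the `socket_timeout` reason does.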
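--- a/keystone/federation/idp.py
+++ b/keystone/federation/idp.py
@@ -366,11 +366,7 @@ class SAMLGenerator(object):
 
 """
 canonicalization_method = xmldsig.CanonicalizationMethod()
- # TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
- if hasattr(xmldsig, 'TRANSFORM_C14N'): # >= 7.1.0
- canonicalization_method.algorithm = xmldsig.TRANSFORM_C14N
- else: # < 7.1.0
- canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
+ canonicalization_method.algorithm = xmldsig.ALG_EXC_C14N
 signature_method = xmldsig.SignatureMethod(
 algorithm=xmldsig.SIG_RSA_SHA1)
 
@@ -378,11 +374,7 @@ class SAMLGenerator(object):
 envelope_transform = xmldsig.Transform(
 algorithm=xmldsig.TRANSFORM_ENVELOPED)
 
- # TODO(stephenfin): Drop when we remove support for pysaml < 7.1.0
- if hasattr(xmldsig, 'TRANSFORM_C14N'): # >= 7.1.0
- c14_transform = xmldsig.Transform(algorithm=xmldsig.TRANSFORM_C14N)
- else: # < 7.1.0
- c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
+ c14_transform = xmldsig.Transform(algorithm=xmldsig.ALG_EXC_C14N)
 transforms.transform = [envelope_transform, c14_transform]
 
 digest_method = xmldsig.DigestMethod(algorithm=xmldsig.DIGEST_SHA1)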
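Review bot: Both `canonicalization_method.algorithm` and `c14_transform` now reference `xmldsig.ALG_EXC_C14N` unconditionally, and the removed branches indicate that pysaml2 7.1.0 and later expose `TRANSFORM_C14N` instead, so SAML assertion signing would presumably fail with `AttributeError` on those releases. Either cap pysaml2 below 7.1.0 in the requirements or resolve the constant once, e.g. `c14n_alg = getattr(xmldsig, 'TRANSFORM_C14N', None) or xmldsig.ALG_EXC_C14N`, and use it in both places. Separately, the context lines still select `SIG_RSA_SHA1` and `DIGEST_SHA1`; moving to the SHA-256 constants is worth a follow-up once service-provider compatibility has been checked. The method body starts and ends outside these hunks.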
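--- a/keystone/identity/mapping_backends/sql.py
+++ b/keystone/identity/mapping_backends/sql.py
@@ -21,7 +21,7 @@ class IDMapping(sql.ModelBase, sql.ModelDictMixin):
 __tablename__ = 'id_mapping'
 public_id = sql.Column(sql.String(64), primary_key=True)
 domain_id = sql.Column(sql.String(64), nullable=False)
- local_id = sql.Column(sql.String(255), nullable=False)
+ local_id = sql.Column(sql.String(64), nullable=False)
 # NOTE(henry-nash): Postgres requires a name to be defined for an Enum
 entity_type = sql.Column(
 sql.Enum(identity_mapping.EntityType.USER,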
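Review bot: `local_id` is declared as `sql.String(64)` here while the same merge deletes the `079_expand_update_local_id_limit` migration that widened the column to 255, so identifiers longer than 64 characters coming from an external identity backend may be rejected or truncated, depending on the database. A database that already ran migration 079 would also be ahead of the migration repository, which is worth checking before the next schema sync. If the narrower limit is not intentional, keep `local_id = sql.Column(sql.String(255), nullable=False)` together with the 079 scripts. The class body continues outside the hunk.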
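--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -98,8 +98,7 @@ class ShadowUsers(base.ShadowUsersDriverBase):
 x for x in hints.filters if x['name'] not in ('idp_id',
 'protocol_id',
 'unique_id')]
- if statements:
- query = query.filter(sqlalchemy.and_(*statements))
+ query = query.filter(sqlalchemy.and_(*statements))
 return query
 
 def get_federated_users(self, hints):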
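Review bot: `sqlalchemy.and_(*statements)` is now called even when `statements` is empty, and SQLAlchemy 1.4 deprecates `and_()` with no arguments (a warning today, announced to become an error). The list is built above the hunk, and the removed `if statements:` guard suggests it can be empty. I would restore the guard so the filter is only applied when there is something to filter on: `if statements:` followed by `query = query.filter(sqlalchemy.and_(*statements))`.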
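--- a/keystone/locale/en_GB/LC_MESSAGES/keystone.po
+++ b/keystone/locale/en_GB/LC_MESSAGES/keystone.po
@@ -12,11 +12,11 @@ msgid ""
 msgstr ""
 "Project-Id-Version: keystone VERSION\n"
 "Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
-"POT-Creation-Date: 2021-01-08 19:57+0000\n"
+"POT-Creation-Date: 2020-06-18 11:23+0000\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2020-10-28 02:12+0000\n"
+"PO-Revision-Date: 2020-06-15 05:35+0000\n"
 "Last-Translator: Andi Chandler <andi@gowling.com>\n"
 "Language: en_GB\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
@@ -1384,14 +1384,6 @@ msgstr ""
 
 #, python-format
 msgid ""
-"Unable to create additional credentials, maximum of %(limit)d already "
-"exceeded for user."
-msgstr ""
-"Unable to create additional credentials, maximum of %(limit)d already "
-"exceeded for user."
-
-#, python-format
-msgid ""
 "Unable to delete immutable %(type)s resource: `%(resource_id)s. Set resource "
 "option \"immutable\" to false first."
 msgstr ""
@@ -1500,10 +1492,6 @@ msgstr ""
 "%(group_id)s, Project: %(project_id)s, Domain: %(domain_id)s."
 
 #, python-format
-msgid "Unexpected evaluation type \"%(eval_type)s\""
-msgstr "Unexpected evaluation type \"%(eval_type)s\""
-
-#, python-format
 msgid "Unexpected status requested for JSON Home response, %s"
 msgstr "Unexpected status requested for JSON Home response, %s"
 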
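--- a/keystone/models/revoke_model.py
+++ b/keystone/models/revoke_model.py
@@ -170,7 +170,7 @@ def matches(event, token_values):
 # rest of the logic.
 
 # The token has two attributes that can match the domain_id.
- if event.domain_id is not None and event.domain_id not in (
+ if event.domain_id is not None and event.domain_id not in(
 token_values['identity_domain_id'],
 token_values['assignment_domain_id'],):
 return False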
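--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@@ -3694,9 +3694,9 @@ class ImpliedRoleTests(AssignmentTestHelperMixin):
 expected_implied_role_ref = {
 'prior_role_id': prior_role_ref['id'],
 'implied_role_id': implied_role_ref['id']}
- self.assertLessEqual(
- expected_implied_role_ref.items(),
- implied_role.items())
+ self.assertDictContainsSubset(
+ expected_implied_role_ref,
+ implied_role)
 
 PROVIDERS.role_api.delete_implied_role(
 prior_role_ref['id'],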
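Review bot: `assertDictContainsSubset` has been deprecated since Python 3.2 and is removed in Python 3.12, so this assertion emits a deprecation warning today and fails with `AttributeError` on newer interpreters. The equivalent that needs no helper is `self.assertLessEqual(expected_implied_role_ref.items(), implied_role.items())`. The same call is introduced throughout keystone/tests/unit/catalog/test_backends.py. The test method starts above the hunk.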
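--- a/keystone/tests/unit/catalog/test_backends.py
+++ b/keystone/tests/unit/catalog/test_backends.py
@@ -111,23 +111,20 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.get_region(region_id)
 # update the region bypassing catalog_api
 PROVIDERS.catalog_api.driver.update_region(region_id, updated_region)
- self.assertLessEqual(
- new_region.items(),
- PROVIDERS.catalog_api.get_region(region_id).items()
+ self.assertDictContainsSubset(
+ new_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 PROVIDERS.catalog_api.get_region.invalidate(
 PROVIDERS.catalog_api, region_id
 )
- self.assertLessEqual(
- updated_region.items(),
- PROVIDERS.catalog_api.get_region(region_id).items()
+ self.assertDictContainsSubset(
+ updated_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 # delete the region
 PROVIDERS.catalog_api.driver.delete_region(region_id)
 # still get the old region
- self.assertLessEqual(
- updated_region.items(),
- PROVIDERS.catalog_api.get_region(region_id).items()
+ self.assertDictContainsSubset(
+ updated_region, PROVIDERS.catalog_api.get_region(region_id)
 )
 PROVIDERS.catalog_api.get_region.invalidate(
 PROVIDERS.catalog_api, region_id
@@ -345,23 +342,20 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.driver.update_service(
 service_id, updated_service
 )
- self.assertLessEqual(
- new_service.items(),
- PROVIDERS.catalog_api.get_service(service_id).items()
+ self.assertDictContainsSubset(
+ new_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 PROVIDERS.catalog_api.get_service.invalidate(
 PROVIDERS.catalog_api, service_id
 )
- self.assertLessEqual(
- updated_service.items(),
- PROVIDERS.catalog_api.get_service(service_id).items()
+ self.assertDictContainsSubset(
+ updated_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 
 # delete bypassing catalog api
 PROVIDERS.catalog_api.driver.delete_service(service_id)
- self.assertLessEqual(
- updated_service.items(),
- PROVIDERS.catalog_api.get_service(service_id).items()
+ self.assertDictContainsSubset(
+ updated_service, PROVIDERS.catalog_api.get_service(service_id)
 )
 PROVIDERS.catalog_api.get_service.invalidate(
 PROVIDERS.catalog_api, service_id
@@ -422,12 +416,12 @@ class CatalogTests(object):
 PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
 # delete the service bypassing catalog api
 PROVIDERS.catalog_api.driver.delete_service(service['id'])
- self.assertLessEqual(
- endpoint.items(),
- PROVIDERS.catalog_api.get_endpoint(endpoint['id']).items())
- self.assertLessEqual(
- service.items(),
- PROVIDERS.catalog_api.get_service(service['id']).items())
+ self.assertDictContainsSubset(endpoint,
+ PROVIDERS.catalog_api.
+ get_endpoint(endpoint['id']))
+ self.assertDictContainsSubset(service,
+ PROVIDERS.catalog_api.
+ get_service(service['id']))
 PROVIDERS.catalog_api.get_endpoint.invalidate(
 PROVIDERS.catalog_api, endpoint['id']
 )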
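--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -1045,7 +1045,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
 Foo()
 project_ref = unit.new_project_ref(domain_id=self.domain_id)
 PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
- self.assertCountEqual(['cb1', 'cb0'], callback_called)
+ self.assertItemsEqual(['cb1', 'cb0'], callback_called)
 
 def test_invalid_event_callbacks(self):
 @notifications.listener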
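Review bot: `assertItemsEqual` is the Python 2 name; the standard-library `unittest.TestCase` on Python 3 only provides `assertCountEqual`, so this line depends on the test base class (not visible here) supplying a compatibility alias. `self.assertCountEqual(['cb1', 'cb0'], callback_called)` checks the same thing without that dependency. The test method starts above the hunk.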
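--- a/keystone/tests/unit/config_files/backend_ldap_sql.conf
+++ b/keystone/tests/unit/config_files/backend_ldap_sql.conf
@@ -5,7 +5,7 @@
 #connection = mysql+pymysql://keystone:keystone@localhost/keystone?charset=utf8
 #To Test PostgreSQL:
 #connection = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
-connection_recycle_time = 200
+idle_timeout = 200
 
 [ldap]
 url = fake://memory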
5000diff --git a/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf b/keystone/tests/unit/config_files/backend_multi_ldap_sql.conf
The diff has been truncated for viewing.
