Remove default policy in keystone chart

Keystone has default policy defined in code, this change
removes the outdated values set in values.yaml in order to fall
back onto the in code values for policy.

Change-Id: If27eb0aa312b52c6fddd3811f10bc6207c7dfe27

keystone/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.17
+version: 0.2.18
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:

keystone/values.yaml

@@ -558,173 +558,7 @@ conf:
   # A sample of the value override can be found in sample file:
   # tools/overrides/example/keystone_domain_config.yaml
   # ks_domains:
-  policy:
-    admin_required: role:admin or is_admin:1
-    service_role: role:service
-    service_or_admin: rule:admin_required or rule:service_role
-    owner: user_id:%(user_id)s
-    admin_or_owner: rule:admin_required or rule:owner
-    token_subject: user_id:%(target.token.user_id)s
-    admin_or_token_subject: rule:admin_required or rule:token_subject
-    service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
-    default: rule:admin_required
-    identity:get_region: ''
-    identity:list_regions: ''
-    identity:create_region: rule:admin_required
-    identity:update_region: rule:admin_required
-    identity:delete_region: rule:admin_required
-    identity:get_service: rule:admin_required
-    identity:list_services: rule:admin_required
-    identity:create_service: rule:admin_required
-    identity:update_service: rule:admin_required
-    identity:delete_service: rule:admin_required
-    identity:get_endpoint: rule:admin_required
-    identity:list_endpoints: rule:admin_required
-    identity:create_endpoint: rule:admin_required
-    identity:update_endpoint: rule:admin_required
-    identity:delete_endpoint: rule:admin_required
-    identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
-    identity:list_domains: rule:admin_required
-    identity:create_domain: rule:admin_required
-    identity:update_domain: rule:admin_required
-    identity:delete_domain: rule:admin_required
-    identity:get_project: rule:admin_required or project_id:%(target.project.id)s
-    identity:list_projects: rule:admin_required
-    identity:list_user_projects: rule:admin_or_owner
-    identity:create_project: rule:admin_required
-    identity:update_project: rule:admin_required
-    identity:delete_project: rule:admin_required
-    identity:get_user: rule:admin_or_owner
-    identity:list_users: rule:admin_required
-    identity:create_user: rule:admin_required
-    identity:update_user: rule:admin_required
-    identity:delete_user: rule:admin_required
-    identity:change_password: rule:admin_or_owner
-    identity:get_group: rule:admin_required
-    identity:list_groups: rule:admin_required
-    identity:list_groups_for_user: rule:admin_or_owner
-    identity:create_group: rule:admin_required
-    identity:update_group: rule:admin_required
-    identity:delete_group: rule:admin_required
-    identity:list_users_in_group: rule:admin_required
-    identity:remove_user_from_group: rule:admin_required
-    identity:check_user_in_group: rule:admin_required
-    identity:add_user_to_group: rule:admin_required
-    identity:get_credential: rule:admin_required
-    identity:list_credentials: rule:admin_required
-    identity:create_credential: rule:admin_required
-    identity:update_credential: rule:admin_required
-    identity:delete_credential: rule:admin_required
-    identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
-    identity:ec2_list_credentials: rule:admin_or_owner
-    identity:ec2_create_credential: rule:admin_or_owner
-    identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
-    identity:get_role: rule:admin_required
-    identity:list_roles: rule:admin_required
-    identity:create_role: rule:admin_required
-    identity:update_role: rule:admin_required
-    identity:delete_role: rule:admin_required
-    identity:get_domain_role: rule:admin_required
-    identity:list_domain_roles: rule:admin_required
-    identity:create_domain_role: rule:admin_required
-    identity:update_domain_role: rule:admin_required
-    identity:delete_domain_role: rule:admin_required
-    identity:get_implied_role: 'rule:admin_required '
-    identity:list_implied_roles: rule:admin_required
-    identity:create_implied_role: rule:admin_required
-    identity:delete_implied_role: rule:admin_required
-    identity:list_role_inference_rules: rule:admin_required
-    identity:check_implied_role: rule:admin_required
-    identity:check_grant: rule:admin_required
-    identity:list_grants: rule:admin_required
-    identity:create_grant: rule:admin_required
-    identity:revoke_grant: rule:admin_required
-    identity:list_role_assignments: rule:admin_required
-    identity:list_role_assignments_for_tree: rule:admin_required
-    identity:get_policy: rule:admin_required
-    identity:list_policies: rule:admin_required
-    identity:create_policy: rule:admin_required
-    identity:update_policy: rule:admin_required
-    identity:delete_policy: rule:admin_required
-    identity:check_token: rule:admin_or_token_subject
-    identity:validate_token: rule:service_admin_or_token_subject
-    identity:validate_token_head: rule:service_or_admin
-    identity:revocation_list: rule:service_or_admin
-    identity:revoke_token: rule:admin_or_token_subject
-    identity:create_trust: user_id:%(trust.trustor_user_id)s
-    identity:list_trusts: ''
-    identity:list_roles_for_trust: ''
-    identity:get_role_for_trust: ''
-    identity:delete_trust: ''
-    identity:create_consumer: rule:admin_required
-    identity:get_consumer: rule:admin_required
-    identity:list_consumers: rule:admin_required
-    identity:delete_consumer: rule:admin_required
-    identity:update_consumer: rule:admin_required
-    identity:authorize_request_token: rule:admin_required
-    identity:list_access_token_roles: rule:admin_required
-    identity:get_access_token_role: rule:admin_required
-    identity:list_access_tokens: rule:admin_required
-    identity:get_access_token: rule:admin_required
-    identity:delete_access_token: rule:admin_required
-    identity:list_projects_for_endpoint: rule:admin_required
-    identity:add_endpoint_to_project: rule:admin_required
-    identity:check_endpoint_in_project: rule:admin_required
-    identity:list_endpoints_for_project: rule:admin_required
-    identity:remove_endpoint_from_project: rule:admin_required
-    identity:create_endpoint_group: rule:admin_required
-    identity:list_endpoint_groups: rule:admin_required
-    identity:get_endpoint_group: rule:admin_required
-    identity:update_endpoint_group: rule:admin_required
-    identity:delete_endpoint_group: rule:admin_required
-    identity:list_projects_associated_with_endpoint_group: rule:admin_required
-    identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
-    identity:get_endpoint_group_in_project: rule:admin_required
-    identity:list_endpoint_groups_for_project: rule:admin_required
-    identity:add_endpoint_group_to_project: rule:admin_required
-    identity:remove_endpoint_group_from_project: rule:admin_required
-    identity:create_identity_provider: rule:admin_required
-    identity:list_identity_providers: rule:admin_required
-    identity:get_identity_provider: rule:admin_required
-    identity:update_identity_provider: rule:admin_required
-    identity:delete_identity_provider: rule:admin_required
-    identity:create_protocol: rule:admin_required
-    identity:update_protocol: rule:admin_required
-    identity:get_protocol: rule:admin_required
-    identity:list_protocols: rule:admin_required
-    identity:delete_protocol: rule:admin_required
-    identity:create_mapping: rule:admin_required
-    identity:get_mapping: rule:admin_required
-    identity:list_mappings: rule:admin_required
-    identity:delete_mapping: rule:admin_required
-    identity:update_mapping: rule:admin_required
-    identity:create_service_provider: rule:admin_required
-    identity:list_service_providers: rule:admin_required
-    identity:get_service_provider: rule:admin_required
-    identity:update_service_provider: rule:admin_required
-    identity:delete_service_provider: rule:admin_required
-    identity:get_auth_catalog: ''
-    identity:get_auth_projects: ''
-    identity:get_auth_domains: ''
-    identity:list_projects_for_user: ''
-    identity:list_domains_for_user: ''
-    identity:list_revoke_events: ''
-    identity:create_policy_association_for_endpoint: rule:admin_required
-    identity:check_policy_association_for_endpoint: rule:admin_required
-    identity:delete_policy_association_for_endpoint: rule:admin_required
-    identity:create_policy_association_for_service: rule:admin_required
-    identity:check_policy_association_for_service: rule:admin_required
-    identity:delete_policy_association_for_service: rule:admin_required
-    identity:create_policy_association_for_region_and_service: rule:admin_required
-    identity:check_policy_association_for_region_and_service: rule:admin_required
-    identity:delete_policy_association_for_region_and_service: rule:admin_required
-    identity:get_policy_for_endpoint: rule:admin_required
-    identity:list_endpoints_for_policy: rule:admin_required
-    identity:create_domain_config: rule:admin_required
-    identity:get_domain_config: rule:admin_required
-    identity:update_domain_config: rule:admin_required
-    identity:delete_domain_config: rule:admin_required
-    identity:get_domain_config_default: rule:admin_required
+  policy: {}
   access_rules: {}
   rabbitmq:
     # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones

releasenotes/notes/keystone.yaml

@@ -33,4 +33,5 @@ keystone:
   - 0.2.15 Reduce log chattiness
   - 0.2.16 Remove extra fsGroup
   - 0.2.17 Update default image references
+  - 0.2.18 Remove default policy
 ...