Policy sample - Identity v3 resources management

Adds the following rules to ``etc/policy.v3cloudsample.json``,
providing an operational Identity v3 API enabled setting:

* The cloud_admin can manage users in any domain.

* The cloud_admin can manage roles on any domain.

* Domain administrators can manage roles on any project in their own
  domain.

Change-Id: Id6ea8f469d5d05c04042c1395c4eae85b982bb25
Closes-Bug: #1267187

etc/policy.v3cloudsample.json

@@ -7,6 +7,14 @@
     "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
     "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
 
+    "user_domain_id": "domain_id:%(target.user.domain_id)s or domain_id:%(user.domain_id)s",
+    "project_domain_id": "domain_id:%(target.project.domain_id)s or domain_id:%(project.domain_id)s",
+    "groups_domain_id": "domain_id:%(group.domain_id)s or domain_id:%(target.group.domain_id)s",
+    "same_domain_id": "domain_id:%(domain_id)s or domain_id:%(target.domain.id)s",
+    "match_domain_id": "rule:same_domain_id or rule:user_domain_id or rule:project_domain_id or rule:groups_domain_id",
+    "domain_admin": "rule:admin_required and rule:match_domain_id",
+    "project_admin": "rule:admin_required and project_id:%(target.project.id)s",
+
     "default": "rule:admin_required",
 
     "identity:get_service": "rule:admin_or_cloud_admin",
@@ -34,11 +42,11 @@
     "identity:update_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "identity:delete_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
 
-    "identity:get_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
-    "identity:list_users": "rule:admin_required and domain_id:%(domain_id)s",
-    "identity:create_user": "rule:admin_required and domain_id:%(user.domain_id)s",
-    "identity:update_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
-    "identity:delete_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
+    "identity:get_user": "rule:cloud_admin or rule:domain_admin",
+    "identity:list_users": "rule:cloud_admin or rule:domain_admin",
+    "identity:create_user": "rule:cloud_admin or rule:domain_admin",
+    "identity:update_user": "rule:cloud_admin or rule:domain_admin",
+    "identity:delete_user": "rule:cloud_admin or rule:domain_admin",
 
     "identity:get_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
     "identity:list_groups": "rule:admin_required and domain_id:%(domain_id)s",
@@ -63,12 +71,10 @@
     "identity:update_role": "rule:cloud_admin",
     "identity:delete_role": "rule:cloud_admin",
 
-    "admin_on_domain_target" : "rule:admin_required and domain_id:%(target.domain.id)s",
-    "admin_on_project_target" : "rule:admin_required and project_id:%(target.project.id)s",
-    "identity:check_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
-    "identity:list_grants": "rule:admin_on_project_target or rule:admin_on_domain_target",
-    "identity:create_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
-    "identity:revoke_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
+    "identity:check_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
+    "identity:list_grants": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
+    "identity:create_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
+    "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
 
     "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
     "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",

keystone/tests/test_v3_protection.py

@@ -595,6 +595,16 @@ def test_user_management(self):
 
         self._test_user_management(self.domainA['id'])
 
+    def test_user_management_by_cloud_admin(self):
+        # Test users management with a cloud admin. This user should
+        # be able to manage users in any domain.
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            domain_id=self.admin_domain['id'])
+
+        self._test_user_management(self.domainA['id'])
+
     def test_project_management(self):
         # First, authentication with a user that does not have the project
         # admin role - houldn't be able to do much.
@@ -636,6 +646,16 @@ def test_domain_grants(self):
 
         self._test_grants('domains', self.domainA['id'])
 
+    def test_domain_grants_by_cloud_admin(self):
+        # Test domain grants with a cloud admin. This user should be
+        # able to manage roles on any domain.
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            domain_id=self.admin_domain['id'])
+
+        self._test_grants('domains', self.domainA['id'])
+
     def test_project_grants(self):
         self.auth = self.build_authentication_request(
             user_id=self.just_a_user['id'],
@@ -653,6 +673,16 @@ def test_project_grants(self):
 
         self._test_grants('projects', self.project['id'])
 
+    def test_project_grants_by_domain_admin(self):
+        # Test project grants with a domain admin. This user should be
+        # able to manage roles on any project in its own domain.
+        self.auth = self.build_authentication_request(
+            user_id=self.domain_admin_user['id'],
+            password=self.domain_admin_user['password'],
+            domain_id=self.domainA['id'])
+
+        self._test_grants('projects', self.project['id'])
+
     def test_cloud_admin(self):
         self.auth = self.build_authentication_request(
             user_id=self.domain_admin_user['id'],