The Keystone policy.json file I created with oslo-policy-generator contains lines I don't understand. For example list_users. The comment says:
# DEPRECATED "identity:list_users":"rule:admin_required" has
been
# deprecated since S in favor of
"identity:list_users":"(role:reader
# and system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
I do understand the expression starting with (role:reader .... , but contrarily to the comment, the policy is
"identity:list_users": "rule:identity:list_users"
This looks like a circular definition, and in any case, nowhere
do I see rule:identity:list_users defined.
Can someone in the know explain how this policy is processed?
Thanks much,
Bernd