Trust operations in policy.json are misleading

The sample policy.json files included in Keystone have the trust API operations listed. For example:

    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",

This implies that these trust operations are protected by policy, which is true but misleading. While policy does protect these operations, they are hardcoded to be very restrictive. Here are some examples from the controller code:

----------------------------------------------------------------------
    @controller.protected()
    def delete_trust(self, context, trust_id):
        trust = self.trust_api.get_trust(trust_id)
        if not trust:
            raise exception.TrustNotFound(trust_id=trust_id)

        user_id = self._get_user_id(context)
        _admin_trustor_only(context, trust, user_id)
        self.trust_api.delete_trust(trust_id)

    @controller.protected()
    def list_roles_for_trust(self, context, trust_id):
        trust = self.get_trust(context, trust_id)['trust']
        if not trust:
            raise exception.TrustNotFound(trust_id=trust_id)
        user_id = self._get_user_id(context)
        _trustor_trustee_only(trust, user_id)
        return {'roles': trust['roles'],
                'links': trust['roles_links']}
----------------------------------------------------------------------

In the trust controller code, the following restrictions are currently hard-coded:

  create_trust - trustor only
  get_trust - trustor or trustee only
  l ist_trusts - admin only to list all trusts, trustor or trustee only for related trusts
  list_roles_for_trust - trustor or trustee only
  check_role_for_trust - trustor or trustee only
  get_role_for_trust - trustor or trustee only (indirectly via check_role_for_trust)
  delete_trust - admin or trustor only

The policies in policy.json can make these operations more restricted, but not less restricted than the hard-coded restrictions. We can't simply remove these settings from policy.json, as that would cause the "default" rule to be used which makes trusts unusable in the case of the default "default" rule of "admin_required". This only leaves us with the option of clearly documenting the behavior IMHO. Unfortunately, JSON doesn't allow comments, so we can't just add nice comments right there in policy.json. I think that the correct approach is:

- Add a general purpose paragraph to the RBAC section of doc/source/configuration.rst that states that some operations have hard-coded restrictions that policy is unable to circumvent. Mention that policy can still make these operations more restrictive.

- Add documentation for the trust extension at keystone/doc/source/extensions/trust.rst that mentions the hard-coded restrictions for each trust operation. Documentation for the trust extension in this area is completely missing at this time.