Comment 9 for bug 1703369

Lance Bragstad (lbragstad) wrote :

To recap the conversation and summarize what was discussed in IRC [0].

There is a security issue if a deployer modifies the default policy role required for an operation but wishes to keep the identity:get_identity_providers protected at the "admin-level". This was deemed unlikely since the default and get_identity_provider were protected with the same admin_required rule.

For the sake of process, we can merge the proposed fix [1] with a detailed release note explaining the case. After that we can propose the patch to stable/ocata as well as stable/newton. Even though a deployer can technically issue this fix without a new release, the process of issuing a release note seems valuable at least for the sake of process.

[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-07-11.log.html#t2017-07-11T21:26:46
[1] https://review.openstack.org/#/c/482142/
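The failure mode described in the comment above, as an added illustration that is not part of the original comment and is not keystone's or oslo.policy's own code: a small, simplified policy evaluator (supporting only `role:`, `rule:` and `or`, which is an assumption; real oslo.policy has a fuller grammar) that models the fallback of an unlisted target to the `default` rule. The two policy dictionaries and the credential objects are constructed for the example. Before the fix, `identity:get_identity_providers` has no explicit entry, so relaxing `default` silently relaxes it too; after the fix it carries its own `rule:admin_required` entry and is unaffected.

```python
"""Toy model of the policy fallback discussed above (not oslo.policy).

Assumption: when a target has no entry in the policy file, the check
falls through to the "default" rule. That is what makes relaxing
"default" dangerous for any operation that has no explicit entry.
"""

# Constructed policy files for the example.
POLICY_BEFORE_FIX = {
    "admin_required": "role:admin",
    "default": "rule:admin_required",
    # note: no explicit "identity:get_identity_providers" entry
}

POLICY_AFTER_FIX = {
    "admin_required": "role:admin",
    "default": "rule:admin_required",
    "identity:get_identity_providers": "rule:admin_required",
}

# Constructed credentials (what a real deployment would derive from a token).
ADMIN_CREDS = {"roles": ["admin"]}
MEMBER_CREDS = {"roles": ["member"]}

TARGET = "identity:get_identity_providers"


def relax_default(policy, new_default):
    """Return a copy of `policy` with the "default" rule replaced.

    This models a deployer editing policy.json to loosen the default.
    """
    relaxed = dict(policy)
    relaxed["default"] = new_default
    return relaxed


def check(policy, rule_name, creds):
    """Evaluate `rule_name` for `creds`, falling through to "default".

    A missing target falls back to "default"; a missing "default" denies.
    """
    expr = policy.get(rule_name)
    if expr is None:
        if rule_name == "default":
            return False  # nothing to fall back to: deny
        return check(policy, "default", creds)
    return _eval(policy, expr, creds)


def _eval(policy, expr, creds):
    """Evaluate a simplified rule expression: '', 'role:X', 'rule:Y', 'a or b'."""
    expr = expr.strip()
    if expr == "" or expr == "@":
        return True  # empty rule / '@' allows everyone
    if expr == "!":
        return False
    if " or " in expr:
        return any(_eval(policy, part, creds) for part in expr.split(" or "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check(policy, value, creds)
    raise ValueError("unsupported rule expression: %r" % expr)


def member_can_list_idps(policy):
    """Convenience: can a plain member hit identity:get_identity_providers?"""
    return check(policy, TARGET, MEMBER_CREDS)


if __name__ == "__main__":
    relaxed_before = relax_default(POLICY_BEFORE_FIX, "role:member")
    relaxed_after = relax_default(POLICY_AFTER_FIX, "role:member")
    print("before fix, stock default:   member allowed =",
          member_can_list_idps(POLICY_BEFORE_FIX))
    print("before fix, relaxed default: member allowed =",
          member_can_list_idps(relaxed_before))
    print("after fix, relaxed default:  member allowed =",
          member_can_list_idps(relaxed_after))
```

Running it shows that with the stock policy a member is denied either way, but once `default` is relaxed to `role:member`, only the policy that carries an explicit `identity:get_identity_providers` entry still keeps the operation admin-only; this is the case the release note mentioned above is meant to warn deployers about.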