Add enforce_scope setting support for Cinder

Conder started moving to new RBAC and cinder-tempest-plugin
and Tempest need to set few configuration to enable the
scope checks on cinder side and on Temepst side to tell
cinder is all configured with scope checks and test can be run with
scoped token.

Change-Id: Ic7cd919c000c4e7b9a3a06638a5bd87b1617e749

lib/cinder

@@ -125,6 +125,12 @@ CINDER_IMG_CACHE_SIZE_COUNT=${CINDER_IMG_CACHE_SIZE_COUNT:-}
 # enable the cache for all cinder backends.
 CINDER_CACHE_ENABLED_FOR_BACKENDS=${CINDER_CACHE_ENABLED_FOR_BACKENDS:-$CINDER_ENABLED_BACKENDS}
 
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the  Volume API policies to start checking the scope of token. by default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+CINDER_ENFORCE_SCOPE=$(trueorfalse False CINDER_ENFORCE_SCOPE)
+
 # Functions
 # ---------
 
@@ -326,6 +332,11 @@ function configure_cinder {
     elif is_service_enabled etcd3; then
         iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
     fi
+
+    if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+        iniset $CINDER_CONF oslo_policy enforce_scope true
+        iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+    fi
 }
 
 # create_cinder_accounts() - Set up common required cinder accounts

lib/tempest

@@ -611,6 +611,8 @@ function configure_tempest {
         iniset $TEMPEST_CONFIG auth admin_project_name ''
     fi
 
+    iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+
     if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
         # libvirt-lxc does not support boot from volume or attaching volumes
         # so basically anything with cinder is out of the question.