Merge "Allow neutron to configure secure RBAC options"

deployment/neutron/neutron-api-container-puppet.yaml

@@ -209,6 +209,17 @@ parameters:
     description: The password for the Ironic service and db account, used by the Ironic services
     type: string
     hidden: true
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
 
 parameter_groups:
 - label: deprecated
@@ -319,6 +330,10 @@ outputs:
                     - read_default_file: /etc/my.cnf.d/tripleo.cnf
                       read_default_group: tripleo
             neutron::policy::policies: {get_param: NeutronApiPolicies}
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - neutron::policy::enforce_scope: true
+              neutron::policy::enforce_new_defaults: true
             neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
             neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             neutron::server::agent_down_time: {get_param: NeutronAgentDownTime}

releasenotes/notes/enable-secure-rbac-for-neutron-842bd41339a48f26.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Neutron can now be configured to support secure RBAC using
+    `EnforceSecureRbac`. Note, you may not be able to use this until Neutron
+    upstream has support for common RBAC `personas
+    <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_.
+