Deprecate [token] infer_roles=False

The option `[token] infer_roles=False` is being deprecated in
favor of always expanding role implications during token
validation.

Default roles depend on a chain of implied role assignments.
Ex: an admin user will also have the reader and member role.
By ensuring that all these roles will always appear on the
token validation response, we can improve the simplicity and
readability of policy files.

blueprint deprecated-as-of-rocky

Change-Id: Id36c5b8f6a92f5f3e42e4bcedc3e2dd64eaeb130

keystone/conf/token.py

@@ -114,6 +114,14 @@ request for a scoped token to avoid re-scoping altogether.
 infer_roles = cfg.BoolOpt(
     'infer_roles',
     default=True,
+    deprecated_since=versionutils.deprecated.ROCKY,
+    deprecated_reason=utils.fmt("""
+Default roles depend on a chain of implied role assignments. Ex: an admin user
+will also have the reader and member role. By ensuring that all these roles
+will always appear on the token validation response, we can improve the
+simplicity and readability of policy files.
+"""),
+    deprecated_for_removal=True,
     help=utils.fmt("""
 This controls whether roles should be included with tokens that are not
 directly assigned to the token's scope, but are instead linked implicitly to

releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml

@@ -0,0 +1,11 @@
+---
+deprecations:
+  - >
+    The option ``[token] infer_roles=False`` is being deprecated in favor of
+    always expanding role implications during token validation.
+
+    `Default roles <https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html>`_
+    depend on a chain of implied role assignments, ex: an admin user will also
+    have the reader and member role. Therefore by ensuring that all these roles will
+    always appear on the token validation response, we can improve the
+    simplicity and readability of policy files.