From d77372e86ab078711d48dbe2917714f338842ca5 Mon Sep 17 00:00:00 2001
From: Bartosz Bezak <bartosz@stackhpc.com>
Date: Fri, 26 Jan 2024 16:46:14 +0100
Subject: [PATCH] Disable new defaults and scope for Ironic (RBAC)

Ironic started enforcing new RBAC policies [1]. Kolla/Kayobe
CI jobs are failing, as K-A doesn't have service role support.
Moreover Ironic RBAC is not yet stable enough [2].
Disable enforcing new policies until fix merges and Kolla
Ansible service role support is added.

[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://review.opendev.org/c/openstack/ironic/+/907148

Related-Bug: #2051837

Change-Id: I424cff6ac96dfe0dd5dc58afca2b785f494c9f02
---
 ansible/roles/ironic/templates/ironic.conf.j2 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
index 425c936a49..9f0dc42c2d 100644
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -48,8 +48,14 @@ amqp_durable_queues = true
 rabbit_quorum_queue = true
 {% endif %}
 
-{% if ironic_policy_file is defined %}
 [oslo_policy]
+{% if openstack_release == 'master' %}
+# TODO(bbezak): Remove enforce_* once secure RBAC is supported
+# https://bugs.launchpad.net/kolla-ansible/+bug/2051837
+enforce_scope=False
+enforce_new_defaults=False
+{% endif %}
+{% if ironic_policy_file is defined %}
 policy_file = {{ ironic_policy_file }}
 {% endif %}