Merge "Add support for the oslo_policy/enforce_scope parameter"

manifests/policy.pp

@@ -4,6 +4,10 @@
 #
 # === Parameters
 #
+# [*enforce_scope*]
+#  (Optional) Whether or not to enforce scope when evaluating policies.
+#  Defaults to $::os_service_default.
+#
 # [*policies*]
 #   (Optional) Set of policies to configure for keystone
 #   Example :
@@ -24,8 +28,9 @@
 #   Defaults to /etc/keystone/policy.json
 #
 class keystone::policy (
-  $policies    = {},
+  $enforce_scope = $::os_service_default,
-  $policy_path = '/etc/keystone/policy.json',
+  $policies      = {},
+  $policy_path   = '/etc/keystone/policy.json',
 ) {
 
   include keystone::deps
@@ -41,6 +46,9 @@ class keystone::policy (
 
   create_resources('openstacklib::policy::base', $policies)
 
-  oslo::policy { 'keystone_config': policy_file => $policy_path }
+  oslo::policy { 'keystone_config':
+    enforce_scope => $enforce_scope,
+    policy_file   => $policy_path
+  }
 
 }

releasenotes/notes/oslo_policy-enforce_scope-99b33bde5542e66d.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``keystone::policy::enforce_scope`` parameter has been added to
+    support the corresponding parameter in oslo.policy library.

spec/classes/keystone_policy_spec.rb

@@ -4,8 +4,9 @@ describe 'keystone::policy' do
   shared_examples 'keystone::policy' do
     let :params do
       {
-        :policy_path => '/etc/keystone/policy.json',
+        :enforce_scope => false,
-        :policies    => {
+        :policy_path   => '/etc/keystone/policy.json',
+        :policies      => {
           'context_is_admin' => {
             'key'   => 'context_is_admin',
             'value' => 'foo:bar'
@@ -22,7 +23,8 @@ describe 'keystone::policy' do
         :file_group => 'keystone',
       })
       is_expected.to contain_oslo__policy('keystone_config').with(
-        :policy_file => '/etc/keystone/policy.json',
+        :enforce_scope => false,
+        :policy_file   => '/etc/keystone/policy.json',
       )
     end
   end