Change policy to enforce only new policy

Change's inspector's default policy to align with the 2023.2
release goal.

Depends-On: https://review.opendev.org/c/openstack/ironic/+/902009
Change-Id: Iaa271bd13e3a62c4a3b35b6e6b556984f7b1d09c

devstack/plugin.sh

@@ -26,10 +26,10 @@ IRONIC_INSPECTOR_UWSGI_CONF=$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.in
 # explicitly unless otherwise set.
 IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-False}}
 # and then fallback to trueorfalse to put it into the standardized string format for the jobs.
-IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse False IRONIC_INSPECTOR_ENFORCE_SCOPE)
+IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse True IRONIC_INSPECTOR_ENFORCE_SCOPE)
 # Reset the input in the event the plugin is running separately from ironic's
 # devstack plugin.
-IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
+IRONIC_ENFORCE_SCOPE=$(trueorfalse True IRONIC_ENFORCE_SCOPE)
 
 
 if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then

ironic_inspector/policy.py

@@ -28,7 +28,9 @@ _ENFORCER = None
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE,
+                  enforce_scope=True,
+                  enforce_new_defaults=True)
 
 # Generic policy check string for system administrators. These are the people
 # who need the highest level of authorization to operate the deployment.

releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml

@@ -0,0 +1,35 @@
+---
+upgrade:
+  - |
+    The legacy Role Based Access Control policy used by ironic-inspector has
+    been disabled by default. The end result of this is that the legacy
+    ``baremetal_admin`` and ``baremetal_observer`` roles are no longer enabled
+    by default. System scoped access can be utilized to connect to the
+    ``ironic-inspector`` service, or alternatively a user with an ``admin``
+    or ``service`` role.
+
+    The Ironic project does not anticipate any issues with this change, as the
+    the ``ironic-inspector`` service is a service *for* the system itself.
+    That being said, if the operator deployed configuration is reliant upon
+    the deprecated roles, configuration changes will be required.
+
+    This change is a result of the new policy which was introduced as part of
+    `Consistent and Secure RBAC`_ community goal and the underlying
+    ``[oslo_policy] enforce_scope`` and ``[oslo_policy] enforce_new_defaults``
+    settings being changed to ``True``.
+
+    Operators wishing to revert to the old policy configuration may do so
+    by setting the following values in ``ironic-inspector.conf``.::
+
+      [oslo_policy]
+      enforce_new_defaults=False
+      enforce_scope=False
+
+    Operators who revert the configuration are encouraged to make the
+    necessary changes to their configuration, as the legacy RBAC policy
+    will be removed at some point in the future. Please review
+    `2024.1-Release Timeline`_. Failure to do so will may force operators
+    to craft custom policy override configuration.
+
+    .. _`Consistent and Secure RBAC`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
+    .. _`2024.1-Release Timeline`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3

zuul.d/ironic-inspector-jobs.yaml

@@ -173,6 +173,8 @@
           CIRROS_VERSION: 0.6.1
           MYSQL_GATHER_PERFORMANCE: False
           INSTANCE_WAIT: 120
+          IRONIC_INSPECTOR_ENFORCE_SCOPE: True
+          IRONIC_ENFORCE_SCOPE: True
         old:
           IRONIC_VM_LOG_DIR: '{{ devstack_bases.old }}/ironic-bm-logs'
       grenade_localrc: