From 5d2f716e4be69e31cc48e326cb024aa18c83bbe9 Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Thu, 29 Oct 2020 18:28:22 +0000
Subject: [PATCH] Use enforce_new_defaults when setting up keystone protection
 tests

The `keystone.conf [oslo_policy] enforce_new_defaults` option is meant
to help deployments that want to opt into the new policy enforcement
model (with scope checking) but without having to generate override
files. This is the case for devstack and tempest.

We can use this to bypass generating a policy file with just the new
policies for tempest testing.

Change-Id: I3b219bde569c5a8001aec0c243027b6881254304
---
 devstack/lib/scope.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devstack/lib/scope.sh b/devstack/lib/scope.sh
index 05b605cd94..255ed695e1 100644
--- a/devstack/lib/scope.sh
+++ b/devstack/lib/scope.sh
@@ -14,9 +14,9 @@
 
 function configure_enforce_scope {
     iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+    iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
     iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
     sudo systemctl restart devstack@keystone
-    oslopolicy-policy-generator --namespace keystone > /etc/keystone/policy.yaml
 }
 
 function configure_protection_tests {