Enable secure rbac

This setting policies (RBAC) new defaults and scope to ``True`` by default.

Note: This should only merged, after at least a cycle gap to allow
operators to adopt new changes.

Depends-On: https://review.opendev.org/c/openstack/magnum-tempest-plugin/+/877086

Change-Id: I6db4eaa64e2efd455dc3d37ccc74ebd8e7a5dbb2

.zuul.yaml

@@ -59,12 +59,10 @@
       - release-notes-jobs-python3
     check:
       jobs:
-        - magnum-tempest-plugin-tests-api
         - magnum-tempest-plugin-tests-api-rbac
         - magnum-container-build
     gate:
       jobs:
-        - magnum-tempest-plugin-tests-api
         - magnum-tempest-plugin-tests-api-rbac
     post:
       jobs:

magnum/common/policy.py

@@ -32,11 +32,16 @@ LOG = logging.getLogger(__name__)
 _ENFORCER = None
 CONF = cfg.CONF
 
-# TODO(gmann): Remove setting the default value of config policy_file
-# once oslo_policy change the default value to 'policy.yaml'.
-# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+# TODO(ricolin): Remove overriding the default value of config options
+# 'policy_file', 'enforce_scope', and 'enforce_new_defaults' once
+# oslo_policy change their default value to what is overridden here.
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+    CONF,
+    DEFAULT_POLICY_FILE,
+    enforce_scope=True,
+    enforce_new_defaults=True
+)
 
 
 # we can get a policy enforcer by this init.