Deprecate strict_policy_enforce configuration option

The configuration option ``[patrole] strict_policy_check``
is deprecated and will be removed in the Rocky release cycle.

The default value for ``[patrole] strict_policy_check`` has
been changed to ``True`` because a Patrole test should always
fail if the policy action is invalid, to avoid false positives.

Change-Id: Idb902f23b1845bdbc9ac8fb490f3e74e262c1451

devstack/plugin.sh

@@ -20,7 +20,6 @@ function install_patrole_tempest_plugin() {
 
         iniset $TEMPEST_CONFIG rbac enable_rbac True
         iniset $TEMPEST_CONFIG rbac rbac_test_role $RBAC_TEST_ROLE
-        iniset $TEMPEST_CONFIG rbac strict_policy_check False
     fi
 }
 

patrole_tempest_plugin/config.py

@@ -30,8 +30,12 @@ tests."""),
                 deprecated_group='rbac',
                 help="Enables RBAC tests."),
     cfg.BoolOpt('strict_policy_check',
-                default=False,
+                default=True,
                 deprecated_group='rbac',
+                deprecated_for_removal=True,
+                deprecated_reason="""This option allows for the possibility
+of false positives. As a testing framework, Patrole should fail any test that
+passes in an invalid policy.""",
                 help="""If true, throws RbacParsingException for policies which
 don't exist or are not included in the service's policy file. If false, throws
 skipException."""),

releasenotes/notes/deprecate-strict-policy-enforce-option-e15d2be4e753608e.yaml

@@ -0,0 +1,10 @@
+---
+deprecations:
+  - |
+    The configuration option ``[patrole] strict_policy_check`` is deprecated
+    and will be removed in the Rocky release cycle.
+other:
+  - |
+    The default value for ``[patrole] strict_policy_check`` has been changed
+    to ``True`` because a Patrole test should always fail if the policy action
+    is invalid, to avoid false positives.