Add new tempest job enable the rbac scope checks and new defaults

We have many services (Nova, Neutron, Glance etc) implemented the
new RBAC (project scope and project personas). For these services,
all tests should pass as projects personas (project reader) does
not impact existing testing/usage.

keystone has system scope adopted in their policy for now which
we need to make it work for project scope also and until then
we will see test failing.

This commit adds a new tempest full job which enable the scope
and new defaults of RBAC for applicable services.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/865040

Change-Id: Ib8f2f0e25205edba332fb9bd2a73012016d45061

zuul.d/integrated-gate.yaml

@@ -344,6 +344,30 @@
         # ENABLE_FILE_INJECTION: true
         DATABASE_TYPE: postgresql
 
+- job:
+    name: tempest-full-enforce-scope-new-defaults
+    parent: tempest-full-py3
+    description: |
+      This job runs the Tempest tests with scope and new defaults enabled.
+    # TODO: remove this once https://review.opendev.org/c/openstack/neutron-lib/+/864213
+    # fix is released in neutron-lib
+    required-projects:
+      - openstack/neutron-lib
+      - openstack/neutron
+    vars:
+      devstack_localrc:
+        # Enabeling the scope and new defaults for services.
+        # NOTE: (gmann) We need to keep keystone scope check disable as
+        # services (except ironic) does not support the system scope and
+        # they need keystone to continue working with project scope. Until
+        # Keystone policies are changed to work for both system as well as
+        # for project scoped, we need to keep scope check disable for
+        # keystone.
+        NOVA_ENFORCE_SCOPE: true
+        CINDER_ENFORCE_SCOPE: true
+        GLANCE_ENFORCE_SCOPE: true
+        NEUTRON_ENFORCE_SCOPE: true
+
 - project-template:
     name: integrated-gate-networking
     description: |

zuul.d/project.yaml

@@ -103,6 +103,8 @@
             irrelevant-files: *tempest-irrelevant-files
         - nova-live-migration:
             irrelevant-files: *tempest-irrelevant-files
+        - tempest-full-enforce-scope-new-defaults:
+            irrelevant-files: *tempest-irrelevant-files
         - devstack-plugin-ceph-tempest-py3:
             # TODO(kopecmartin): make it voting once the below bug is fixed
             # https://bugs.launchpad.net/devstack-plugin-ceph/+bug/1975648
@@ -150,6 +152,8 @@
             irrelevant-files: *tempest-irrelevant-files-3
         - tempest-multinode-full-py3:
             irrelevant-files: *tempest-irrelevant-files
+        - tempest-full-enforce-scope-new-defaults:
+            irrelevant-files: *tempest-irrelevant-files
         #- devstack-plugin-ceph-tempest-py3:
         #    irrelevant-files: *tempest-irrelevant-files
         #- tempest-full-centos-9-stream: