From cdbe43e2e95cac88210820639079bfae8a3431a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Mon, 11 Mar 2024 15:03:29 -0400
Subject: [PATCH] Enable Secure RBAC in Keystone

This patch enables Secure RBAC (enforce_scope and enforce_new_defaults) in Keystone since the policies have been updated to accept both scoped tokens as well as legacy "admin" role tokens. [1]
[1] https://opendev.org/openstack/keystone/commit/f2f1a5c38847ddc5aa28eec9722885d9c64c6e7b
Depends-On: https://review.opendev.org/c/openstack/keystone/+/913999
Change-Id: I4d4c6f250a08a86bd5838679a3ef2c0ad887f265
---
 zuul.d/integrated-gate.yaml | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/zuul.d/integrated-gate.yaml b/zuul.d/integrated-gate.yaml
index f508240095..67a7bb1338 100644
--- a/zuul.d/integrated-gate.yaml
+++ b/zuul.d/integrated-gate.yaml
@@ -374,15 +374,7 @@
 This job runs the Tempest tests with scope and new defaults enabled.
 vars:
 devstack_localrc:
- # Enabaling the scope and new defaults for services.
- # NOTE: (gmann) We need to keep keystone scope check disable as
- # services (except ironic) does not support the system scope and
- # they need keystone to continue working with project scope. Until
- # Keystone policies are changed to work for both system as well as
- # for project scoped, we need to keep scope check disable for
- # keystone.
- # Nova, Glance, and Neutron have enabled the new defaults and scope
- # by default in devstack.
+ KEYSTONE_ENFORCE_SCOPE: true
 CINDER_ENFORCE_SCOPE: true
 PLACEMENT_ENFORCE_SCOPE: true