From ea5dff48ca90007123e0549733f18ef93e28c910 Mon Sep 17 00:00:00 2001 From: Alan Bishop Date: Mon, 20 Sep 2021 13:37:40 -0700 Subject: [PATCH] Support project personas in cinder In Xena, cinder adds support for project personas but not system personas. This patch adds a CinderPolicyEnforceNewDefaults parameter that controls whether cinder disables its deprecated policies, which in turn enforces the project-admin, project-member, and project-reader personas. The parameter defaults to False (cinder's deprecated policies are enabled). Change-Id: Ia97fda640b6476b2eade5d202eb0192ee7d79e9b --- deployment/cinder/cinder-base.yaml | 9 +++++++++ ...pport-keystone-project-personas-b71c35c4c1a8bbd8.yaml | 9 +++++++++ 2 files changed, 18 insertions(+) create mode 100644 releasenotes/notes/cinder-support-keystone-project-personas-b71c35c4c1a8bbd8.yaml diff --git a/deployment/cinder/cinder-base.yaml b/deployment/cinder/cinder-base.yaml index 5a0347d7fe..8c40307797 100644 --- a/deployment/cinder/cinder-base.yaml +++ b/deployment/cinder/cinder-base.yaml @@ -105,6 +105,14 @@ parameters: type: string description: The password for the nova service and db account hidden: true + CinderPolicyEnforceNewDefaults: + default: false + description: Set to True to disable cinder's deprecated default policies. + Doing so causes cinder's default policies to enforce the + project based personas associated with secure RBAC. This + parameter will be deprecated in favor of a global EnforceSecureRbac + parameter after cinder adds support for system scoped policies. + type: boolean outputs: role_data: @@ -161,3 +169,4 @@ outputs: cinder::nova::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} cinder::nova::password: {get_param: NovaPassword} cinder::nova::region_name: {get_param: KeystoneRegion} + cinder::policy::enforce_new_defaults: {get_param: CinderPolicyEnforceNewDefaults} 
diff --git a/releasenotes/notes/cinder-support-keystone-project-personas-b71c35c4c1a8bbd8.yaml b/releasenotes/notes/cinder-support-keystone-project-personas-b71c35c4c1a8bbd8.yaml new file mode 100644 index 0000000000..0e4d1ce785 --- /dev/null +++ b/releasenotes/notes/cinder-support-keystone-project-personas-b71c35c4c1a8bbd8.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + A new ``CinderPolicyEnforceNewDefaults`` parameter adds the ability to + disable Cinder's deprecated authorization policies. The default value + is False, which means Cinder's deprecated policies are enabled. Setting + the parameter to True disables the deprecated policies, which causes + Cinder to enforce the project-admin, project-member, and project-reader + RBAC personas. Support for system personas is planned for a future release.
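Review bot: in the `parameters` hunk of cinder-base.yaml, the description of `CinderPolicyEnforceNewDefaults` explains what True does but not what the default of false leaves in place; since the commit message says the default keeps cinder's deprecated policies enabled, state that explicitly in the description (for example "Defaults to False, which leaves cinder's deprecated policies in effect and does not enforce the project personas") so an operator reading the template sees that the secure-RBAC personas are only enforced when they opt in.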
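Review bot: the `outputs` hunk wires `cinder::policy::enforce_new_defaults` into hieradata, which only has an effect if the `cinder::policy` class in puppet-cinder accepts that parameter; add a `Depends-On:` line in the commit message pointing at the puppet-cinder change that introduces it (or note the minimum puppet-cinder version), so this does not merge ahead of the class it depends on and silently leave the setting unapplied.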
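Review bot: the release note omits the deprecation plan that the parameter description in cinder-base.yaml already states, namely that `CinderPolicyEnforceNewDefaults` will be deprecated in favour of a global `EnforceSecureRbac` parameter once cinder supports system-scoped policies; add that sentence to the `features` entry so deployers know this is an interim per-service switch rather than a long-lived interface.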