Add a global configuration option for secure RBAC

This commit adds a single option that we can use to turn secure RBAC on
in all the OpenStack services. This is a contrasting approach to using
service-specific variables.

We don't intend anyone to use this functionality until we can update
each OpenStack service to use the correct token when communicating with
other services. Deployers should also only use this if they are sure all
services in their deployment actually support secure RBAC, which might
not be for a while, but this allows us to lay down the plumbing in each
service to turn it on now, which will be useful for testing and flushing
out what we need to change in TripleO as well as the upstream services.

Change-Id: I13262a4f1a6e850d66b2c687e730e0c2004c1f29

deployment/keystone/keystone-container-puppet.yaml

@@ -391,6 +391,17 @@ parameters:
     default: ''
     type: string
     hidden: true
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
 
 parameter_groups:
 - label: deprecated