Add a configuration option to enable secure RBAC in Heat

This adds a new option called EnableSecureRbac so that you can
enable secure RBAC with keystone in TripleO deployments.

This option sets the necessary oslo.policy configuration options in
Heat's configuration file so support secure RBAC.

Change-Id: I865623feb4338c8f51b56d9916fe20f2c515a86e
Signed-off-by: Kevin Carter <kecarter@redhat.com>

deployment/heat/heat-base-puppet.yaml

@@ -140,6 +140,17 @@ parameters:
     description: |
       Use the advanced (eventlet safe) memcached client pool.
     default: true
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
 
 conditions:
   tls_cache_enabled:
@@ -156,6 +167,10 @@ outputs:
       service_name: heat_base
       config_settings:
         map_merge:
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - heat::policy::enforce_scope: true
+              heat::policy::enforce_new_defaults: true
           - if:
             - cors_allowed_origin_set
             - heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}