Allow configuring secure RBAC in glance

Adding new parameter GlanceEnforceSecureRbac to support for project
persona of secure RBAC.

To make the secure RBAC work, 'oslo_policy/enforce_new_defaults' is
also required to be enabled with 'enforce_secure_rbac' in glance.

Depends-On: I1db7fa2694bc9a448a47e435cfd95264504086c6
Partially Implements: blueprint secure-rbac

Change-Id: I312f9255adbaec270d4e3379e9f8c8fdf716c190

deployment/glance/glance-api-container-puppet.yaml

@@ -193,6 +193,17 @@ parameters:
     description: >
       When using GlanceBackend 'file' and 'rbd' to enable or not sparse upload.
     type: boolean
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
   KeystoneRegion:
     type: string
     default: 'regionOne'
@@ -574,6 +585,10 @@ outputs:
           - if:
             - glance_workers_set
             - glance::api::workers: {get_param: GlanceWorkers}
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - glance::api::enforce_secure_rbac: true
+              glance::policy::enforce_new_defaults: true
           - if:
             - cinder_backend_enabled
             - glance::backend::cinder::cinder_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri]}

releasenotes/notes/enable_secure_rbac_support_for_glance-167d53c491cd326c.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The new parameter ``EnforceSecureRbac`` has been added to
+    enforce authorization based on common RBAC personas.
+    Currently in glance the support is only available for project-admin,
+    project-member and project-reader personas and system personas
+    will come in a later release.