Merge "Allow configuring secure RBAC in nova"

deployment/nova/nova-api-container-puppet.yaml

@@ -59,6 +59,17 @@ parameters:
     default: 0
     description: Number of workers for Nova services.
     type: number
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
   KeystoneRegion:
     type: string
     default: 'regionOne'
@@ -431,6 +442,8 @@ outputs:
             nova::cron::archive_deleted_rows::all_cells: {get_param: NovaCronArchiveDeleteAllCells}
             nova::cron::archive_deleted_rows::age: {get_param: NovaCronArchiveDeleteRowsAge}
             nova::cron::archive_deleted_rows::task_log: {get_param: NovaCronArchiveDeleteRowsTaskLog}
+            nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
+            nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
           - if:
             - nova_workers_set
             - nova::api::osapi_compute_workers: {get_param: NovaWorkers}