Support project personas in cinder

In Xena, cinder adds support for project personas but not system
personas. This patch adds a CinderPolicyEnforceNewDefaults parameter
that controls whether cinder disables its deprecated policies, which
in turn enforces the project-admin, project-member, and project-reader
personas. The parameter defaults to False (cinder's deprecated policies
are enabled).

Change-Id: Ia97fda640b6476b2eade5d202eb0192ee7d79e9b

deployment/cinder/cinder-base.yaml

@@ -105,6 +105,14 @@ parameters:
     type: string
     description: The password for the nova service and db account
     hidden: true
+  CinderPolicyEnforceNewDefaults:
+    default: false
+    description: Set to True to disable cinder's deprecated default policies.
+                 Doing so causes cinder's default policies to enforce the
+                 project based personas associated with secure RBAC. This
+                 parameter will be deprecated in favor of a global EnforceSecureRbac
+                 parameter after cinder adds support for system scoped policies.
+    type: boolean
 
 outputs:
   role_data:
@@ -161,3 +169,4 @@ outputs:
         cinder::nova::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
         cinder::nova::password: {get_param: NovaPassword}
         cinder::nova::region_name: {get_param: KeystoneRegion}
+        cinder::policy::enforce_new_defaults: {get_param: CinderPolicyEnforceNewDefaults}

releasenotes/notes/cinder-support-keystone-project-personas-b71c35c4c1a8bbd8.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    A new ``CinderPolicyEnforceNewDefaults`` parameter adds the ability to
+    disable Cinder's deprecated authorization policies. The default value
+    is False, which means Cinder's deprecated policies are enabled. Setting
+    the parameter to True disables the deprecated policies, which causes
+    Cinder to enforce the project-admin, project-member, and project-reader
+    RBAC personas. Support for system personas is planned for a future release.