Enforcing scope with SRBAC breaks heat

[rabi]

Heat won't work when scope is enforced and it's being used by many of our NFV customers. Rather than making a single property to enable SRBAC, let's split them so that enforce_new_defaults can be set to true by default and customers can toggle enforce_scope if they're not using heat.

jira: https://issues.redhat.com/browse/OSPRH-5753

[rabi]

I've mentioned it in the jira and doing it here too.. The other option is changing keystone default policies[1] to allow domain scope.

[1] https://github.com/openstack/keystone/blob/master/keystone/common/policies/role.py#L98

[vyzigold]

I'll note it here. I just tried to create a stack and it was failing with the following until I disabled SRBAC:

Resource CREATE failed: Forbidden: resources.scaledown_policy: You are not authorized to perform the requested action: identity:list_roles.

My hopes are this PR will fix the issue.

[rabi]

My hopes are this PR will fix the issue.

Toggling enforce_scope will fix the issue as explained in the commit message. You can test with the customServiceConfig as below for keystone.

keystone:
  apiOverride:
    route: {}
  enabled: true
  template:
    adminProject: admin
    adminUser: admin
    containerImage: ""
    customServiceConfig: |
      [oslo_policy]
      enforce_scope=false

[abays]

This looks good to me. @dmendiza What do you think?

[abays]

We at least need this now to unblock other things. If there are objections, we can discuss in a follow-up.

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abays, rabi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abays]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment