Keep new RBAC disable by default

oslo.policy has enabled the new RBAC config options
enforce_scope and enforce_new_defaults by default[1][2].

Until Cinder is ready with the new RBAC, we need to continue
disable them by overriding their default values.

NOTE: there is no change in behaviour, cinder continue with the
old RBAC as default.

ref: https://review.opendev.org/c/openstack/requirements/+/925464

[1] https://review.opendev.org/c/openstack/oslo.policy/+/924283
[2] https://review.opendev.org/c/openstack/releases/+/925032

Change-Id: I9cbcf1f108ddd93f33c9b929144ed715100a0567

cinder/common/config.py

@@ -257,4 +257,6 @@ def set_external_library_defaults():
     # setup.cfg.
 
     set_middleware_defaults()
-    policy_opts.set_defaults(CONF, policy_file=DEFAULT_POLICY_FILENAME)
+    policy_opts.set_defaults(CONF, policy_file=DEFAULT_POLICY_FILENAME,
+                             enforce_scope=False,
+                             enforce_new_defaults=False)

cinder/policy.py

@@ -32,8 +32,17 @@ from cinder import policies
 
 CONF = cfg.CONF
 LOG = logging.getLogger(__name__)
+# TODO(gmann): Remove overriding the default value of config options:
+# - 'policy_file' once oslo_policy change their default value to what is
+# overridden here.
+# - 'enforce_scope', and 'enforce_new_defaults' once cinder is ready with the
+# new RBAC (oslo_policy enable them by default)
 DEFAULT_POLICY_FILENAME = 'policy.yaml'
-policy_opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILENAME)
+policy_opts.set_defaults(
+    cfg.CONF,
+    DEFAULT_POLICY_FILENAME,
+    enforce_scope=False,
+    enforce_new_defaults=False)
 
 _ENFORCER: Optional[policy.Enforcer] = None
 

requirements.txt

@@ -20,7 +20,7 @@ oslo.db>=11.0.0 # Apache-2.0
 oslo.log>=4.6.1 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.8.1 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.privsep>=2.6.2 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0