diff --git a/etc/glance-api.conf b/etc/glance-api.conf
index 785ddc96b4..0af0dc94b8 100644
--- a/etc/glance-api.conf
+++ b/etc/glance-api.conf
@@ -487,32 +487,6 @@
 # * [DEFAULT]/node_staging_uri (list value)
 #enabled_import_methods = [glance-direct,web-download,copy-image]
 
-# DEPRECATED:
-# Enforce API access based on common persona definitions used across OpenStack.
-# Enabling this option formalizes project-specific read/write operations, like
-# creating private images or updating the status of shared image, behind the
-# `member` role. It also formalizes a read-only variant useful for
-# project-specific API operations, like listing private images in a project,
-# behind the `reader` role.
-#
-# Operators should take an opportunity to understand glance's new image
-# policies,
-# audit assignments in their deployment, and update permissions using the
-# default
-# roles in keystone (e.g., `admin`, `member`, and `reader`).
-#
-# Related options:
-# * [oslo_policy]/enforce_new_defaults
-# (boolean value)
-# This option is deprecated for removal since Wallaby.
-# Its value may be silently ignored in the future.
-# Reason:
-# This option has been introduced to require operators to opt into enforcing
-# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
-# Wallaby release. This behavior will be the default and STABLE in a future
-# release, allowing this option to be removed.
-#enforce_secure_rbac = false
-
 #
 # The URL to this worker.
 #
@@ -1771,6 +1745,11 @@
 # (string value)
 #mysql_sql_mode = TRADITIONAL
 
+# For Galera only, configure wsrep_sync_wait causality checks on new
+# connections. Default is None, meaning don't configure any setting. (integer
+# value)
+#mysql_wsrep_sync_wait =
+
 # DEPRECATED: If True, transparently enables support for handling MySQL Cluster
 # (NDB). (boolean value)
 # This option is deprecated for removal since 12.1.0.
@@ -2224,6 +2203,22 @@
 # (string value)
 #s3_store_host =
 
+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+# * A valid region name
+#
+# Related Options:
+# * s3_store_host
+#
+# (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@@ -3941,6 +3936,22 @@
 # (string value)
 #s3_store_host =
 
+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+# * A valid region name
+#
+# Related Options:
+# * s3_store_host
+#
+# (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@@ -4872,6 +4883,14 @@
 # Deprecated group/name - [DEFAULT]/disk_formats
 #disk_formats = ami,ari,aki,vhd,vhdx,vmdk,raw,qcow2,vdi,iso,ploop
 
+# A list of strings describing allowed VMDK 'create-type' subformats that will
+# be allowed. This is recommended to only include single-file-with-sparse-header
+# variants to avoid potential host file exposure due to processing named
+# extents. If this list is empty, then no VDMK image types allowed. Note that
+# this is currently only checked during image conversion (if enabled), and
+# limits the types of VMDK images we will convert from. (list value)
+#vmdk_allowed_types = streamOptimized,monolithicSparse
+
 
 [key_manager]
 
@@ -5761,7 +5780,7 @@
 # ``InvalidScope`` exception will be raised. If ``False``, a message will be
 # logged informing operators that policies are being invoked with mismatching
 # scope. (boolean value)
-#enforce_scope = false
+#enforce_scope = true
 
 # This option controls whether or not to use old deprecated defaults when
 # evaluating policies. If ``True``, the old deprecated defaults are not going to
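Review bot: The added help text for `s3_store_region_name` has a doubled word in "we we will try to compute it", and it does not say what happens when a region cannot be derived from `s3_store_host`. The corrected line would read `# If this parameter is not set, we will try to compute it from the`. The same text is added at @@ -3941 in this file and in the s3 hunks of glance-cache.conf and glance-scrubber.conf. If these samples are generated from the option's help string, which I cannot confirm from the diff, the fix belongs in that help string rather than here.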
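Review bot: The `vmdk_allowed_types` comment added before `[key_manager]` misspells the format as "VDMK" and drops the verb, so the line should read `# extents. If this list is empty, then no VMDK image types are allowed. Note that`. Its opening sentence also says "allowed" twice. More importantly, the text states that the list is only checked during image conversion (if enabled), so an operator should not read it as rejecting named-extent VMDKs at upload or import. That limit is worth stating before the recommendation rather than in the last sentence. The wording probably comes from the option's help string, so the change would need to be made there.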
@@ -5772,7 +5791,7 @@
 # deprecated policy check string is logically OR'd with the new policy check
 # string, allowing for a graceful upgrade experience between releases with new
 # policies, which is the default behavior. (boolean value)
-#enforce_new_defaults = false
+#enforce_new_defaults = true
 
 # The relative or absolute path of a file that maps roles to permissions for a
 # given service. Relative paths must be specified in relation to the
diff --git a/etc/glance-cache.conf b/etc/glance-cache.conf
index 9aeabff981..62c90638db 100644
--- a/etc/glance-cache.conf
+++ b/etc/glance-cache.conf
@@ -429,32 +429,6 @@
 # * [DEFAULT]/node_staging_uri (list value)
 #enabled_import_methods = [glance-direct,web-download,copy-image]
 
-# DEPRECATED:
-# Enforce API access based on common persona definitions used across OpenStack.
-# Enabling this option formalizes project-specific read/write operations, like
-# creating private images or updating the status of shared image, behind the
-# `member` role. It also formalizes a read-only variant useful for
-# project-specific API operations, like listing private images in a project,
-# behind the `reader` role.
-#
-# Operators should take an opportunity to understand glance's new image
-# policies,
-# audit assignments in their deployment, and update permissions using the
-# default
-# roles in keystone (e.g., `admin`, `member`, and `reader`).
-#
-# Related options:
-# * [oslo_policy]/enforce_new_defaults
-# (boolean value)
-# This option is deprecated for removal since Wallaby.
-# Its value may be silently ignored in the future.
-# Reason:
-# This option has been introduced to require operators to opt into enforcing
-# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
-# Wallaby release. This behavior will be the default and STABLE in a future
-# release, allowing this option to be removed.
-#enforce_secure_rbac = false
-
 #
 # The URL to this worker.
 #
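Review bot: In the glance-api.conf hunk at @@ -5772, the context comment above `enforce_new_defaults` still ends with "which is the default behavior" while the sample value changes to `true`. That sentence starts outside the hunk, but it appears to describe the mode where deprecated check strings are OR'd with the new ones, which would be the `False` case; if so, the comment and the shown default now disagree. An operator reading the sample could conclude that the old, more permissive policy defaults still apply after upgrade. Suggest dropping the clause so the line reads `# policies. (boolean value)`, or naming the default explicitly. The same stale wording sits above the identical change in glance-cache.conf (@@ -2479) and glance-scrubber.conf (@@ -2592).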
@@ -1557,6 +1531,22 @@
 # (string value)
 #s3_store_host =
 
+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+# * A valid region name
+#
+# Related Options:
+# * s3_store_host
+#
+# (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@@ -2468,7 +2458,7 @@
 # ``InvalidScope`` exception will be raised. If ``False``, a message will be
 # logged informing operators that policies are being invoked with mismatching
 # scope. (boolean value)
-#enforce_scope = false
+#enforce_scope = true
 
 # This option controls whether or not to use old deprecated defaults when
 # evaluating policies. If ``True``, the old deprecated defaults are not going to
@@ -2479,7 +2469,7 @@
 # deprecated policy check string is logically OR'd with the new policy check
 # string, allowing for a graceful upgrade experience between releases with new
 # policies, which is the default behavior. (boolean value)
-#enforce_new_defaults = false
+#enforce_new_defaults = true
 
 # The relative or absolute path of a file that maps roles to permissions for a
 # given service. Relative paths must be specified in relation to the
diff --git a/etc/glance-manage.conf b/etc/glance-manage.conf
index 55eebdca59..33fc33be50 100644
--- a/etc/glance-manage.conf
+++ b/etc/glance-manage.conf
@@ -178,6 +178,11 @@
 # (string value)
 #mysql_sql_mode = TRADITIONAL
 
+# For Galera only, configure wsrep_sync_wait causality checks on new
+# connections. Default is None, meaning don't configure any setting. (integer
+# value)
+#mysql_wsrep_sync_wait =
+
 # DEPRECATED: If True, transparently enables support for handling MySQL Cluster
 # (NDB). (boolean value)
 # This option is deprecated for removal since 12.1.0.
diff --git a/etc/glance-scrubber.conf b/etc/glance-scrubber.conf
index a71cb2907b..b2d80567f5 100644
--- a/etc/glance-scrubber.conf
+++ b/etc/glance-scrubber.conf
@@ -429,32 +429,6 @@
 # * [DEFAULT]/node_staging_uri (list value)
 #enabled_import_methods = [glance-direct,web-download,copy-image]
 
-# DEPRECATED:
-# Enforce API access based on common persona definitions used across OpenStack.
-# Enabling this option formalizes project-specific read/write operations, like
-# creating private images or updating the status of shared image, behind the
-# `member` role. It also formalizes a read-only variant useful for
-# project-specific API operations, like listing private images in a project,
-# behind the `reader` role.
-#
-# Operators should take an opportunity to understand glance's new image
-# policies,
-# audit assignments in their deployment, and update permissions using the
-# default
-# roles in keystone (e.g., `admin`, `member`, and `reader`).
-#
-# Related options:
-# * [oslo_policy]/enforce_new_defaults
-# (boolean value)
-# This option is deprecated for removal since Wallaby.
-# Its value may be silently ignored in the future.
-# Reason:
-# This option has been introduced to require operators to opt into enforcing
-# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
-# Wallaby release. This behavior will be the default and STABLE in a future
-# release, allowing this option to be removed.
-#enforce_secure_rbac = false
-
 #
 # The URL to this worker.
 #
@@ -789,6 +763,11 @@
 # (string value)
 #mysql_sql_mode = TRADITIONAL
 
+# For Galera only, configure wsrep_sync_wait causality checks on new
+# connections. Default is None, meaning don't configure any setting. (integer
+# value)
+#mysql_wsrep_sync_wait =
+
 # DEPRECATED: If True, transparently enables support for handling MySQL Cluster
 # (NDB). (boolean value)
 # This option is deprecated for removal since 12.1.0.
@@ -1654,6 +1633,22 @@
 # (string value)
 #s3_store_host =
 
+#
+# The S3 region name.
+#
+# This parameter will set the region_name used by boto.
+# If this parameter is not set, we we will try to compute it from the
+# s3_store_host.
+#
+# Possible values:
+# * A valid region name
+#
+# Related Options:
+# * s3_store_host
+#
+# (string value)
+#s3_store_region_name =
+
 #
 # The S3 query token access key.
 #
@@ -2581,7 +2576,7 @@
 # ``InvalidScope`` exception will be raised. If ``False``, a message will be
 # logged informing operators that policies are being invoked with mismatching
 # scope. (boolean value)
-#enforce_scope = false
+#enforce_scope = true
 
 # This option controls whether or not to use old deprecated defaults when
 # evaluating policies. If ``True``, the old deprecated defaults are not going to
@@ -2592,7 +2587,7 @@
 # deprecated policy check string is logically OR'd with the new policy check
 # string, allowing for a graceful upgrade experience between releases with new
 # policies, which is the default behavior. (boolean value)
-#enforce_new_defaults = false
+#enforce_new_defaults = true
 
 # The relative or absolute path of a file that maps roles to permissions for a
 # given service. Relative paths must be specified in relation to the