From 227b9bcc5b58f0d5aa07cec02cad4a43a888d436 Mon Sep 17 00:00:00 2001
From: Julia Kreger <juliaashleykreger@gmail.com>
Date: Tue, 23 Jan 2024 10:00:45 -0800
Subject: [PATCH] force rbac policy to only leverage the new policy

Upstream, Ironic has put forth a lot of work on improved policies,
to improve security and overall capabilities. This change locks the
default to use only the new policies which overall sets the most
appropriate state for usage moving forward.

Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
---
 templates/common/config/ironic.conf             | 3 +++
 templates/ironicinspector/config/inspector.conf | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/templates/common/config/ironic.conf b/templates/common/config/ironic.conf
index d74b828c..331c4793 100644
--- a/templates/common/config/ironic.conf
+++ b/templates/common/config/ironic.conf
@@ -106,6 +106,9 @@ user_domain_name=Default
 project_name=service
 project_domain_name=Default
 
+[oslo_policy]
+enforce_scope=True
+enforce_new_defaults=True
 {{end}}
 
 [conductor]
diff --git a/templates/ironicinspector/config/inspector.conf b/templates/ironicinspector/config/inspector.conf
index ec1283ba..c15a4bdd 100644
--- a/templates/ironicinspector/config/inspector.conf
+++ b/templates/ironicinspector/config/inspector.conf
@@ -56,6 +56,9 @@ project_domain_name=Default
 project_name=services
 user_domain_name=Default
 
+[oslo_policy]
+enforce_scope=True
+enforce_new_defaults=True
 {{end}}
 
 [processing]