-rw-r--r--keystone/conf/token.py8
-rw-r--r--releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml11
2 files changed, 19 insertions, 0 deletions
diff --git a/keystone/conf/token.py b/keystone/conf/token.py
index b93db4d04..6834b0721 100644
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@@ -114,6 +114,14 @@ request for a scoped token to avoid re-scoping altogether.
infer_roles = cfg.BoolOpt(
'infer_roles',
default=True,
+ deprecated_since=versionutils.deprecated.ROCKY,
+ deprecated_reason=utils.fmt("""
+Default roles depend on a chain of implied role assignments. Ex: an admin user
+will also have the reader and member role. By ensuring that all these roles
+will always appear on the token validation response, we can improve the
+simplicity and readability of policy files.
+"""),
+ deprecated_for_removal=True,
help=utils.fmt("""
This controls whether roles should be included with tokens that are not
directly assigned to the token's scope, but are instead linked implicitly to
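Review bot: The `deprecated_reason` on `infer_roles` gives the rationale for always expanding implied roles but does not tell operators who currently run with `infer_roles=False` what changes for them. Once the option is removed, token validation responses for those deployments will start to carry implied roles, so any policy rule that matches on a role name may grant access it did not grant before. I would append a sentence to the reason text such as `Deployments that set this option to False should review their implied role rules and policy files before it is removed, because implied roles will then always appear in token validation responses.` The hunk also uses `versionutils.deprecated.ROCKY` without showing an import, so confirm that `versionutils` is already imported at the top of `keystone/conf/token.py`. The `cfg.BoolOpt(...)` call and its help text continue past the end of the hunk.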
diff --git a/releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml b/releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml
new file mode 100644
index 000000000..ad01e535b
--- /dev/null
+++ b/releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml
@@ -0,0 +1,11 @@
+---
+deprecations:
+ - >
+ The option ``[token] infer_roles=False`` is being deprecated in favor of
+ always expanding role implications during token validation.
+
+ `Default roles <https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html>`_
+ depend on a chain of implied role assignments, ex: an admin user will also
+ have the reader and member role. Therefore by ensuring that all these roles will
+ always appear on the token validation response, we can improve the
+ simplicity and readability of policy files.