author Lance Bragstad <lbragstad@gmail.com> 2018-01-02 15:22:22 +0000
committer Lance Bragstad <lbragstad@gmail.com> 2018-01-02 17:37:44 +0000
commit 8835af6aa5b3c039b0c1b74a2b697fb654ae24dd
tree 05362103f0101c75126a6f221a83e349472c648a
parent 5dc2ab7bcda39b0eab2da06f346f3a2ca1603e83

Add a release note for enforce_scope (1.33.0)

A previous change added the ability to enforce scope using a configuration option:

Ia573b8cac3bf9cee2962790589dea24c7f530ef5

This commit ensures we have a release note to communicate that change.

bp add-scope-to-policy

Change-Id: I1c71aecd247b39c01a3b333e9915aee517079162

-rw-r--r-- releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml 13
1 files changed, 13 insertions, 0 deletions
diff --git a/releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml b/releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml
new file mode 100644
index 0000000..017e6af
--- /dev/null
+++ b/releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ A new configuration option has been added to the ``[oslo_policy]`` group
+ called ``enforce_scope``. When set to ``True``, oslo.policy will raise an
+ ``InvalidScope`` exception if the context passed into the enforce method
+ doesn't match the policy's ``scope_types``. If ``False``, a warning will be
+ logged for operators. Note that operators should only enable this option
+ once they've audited their users to ensure system users have roles on the
+ system. This could potentially prevent some users from being able to make
+ system-level API calls. This will also give other services the flexibility
+ to fix long-standing RBAC issues in OpenStack once they start introducing
+ ``scope_types`` for policies used in their service.
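
Review bot: The note never states the default value of ``enforce_scope``, so from "If ``False``, a warning will be logged for operators" a reader cannot tell whether upgrading changes enforcement or only adds log warnings; say which value is the default. The audit-before-enabling caveat ("operators should only enable this option once they've audited their users ...") is operational guidance sitting mid-paragraph under ``features``; consider moving it to an ``upgrade`` entry where operators look for it. In the following sentence, "This could potentially prevent some users ..." should name setting the option to ``True`` as the cause, since as written "This" reads as if it refers to the audit.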