author Ghanshyam Mann <gmann@ghanshyammann.com> 2020-04-06 17:17:20 -0500
committer Ghanshyam Mann <gmann@ghanshyammann.com> 2020-04-07 17:44:14 +0000
commit 99012db14bd0e6f87aa2b79c272c7f5951972d41 (patch)
tree 22f6171c4fe33949c6c3aa881e759f76d15803d7 /releasenotes
parent 8ce161986a4063fa28774fd78c13b777ed3e2004 (diff)
download oslo-policy-99012db14bd0e6f87aa2b79c272c7f5951972d41.tar.gz
Add new config to enforce the new defaults
When policies change their default check_str and are not overridden by the operator, the old default check_str values are added with OrCheck to the new default check_str so that the old defaults keep working.

If operators want to enforce the new defaults with no old defaults, then they have to overwrite the policy rule in the policy file with the new default value. This is not expected and very painful for them, especially when all policies are switching to new defaults. For example:
- https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh+(status:open+OR+status:merged)

This commit adds a new config option to control the new defaults enforcement. If True, then old defaults will not be supported and also no warning will be logged. The new config option defaults to False, so there is no change in behaviour for old users.

Change-Id: I3c2c889af25b723f1eedbe6167d614c6a4bc6cd2
Diffstat (limited to 'releasenotes')
-rw-r--r-- releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml 11
1 files changed, 11 insertions, 0 deletions
diff --git a/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml b/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml
new file mode 100644
index 0000000..8ff851f
--- /dev/null
+++ b/releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml
@@ -0,0 +1,11 @@
+features:
+ - |
+ A new configuration option ``enforce_new_defaults`` has been
+ added to the ``[oslo_policy]`` group to control whether or not to
+ use the old deprecated defaults. If ``True``, the old deprecated
+ defaults are not going to be evaluated which mean if any existing
+ token allowed for old defaults but disallowed for new defaults
+ will be disallowed. It is encouraged to enable this flag along
+ with ``enforce_scope`` flag so that you can get benefits of new
+ defaults and ``scope_type`` together. This way operators can switch
+ to new defaults without overwriting the rule in policy file.
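Review bot: The sentence starting "If ``True``, the old deprecated defaults are not going to be evaluated which mean if any existing token ..." is ungrammatical and leaves the access-control effect unclear. Reword it along the lines of "the old deprecated defaults are not evaluated, so a token that is permitted only by an old default and not by the new default is denied". The note also omits two things the commit message states: that the option defaults to False, so behaviour is unchanged unless an operator opts in, and that no warning is logged for the old defaults when it is True. Operators who read only the release notes need both to judge the impact of enabling the flag.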