Comment 6 for bug 1933332

Brian Rosmaita (brian-rosmaita) wrote :

> Personally I think the main issue here is that all the identity documentation is explaining the roles as if they were enforced and safe to use.

Erno raises another good point here. It would be good for the VMT to review the Keystone docs to determine the extent to which they explain what can be done with Keystone, vs. what the actual situation is.

A big problem is that the oslo.policy config options enabling the scoped "personas" ('enforce_scope' and 'enforce_new_defaults') must be set in *each* service's conf file. If an operator has a "mixed" deployment (some services respecting scope, some not), you get the situation described in this bug.

We've got at least 3 types of policy configurations possible now:
(1) Legacy, relying on 'roles' only (roughly, current Cinder)
(2) Legacy + reliance on is_admin_project (not sure whether most services use this exclusively, or are still using transition rules like Cinder is)
(3) "Consistent and Secure RBAC" ('enforce_scope' + 'enforce_new_defaults' -- in progress in most services)

(1) + (3) is a really bad combination. (2) + (3) is maybe a bit better, though probably not. The key point is that coordination across services in a deployment is very important, and hopefully that comes across in the OpenStack docs somewhere.
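The per-service check implied above, as an added example that is not part of the original comment, of oslo.policy, or of any OpenStack project: a small Python audit that parses each service's conf file, reads 'enforce_scope' and 'enforce_new_defaults' from its [oslo_policy] section, and flags a deployment where the services disagree. The sample conf fragments are constructed for illustration. Because the value oslo.policy uses when an option is absent depends on the oslo.policy release in use, the script takes that default as a parameter (assumed False here) rather than hard-coding it; 'is_admin_project' reliance is not visible in a service conf, so configurations (1) and (2) are both reported as "legacy".

```python
import configparser
from typing import Dict, Tuple

# Constructed sample conf fragments for a "mixed" deployment (not real files).
SAMPLE_CONFS: Dict[str, str] = {
    "keystone": """
[DEFAULT]
debug = False

[oslo_policy]
enforce_scope = True
enforce_new_defaults = True
""",
    "nova": """
[DEFAULT]
debug = False

[oslo_policy]
enforce_scope = true
enforce_new_defaults = true
""",
    "cinder": """
[DEFAULT]
debug = False

[oslo_policy]
policy_file = policy.yaml
""",
    "glance": """
[DEFAULT]
debug = False

[oslo_policy]
enforce_scope = False
enforce_new_defaults = True
""",
}


def policy_flags(conf_text: str, default: bool = False) -> Tuple[bool, bool]:
    """Return (enforce_scope, enforce_new_defaults) from an oslo.config-style ini file.

    The value used when an option is absent depends on the oslo.policy release,
    so it is passed in as 'default' (assumed False here) rather than hard-coded.
    """
    # strict=False tolerates repeated keys, which oslo.config allows for multi-valued options.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("oslo_policy"):
        return default, default
    sec = parser["oslo_policy"]
    # getboolean accepts the true/false/yes/no/on/off/1/0 spellings oslo.config accepts.
    scope = sec.getboolean("enforce_scope", fallback=default)
    new_defaults = sec.getboolean("enforce_new_defaults", fallback=default)
    return scope, new_defaults


def classify(scope: bool, new_defaults: bool) -> str:
    """Map the two flags onto the configuration types named in the comment."""
    if scope and new_defaults:
        return "new-rbac"   # type (3): both options set
    if not scope and not new_defaults:
        return "legacy"     # type (1) or (2); is_admin_project use is not visible here
    return "partial"        # only one of the two options set


def audit(confs: Dict[str, str], default: bool = False) -> Tuple[Dict[str, str], bool]:
    """Classify every service conf and report whether the deployment is mixed."""
    results = {name: classify(*policy_flags(text, default)) for name, text in confs.items()}
    mixed = len(set(results.values())) > 1
    return results, mixed


if __name__ == "__main__":
    results, mixed = audit(SAMPLE_CONFS)
    for name, kind in sorted(results.items()):
        print(f"{name:10s} {kind}")
    if mixed:
        print("MIXED DEPLOYMENT: scope enforcement differs between services")
    else:
        print("consistent policy configuration across services")
```

Run it against the real files (for example /etc/keystone/keystone.conf, /etc/nova/nova.conf, and so on) by reading each into the dict in place of the constructed fragments; any result other than every service in the same class is the situation the comment warns about.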