I looked over the keystone docs and did some googling and I did not find anywhere that keystone specifically calls out to enable "enforce_scope" to avoid this outside of the release notes, so this is definitely an area for improvement.
I imagine a warning or note could be added to the roles documentation in keystone, perhaps here[0].
This may need to be propagated across all the services documentation as well since it needs to be configured in each service's conf.
[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html