Comment 5 for bug 2017056

Andrew Bogott (andrewbogott) wrote :

OK, I have a few questions!

#1 Just to confirm: the concept of system scope is being phased out for everything but Ironic? So, for example, even though project-scoped tokens can't list services right now, they'll be able to again in a future release?

#2 This sample file[1] shows scope requirements being set in policy.yaml in very many places. What am I to make of that w/r/t you asserting here that scope can never be changed in that file?

#3 What is the currently recommended transition path to new policy models? I've now spent many, many hours getting ready to switch 'enforce_scope' and 'enforce_new_defaults' to True, but now I'm getting the impression that I should definitely NOT do that since everything will just change again in a future release... can you advise about how I should go forward? Will enforce_scope=False remain supported until this is sorted out? (The deprecation warnings imply otherwise!)

[1] https://docs.openstack.org/keystone/latest/configuration/samples/policy-yaml.html