Deploy Neutron with enforced new RBAC rules
This patch adds a new config option, NEUTRON_ENFORCE_NEW_DEFAULTS, which,
if set to True, deploys Neutron with enforcement of the new RBAC defaults
and scopes.
It will also use the SYSTEM_ADMIN user to interact with Neutron where
that is needed.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/798821
Change-Id: I14d934f0deced34d74003b92824cad3c44ec4f5e
diff --git a/lib/neutron b/lib/neutron
index 885df97..15d548e 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -37,6 +37,11 @@
NEUTRON_AGENT=${NEUTRON_AGENT:-openvswitch}
NEUTRON_DIR=$DEST/neutron
+# If NEUTRON_ENFORCE_SCOPE == True, it will set "enforce_scope"
+# and "enforce_new_defaults" to True in the Neutron's config to enforce usage
+# of the new RBAC policies and scopes.
+NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)
+
NEUTRON_DISTRIBUTED_ROUTING=$(trueorfalse False NEUTRON_DISTRIBUTED_ROUTING)
# Distributed Virtual Router (DVR) configuration
# Can be:
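Review bot: The option introduced on the `NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)` line does not match the name given in the commit description, which calls it NEUTRON_ENFORCE_NEW_DEFAULTS; one of the two should be corrected so an operator reading the commit can find the knob. Since the comment above the assignment says the option controls both `enforce_scope` and `enforce_new_defaults`, it would help to state the security consequence of leaving it at its default, e.g. `# Default False: Neutron keeps the legacy (pre-scope) policy defaults.` The description also mentions using a SYSTEM_ADMIN user; nothing in the visible hunks does that, so that part presumably lives in another file.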
@@ -232,6 +237,7 @@
if [[ "$NEUTRON_PORT_SECURITY" = "True" ]]; then
neutron_ml2_extension_driver_add port_security
fi
+ configure_rbac_policies
fi
# Neutron OVS or LB agent
@@ -612,6 +618,19 @@
fi
}
+# configure_rbac_policies() - Configure Neutron to enforce new RBAC
+# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
+function configure_rbac_policies {
+ if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
+ iniset $NEUTRON_CONF oslo_policy enforce_scope True
+ else
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults False
+ iniset $NEUTRON_CONF oslo_policy enforce_scope False
+ fi
+}
+
+
function configure_neutron_nova {
if is_neutron_legacy_enabled; then
# Call back to old function
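Review bot: The test in the new `configure_rbac_policies` uses single-bracket `[ "$NEUTRON_ENFORCE_SCOPE" == "True" ]`, whereas the surrounding file (the `NEUTRON_PORT_SECURITY` check at the call site in the earlier hunk) uses `[[ "$var" = "True" ]]`; for consistency and to avoid `==` being non-portable inside `[`, change it to `if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" ]]; then`. The else branch deliberately writes both `oslo_policy` keys to False, which overwrites any pre-existing `enforce_*` setting in `$NEUTRON_CONF` each time configuration runs; that is reasonable for devstack but worth saying in the header comment, e.g. `# When the option is False both keys are explicitly written as False, overriding any existing value.` `$NEUTRON_CONF` is unquoted in the `iniset` calls, matching the rest of the file, so no change is proposed there. `configure_neutron_nova` continues past the end of the hunk.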