Deploy Neutron with enforced new RBAC rules
This patch adds a new config option, NEUTRON_ENFORCE_SCOPE, which,
if set to True, deploys Neutron with "enforce_new_defaults" and
"enforce_scope" both enabled in oslo_policy, so the new RBAC defaults and
scopes are enforced.
It will also use SYSTEM_ADMIN user to interact with Neutron where it is
needed.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/798821
Change-Id: I14d934f0deced34d74003b92824cad3c44ec4f5e
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index a5a608d..b906a1b 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -90,6 +90,11 @@
NEUTRON_UWSGI_CONF=$NEUTRON_CONF_DIR/neutron-api-uwsgi.ini
+# If NEUTRON_ENFORCE_SCOPE == True, it will set "enforce_scope"
+# and "enforce_new_defaults" to True in the Neutron's config to enforce usage
+# of the new RBAC policies and scopes.
+NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)
+
# Agent binaries. Note, binary paths for other agents are set in per-service
# scripts in lib/neutron_plugins/services/
AGENT_DHCP_BINARY="$NEUTRON_BIN_DIR/neutron-dhcp-agent"
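Review bot: The new option's comment documents only the True case; a reader of local.conf cannot tell from it what the default does, and the default is the security-relevant choice because it leaves Neutron on the legacy, unscoped policies. I would extend the comment with a line such as `# Defaults to False, which keeps the legacy (pre-secure-RBAC) policy defaults in effect.` and, since the name no longer matches the NEUTRON_ENFORCE_NEW_DEFAULTS spelling used elsewhere in this change's description, make sure that spelling is used consistently so operators set the variable that is actually read on the next line.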
@@ -489,6 +494,19 @@
if [[ $Q_SERVICE_PLUGIN_CLASSES != '' ]]; then
iniset $NEUTRON_CONF DEFAULT service_plugins $Q_SERVICE_PLUGIN_CLASSES
fi
+ configure_rbac_policies
+}
+
+# configure_rbac_policies() - Configure Neutron to enforce new RBAC
+# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
+function configure_rbac_policies {
+ if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
+ iniset $NEUTRON_CONF oslo_policy enforce_scope True
+ else
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults False
+ iniset $NEUTRON_CONF oslo_policy enforce_scope False
+ fi
}
# Start running OVN processes
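Review bot: The else branch in configure_rbac_policies does not merely leave enforcement off, it writes explicit `enforce_new_defaults = False` and `enforce_scope = False` into neutron.conf, which pins the deployment to the legacy policy set even if oslo.policy or Neutron later flip their shipped defaults, and it will presumably clobber either key if something earlier in configure_neutron set them (the call site is the last statement of a function whose start is outside this hunk). That is acceptable for a test deployment but deserves a why-comment, e.g. `# Explicitly pin legacy policy behaviour when not enforcing, so a change in the library defaults cannot silently alter what this deployment tests.` A smaller point of style: the surrounding file uses `[[ … ]]` (see the Q_SERVICE_PLUGIN_CLASSES test just above), so the condition would read more consistently as `if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" ]]; then`.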