commit 26bd94b45efb63683072006e4281dd34a313d881
author Ghanshyam <gmann@ghanshyammann.com> Tue Aug 10 14:49:54 2021 +0000
committer Ghanshyam Mann <gmann@ghanshyammann.com> Tue Aug 10 09:54:01 2021 -0500
tree c22e17eca5f6e81ffa456303c49d952f5180844b
parent 971dfbf8a0500497463a02e2d868e8d5eeb54826

Revert "Add enforce_scope setting support for keystone"

This reverts commit 9dc2b88eb42a5f98f43bc8ad3dfa3962a4d44d74.

Reason for revert: Devstack creation/setup the things are not yet moved to scope tokens so we need to wait for that first and then do the scope check enable globally. 

Change-Id: If0368aca39c1325bf90abd23831118b89e746222

lib/keystone

diff --git a/lib/keystone b/lib/keystone
index e282db0..66e867c 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -134,12 +134,6 @@
 # Cache settings
 KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
 
-# Flag to set the oslo_policy.enforce_scope. This is used to switch
-# the Identity API policies to start checking the scope of token. By Default,
-# this flag is False.
-# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
-KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
-
 # Functions
 # ---------
 
@@ -287,11 +281,6 @@
         iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
         iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
     fi
-    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
-        iniset $KEYSTONE_CONF oslo_policy enforce_scope true
-        iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
-        iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
-    fi
 }
 
 # create_keystone_accounts() - Sets up common required keystone accounts

lib/tempest

diff --git a/lib/tempest b/lib/tempest
index 3fa7ce0..d39fa1c 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -600,15 +600,6 @@
         fi
     done
 
-    # ``enforce_scope``
-    # If services enable the enforce_scope for their policy
-    # we need to enable the same on Tempest side so that
-    # test can be run with scoped token.
-    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
-        iniset $TEMPEST_CONFIG enforce_scope keystone true
-        iniset $TEMPEST_CONFIG auth admin_system 'all'
-        iniset $TEMPEST_CONFIG auth admin_project_name ''
-    fi
     iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
 
     iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"