Revert "Revert "Add enforce_scope setting support for keystone""

This reverts commit 26bd94b45efb63683072006e4281dd34a313d881.

Reason for revert: Devstack's keystone creation/setup has moved to
scoped tokens, so we can reintroduce the option to enable the scope check.

Change-Id: I6e1c261196dbcaf632748fb6f04e0867648b76c7
diff --git a/lib/keystone b/lib/keystone
index b953972..a4c8a52 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -124,6 +124,12 @@
 # Whether to create a keystone admin endpoint for legacy applications
 KEYSTONE_ADMIN_ENDPOINT=$(trueorfalse False KEYSTONE_ADMIN_ENDPOINT)
 
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Identity API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+
 # Functions
 # ---------
 
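Review bot: The comment above `KEYSTONE_ENFORCE_SCOPE` describes only `oslo_policy.enforce_scope`, but in this same commit the flag also turns on `enforce_new_defaults` and sets `policy_file` in keystone.conf, and it switches Tempest's admin credentials to system scope in lib/tempest. Someone flipping it to test scope checking alone also gets a different set of authorization policies, so the comment should say so, for example `# Setting this to True also enables oslo_policy.enforce_new_defaults, sets policy_file to policy.yaml,` followed by `# and makes Tempest use system-scoped admin credentials.` The sentence "By Default, this flag is False" would be more accurate as "when False, devstack writes none of these options and the oslo.policy defaults apply", because the second lib/keystone hunk has no else branch.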
@@ -259,6 +265,11 @@
         iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
         iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
     fi
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+        iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
+        iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+    fi
 }
 
 # create_keystone_accounts() - Sets up common required keystone accounts
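Review bot: The new `if` block writes the three `oslo_policy` options only when the flag is True and never resets them, so False means "leave whatever is there" rather than "scope checking off". The effective value then depends on the oslo.policy default of the installed release and, if keystone.conf can survive from an earlier run (not visible in this hunk), on what that run wrote. A job that believes it is exercising the unscoped path should be able to rely on this switch, since it changes authorization behaviour. Either add an `else` that sets `enforce_scope` and `enforce_new_defaults` to `false` explicitly, or state the intent in a comment such as `# Only the True case is written; with False the installed oslo.policy defaults stay in effect.` The enclosing function starts above this hunk.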
diff --git a/lib/tempest b/lib/tempest
index adffeda..9d5e1fc 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -608,6 +608,15 @@
         fi
     done
 
+    # ``enforce_scope``
+    # If services enable the enforce_scope for their policy
+    # we need to enable the same on Tempest side so that
+    # test can be run with scoped token.
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $TEMPEST_CONFIG enforce_scope keystone true
+        iniset $TEMPEST_CONFIG auth admin_system 'all'
+        iniset $TEMPEST_CONFIG auth admin_project_name ''
+    fi
     iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
 
     iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
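Review bot: The two `auth` lines inside the new block are not keystone-specific: `admin_system 'all'` and the empty `admin_project_name` change the admin credentials Tempest uses for every service, while the condition looks only at `KEYSTONE_ENFORCE_SCOPE`. With `GLANCE_ENFORCE_SCOPE` or `CINDER_ENFORCE_SCOPE` left at False, those services would presumably be tested with a system-scoped admin token, and whether their policies accept it cannot be judged from this hunk. The existing comment explains only the `enforce_scope` line, so it should cover the credential change too, e.g. `# This also switches Tempest's admin credentials to system scope (admin_system=all, no admin project) for all services.` The keystone value is written only in the True case, whereas the glance and cinder lines below always pass their variable through; the two styles should be made consistent or the difference explained. The enclosing function starts and ends outside this hunk.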