Option to disable the scope & new defaults enforcement
In this release cycle, a few services are enabling the
enforce scope and new defaults by default. Example Nova:
- https://review.opendev.org/c/openstack/nova/+/866218
Until the new defaults being enabled by default is released, we
should keep testing the old defaults in existing jobs and we can
add new jobs testing the new defaults. To do that we can provide a
way in devstack to keep scope/new defaults disabled by default, which
can be enabled by setting the enforce_scope variable to true.
Once any service releases the new defaults enabled by default, then
we can switch the behavior, enable the scope/new defaults by default,
and a single job can disable them to keep testing the old defaults
until the service removes those.
Change-Id: I5c2ec3e1667172a75e06458f16cf3d57947b2c53
diff --git a/lib/cinder b/lib/cinder
index bf2fe50..2424f92 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -411,6 +411,9 @@
if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $CINDER_CONF oslo_policy enforce_scope true
iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+ else
+ iniset $CINDER_CONF oslo_policy enforce_scope false
+ iniset $CINDER_CONF oslo_policy enforce_new_defaults false
fi
}
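Review bot: With the added `else` branch, the exact-string test `== True` now decides between writing `true` and writing `false`, so a value such as `true` or `1` in `CINDER_ENFORCE_SCOPE` or `ENFORCE_SCOPE` no longer just leaves the service default in place but explicitly turns scope and new-defaults enforcement off. If these variables are not already normalized where they are defined (not visible in this hunk), normalize them there with devstack's `trueorfalse`, e.g. `ENFORCE_SCOPE=$(trueorfalse False ENFORCE_SCOPE)`, so that a mis-cased setting cannot silently select the legacy policy. The same applies to the keystone, nova and placement hunks, and presumably to glance, whose condition line is outside its hunk. The enclosing function starts outside this hunk.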
diff --git a/lib/glance b/lib/glance
index ba98f41..041acaf 100644
--- a/lib/glance
+++ b/lib/glance
@@ -436,6 +436,10 @@
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
+ else
+ iniset $GLANCE_API_CONF oslo_policy enforce_scope false
+ iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults false
+ iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac false
fi
}
diff --git a/lib/keystone b/lib/keystone
index 80a136f..6cb4aac 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -265,10 +265,15 @@
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
+
+ iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+ else
+ iniset $KEYSTONE_CONF oslo_policy enforce_scope false
+ iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults false
fi
}
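Review bot: The `iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml` line moves out of the `if` and is now written for every deployment, including those kept on the old defaults, but neither the code nor the commit description says why. Presumably this is harmless where `policy.yaml` is already the effective default, but it does mean any overrides in that file are loaded in legacy mode as well, which is worth confirming. A one-line comment above the line would record the intent, e.g. `# policy_file is set for both old and new defaults: <reason>`. The enclosing function starts outside this hunk.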
diff --git a/lib/nova b/lib/nova
index 14eb8fc..3aa6b9e 100644
--- a/lib/nova
+++ b/lib/nova
@@ -490,6 +490,9 @@
if [[ "$NOVA_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
iniset $NOVA_CONF oslo_policy enforce_new_defaults True
iniset $NOVA_CONF oslo_policy enforce_scope True
+ else
+ iniset $NOVA_CONF oslo_policy enforce_new_defaults False
+ iniset $NOVA_CONF oslo_policy enforce_scope False
fi
if is_service_enabled tls-proxy && [ "$NOVA_USE_MOD_WSGI" == "False" ]; then
# Set the service port for a proxy to take the original
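Review bot: Nothing in the code marks the new `else` branch as temporary, although it pins nova to `enforce_new_defaults False` and `enforce_scope False` even after nova itself ships them enabled. The commit description explains that this override is meant to last only until the services release the new defaults, so the branch should carry that note, e.g. `# TODO: flip the default to True once the new defaults are released; drop this branch when the old defaults are removed`. Without it, jobs may keep exercising the more permissive legacy policy long after it stops being the supported default. The same comment fits the cinder, glance, keystone and placement hunks; the function body here continues past the end of the hunk.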
diff --git a/lib/placement b/lib/placement
index bc22c56..c6bf99f 100644
--- a/lib/placement
+++ b/lib/placement
@@ -120,6 +120,9 @@
if [[ "$PLACEMENT_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
iniset $PLACEMENT_CONF oslo_policy enforce_new_defaults True
iniset $PLACEMENT_CONF oslo_policy enforce_scope True
+ else
+ iniset $PLACEMENT_CONF oslo_policy enforce_new_defaults False
+ iniset $PLACEMENT_CONF oslo_policy enforce_scope False
fi
}