Global option for enforcing scope (ENFORCE_SCOPE)
This updates each devstack service library to honour it as the
default for the service-specific RBAC configuration.
Change-Id: I41061d042206c411ee3dd94ce91098e612af7ae7
diff --git a/.zuul.yaml b/.zuul.yaml
index fc80e6c..0f04716 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -646,10 +646,7 @@
This job runs the devstack with scope checks enabled.
vars:
devstack_localrc:
- # Keep enabeling the services here to run with system scope
- CINDER_ENFORCE_SCOPE: true
- GLANCE_ENFORCE_SCOPE: true
- NEUTRON_ENFORCE_SCOPE: true
+ ENFORCE_SCOPE: true
- job:
name: devstack-multinode
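Review bot: Switching the job to the single `ENFORCE_SCOPE: true` widens what it exercises beyond the three services the removed lines named: every library that now consults the global (lib/keystone, lib/cinder, lib/glance, both neutron libs, the ironic check) will enforce scope, and lib/tempest will in turn set `auth admin_system 'all'` and clear `admin_project_name` because its keystone branch fires. If that broadening is intended, the removed comment should be replaced by one that says so, e.g. `# ENFORCE_SCOPE enables scope checks for every service that supports it`. If keystone was meant to stay out of this job, the per-service variables are the only way to express that, since the libraries OR them with the global rather than letting it override them.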
diff --git a/functions-common b/functions-common
index b2cf9d9..603e7d8 100644
--- a/functions-common
+++ b/functions-common
@@ -1154,7 +1154,7 @@
}
function is_ironic_enforce_scope {
- is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]] && return 0
+ is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]] && return 0
return 1
}
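Review bot: The `|| "$ENFORCE_SCOPE" == "True"` disjunction added here is the same test this change copies by hand into lib/cinder, lib/glance, lib/keystone, both neutron libs and lib/tempest, and the copies already differ cosmetically in how `True` is quoted; a shared helper in functions-common would keep them in lockstep and make future per-service additions a one-liner. Something like `function is_enforce_scope { local var="${1}_ENFORCE_SCOPE"; [[ "${!var}" == "True" || "$ENFORCE_SCOPE" == "True" ]]; }` lets this function become `is_service_enabled ironic && is_enforce_scope IRONIC && return 0` and the libraries `if is_enforce_scope CINDER; then`. Indirect expansion is safe here because this file is already bash-only (it uses `[[`), and an unset per-service variable simply expands to empty and falls through to the global.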
diff --git a/lib/cinder b/lib/cinder
index b029fa0..52818a8 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -380,7 +380,7 @@
iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
fi
- if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $CINDER_CONF oslo_policy enforce_scope true
iniset $CINDER_CONF oslo_policy enforce_new_defaults true
fi
diff --git a/lib/glance b/lib/glance
index 9bba938..04b9011 100644
--- a/lib/glance
+++ b/lib/glance
@@ -432,7 +432,7 @@
iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
fi
- if [[ "$GLANCE_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
diff --git a/lib/keystone b/lib/keystone
index a4c8a52..80a136f 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -265,7 +265,7 @@
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
diff --git a/lib/neutron b/lib/neutron
index e7719d4..f24ccfb 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -632,7 +632,7 @@
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
function configure_rbac_policies {
- if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "ENFORCE_SCOPE" == "True" ]]; then
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
iniset $NEUTRON_CONF oslo_policy enforce_scope True
else
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index b906a1b..253b457 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -500,7 +500,7 @@
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
function configure_rbac_policies {
- if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == True ]]; then
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
iniset $NEUTRON_CONF oslo_policy enforce_scope True
else
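Review bot: The function header comment at the top of the hunk still says enforcement happens "if NEUTRON_ENFORCE_SCOPE == True", which the new condition makes incomplete; update it to `# policies and scopes if NEUTRON_ENFORCE_SCOPE or ENFORCE_SCOPE == True`. The comparison quotes `"True"` for the neutron variable but leaves `True` bare for the global; both are literals so behaviour is identical, but matching the quoting (`"$ENFORCE_SCOPE" == "True"`) keeps the line consistent with the same check in functions-common. The else branch of configure_rbac_policies continues past the hunk.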
diff --git a/lib/tempest b/lib/tempest
index 4504663..1fd4184 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -607,14 +607,19 @@
# If services enable the enforce_scope for their policy
# we need to enable the same on Tempest side so that
# test can be run with scoped token.
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $TEMPEST_CONFIG enforce_scope keystone true
iniset $TEMPEST_CONFIG auth admin_system 'all'
iniset $TEMPEST_CONFIG auth admin_project_name ''
fi
- iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
- iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+ if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+ iniset $TEMPEST_CONFIG enforce_scope glance true
+ fi
+
+ if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+ iniset $TEMPEST_CONFIG enforce_scope cinder true
+ fi
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
# libvirt-lxc does not support boot from volume or attaching volumes
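Review bot: The new guards write `enforce_scope glance` and `enforce_scope cinder` only when enforcement is on, whereas the removed lines always wrote the variable's value, so a service with enforcement disabled now leaves the option unset in tempest.conf and depends on Tempest's default (presumably false — worth confirming) or on whatever a pre-existing tempest.conf already holds. If the explicit pin is wanted, add an `else` branch to each block: `else` / `iniset $TEMPEST_CONFIG enforce_scope glance false`, and the same for cinder. Otherwise a one-line comment above the glance block stating that the option is intentionally left at Tempest's default when disabled would make the behaviour change deliberate rather than accidental.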
diff --git a/stackrc b/stackrc
index 681e9de..72180d0 100644
--- a/stackrc
+++ b/stackrc
@@ -179,6 +179,10 @@
# TODO(frickler): Drop this when plugins no longer need it
IDENTITY_API_VERSION=3
+# Global option for enforcing scope. If enabled, ENFORCE_SCOPE overrides
+# each services ${SERVICE}_ENFORCE_SCOPE variables
+ENFORCE_SCOPE=$(trueorfalse False ENFORCE_SCOPE)
+
# Enable use of Python virtual environments. Individual project use of
# venvs are controlled by the PROJECT_VENV array; every project with
# an entry in the array will be installed into the named venv.
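Review bot: The comment added above `ENFORCE_SCOPE` says the global option "overrides" each service's variable, but the service libraries in this change OR the two together (`"$X_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True`), so `ENFORCE_SCOPE=True` enables enforcement everywhere while `ENFORCE_SCOPE=False` leaves each per-service setting in effect; it cannot turn off enforcement that a per-service variable enabled. Suggest `# Global option for enforcing scope. When True, scope enforcement is enabled` / `# for every service regardless of its ${SERVICE}_ENFORCE_SCOPE variable;` / `# when False, the per-service variables decide.` If the current wording is kept, "each services" should be "each service's". Normalising through `trueorfalse` here is the right call, since the libraries compare against the literal `True`.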