Gitiles
Code Review Sign In
spfactory.storpool.com / devstack / 9dc2b88eb42a5f98f43bc8ad3dfa3962a4d44d74^! / . / lib
commit9dc2b88eb42a5f98f43bc8ad3dfa3962a4d44d74[log] [tgz]
authorGhanshyam Mann <gmann@ghanshyammann.com>Fri Mar 05 09:32:19 2021 -0600
committerGhanshyam Mann <gmann@ghanshyammann.com>Fri Mar 05 09:32:19 2021 -0600
treedd742367ce8edcd406fdcdb7490378566e8ab873
parent8f3e51d79f392151023f3853a6c8a3f7b868ecfa [diff]
Add enforce_scope setting support for keystone

Keystone-tempest-plugin has implemented the secure RBAC
tests and enabling the enforce_scope via keystone devstack
plugin. Doing those setting in devstack will help to manage
easily and in central place also avoid restarting the api
service.

Change-Id: I30da189474476d3397152a0a15c2e30a62d712ad

diff --git a/lib/keystone b/lib/keystone
index 66e867c..e282db0 100644
--- a/lib/keystone
+++ b/lib/keystone

@@ -134,6 +134,12 @@
 # Cache settings
 KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
 
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Identity API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+
 # Functions
 # ---------
 
@@ -281,6 +287,11 @@
         iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
         iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
     fi
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+        iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
+        iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+    fi
 }
 
 # create_keystone_accounts() - Sets up common required keystone accounts

diff --git a/lib/tempest b/lib/tempest
index 8a5b785..f210e40 100644
--- a/lib/tempest
+++ b/lib/tempest

@@ -601,6 +601,16 @@
         fi
     done
 
+    # ``enforce_scope``
+    # If services enable the enforce_scope for their policy
+    # we need to enable the same on Tempest side so that
+    # test can be run with scoped token.
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $TEMPEST_CONFIG enforce_scope keystone true
+        iniset $TEMPEST_CONFIG auth admin_system 'all'
+        iniset $TEMPEST_CONFIG auth admin_project_name ''
+    fi
+
     if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
         # libvirt-lxc does not support boot from volume or attaching volumes
         # so basically anything with cinder is out of the question.