From 26bd94b45efb63683072006e4281dd34a313d881 Mon Sep 17 00:00:00 2001
From: Ghanshyam
Date: Tue, 10 Aug 2021 14:49:54 +0000
Subject: [PATCH] Revert "Add enforce_scope setting support for keystone"
This reverts commit 9dc2b88eb42a5f98f43bc8ad3dfa3962a4d44d74.
Reason for revert: Devstack creation/setup the things are not yet moved to scope tokens so we need to wait for that first and then do the scope check enable globally.
Change-Id: If0368aca39c1325bf90abd23831118b89e746222
---
 lib/keystone | 11 -----------
 lib/tempest | 9 ---------
 2 files changed, 20 deletions(-)
diff --git a/lib/keystone b/lib/keystone
index e282db0bfa..66e867ca68 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -134,12 +134,6 @@ KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
 # Cache settings
 KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
-# Flag to set the oslo_policy.enforce_scope. This is used to switch
-# the Identity API policies to start checking the scope of token. By Default,
-# this flag is False.
-# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
-KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
-
 # Functions
 # ---------
@@ -287,11 +281,6 @@ function configure_keystone {
 iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
 iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
 fi
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
- iniset $KEYSTONE_CONF oslo_policy enforce_scope true
- iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
- fi
 }
 # create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/tempest b/lib/tempest
index 3fa7ce0fb2..d39fa1c52b 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -600,15 +600,6 @@ function configure_tempest {
 fi
 done
- # ``enforce_scope``
- # If services enable the enforce_scope for their policy
- # we need to enable the same on Tempest side so that
- # test can be run with scoped token.
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
- iniset $TEMPEST_CONFIG enforce_scope keystone true
- iniset $TEMPEST_CONFIG auth admin_system 'all'
- iniset $TEMPEST_CONFIG auth admin_project_name ''
- fi
 iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
 iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"