From 5f5002a3781e255a16711f99cb784a28d6f27258 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Tue, 26 Oct 2021 10:50:37 +0200
Subject: [PATCH] Revert "Revert "Add enforce_scope setting support for keystone""

This reverts commit 26bd94b45efb63683072006e4281dd34a313d881.

Reason for revert: Devstack keystone creation/setup are moved to scope tokens, so we can reintroduce the scope check enable.

Change-Id: I6e1c261196dbcaf632748fb6f04e0867648b76c7
---
 lib/keystone | 11 +++++++++++
 lib/tempest  |  9 +++++++++
 2 files changed, 20 insertions(+)

diff --git a/lib/keystone b/lib/keystone
index b953972dd3..a4c8a52121 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -124,6 +124,12 @@ KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
 # Whether to create a keystone admin endpoint for legacy applications
 KEYSTONE_ADMIN_ENDPOINT=$(trueorfalse False KEYSTONE_ADMIN_ENDPOINT)
 
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Identity API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+
 # Functions
 # ---------
 
@@ -259,6 +265,11 @@ function configure_keystone {
         iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
         iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
     fi
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+        iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
+        iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+    fi
 }
 
 # create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/tempest b/lib/tempest
index adffeda371..9d5e1fce9f 100644
--- a/lib/tempest
+++ b/lib/tempest
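Review bot: The `KEYSTONE_ENFORCE_SCOPE` branch added to configure_keystone does more than the variable's header comment in the first hunk says: besides `oslo_policy enforce_scope true` it also writes `enforce_new_defaults true`, which switches keystone from the deprecated legacy policy rules to oslo.policy's new role-based defaults, and forces `policy_file policy.yaml`. Anyone turning the flag on from lib/keystone's header will expect only scope checking to change, so the comment should name the second effect, e.g. append `# Enabling it also sets oslo_policy.enforce_new_defaults, so the new` / `# role-based default policies are enforced together with token scope.` to the comment block above `KEYSTONE_ENFORCE_SCOPE=`. A one-line comment on the `policy_file policy.yaml` iniset explaining why the file is pinned under this flag (presumably so the YAML defaults are what gets evaluated, but that is not stated in the hunk) would likewise save the next reader from guessing. configure_keystone's body starts outside the hunk.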
@@ -608,6 +608,15 @@ function configure_tempest { fi done + # ``enforce_scope`` + # If services enable the enforce_scope for their policy + # we need to enable the same on Tempest side so that + # test can be run with scoped token. + if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then + iniset $TEMPEST_CONFIG enforce_scope keystone true + iniset $TEMPEST_CONFIG auth admin_system 'all' + iniset $TEMPEST_CONFIG auth admin_project_name '' + fi iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE" iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"