From 69d71cfdf9c24d48fbea366714f4595cbd120723 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Tue, 10 Jan 2023 20:13:47 -0600
Subject: [PATCH] Option to disable the scope & new defaults enforcement
In this release cycle, a few services are enabling the enforce scope and new defaults by default. Example Nova: - https://review.opendev.org/c/openstack/nova/+/866218) Until the new defaults enalbing by default is not released we should keep testing the old defaults in existing jobs and we can add new jobs testing new defautls. To do that we can provide the way in devstack to keep scope/new defaults disable by default which can be enabled by setting enforce_scope variable to true. Once any service release the new defaults enabled by default then we can switch the bhavior, enable the scope/new defaults by default and a single job can disbale them to keep testing the old defaults until service does not remove those.
Change-Id: I5c2ec3e1667172a75e06458f16cf3d57947b2c53
---
 lib/cinder | 3 +++
 lib/glance | 4 ++++
 lib/keystone | 7 ++++++-
 lib/nova | 3 +++
 lib/placement | 3 +++
 5 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/cinder b/lib/cinder
index bf2fe50e08..2424f928d1 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -411,6 +411,9 @@ function configure_cinder {
 if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
 iniset $CINDER_CONF oslo_policy enforce_scope true
 iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+ else
+ iniset $CINDER_CONF oslo_policy enforce_scope false
+ iniset $CINDER_CONF oslo_policy enforce_new_defaults false
 fi
 }
diff --git a/lib/glance b/lib/glance
index ba98f4133e..041acafc92 100644
--- a/lib/glance
+++ b/lib/glance
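Review bot: The new `else` in the lib/cinder hunk runs for every value other than the exact string `True`, so `ENFORCE_SCOPE=true`, `1` or a typo now writes `enforce_scope false` and `enforce_new_defaults false` into `$CINDER_CONF`, pinning the service to the old policy defaults. Before this change those options were left unset in that case and the service's own default applied. Whether `CINDER_ENFORCE_SCOPE` and `ENFORCE_SCOPE` are normalised before this point is not visible in the hunk; if they are not, normalise them first, and either way a comment above the test would help, such as `# Any value other than "True" explicitly disables scope and new-defaults enforcement`. The same `else` pattern is added in the lib/glance, lib/keystone, lib/nova and lib/placement hunks, and the glance one also writes `enforce_secure_rbac false`.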
@@ -436,6 +436,10 @@ function configure_glance {
 iniset $GLANCE_API_CONF oslo_policy enforce_scope true
 iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
 iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
+ else
+ iniset $GLANCE_API_CONF oslo_policy enforce_scope false
+ iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults false
+ iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac false
 fi
 }
diff --git a/lib/keystone b/lib/keystone
index 80a136f78d..6cb4aac46a 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -265,10 +265,15 @@ function configure_keystone {
 iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
 iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
 fi
+
+ iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+
 if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
 iniset $KEYSTONE_CONF oslo_policy enforce_scope true
 iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+ else
+ iniset $KEYSTONE_CONF oslo_policy enforce_scope false
+ iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults false
 fi
 }
diff --git a/lib/nova b/lib/nova
index 14eb8fc3da..3aa6b9e3b3 100644
--- a/lib/nova
+++ b/lib/nova
@@ -490,6 +490,9 @@ function create_nova_conf {
 if [[ "$NOVA_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
 iniset $NOVA_CONF oslo_policy enforce_new_defaults True
 iniset $NOVA_CONF oslo_policy enforce_scope True
+ else
+ iniset $NOVA_CONF oslo_policy enforce_new_defaults False
+ iniset $NOVA_CONF oslo_policy enforce_scope False
 fi
 if is_service_enabled tls-proxy && [ "$NOVA_USE_MOD_WSGI" == "False" ]; then
 # Set the service port for a proxy to take the original
diff --git a/lib/placement b/lib/placement
index bc22c564f4..c6bf99f868 100644
--- a/lib/placement
+++ b/lib/placement
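Review bot: In the lib/keystone hunk, `iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml` moves out of the `if` and is now written on every run, a behaviour change the commit message does not mention. A one-line comment above it would record the intent, for example `# policy_file is set in both modes; only the enforce_* options depend on *_ENFORCE_SCOPE`, with the actual reason supplied by the author. With the relative `policy.yaml` always configured, an override file of that name presumably also takes effect when enforcement is disabled, which is worth confirming for jobs meant to exercise the old defaults. `configure_keystone` begins above the hunk, so how the file is populated is not visible here.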
@@ -120,6 +120,9 @@ function configure_placement {
 if [[ "$PLACEMENT_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
 iniset $PLACEMENT_CONF oslo_policy enforce_new_defaults True
 iniset $PLACEMENT_CONF oslo_policy enforce_scope True
+ else
+ iniset $PLACEMENT_CONF oslo_policy enforce_new_defaults False
+ iniset $PLACEMENT_CONF oslo_policy enforce_scope False
 fi
 }