Option to disable the scope & new defaults enforcement
In this release cycle, a few services are enabling enforce scope and the new defaults by default. Example Nova: - https://review.opendev.org/c/openstack/nova/+/866218) Until a release with the new defaults enabled by default is out, we should keep testing the old defaults in the existing jobs, and we can add new jobs that test the new defaults. To do that, we can provide a way in devstack to keep scope/new defaults disabled by default, which can be enabled by setting the enforce_scope variable to true. Once any service releases with the new defaults enabled by default, we can switch the behavior: enable the scope/new defaults by default, and a single job can disable them to keep testing the old defaults until the service removes them. Change-Id: I5c2ec3e1667172a75e06458f16cf3d57947b2c53
parent
a52041cd3f
commit
69d71cfdf9
@ -411,6 +411,9 @@ function configure_cinder {
|
|||||||
if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
iniset $CINDER_CONF oslo_policy enforce_scope true
|
iniset $CINDER_CONF oslo_policy enforce_scope true
|
||||||
iniset $CINDER_CONF oslo_policy enforce_new_defaults true
|
iniset $CINDER_CONF oslo_policy enforce_new_defaults true
|
||||||
|
else
|
||||||
|
iniset $CINDER_CONF oslo_policy enforce_scope false
|
||||||
|
iniset $CINDER_CONF oslo_policy enforce_new_defaults false
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
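Review bot: The new `else` branch runs for every value other than the exact string `True`, so `true`, `1`, `yes` or a misspelt variable in local.conf now writes `enforce_scope false` and `enforce_new_defaults false` instead of leaving the service default in place; the same pattern is in the glance, keystone, nova and placement hunks. If `CINDER_ENFORCE_SCOPE` and `ENFORCE_SCOPE` are not already normalised where they are defined (not visible in this hunk), run them through `trueorfalse` first, e.g. `CINDER_ENFORCE_SCOPE=$(trueorfalse False CINDER_ENFORCE_SCOPE)`, so a job meant to exercise scoped tokens cannot silently fall back to the legacy policy rules. configure_cinder starts above the hunk.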
@ -436,6 +436,10 @@ function configure_glance {
|
|||||||
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
|
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
|
||||||
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
|
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
|
||||||
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
|
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
|
||||||
|
else
|
||||||
|
iniset $GLANCE_API_CONF oslo_policy enforce_scope false
|
||||||
|
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults false
|
||||||
|
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac false
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
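Review bot: The `else` branch sets three options, and nothing in the hunk says why `DEFAULT enforce_secure_rbac` has to follow the two `oslo_policy` ones. As far as I recall, Glance rejects a configuration in which `enforce_secure_rbac` and `enforce_new_defaults` differ, so a comment above the pair such as `# enforce_secure_rbac must always equal oslo_policy/enforce_new_defaults` would stop a later edit from flipping only one of them. The `if` condition that selects the branch is above the hunk, so the variable it tests is not visible here.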
@ -265,10 +265,15 @@ function configure_keystone {
|
|||||||
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
||||||
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
|
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
|
||||||
|
|
||||||
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
|
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
|
||||||
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
|
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
|
||||||
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
|
else
|
||||||
|
iniset $KEYSTONE_CONF oslo_policy enforce_scope false
|
||||||
|
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults false
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
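Review bot: `iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml` now sits before the `if`, so it appears to apply to every deployment rather than only to scope-enforcing ones, and the commit message does not mention that. With the legacy defaults pinned in the `else` branch, any override left in an existing `policy.yaml` would now be loaded on default runs too. If that is intended, record it next to the line, for example `# Read overrides from policy.yaml whether or not scope is enforced`. configure_keystone starts above the hunk.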
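--- a/lib/nova
+++ b/lib/nova
@@ -490,6 +490,9 @@ function create_nova_conf {
 if [[ "$NOVA_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
 iniset $NOVA_CONF oslo_policy enforce_new_defaults True
 iniset $NOVA_CONF oslo_policy enforce_scope True
+else
+iniset $NOVA_CONF oslo_policy enforce_new_defaults False
+iniset $NOVA_CONF oslo_policy enforce_scope False
 fi
 if is_service_enabled tls-proxy && [ "$NOVA_USE_MOD_WSGI" == "False" ]; then
 # Set the service port for a proxy to take the original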
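Review bot: The added `else` branch needs a comment, because it overrides Nova's own defaults rather than leaving them alone: the commit message says Nova is turning scope enforcement and the new defaults on by default, so every job that does not set `NOVA_ENFORCE_SCOPE` or `ENFORCE_SCOPE` now runs against the deprecated policy rules. Something like `# Pin the legacy policy defaults until Nova removes them; set ENFORCE_SCOPE=True to test the new RBAC` would record that this is deliberate and temporary. Nova and placement also write `True`/`False` while cinder, glance and keystone write `true`/`false`; oslo.config accepts both, but one spelling across the files would be easier to grep. create_nova_conf starts and ends outside the hunk.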
@ -120,6 +120,9 @@ function configure_placement {
|
|||||||
if [[ "$PLACEMENT_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
|
if [[ "$PLACEMENT_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
|
||||||
iniset $PLACEMENT_CONF oslo_policy enforce_new_defaults True
|
iniset $PLACEMENT_CONF oslo_policy enforce_new_defaults True
|
||||||
iniset $PLACEMENT_CONF oslo_policy enforce_scope True
|
iniset $PLACEMENT_CONF oslo_policy enforce_scope True
|
||||||
|
else
|
||||||
|
iniset $PLACEMENT_CONF oslo_policy enforce_new_defaults False
|
||||||
|
iniset $PLACEMENT_CONF oslo_policy enforce_scope False
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|