Merge "Global option for enforcing scope (ENFORCE_SCOPE)"
This commit is contained in:
Zuul
Gerrit Code Review
commit
d450e146cc
@ -637,10 +637,7 @@
|
|||||||
This job runs the devstack with scope checks enabled.
|
This job runs the devstack with scope checks enabled.
|
||||||
vars:
|
vars:
|
||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
# Keep enabeling the services here to run with system scope
|
ENFORCE_SCOPE: true
|
||||||
CINDER_ENFORCE_SCOPE: true
|
|
||||||
GLANCE_ENFORCE_SCOPE: true
|
|
||||||
NEUTRON_ENFORCE_SCOPE: true
|
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: devstack-multinode
|
name: devstack-multinode
|
||||||
|
|||||||
@ -1166,7 +1166,7 @@ function is_ironic_hardware {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function is_ironic_enforce_scope {
|
function is_ironic_enforce_scope {
|
||||||
is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]] && return 0
|
is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]] && return 0
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -380,7 +380,7 @@ function configure_cinder {
|
|||||||
iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
|
iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
|
if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
iniset $CINDER_CONF oslo_policy enforce_scope true
|
iniset $CINDER_CONF oslo_policy enforce_scope true
|
||||||
iniset $CINDER_CONF oslo_policy enforce_new_defaults true
|
iniset $CINDER_CONF oslo_policy enforce_new_defaults true
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -432,7 +432,7 @@ function configure_glance {
|
|||||||
iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
|
iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$GLANCE_ENFORCE_SCOPE" == True ]] ; then
|
if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
|
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
|
||||||
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
|
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
|
||||||
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
|
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
|
||||||
|
|||||||
@ -265,7 +265,7 @@ function configure_keystone {
|
|||||||
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
||||||
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
|
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
|
||||||
fi
|
fi
|
||||||
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
|
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
|
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
|
||||||
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
|
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
|
||||||
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
|
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
|
||||||
|
|||||||
@ -632,7 +632,7 @@ function configure_neutron {
|
|||||||
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
|
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
|
||||||
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
|
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
|
||||||
function configure_rbac_policies {
|
function configure_rbac_policies {
|
||||||
if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
|
if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "ENFORCE_SCOPE" == "True" ]]; then
|
||||||
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
|
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
|
||||||
iniset $NEUTRON_CONF oslo_policy enforce_scope True
|
iniset $NEUTRON_CONF oslo_policy enforce_scope True
|
||||||
else
|
else
|
||||||
|
|||||||
@ -500,7 +500,7 @@ function configure_neutron_after_post_config {
|
|||||||
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
|
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
|
||||||
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
|
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
|
||||||
function configure_rbac_policies {
|
function configure_rbac_policies {
|
||||||
if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
|
if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == True ]]; then
|
||||||
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
|
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
|
||||||
iniset $NEUTRON_CONF oslo_policy enforce_scope True
|
iniset $NEUTRON_CONF oslo_policy enforce_scope True
|
||||||
else
|
else
|
||||||
|
|||||||
11
lib/tempest
11
lib/tempest
@ -607,14 +607,19 @@ function configure_tempest {
|
|||||||
# If services enable the enforce_scope for their policy
|
# If services enable the enforce_scope for their policy
|
||||||
# we need to enable the same on Tempest side so that
|
# we need to enable the same on Tempest side so that
|
||||||
# test can be run with scoped token.
|
# test can be run with scoped token.
|
||||||
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
|
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
iniset $TEMPEST_CONFIG enforce_scope keystone true
|
iniset $TEMPEST_CONFIG enforce_scope keystone true
|
||||||
iniset $TEMPEST_CONFIG auth admin_system 'all'
|
iniset $TEMPEST_CONFIG auth admin_system 'all'
|
||||||
iniset $TEMPEST_CONFIG auth admin_project_name ''
|
iniset $TEMPEST_CONFIG auth admin_project_name ''
|
||||||
fi
|
fi
|
||||||
iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
|
|
||||||
|
|
||||||
iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
|
if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
|
iniset $TEMPEST_CONFIG enforce_scope glance true
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||||
|
iniset $TEMPEST_CONFIG enforce_scope cinder true
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
|
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
|
||||||
# libvirt-lxc does not support boot from volume or attaching volumes
|
# libvirt-lxc does not support boot from volume or attaching volumes
|
||||||
|
|||||||
4
stackrc
4
stackrc
@ -179,6 +179,10 @@ fi
|
|||||||
# TODO(frickler): Drop this when plugins no longer need it
|
# TODO(frickler): Drop this when plugins no longer need it
|
||||||
IDENTITY_API_VERSION=3
|
IDENTITY_API_VERSION=3
|
||||||
|
|
||||||
|
# Global option for enforcing scope. If enabled, ENFORCE_SCOPE overrides
|
||||||
|
# each services ${SERVICE}_ENFORCE_SCOPE variables
|
||||||
|
ENFORCE_SCOPE=$(trueorfalse False ENFORCE_SCOPE)
|
||||||
|
|
||||||
# Enable use of Python virtual environments. Individual project use of
|
# Enable use of Python virtual environments. Individual project use of
|
||||||
# venvs are controlled by the PROJECT_VENV array; every project with
|
# venvs are controlled by the PROJECT_VENV array; every project with
|
||||||
# an entry in the array will be installed into the named venv.
|
# an entry in the array will be installed into the named venv.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user