Merge "Remove default override for RBAC config options"

This commit is contained in:
Zuul 2024-09-05 01:22:20 +00:00 committed by Gerrit Code Review
commit e1208abe38
3 changed files with 22 additions and 19 deletions

@ -29,16 +29,6 @@
- name: openstack/stevedore
- name: openstack/taskflow
- job:
name: glance-tox-functional-py39-rbac-defaults
parent: openstack-tox-functional-py39
voting: false
description: |
Glance py39 functional tests with enforce_secure_rbac=True
vars:
python_version: 3.9
tox_envlist: functional-py39-rbac
- job:
name: glance-tox-functional-py312-oslo-tips
parent: glance-tox-oslo-tips-base
@ -357,8 +347,9 @@
glance_store:
rbd_thin_provisioning: True
# TODO(pdeore): Remove this jobs once all the glance jobs will be tested
# with new RBAC in integrated way and we do not need this separate job.
# TODO(pdeore): Remove this jobs once Cinder enable the RBAC new defaults
# by default. All other services including glance enable new defaults by
# default.
- job:
name: tempest-integrated-storage-enforce-scope-new-defaults
parent: tempest-integrated-storage
@ -373,6 +364,18 @@
# Devstack so we do not need to explicitly set that to True.
CINDER_ENFORCE_SCOPE: true
# NOTE(gmann): Remove this job once Glance remove the RBAC old defaults.
- job:
name: tempest-integrated-storage-rbac-old-defaults
parent: tempest-integrated-storage
description: |
This job runs the Tempest tests with glance RBAC old defaults.
timeout: 10800
vars:
tempest_concurrency: 3
devstack_localrc:
GLANCE_ENFORCE_SCOPE: false
- project:
templates:
- check-requirements
@ -387,7 +390,6 @@
- openstack-tox-functional-py39
- openstack-tox-functional-py310
- openstack-tox-functional-py312
- glance-tox-functional-py39-rbac-defaults
- glance-ceph-thin-provisioning:
voting: false
irrelevant-files: &tempest-irrelevant-files
@ -459,6 +461,7 @@
irrelevant-files: *tempest-irrelevant-files
- glance-multistore-cinder-import-fips:
irrelevant-files: *tempest-irrelevant-files
- tempest-integrated-storage-rbac-old-defaults
periodic:
jobs:
# NOTE(rosmaita): we only want the "tips" jobs to be run against
@ -503,3 +506,5 @@
branches: master
- glance-multistore-cinder-import-fips:
branches: master
- tempest-integrated-storage-rbac-old-defaults:
branches: master

@ -34,14 +34,12 @@ _ENFORCER = None
# TODO(gmann): Remove overriding the default value of config options
# 'policy_file', 'enforce_scope', and 'enforce_new_defaults' once
# oslo_policy change their default value to what is overridden here.
# 'policy_file' once oslo_policy changes its default value to what
# is overridden here.
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(
cfg.CONF,
DEFAULT_POLICY_FILE,
enforce_scope=True,
enforce_new_defaults=True)
DEFAULT_POLICY_FILE)
class Enforcer(policy.Enforcer):

@ -35,7 +35,7 @@ oslo.log>=4.5.0 # Apache-2.0
oslo.messaging>=5.29.0,!=9.0.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.reports>=1.18.0 # Apache-2.0
oslo.policy>=3.11.0 # Apache-2.0
oslo.policy>=4.4.0 # Apache-2.0
retrying!=1.3.0,>=1.2.3 # Apache-2.0
osprofiler>=1.4.0 # Apache-2.0