Add devstack plugin option to enforce new defaults and scope

This is a prep work to enforce new default policy rules and scope checking, and allows users to enable/disable the enforcement by setting the single knob. Change-Id: I8248f825a90b50fe874224c7ee06a1de299f1feb
2023-10-24 13:15:52 +09:00
parent d574808b07
commit 4421498cd3
1 changed files with 14 additions and 0 deletions
--- a/devstack/lib/heat
+++ b/devstack/lib/heat
@@ -61,6 +61,12 @@ HEAT_CFN_API_UWSGI_CONF=$HEAT_CONF_DIR/heat-api-cfn-uwsgi.ini
 HEAT_API_UWSGI=$HEAT_BIN_DIR/heat-wsgi-api
 HEAT_CFN_API_UWSGI=$HEAT_BIN_DIR/heat-wsgi-api-cfn

+# Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
+# This is used to disable the compute API policies scope and new defaults.
+# By Default, it is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+HEAT_ENFORCE_SCOPE=$(trueorfalse False HEAT_ENFORCE_SCOPE)
+
 # other default options
 if [[ "$HEAT_STANDALONE" == "True" ]]; then
    # for standalone, use defaults which require no service user
@@ -215,6 +221,14 @@ function configure_heat {
        iniset $HEAT_CONF volumes backups_enabled false
    fi

+    if [[ "$HEAT_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+        iniset $HEAT_CONF oslo_policy enforce_scope true
+        iniset $HEAT_CONF oslo_policy enforce_new_defaults true
+    else
+        iniset $HEAT_CONF oslo_policy enforce_scope false
+        iniset $HEAT_CONF oslo_policy enforce_new_defaults false
+    fi
+
    sudo install -d -o $STACK_USER $HEAT_ENV_DIR $HEAT_TEMPLATES_DIR

    # copy the default environment