diff --git a/manila/policy.py b/manila/policy.py
index 16c90a7435..a551404f1f 100644
--- a/manila/policy.py
+++ b/manila/policy.py
@@ -37,6 +37,11 @@ _ENFORCER = None
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
 opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+cfg.CONF,
+DEFAULT_POLICY_FILE,
+enforce_scope=True,
+enforce_new_defaults=True)
 
 
 def reset():
diff --git a/manila/tests/api/v2/test_share_snapshots.py b/manila/tests/api/v2/test_share_snapshots.py
index b2ee957a57..c37d601c95 100644
--- a/manila/tests/api/v2/test_share_snapshots.py
+++ b/manila/tests/api/v2/test_share_snapshots.py
@@ -66,6 +66,9 @@ class ShareSnapshotAPITest(test.TestCase):
 stubs.stub_snapshot_get) self.mock_object(share_api.API, 'snapshot_update', stubs.stub_snapshot_update)
+self.mock_object( policy, 'check_policy', mock.Mock(return_value=True) ) self.snp_example = { 'share_id': 100, 'size': 12,
diff --git a/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml b/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
new file mode 100644
index 0000000000..0051546ec5
--- /dev/null
+++ b/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
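Review bot: The new `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE, enforce_scope=True, enforce_new_defaults=True)` call is added right after the existing `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` call, so the policy option defaults are registered twice and the two calls name the config object differently (`CONF` vs `cfg.CONF`), which reads as if two distinct objects were being configured. Fold the keywords into the existing call and drop the second one: `opts.set_defaults(CONF, DEFAULT_POLICY_FILE, enforce_scope=True, enforce_new_defaults=True)`. Since this is the line that flips the service to scope-enforced, secure-by-default RBAC, a why-comment above it would help the next maintainer, e.g. `# Enforce token scope and the new RBAC defaults out of the box; operators can still opt out via [oslo_policy] in manila.conf.` The two keyword arguments are presumably what motivates the oslo.policy floor raised to 3.11.0 in requirements.txt in this same commit; stating that in the commit message or comment would make the coupling explicit.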
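Review bot: Stubbing `policy.check_policy` with `mock.Mock(return_value=True)` in the test class's setup (the enclosing method starts and ends outside this hunk) disables authorization for every test in `ShareSnapshotAPITest`, so this suite can no longer catch a regression in the scope and new-default enforcement that this very commit switches on. Prefer limiting the stub to the individual tests that exercise non-policy behaviour, and keep at least one test that leaves `check_policy` live and asserts the 403 the release note promises for an out-of-scope or unauthorized context. If the blanket stub must stay, have the tests at least assert it was reached, e.g. `self.assertTrue(policy.check_policy.called)`, so that a code path that silently skips the check is still noticed. The `policy` and `mock` names used here must already be imported by this module; that is outside the hunk and worth confirming.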
@@ -0,0 +1,24 @@
+---
+upgrade:
+ - |
+ The service now requires a user's "scope" to be defined with the OpenStack
+ Identity service (Keystone) by the virtue of default Role Based Access
+ Control (RBAC). This is being done in addition to changing the
+ RBAC rules for GET requests to permit users possessing the "reader" role.
+ The Default value of config options ``[oslo_policy] enforce_scope`` and
+ ``[oslo_policy] oslo_policy.enforce_new_defaults`` has now changed
+ to ``True``. This means that, if you are using system scoped tokens to
+ access Manila's API, requests will fail with HTTP 403. Users must
+ obtain a project scoped token to interact with the Manila API. You
+ may also provide users with "reader" role where appropriate if they
+ intend to make read-only API requests to Manila. If you would like to
+ disable these changes, modify ``manila.conf`` file to set::
+
+ [oslo_policy]
+ enforce_new_defaults=False
+ enforce_scope=False
+
+ However, be aware that you may not be able to disable these options in
+ the future. Please see `OpenStack's Consistent and Secure Default RBAC
+ goal `_ for more details
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 31ebe87cf3..f68430af18 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,7 +18,7 @@ oslo.i18n>=5.0.1 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0