Merge "RBAC: Enable "new" defaults and scope checks"
This commit is contained in:
commit
45268b6a58
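--- a/<PATH NOT SHOWN ON PAGE: file 1>
+++ b/<PATH NOT SHOWN ON PAGE: file 1>
@@ -37,6 +37,11 @@ _ENFORCER = None
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
 opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+cfg.CONF,
+DEFAULT_POLICY_FILE,
+enforce_scope=True,
+enforce_new_defaults=True)
 
 
 def reset():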
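Review bot: The hunk leaves the existing `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` in place and adds a second `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE, enforce_scope=True, enforce_new_defaults=True)` call, so the policy-file default is registered twice and the two calls name the config object differently (`CONF` vs `cfg.CONF`). Assuming `CONF` is the module alias for `cfg.CONF` (its definition is above the hunk), the first call is redundant after this change; drop it and pass `CONF,` in the new call so the module uses one name throughout. A one-line why-comment above the call would help the next reader, e.g. `# Enable scope enforcement and the new RBAC defaults; operators can still opt out via [oslo_policy] (see the release note).`. Separately, the release note in this commit refers to the option as ``[oslo_policy] oslo_policy.enforce_new_defaults`` while the keyword set here (and the opt-out snippet in the same note) is `enforce_new_defaults`; the note should use the bare option name so operators can find it.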
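--- a/<PATH NOT SHOWN ON PAGE: file 2>
+++ b/<PATH NOT SHOWN ON PAGE: file 2>
@@ -66,6 +66,9 @@ class ShareSnapshotAPITest(test.TestCase):
 stubs.stub_snapshot_get)
 self.mock_object(share_api.API, 'snapshot_update',
 stubs.stub_snapshot_update)
+self.mock_object(
+policy, 'check_policy', mock.Mock(return_value=True)
+)
 self.snp_example = {
 'share_id': 100,
 'size': 12,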
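Review bot: Mocking `policy.check_policy` to unconditionally return True in setUp removes authorization from every test in ShareSnapshotAPITest, so a regression in the snapshot policy rules (for example a request that the new scoped defaults should deny) would not be caught by this class. Presumably the stub request context no longer satisfies the scope-enforced defaults, but the hunk gives no reason; a comment such as `# Bypass policy enforcement: these tests cover the controller only; scope/role rules are verified by the policy tests.` would record the intent. Consider binding the mock to a named attribute, e.g. `self.mock_policy_check = self.mock_object(policy, 'check_policy', mock.Mock(return_value=True))`, so individual tests can still assert which policy action was checked. The enclosing setUp method starts outside the hunk.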
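--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: file 3>
@@ -0,0 +1,24 @@
+---
+upgrade:
+- |
+The service now requires a user's "scope" to be defined with the OpenStack
+Identity service (Keystone) by the virtue of default Role Based Access
+Control (RBAC). This is being done in addition to changing the
+RBAC rules for GET requests to permit users possessing the "reader" role.
+The Default value of config options ``[oslo_policy] enforce_scope`` and
+``[oslo_policy] oslo_policy.enforce_new_defaults`` has now changed
+to ``True``. This means that, if you are using system scoped tokens to
+access Manila's API, requests will fail with HTTP 403. Users must
+obtain a project scoped token to interact with the Manila API. You
+may also provide users with "reader" role where appropriate if they
+intend to make read-only API requests to Manila. If you would like to
+disable these changes, modify ``manila.conf`` file to set::
+
+[oslo_policy]
+enforce_new_defaults=False
+enforce_scope=False
+
+However, be aware that you may not be able to disable these options in
+the future. Please see `OpenStack's Consistent and Secure Default RBAC
+goal <https://governance.openstack
+.org/tc/goals/selected/consistent-and-secure-rbac.html>`_ for more details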
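--- a/<PATH NOT SHOWN ON PAGE: file 4>
+++ b/<PATH NOT SHOWN ON PAGE: file 4>
@@ -18,7 +18,7 @@ oslo.i18n>=5.0.1 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0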