Merge "RBAC: Enable "new" defaults and scope checks"

This commit is contained in:
Zuul 2024-05-21 03:58:19 +00:00 committed by Gerrit Code Review
commit 45268b6a58
4 changed files with 33 additions and 1 deletions

View File

@ -37,6 +37,11 @@ _ENFORCER = None
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml' DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(CONF, DEFAULT_POLICY_FILE) opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
opts.set_defaults(
cfg.CONF,
DEFAULT_POLICY_FILE,
enforce_scope=True,
enforce_new_defaults=True)
def reset(): def reset():

View File

@ -66,6 +66,9 @@ class ShareSnapshotAPITest(test.TestCase):
stubs.stub_snapshot_get) stubs.stub_snapshot_get)
self.mock_object(share_api.API, 'snapshot_update', self.mock_object(share_api.API, 'snapshot_update',
stubs.stub_snapshot_update) stubs.stub_snapshot_update)
self.mock_object(
policy, 'check_policy', mock.Mock(return_value=True)
)
self.snp_example = { self.snp_example = {
'share_id': 100, 'share_id': 100,
'size': 12, 'size': 12,

View File

@ -0,0 +1,24 @@
---
upgrade:
- |
The service now requires a user's "scope" to be defined with the OpenStack
Identity service (Keystone) by the virtue of default Role Based Access
Control (RBAC). This is being done in addition to changing the
RBAC rules for GET requests to permit users possessing the "reader" role.
The Default value of config options ``[oslo_policy] enforce_scope`` and
``[oslo_policy] oslo_policy.enforce_new_defaults`` has now changed
to ``True``. This means that, if you are using system scoped tokens to
access Manila's API, requests will fail with HTTP 403. Users must
obtain a project scoped token to interact with the Manila API. You
may also provide users with "reader" role where appropriate if they
intend to make read-only API requests to Manila. If you would like to
disable these changes, modify ``manila.conf`` file to set::
[oslo_policy]
enforce_new_defaults=False
enforce_scope=False
However, be aware that you may not be able to disable these options in
the future. Please see `OpenStack's Consistent and Secure Default RBAC
goal <https://governance.openstack
.org/tc/goals/selected/consistent-and-secure-rbac.html>`_ for more details

View File

@ -18,7 +18,7 @@ oslo.i18n>=5.0.1 # Apache-2.0
oslo.log>=4.4.0 # Apache-2.0 oslo.log>=4.4.0 # Apache-2.0
oslo.messaging>=14.1.0 # Apache-2.0 oslo.messaging>=14.1.0 # Apache-2.0
oslo.middleware>=4.1.1 # Apache-2.0 oslo.middleware>=4.1.1 # Apache-2.0
oslo.policy>=3.7.0 # Apache-2.0 oslo.policy>=3.11.0 # Apache-2.0
oslo.privsep>=2.4.0 # Apache-2.0 oslo.privsep>=2.4.0 # Apache-2.0
oslo.reports>=2.2.0 # Apache-2.0 oslo.reports>=2.2.0 # Apache-2.0
oslo.rootwrap>=6.2.0 # Apache-2.0 oslo.rootwrap>=6.2.0 # Apache-2.0