From 8615563df47261d9c6dab7c5badbceb399d0e14d Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Mon, 18 Oct 2021 16:52:06 +0200
Subject: [PATCH] Global option for enforcing scope (ENFORCE_SCOPE)
This updates each devstack service library, to use it as the default value for service-specific RBAC configuration.
Change-Id: I41061d042206c411ee3dd94ce91098e612af7ae7
---
 .zuul.yaml | 5 +----
 functions-common | 2 +-
 lib/cinder | 2 +-
 lib/glance | 2 +-
 lib/keystone | 2 +-
 lib/neutron | 2 +-
 lib/neutron-legacy | 2 +-
 lib/tempest | 11 ++++++++---
 stackrc | 4 ++++
 9 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/.zuul.yaml b/.zuul.yaml
index fc80e6c413..0f047166fa 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -646,10 +646,7 @@ This job runs the devstack with scope checks enabled.
 vars:
 devstack_localrc:
- # Keep enabeling the services here to run with system scope
- CINDER_ENFORCE_SCOPE: true
- GLANCE_ENFORCE_SCOPE: true
- NEUTRON_ENFORCE_SCOPE: true
+ ENFORCE_SCOPE: true
 - job:
 name: devstack-multinode
diff --git a/functions-common b/functions-common
index b2cf9d99c6..603e7d896d 100644
--- a/functions-common
+++ b/functions-common
@@ -1154,7 +1154,7 @@ function is_ironic_hardware {
 }
 function is_ironic_enforce_scope {
- is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]] && return 0
+ is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]] && return 0
 return 1
 }
diff --git a/lib/cinder b/lib/cinder
index b029fa0db4..52818a81eb 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -380,7 +380,7 @@ function configure_cinder {
 iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
 fi
- if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
 iniset $CINDER_CONF oslo_policy enforce_scope true
 iniset $CINDER_CONF oslo_policy enforce_new_defaults true
 fi
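Review bot: Swapping the three per-service flags for `ENFORCE_SCOPE: true` changes what this job actually exercises, and the commit message does not say so. Per the lib/keystone and functions-common hunks the global option now also turns on Keystone enforcement and, when ironic is enabled, `is_ironic_enforce_scope`, which the removed CINDER/GLANCE/NEUTRON list never did; conversely, if the job runs with lib/neutron rather than lib/neutron-legacy, the missing `$` in that file's new condition means Neutron enforcement is no longer switched on here at all, since `NEUTRON_ENFORCE_SCOPE: true` is gone. If the wider coverage is intended, a sentence in the commit message stating that the scope-check job now covers every service (not only cinder, glance and neutron) would make the behaviour change explicit.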
diff --git a/lib/glance b/lib/glance
index 9bba938b9d..04b901181c 100644
--- a/lib/glance
+++ b/lib/glance
@@ -432,7 +432,7 @@ function configure_glance {
 iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
 fi
- if [[ "$GLANCE_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
 iniset $GLANCE_API_CONF oslo_policy enforce_scope true
 iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
 iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
diff --git a/lib/keystone b/lib/keystone
index a4c8a52121..80a136f78d 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -265,7 +265,7 @@ function configure_keystone {
 iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
 iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
 fi
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
 iniset $KEYSTONE_CONF oslo_policy enforce_scope true
 iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
 iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
diff --git a/lib/neutron b/lib/neutron
index e7719d4ebc..f24ccfb1a9 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -632,7 +632,7 @@ function configure_neutron {
 # configure_rbac_policies() - Configure Neutron to enforce new RBAC
 # policies and scopes if NEUTRON_ENFORCE_SCOPE == True
 function configure_rbac_policies {
- if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "ENFORCE_SCOPE" == "True" ]]; then
 iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
 iniset $NEUTRON_CONF oslo_policy enforce_scope True
 else
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index b906a1b2ff..253b457ae1 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
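Review bot: The new condition in lib/neutron's configure_rbac_policies compares the literal string `"ENFORCE_SCOPE"` with `"True"` — the `$` is missing — so the global option can never enable Neutron's RBAC enforcement through this file; only NEUTRON_ENFORCE_SCOPE still works and otherwise the `else` arm, which continues past the end of the hunk, is taken. The sibling copy of this function in lib/neutron-legacy has the expansion right, so the two now disagree. The line should read `if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then`. The header comment two lines above still says enforcement happens only if NEUTRON_ENFORCE_SCOPE is True; in both files I would change it to `# policies and scopes if NEUTRON_ENFORCE_SCOPE or ENFORCE_SCOPE == True`.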
@@ -500,7 +500,7 @@ function configure_neutron_after_post_config {
 # configure_rbac_policies() - Configure Neutron to enforce new RBAC
 # policies and scopes if NEUTRON_ENFORCE_SCOPE == True
 function configure_rbac_policies {
- if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == True ]]; then
 iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
 iniset $NEUTRON_CONF oslo_policy enforce_scope True
 else
diff --git a/lib/tempest b/lib/tempest
index 45046632b4..1fd4184763 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -607,14 +607,19 @@ function configure_tempest {
 # If services enable the enforce_scope for their policy
 # we need to enable the same on Tempest side so that
 # test can be run with scoped token.
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
 iniset $TEMPEST_CONFIG enforce_scope keystone true
 iniset $TEMPEST_CONFIG auth admin_system 'all'
 iniset $TEMPEST_CONFIG auth admin_project_name ''
 fi
- iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
- iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+ if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+ iniset $TEMPEST_CONFIG enforce_scope glance true
+ fi
+
+ if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+ iniset $TEMPEST_CONFIG enforce_scope cinder true
+ fi
 if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
 # libvirt-lxc does not support boot from volume or attaching volumes
diff --git a/stackrc b/stackrc
index 681e9dee38..72180d07f2 100644
--- a/stackrc
+++ b/stackrc
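Review bot: In the lib/tempest hunk, Tempest's `enforce_scope.glance` and `enforce_scope.cinder` options are now only ever written as `true`; the removed lines wrote the service variable's value unconditionally, so a disabled service used to get an explicit `False` in TEMPEST_CONFIG and now gets nothing. Whether that is equivalent depends on Tempest's default for those options and on TEMPEST_CONFIG being generated fresh, neither of which this hunk shows; a reused or pre-seeded config could keep a stale `true` while the service itself is not enforcing scope, and the tests would then run with the wrong expectations. Adding an `else` arm to each new block, e.g. `else` / `iniset $TEMPEST_CONFIG enforce_scope glance false` (and the same for cinder), keeps the previous explicit behaviour. The surrounding configure_tempest function starts and ends outside the hunk.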
@@ -179,6 +179,10 @@ fi
 # TODO(frickler): Drop this when plugins no longer need it
 IDENTITY_API_VERSION=3
+# Global option for enforcing scope. If enabled, ENFORCE_SCOPE overrides
+# each services ${SERVICE}_ENFORCE_SCOPE variables
+ENFORCE_SCOPE=$(trueorfalse False ENFORCE_SCOPE)
+
 # Enable use of Python virtual environments. Individual project use of
 # venvs are controlled by the PROJECT_VENV array; every project with
 # an entry in the array will be installed into the named venv.
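Review bot: The new comment says ENFORCE_SCOPE "overrides" each service's ${SERVICE}_ENFORCE_SCOPE variable, but every consumer in this change (functions-common, lib/cinder, lib/glance, lib/keystone, lib/neutron-legacy, lib/tempest) ORs the two values, so ENFORCE_SCOPE=True switches enforcement on everywhere while the default False leaves a per-service True in effect — it cannot switch anything off. The commit message's "use it as the default value for service-specific RBAC configuration" describes a different mechanism (seeding each per-service variable from the global one) that the hunks do not implement, so anything that reads only a per-service variable, a plugin for instance, would presumably not see the global setting. I would reword the comment to `# Global option for enforcing scope. When True, scope enforcement is` / `# enabled for every service in addition to the per-service` / `# ${SERVICE}_ENFORCE_SCOPE variables; it cannot disable a per-service True.` and either fix the commit message or implement the default-seeding it promises.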