From bd0d0fde24a5654507e02d32eea7ea0c1fc46821 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Sat, 6 Mar 2021 17:23:39 -0600
Subject: [PATCH] Add enforce_scope setting support for Cinder

Conder started moving to new RBAC and cinder-tempest-plugin and Tempest need to set few configuration to enable the scope checks on cinder side and on Temepst side to tell cinder is all configured with scope checks and test can be run with scoped token.

Change-Id: Ic7cd919c000c4e7b9a3a06638a5bd87b1617e749
---
 lib/cinder | 11 +++++++++++
 lib/tempest | 2 ++
 2 files changed, 13 insertions(+)

diff --git a/lib/cinder b/lib/cinder
index 33deff61f2..da6f32728e 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -125,6 +125,12 @@ CINDER_IMG_CACHE_SIZE_COUNT=${CINDER_IMG_CACHE_SIZE_COUNT:-}
 # enable the cache for all cinder backends.
 CINDER_CACHE_ENABLED_FOR_BACKENDS=${CINDER_CACHE_ENABLED_FOR_BACKENDS:-$CINDER_ENABLED_BACKENDS}
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Volume API policies to start checking the scope of token. by default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+CINDER_ENFORCE_SCOPE=$(trueorfalse False CINDER_ENFORCE_SCOPE)
+
 # Functions
 # ---------
@@ -326,6 +332,11 @@ function configure_cinder {
 elif is_service_enabled etcd3; then
 iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
 fi
+
+ if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+ iniset $CINDER_CONF oslo_policy enforce_scope true
+ iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+ fi
 }
 # create_cinder_accounts() - Set up common required cinder accounts
diff --git a/lib/tempest b/lib/tempest
index f210e4014b..238e25f07b 100644
--- a/lib/tempest
+++ b/lib/tempest
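Review bot: The comment added above `CINDER_ENFORCE_SCOPE` documents only `oslo_policy.enforce_scope`, but the `configure_cinder` hunk further down also sets `enforce_new_defaults` from the same flag. Someone enabling it to test scope checks therefore also switches cinder to the new policy defaults without being told. I would word the first line as `# Flag to set oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.` and capitalise `By default`.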
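Review bot: When `CINDER_ENFORCE_SCOPE` is False the new block in `configure_cinder` writes nothing, so cinder runs with whatever oslo.policy ships as the default for both options, while lib/tempest is told an explicit False. If the library default ever differs, the tests would run against an authorization mode the job did not ask for. Writing both states keeps the deployment's policy mode deterministic: add an `else` branch with `iniset $CINDER_CONF oslo_policy enforce_scope false` and `iniset $CINDER_CONF oslo_policy enforce_new_defaults false` before the `fi`. The body of `configure_cinder` starts outside this hunk, so any earlier reset of `$CINDER_CONF` is not visible here.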
@@ -611,6 +611,8 @@ function configure_tempest {
 iniset $TEMPEST_CONFIG auth admin_project_name ''
 fi
+ iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+
 if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
 # libvirt-lxc does not support boot from volume or attaching volumes
 # so basically anything with cinder is out of the question.
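Review bot: The added `iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"` runs unconditionally and depends on a variable that is defined in lib/cinder. If that file has not been sourced when `configure_tempest` runs (not visible from this hunk), the option is written empty rather than False, and Tempest's view of the scope setting becomes ambiguous. A default expansion keeps the written value well defined: `iniset $TEMPEST_CONFIG enforce_scope cinder "${CINDER_ENFORCE_SCOPE:-False}"`. A one-line comment such as `# Tell Tempest whether cinder enforces token scope so scoped-token tests are selected accordingly` would also help; the body of `configure_tempest` continues outside the hunk.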