Enable new defaults and scope checks by default

Based on the agreed steps to implement the SRBAC community goal, this enables the new policy defaults and scope checks by default. Change-Id: I315893150549d1174c3270c37c031e6a519f9a28
2023-10-23 22:16:12 +09:00 · 2023-10-23 22:16:12 +09:00 · 6d13e93a37
parent 4421498cd3
commit 6d13e93a37
5 changed files with 19 additions and 6 deletions
--- a/devstack/lib/heat
+++ b/devstack/lib/heat
@ -63,9 +63,9 @@ HEAT_CFN_API_UWSGI=$HEAT_BIN_DIR/heat-wsgi-api-cfn

 # Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
 # This is used to disable the compute API policies scope and new defaults.
-# By Default, it is False.
+# By Default, it is True.
 # For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
-HEAT_ENFORCE_SCOPE=$(trueorfalse False HEAT_ENFORCE_SCOPE)
+HEAT_ENFORCE_SCOPE=$(trueorfalse True HEAT_ENFORCE_SCOPE)

 # other default options
 if [[ "$HEAT_STANDALONE" == "True" ]]; then
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@ -38,7 +38,11 @@ DEFAULT_RESOURCE_RULES = policy.Rules.from_dict({'default': '@'})
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+    CONF,
+    DEFAULT_POLICY_FILE,
+    enforce_scope=True,
+    enforce_new_defaults=True)

 ENFORCER = None

--- a/heat/tests/test_common_policy.py
+++ b/heat/tests/test_common_policy.py
@ -71,18 +71,20 @@ class TestPolicyEnforcer(common.HeatTestCase):
    @ddt.file_data('policy/test_acl_personas.yaml')
    @ddt.unpack
    def test_legacy_rbac_policies(self, **kwargs):
+        self.fixture.config(group='oslo_policy', enforce_scope=False)
+        self.fixture.config(group='oslo_policy', enforce_new_defaults=False)
        self._test_legacy_rbac_policies(**kwargs)

    @ddt.file_data('policy/test_deprecated_access.yaml')
    @ddt.unpack
    def test_deprecated_policies(self, **kwargs):
+        self.fixture.config(group='oslo_policy', enforce_scope=False)
+        self.fixture.config(group='oslo_policy', enforce_new_defaults=False)
        self._test_legacy_rbac_policies(**kwargs)

    @ddt.file_data('policy/test_new_acl_personas.yaml')
    @ddt.unpack
    def test_secure_rbac_policies(self, **kwargs):
-        self.fixture.config(group='oslo_policy', enforce_scope=True)
-        self.fixture.config(group='oslo_policy', enforce_new_defaults=True)
        scope = kwargs.get("scope")
        actions = kwargs.get("actions")
        allowed_personas = kwargs.get("allowed", [])
--- a/releasenotes/notes/enable-enforce-scope-and-new-defaults-76e9b64cc5bed89e.yaml
+++ b/releasenotes/notes/enable-enforce-scope-and-new-defaults-76e9b64cc5bed89e.yaml
@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    Now heat enables the API policies (RBAC) new defaults and scope by default.
+    The default value of config options ``[oslo_policy] enforce_scope`` and
+    ``[oslo_policy] enforce_new_defaults`` have been changed from ``False`` to
+    ``True``.
--- a/requirements.txt
+++ b/requirements.txt
@ -21,7 +21,7 @@ oslo.i18n>=3.20.0 # Apache-2.0
 oslo.log>=4.3.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.serialization>=2.25.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0