Enable new defaults and scope checks by default
Based on the agreed steps to implement the SRBAC community goal, this enables the new policy defaults and scope checks by default. Change-Id: I315893150549d1174c3270c37c031e6a519f9a28
parent
4421498cd3
commit
6d13e93a37
|
@ -63,9 +63,9 @@ HEAT_CFN_API_UWSGI=$HEAT_BIN_DIR/heat-wsgi-api-cfn
|
|||
|
||||
# Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
|
||||
# This is used to disable the compute API policies scope and new defaults.
|
||||
# By Default, it is False.
|
||||
# By Default, it is True.
|
||||
# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
|
||||
HEAT_ENFORCE_SCOPE=$(trueorfalse False HEAT_ENFORCE_SCOPE)
|
||||
HEAT_ENFORCE_SCOPE=$(trueorfalse True HEAT_ENFORCE_SCOPE)
|
||||
|
||||
# other default options
|
||||
if [[ "$HEAT_STANDALONE" == "True" ]]; then
|
||||
|
|
|
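Review bot: The comment above `HEAT_ENFORCE_SCOPE` still reads "This is used to disable the compute API policies scope and new defaults", which appears to be carried over from another service and is harder to read now that the default is True. Since this one flag drives both `oslo_policy.enforce_scope` and `oslo_policy.enforce_new_defaults`, I would reword it to `# Set to False to disable scope checks and the new policy defaults for the Heat API.` so a job author knows what opting out turns off. The "By Default" line would then read `# Defaults to True.`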
@ -38,7 +38,11 @@ DEFAULT_RESOURCE_RULES = policy.Rules.from_dict({'default': '@'})
|
|||
# once oslo_policy change the default value to 'policy.yaml'.
|
||||
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
|
||||
opts.set_defaults(
|
||||
CONF,
|
||||
DEFAULT_POLICY_FILE,
|
||||
enforce_scope=True,
|
||||
enforce_new_defaults=True)
|
||||
|
||||
ENFORCER = None
|
||||
|
||||
|
|
|
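Review bot: The new `enforce_scope=True` and `enforce_new_defaults=True` arguments to `opts.set_defaults` have no comment, while the lines above them document only the `policy.yaml` override (that comment starts outside the hunk). This is an access-control default that changes which tokens are accepted, so it deserves one. With `enforce_new_defaults` on, oslo.policy stops honouring the deprecated check strings alongside the new ones, so a deployment that relied on them changes behaviour on upgrade without any change to its config. I would add `# Secure RBAC on by default: scope is enforced and deprecated check strings no longer apply.` followed by `# Operators can opt out with [oslo_policy] enforce_scope / enforce_new_defaults in heat.conf.`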
@ -71,18 +71,20 @@ class TestPolicyEnforcer(common.HeatTestCase):
|
|||
@ddt.file_data('policy/test_acl_personas.yaml')
|
||||
@ddt.unpack
|
||||
def test_legacy_rbac_policies(self, **kwargs):
|
||||
self.fixture.config(group='oslo_policy', enforce_scope=False)
|
||||
self.fixture.config(group='oslo_policy', enforce_new_defaults=False)
|
||||
self._test_legacy_rbac_policies(**kwargs)
|
||||
|
||||
@ddt.file_data('policy/test_deprecated_access.yaml')
|
||||
@ddt.unpack
|
||||
def test_deprecated_policies(self, **kwargs):
|
||||
self.fixture.config(group='oslo_policy', enforce_scope=False)
|
||||
self.fixture.config(group='oslo_policy', enforce_new_defaults=False)
|
||||
self._test_legacy_rbac_policies(**kwargs)
|
||||
|
||||
@ddt.file_data('policy/test_new_acl_personas.yaml')
|
||||
@ddt.unpack
|
||||
def test_secure_rbac_policies(self, **kwargs):
|
||||
self.fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
self.fixture.config(group='oslo_policy', enforce_new_defaults=True)
|
||||
scope = kwargs.get("scope")
|
||||
actions = kwargs.get("actions")
|
||||
allowed_personas = kwargs.get("allowed", [])
|
||||
|
|
|
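Review bot: No test in this hunk exercises the new defaults themselves, because `test_secure_rbac_policies` still sets `enforce_scope=True` and `enforce_new_defaults=True` through the fixture, and the two legacy tests pin both to False. If the `set_defaults` call were dropped or reverted, all three tests would still pass. A small test that reads the options without any fixture override would close that gap, for example `self.assertTrue(cfg.CONF.oslo_policy.enforce_scope)` and the same for `enforce_new_defaults`, assuming `cfg` from oslo.config is importable in this module. The two `self.fixture.config(...)` lines are also duplicated between `test_legacy_rbac_policies` and `test_deprecated_policies` and could move into a shared helper. The body of `test_secure_rbac_policies` continues outside the hunk.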
@ -0,0 +1,7 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
Now heat enables the API policies (RBAC) new defaults and scope by default.
|
||||
The default value of config options ``[oslo_policy] enforce_scope`` and
|
||||
``[oslo_policy] enforce_new_defaults`` have been changed from ``False`` to
|
||||
``True``.
|
|
@ -21,7 +21,7 @@ oslo.i18n>=3.20.0 # Apache-2.0
|
|||
oslo.log>=4.3.0 # Apache-2.0
|
||||
oslo.messaging>=14.1.0 # Apache-2.0
|
||||
oslo.middleware>=3.31.0 # Apache-2.0
|
||||
oslo.policy>=3.7.0 # Apache-2.0
|
||||
oslo.policy>=3.11.0 # Apache-2.0
|
||||
oslo.reports>=1.18.0 # Apache-2.0
|
||||
oslo.serialization>=2.25.0 # Apache-2.0
|
||||
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
|
||||
|
|