Add RBAC scope and new defaults setting support for Nova & Tempest
Nova is ready with the scope and new defaults as per the new RBAC design. Adding devstack flag to enable the scope checks and new defaults enforcement in nova side. Change-Id: I305ea626a4b622c5534d523f4b619832f9d35f8d
This commit is contained in:
parent
ab162024bb
commit
857f4993f3
10
lib/nova
10
lib/nova
|
@ -97,6 +97,12 @@ NOVA_SERVICE_LISTEN_ADDRESS=${NOVA_SERVICE_LISTEN_ADDRESS:-$(ipv6_unquote $SERVI
|
|||
METADATA_SERVICE_PORT=${METADATA_SERVICE_PORT:-8775}
|
||||
NOVA_ENABLE_CACHE=${NOVA_ENABLE_CACHE:-True}
|
||||
|
||||
# Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
|
||||
# This is used to switch the compute API policies enable the scope and new defaults.
|
||||
# By Default, these flag are False.
|
||||
# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
|
||||
NOVA_ENFORCE_SCOPE=$(trueorfalse False NOVA_ENFORCE_SCOPE)
|
||||
|
||||
if [[ $SERVICE_IP_VERSION == 6 ]]; then
|
||||
NOVA_MY_IP="$HOST_IPV6"
|
||||
else
|
||||
|
@ -481,6 +487,10 @@ function create_nova_conf {
|
|||
NOVA_ENABLED_APIS=$(echo $NOVA_ENABLED_APIS | sed "s/,metadata//")
|
||||
fi
|
||||
iniset $NOVA_CONF DEFAULT enabled_apis "$NOVA_ENABLED_APIS"
|
||||
if [[ "$NOVA_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
|
||||
iniset $NOVA_CONF oslo_policy enforce_new_defaults True
|
||||
iniset $NOVA_CONF oslo_policy enforce_scope True
|
||||
fi
|
||||
if is_service_enabled tls-proxy && [ "$NOVA_USE_MOD_WSGI" == "False" ]; then
|
||||
# Set the service port for a proxy to take the original
|
||||
iniset $NOVA_CONF DEFAULT osapi_compute_listen_port "$NOVA_SERVICE_PORT_INT"
|
||||
|
|
|
@ -674,6 +674,10 @@ function configure_tempest {
|
|||
iniset $TEMPEST_CONFIG auth admin_project_name ''
|
||||
fi
|
||||
|
||||
if [[ "$NOVA_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||
iniset $TEMPEST_CONFIG enforce_scope nova true
|
||||
fi
|
||||
|
||||
if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
|
||||
iniset $TEMPEST_CONFIG enforce_scope glance true
|
||||
fi
|
||||
|
|
Loading…
Reference in New Issue