From fff80086d6b48b06944f0d0fa0e2dd243174e40d Mon Sep 17 00:00:00 2001
From: Julia Kreger <juliaashleykreger@gmail.com>
Date: Tue, 9 Jan 2024 06:19:39 -0800
Subject: [PATCH] Change policy to enforce only new policy

Change's inspector's default policy to align with the 2023.2
release goal.

Depends-On: https://review.opendev.org/c/openstack/ironic/+/902009
Change-Id: Iaa271bd13e3a62c4a3b35b6e6b556984f7b1d09c
---
 devstack/plugin.sh                            |  4 +--
 ironic_inspector/policy.py                    |  4 ++-
 ...rbac-policy-disabled-6fc45ad1237f4d57.yaml | 35 +++++++++++++++++++
 zuul.d/ironic-inspector-jobs.yaml             |  2 ++
 4 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index eed1e61e8..de4a73951 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -26,10 +26,10 @@ IRONIC_INSPECTOR_UWSGI_CONF=$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.in
 # explicitly unless otherwise set.
 IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-False}}
 # and then fallback to trueorfalse to put it into the standardized string format for the jobs.
-IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse False IRONIC_INSPECTOR_ENFORCE_SCOPE)
+IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse True IRONIC_INSPECTOR_ENFORCE_SCOPE)
 # Reset the input in the event the plugin is running separately from ironic's
 # devstack plugin.
-IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
+IRONIC_ENFORCE_SCOPE=$(trueorfalse True IRONIC_ENFORCE_SCOPE)
 
 
 if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then
diff --git a/ironic_inspector/policy.py b/ironic_inspector/policy.py
index f2aeb6509..90640db1e 100644
--- a/ironic_inspector/policy.py
+++ b/ironic_inspector/policy.py
@@ -28,7 +28,9 @@ _ENFORCER = None
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE,
+                  enforce_scope=True,
+                  enforce_new_defaults=True)
 
 # Generic policy check string for system administrators. These are the people
 # who need the highest level of authorization to operate the deployment.
diff --git a/releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml b/releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml
new file mode 100644
index 000000000..f2e0672e2
--- /dev/null
+++ b/releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml
@@ -0,0 +1,35 @@
+---
+upgrade:
+  - |
+    The legacy Role Based Access Control policy used by ironic-inspector has
+    been disabled by default. The end result of this is that the legacy
+    ``baremetal_admin`` and ``baremetal_observer`` roles are no longer enabled
+    by default. System scoped access can be utilized to connect to the
+    ``ironic-inspector`` service, or alternatively a user with an ``admin``
+    or ``service`` role.
+
+    The Ironic project does not anticipate any issues with this change, as the
+    the ``ironic-inspector`` service is a service *for* the system itself.
+    That being said, if the operator deployed configuration is reliant upon
+    the deprecated roles, configuration changes will be required.
+
+    This change is a result of the new policy which was introduced as part of
+    `Consistent and Secure RBAC`_ community goal and the underlying
+    ``[oslo_policy] enforce_scope`` and ``[oslo_policy] enforce_new_defaults``
+    settings being changed to ``True``.
+
+    Operators wishing to revert to the old policy configuration may do so
+    by setting the following values in ``ironic-inspector.conf``.::
+
+      [oslo_policy]
+      enforce_new_defaults=False
+      enforce_scope=False
+
+    Operators who revert the configuration are encouraged to make the
+    necessary changes to their configuration, as the legacy RBAC policy
+    will be removed at some point in the future. Please review
+    `2024.1-Release Timeline`_. Failure to do so will may force operators
+    to craft custom policy override configuration.
+
+    .. _`Consistent and Secure RBAC`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
+    .. _`2024.1-Release Timeline`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3
diff --git a/zuul.d/ironic-inspector-jobs.yaml b/zuul.d/ironic-inspector-jobs.yaml
index b03ca54d6..ba864f38a 100644
--- a/zuul.d/ironic-inspector-jobs.yaml
+++ b/zuul.d/ironic-inspector-jobs.yaml
@@ -173,6 +173,8 @@
           CIRROS_VERSION: 0.6.1
           MYSQL_GATHER_PERFORMANCE: False
           INSTANCE_WAIT: 120
+          IRONIC_INSPECTOR_ENFORCE_SCOPE: True
+          IRONIC_ENFORCE_SCOPE: True
         old:
           IRONIC_VM_LOG_DIR: '{{ devstack_bases.old }}/ironic-bm-logs'
       grenade_localrc: