
Commit 857f499

author
Ghanshyam Mann
committed
Add RBAC scope and new defaults setting support for Nova & Tempest
Nova is ready with the scope and new defaults as per the new RBAC design. Add a devstack flag to enable the scope checks and the new-defaults enforcement on the Nova side. Change-Id: I305ea626a4b622c5534d523f4b619832f9d35f8d
1 parent ab16202 commit 857f499

2 files changed

Lines changed: 14 additions & 0 deletions


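--- a/lib/nova
+++ b/lib/nova
@@ -97,6 +97,12 @@ NOVA_SERVICE_LISTEN_ADDRESS=${NOVA_SERVICE_LISTEN_ADDRESS:-$(ipv6_unquote $SERVI
 METADATA_SERVICE_PORT=${METADATA_SERVICE_PORT:-8775}
 NOVA_ENABLE_CACHE=${NOVA_ENABLE_CACHE:-True}
 
+# Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
+# This is used to switch the compute API policies enable the scope and new defaults.
+# By Default, these flag are False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+NOVA_ENFORCE_SCOPE=$(trueorfalse False NOVA_ENFORCE_SCOPE)
+
 if [[ $SERVICE_IP_VERSION == 6 ]]; then
 NOVA_MY_IP="$HOST_IPV6"
 else
@@ -481,6 +487,10 @@ function create_nova_conf {
 NOVA_ENABLED_APIS=$(echo $NOVA_ENABLED_APIS | sed "s/,metadata//")
 fi
 iniset $NOVA_CONF DEFAULT enabled_apis "$NOVA_ENABLED_APIS"
+if [[ "$NOVA_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
+iniset $NOVA_CONF oslo_policy enforce_new_defaults True
+iniset $NOVA_CONF oslo_policy enforce_scope True
+fi
 if is_service_enabled tls-proxy && [ "$NOVA_USE_MOD_WSGI" == "False" ]; then
 # Set the service port for a proxy to take the original
 iniset $NOVA_CONF DEFAULT osapi_compute_listen_port "$NOVA_SERVICE_PORT_INT"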
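Review bot: The new `if` in create_nova_conf writes `enforce_scope` and `enforce_new_defaults` only when the flag is True and has no `else`, so with the flag off nova.conf carries whatever oslo.policy ships as its default rather than an explicit False. A job that is meant to run without scope enforcement would change behaviour silently if that library default changes; adding `else` with `iniset $NOVA_CONF oslo_policy enforce_new_defaults False` and `iniset $NOVA_CONF oslo_policy enforce_scope False` makes the deployed policy mode explicit either way. The comment above `NOVA_ENFORCE_SCOPE` should also mention that the global `ENFORCE_SCOPE` turns both options on, since the condition honours it. create_nova_conf begins and ends outside the hunk.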

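--- a/lib/tempest
+++ b/lib/tempest
@@ -674,6 +674,10 @@ function configure_tempest {
 iniset $TEMPEST_CONFIG auth admin_project_name ''
 fi
 
+if [[ "$NOVA_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+iniset $TEMPEST_CONFIG enforce_scope nova true
+fi
+
 if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
 iniset $TEMPEST_CONFIG enforce_scope glance true
 fi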
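Review bot: The literal comparison `"$NOVA_ENFORCE_SCOPE" == True` in configure_tempest is exact only because lib/nova normalizes the value with `trueorfalse`; whether `ENFORCE_SCOPE` is normalized the same way is not visible in this hunk. If either variable reaches this point as `true` or `1`, Tempest would be left with scope enforcement off for nova and the run would pass without exercising the scoped policies. A one-line comment such as `# NOVA_ENFORCE_SCOPE/ENFORCE_SCOPE are expected to be normalized to True/False before this point` would record that dependency; the same applies to the existing Glance block below. configure_tempest starts and ends outside the hunk.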
