openstack/barbican
Code Issues Proposed changes

Enable Secure RBAC by default

Browse Source 
This patch sets both `enforce_new_defaults` and `enforce_scope` to the
default value of `True` as the next step in the implementation of Secure
RBAC [1].

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: I935cb34877c8edf62f33f1ba1fe31c942780b3a0
This commit is contained in:
Douglas Mendizábal 2023-08-31 13:48:17 -05:00
parent c8e3dc14e6
commit 6dcb00f8b9
2 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
barbican/common/config.py
View File

@ -338,7 +338,11 @@ def set_lib_defaults():
# once oslo_policy change the default value to 'policy.yaml'. # once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml' DEFAULT_POLICY_FILE = 'policy.yaml'
policy_opts.set_defaults(CONF, DEFAULT_POLICY_FILE) policy_opts.set_defaults(
CONF,
DEFAULT_POLICY_FILE,
enforce_scope=True,
enforce_new_defaults=True)
def set_middleware_defaults(): def set_middleware_defaults():

7
releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml Normal file
View File

@ -0,0 +1,7 @@
---
security:
- |
This release uses Secure RBAC by default (See: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html )
To opt out of this change and continue using the legacy policies set
enforce_new_defaults=False and enforce_scope=False in the [oslo_policy]
section of barbican.conf.