Enable Secure RBAC by default

This patch sets both `enforce_new_defaults` and `enforce_scope` to the default value of `True` as the next step in the implementation of Secure RBAC [1]. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html Change-Id: I935cb34877c8edf62f33f1ba1fe31c942780b3a0
2023-08-31 13:48:17 -05:00 · 2023-08-31 13:48:17 -05:00 · 6dcb00f8b9
commit 6dcb00f8b9
parent c8e3dc14e6
2 changed files with 12 additions and 1 deletions
--- a/barbican/common/config.py
+++ b/barbican/common/config.py
@ -338,7 +338,11 @@ def set_lib_defaults():
    # once oslo_policy change the default value to 'policy.yaml'.
    # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
    DEFAULT_POLICY_FILE = 'policy.yaml'
-    policy_opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+    policy_opts.set_defaults(
+        CONF,
+        DEFAULT_POLICY_FILE,
+        enforce_scope=True,
+        enforce_new_defaults=True)


 def set_middleware_defaults():
--- a/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml
+++ b/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - |
+    This release uses Secure RBAC by default (See: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html )
+    To opt out of this change and continue using the legacy policies set 
+    enforce_new_defaults=False and enforce_scope=False in the [oslo_policy]
+    section of barbican.conf.