Keep new RBAC disable by default

oslo.policy has enabled the new RBAC config options
enforce_scope and enforce_new_defaults by default[1][2].

Barbican new RBAC was disable by default. To give more time
to operator, let's continue the same setting in this release
also.

Also, there are many test modification is needed for the new
RBAC (using the new RBAC default role in tests)
- https://ce83b06baa590a9f8123-eae5def07f653ed6fc0c0045180a6a87.ssl.cf2.rackcdn.com/925464/3/check/cross-barbican-py311/86af837/testr_results.html

As oslo.policy enable them by default, we override the setting
for the Barbican.

NOTE: there is no change in behaviour, Barbican continue with the
old RBAC as default.

ref: https://review.opendev.org/c/openstack/requirements/+/925464

[1] https://review.opendev.org/c/openstack/oslo.policy/+/924283
[2] https://review.opendev.org/c/openstack/releases/+/925032

Change-Id: I8514969e12851d03f3dbee93b040d6c8763ebc5c
This commit is contained in:
Ghanshyam Mann 2024-08-20 18:07:14 -07:00
parent f3f104079a
commit 9d641cef18
2 changed files with 10 additions and 4 deletions

View File

@ -23,11 +23,17 @@ CONF = config.CONF
ENFORCER = None
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# TODO(gmann): Remove setting the default value of config:
# - policy_file once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
# - 'enforce_scope', and 'enforce_new_defaults' once barbican is ready with the
# new RBAC (oslo_policy enable them by default)
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
opts.set_defaults(
CONF,
DEFAULT_POLICY_FILE,
enforce_scope=False,
enforce_new_defaults=False)
def reset():

View File

@ -10,7 +10,7 @@ oslo.i18n>=3.15.3 # Apache-2.0
oslo.messaging>=14.1.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.log>=4.3.0 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0
oslo.policy>=3.11.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
oslo.upgradecheck>=1.3.0 # Apache-2.0