The B319 check to ensure no use of xrange is not an issue in a Python
3-only codebase, while the unittest assert-focused B311, B312 and B321
checks duplicate H203, H204 and H203 (again) from hacking respectively.
An unnecessary 'py3pep8' tox environment is removed since the standard
'pep8' environment uses Python 3 now.
Change-Id: I8eb8c6accd1c2f2c7851a08b372235699a971ad9
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This patch updates the installation doc for the devstack plugin. It
also removes the Vagrant option as it has not been maintained in quite
some time.
Change-Id: I97fc2fac0cb29b1059b668bbe817a2778a8a4a70
This patch fixes a zuul syntax error due to a deprecated definition that
was still in use in our configuration.
It also makes the grenade job non-voting as it is currently failing. A
follow up patch will fix grenade and re-enable voting.
Change-Id: I271a3d50dba5f1c7c58c01838fa68b4c8adbd72c
This patch fixes the remaining default policies to ensure they are only
evaluated when enforce_new_defaults=True.
The 'reader' role is removed from the policy tests in this codebase
because they now correctly fail.
The 'reader' role was introduced into the policy tests in
060ca2ee369af1fff3bf833d466f33d1889fb72e and the dynamic tests that were
generated passed because of the issue being resolved in this patch.
Now that the new default policies are not being evaluated when
enforce_new_defaults=False the requests using the 'reader' role are
correctly denied.
Story: 2010235
Task: 46036
Change-Id: Ief495c50bb120e2aa671dbcc80734ccb5a839b74
This patch fixes the Consumers API policies to ensure
that they are only evaluated when enforce_new_defaults = True
Change-Id: I4e91ca55e3d4030dfdc55d78b92ec3ad3f94bd64
This patch fixes the Consumers API policies to ensure
that they are only evaluated when enforce_new_defaults = True
Story: 2010235
Change-Id: I191f41372a5c0b334ff858743a9303325db40cb6
This patch fixes policy issues for deployments that have not yet opted
into the Secure RBAC defaults by making sure that the new policies are
only evaluated when enforce_new_defaults = True.
This prevents policy side-effects where some users with roles used in
the new policy defaults are able to access APIs that they were not
allowed to access with the legacy deprecated policies.
This patch also deprecates the old policies using DeprecatedRule objects
from oslo_policy to ensure that the enforce_new_defaults option works as
expected.
Story: 2010235
Change-Id: I758cd5030e56c6268017a8b133baba7b74db74cb
This patch fixes policy issues for deployments that have not yet opted
into the Secure RBAC defaults by making sure that the new policies are
only evaluated when enforce_new_defaults = True.
This prevents policy side-effects where some users with roles used in
the new policy defaults are able to access APIs that they were not
allowed to access with the legacy deprecated policies.
This patch also deprecates the old policies using DeprecatedRule objects
from oslo_policy to ensure that the enforce_new_defaults option works as
expected.
Story: 2010235
Change-Id: I8131987a5b3fc200674b61a52eebb93717d84baa
This patch fixes the Secure RBAC Secret ACL policies to ensure that they
are only evaluated when enforce_new_defaults = True
Story: 2010235
Change-Id: I176091f8658fff75ba2d55aa937203c22a7f43b4
This patch fixes the deprecated_since parameter for deprecated rules
from ZED to WALLABY when the new policies were introduced.
Change-Id: I1b5f9b925a6fa961ea5bbc29a79927075ba707e0
This patch fixes policy issues for deployments that have not yet opted
into the Secure RBAC defaults by making sure that the new policies are
only evaluated when enforce_new_defaults = True.
This prevents policy side-effects where some users with roles used in
the new policy defaults are able to access APIs that they were not
allowed to access with the legacy deprecated policies.
This patch also deprecates the old policies using DeprecatedRule objects
from oslo_policy to ensure that the enforce_new_defaults option works as
expected.
Story: 2010235
Depends-On: I16ed904eeb27ab7110a7e4e56ef7ea89c8c3c2ab
Change-Id: I224c50a8bf9f540f8f643339a4beeaff36ca6509
Add the required services and run a few barbican-specific tests
to validate the upgrade.
The grenade plugin contains a few settings which don't need to be
set anymore explicitly and they are not in the job configuration
(as devstack/upgrade/settings is not used anymore):
- all the image-related variables don't need to be overridden anymore,
the default one from devstack should be used
- Image API v1 has been disabled since tempest 20.0
The job can be switched to voting again.
Change-Id: Id0682aea57d4d1fc49334f2dd11ef9a0ffb355fb
Make devstack's create_barbican_accounts function idempotent by
using get_or_create_XXX functions to configure resources (users,
roles, endpoints, etc.).
This avoids problems in situations such as [1], where the cinder service
needs the "creator" role. Cinder ends up creating the role first,
which would cause create_barbican_accounts to subsequently fail if
barbican assumes that it will create the role.
[1] Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d
Change-Id: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
This reverts commit 57fb686b20451753e609729e96a7f04729769bbc.
Reason for revert: FIPS job working now
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/844704
Change-Id: I262ace1bb54192a9c998cf17a0dcd2b9fc7ae0a2
This patch updates the default policy to allow users with the
"creator" role to edit Secret and Container ACLs.
Secrets that have an ACL set to private will only be able to be edited
by the user who owns the secret.
Change-Id: I0dc603a3e3a894fee774483a70285d47b57abdf8
The gate job barbican-tox-functional-fips is failing at the gate due to
a dependency issue when building the environment. Specifically, it
appears that the package "liberasurecode-devel" fails to be found in the
CentOS 9 repositories.
This patch temporarily disables gate-voting for the FIPS job. We should
be able to re-enable voting once this dependency issue is solved.
Change-Id: I9d8028454468f95bae405677dcd492fa2e52f93f
The implementation follows nova and implements an is_supported
function, that can be used in controllers, to check the requested
version and take different code paths depending on the result.
This reverts commit 7b14d983e0dce6dcffe9781b05c52335b8203fc7.
Change-Id: I5651a69f93288ac1dfdc1c8b1ad0f904e370c127
The TripleO team has replaced their CentOS 8 jobs with CentOS 9.
Unfortunately, this broke our gate because we're still looking for the
CentOS 8 jobs. This patch updates our jobs to use CentOS 9, which
should fix the gate.
Change-Id: Id54d0581dfc1426fea50302ea6b5b5ab217fe48d
The options used by service launchers in the oslo.service library were
missing from barbican.conf. This change ensures that these parameters
are picked up by oslo-config-generator.
Change-Id: Ib90fee2d09eec2d6e2755a7d56ec46c9c0154bcc
This change ensures the options of the healthcheck middleware, which is
enabled in api pipeline since [1] was merged, are included in
barbican.conf generated by the oslo-config-generator command.
[1] 3fc072d986f141b7153e4cd4543028f665f04ad0
Change-Id: I95418a2413591f326148fb1ab0954ada8941bfb1
Add file to the reno documentation build to show release notes for
stable/yoga.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.
Sem-Ver: feature
Change-Id: Ibf5116796e53b70424a7c3fc45e1c91b345ec1a9
This patch modifies the Consumer controller to enable the use of
ownership information in policy checks. e.g. policies that use a target
container:
project_id:%(target.container.project_id)
Story: 2009664
Task: 43872
Depends-On: I8698fc7a9ac849b8c24adfe824ca44dd3e42b999
Change-Id: I1724152839f0f5850f8d32d40b36d1670c0ad996