Revert "Add enforce_scope setting support for keystone"

This reverts commit 9dc2b88eb4.

Reason for revert: Devstack creation/setup the things are not yet moved to scope tokens so we need to wait for that first and then do the scope check enable globally. 

Change-Id: If0368aca39c1325bf90abd23831118b89e746222
This commit is contained in:
Ghanshyam 2021-08-10 14:49:54 +00:00 committed by Ghanshyam Mann
parent 971dfbf8a0
commit 26bd94b45e
2 changed files with 0 additions and 20 deletions

View File

@ -134,12 +134,6 @@ KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
# Cache settings # Cache settings
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True} KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
# Flag to set the oslo_policy.enforce_scope. This is used to switch
# the Identity API policies to start checking the scope of token. By Default,
# this flag is False.
# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
# Functions # Functions
# --------- # ---------
@ -287,11 +281,6 @@ function configure_keystone {
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi fi
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
fi
} }
# create_keystone_accounts() - Sets up common required keystone accounts # create_keystone_accounts() - Sets up common required keystone accounts

View File

@ -600,15 +600,6 @@ function configure_tempest {
fi fi
done done
# ``enforce_scope``
# If services enable the enforce_scope for their policy
# we need to enable the same on Tempest side so that
# test can be run with scoped token.
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
iniset $TEMPEST_CONFIG enforce_scope keystone true
iniset $TEMPEST_CONFIG auth admin_system 'all'
iniset $TEMPEST_CONFIG auth admin_project_name ''
fi
iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE" iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE" iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"