Revert "Revert "Add enforce_scope setting support for keystone""

This reverts commit 26bd94b45e. Reason for revert: Devstack keystone creation/setup are moved to scope tokens, so we can reintroduce the scope check enable. Change-Id: I6e1c261196dbcaf632748fb6f04e0867648b76c7
2021-10-26 10:50:37 +02:00 · 2021-10-26 10:50:37 +02:00 · 5f5002a378
commit 5f5002a378
parent ae40825df6
2 changed files with 20 additions and 0 deletions
--- a/lib/keystone
+++ b/lib/keystone
@ -124,6 +124,12 @@ KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
 # Whether to create a keystone admin endpoint for legacy applications
 KEYSTONE_ADMIN_ENDPOINT=$(trueorfalse False KEYSTONE_ADMIN_ENDPOINT)

+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Identity API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+
 # Functions
 # ---------

@ -259,6 +265,11 @@ function configure_keystone {
        iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
        iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
    fi
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+        iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
+        iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+    fi
 }

 # create_keystone_accounts() - Sets up common required keystone accounts
--- a/lib/tempest
+++ b/lib/tempest
@ -608,6 +608,15 @@ function configure_tempest {
        fi
    done

+    # ``enforce_scope``
+    # If services enable the enforce_scope for their policy
+    # we need to enable the same on Tempest side so that
+    # test can be run with scoped token.
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $TEMPEST_CONFIG enforce_scope keystone true
+        iniset $TEMPEST_CONFIG auth admin_system 'all'
+        iniset $TEMPEST_CONFIG auth admin_project_name ''
+    fi
    iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"

    iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"