Add enforce_scope setting support for Glance
Glance has started moving to the new RBAC, and glance-tempest-plugin
and Tempest need to set a few configuration options to enable the
scope checks on the Glance side, and likewise on the Tempest side to
tell it that Glance is ready with scope checks, so that tests can be
run with scoped tokens.
Conflicts:
lib/tempest
Change-Id: I09f513d08212bc80a3a86a750b29b1c6625d2f89
(cherry picked from commit 8c93049220
)
parent
09d5617def
commit
d451168df2
12
lib/glance
12
lib/glance
@ -85,6 +85,12 @@ GLANCE_TASKS_DIR=${GLANCE_MULTISTORE_FILE_IMAGE_DIR:=$DATA_DIR/os_glance_tasks_s
|
||||
|
||||
GLANCE_USE_IMPORT_WORKFLOW=$(trueorfalse False GLANCE_USE_IMPORT_WORKFLOW)
|
||||
|
||||
# Flag to set the oslo_policy.enforce_scope. This is used to switch
|
||||
# the Image API policies to start checking the scope of token. By Default,
|
||||
# this flag is False.
|
||||
# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
|
||||
GLANCE_ENFORCE_SCOPE=$(trueorfalse False GLANCE_ENFORCE_SCOPE)
|
||||
|
||||
GLANCE_CONF_DIR=${GLANCE_CONF_DIR:-/etc/glance}
|
||||
GLANCE_METADEF_DIR=$GLANCE_CONF_DIR/metadefs
|
||||
GLANCE_API_CONF=$GLANCE_CONF_DIR/glance-api.conf
|
||||
@ -373,6 +379,12 @@ function configure_glance {
|
||||
iniset $GLANCE_API_CONF DEFAULT bind_port $GLANCE_SERVICE_PORT_INT
|
||||
iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
|
||||
fi
|
||||
|
||||
if [[ "$GLANCE_ENFORCE_SCOPE" == True ]] ; then
|
||||
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
|
||||
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
|
||||
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
|
||||
fi
|
||||
}
|
||||
|
||||
# create_glance_accounts() - Set up common required glance accounts
|
||||
|
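Review bot: The comment added above `GLANCE_ENFORCE_SCOPE` documents only `oslo_policy.enforce_scope`, but the branch added in `configure_glance` also sets `oslo_policy enforce_new_defaults` and `DEFAULT enforce_secure_rbac` to true, so enabling the flag changes the effective Image API policy defaults and not just token-scope checking. I would say so where the variable is declared, for example `# When True, configure_glance also sets oslo_policy.enforce_new_defaults and` / `# DEFAULT.enforce_secure_rbac, so the new RBAC policy defaults take effect.` The branch also writes nothing when the flag is False, so if `$GLANCE_API_CONF` is reused from an earlier run (not visible from these hunks) the three options would keep their previous values; a short comment stating that False means "leave the service defaults untouched" would make that intent explicit. `configure_glance` starts outside the hunk.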
@ -612,6 +612,8 @@ function configure_tempest {
|
||||
fi
|
||||
done
|
||||
|
||||
iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
|
||||
|
||||
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
|
||||
# libvirt-lxc does not support boot from volume or attaching volumes
|
||||
# so basically anything with cinder is out of the question.
|
||||
|
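Review bot: `GLANCE_ENFORCE_SCOPE` is written into `$TEMPEST_CONFIG` with no fallback in the added `iniset` line, and the only place these hunks define and normalise it with `trueorfalse` is lib/glance. If lib/tempest can run without lib/glance having been sourced (I cannot confirm either way from this hunk), `enforce_scope glance` would be set to an empty string instead of a boolean. Writing `iniset $TEMPEST_CONFIG enforce_scope glance "${GLANCE_ENFORCE_SCOPE:-False}"` keeps Tempest on the unscoped-token path in that case, which matches the default on the Glance side. `configure_tempest` begins and ends outside the hunk.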