Merge "Enable new defaults and scope checks by default"

2023-12-04 09:13:22 +00:00 · 2023-12-04 09:13:22 +00:00 · b207d54612
commit b207d54612
parent d131a1ada2 6d13e93a37
5 changed files with 19 additions and 6 deletions
--- a/devstack/lib/heat
+++ b/devstack/lib/heat
@ -63,9 +63,9 @@ HEAT_CFN_API_UWSGI=$HEAT_BIN_DIR/heat-wsgi-api-cfn

 # Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
 # This is used to disable the compute API policies scope and new defaults.
-# By Default, it is False.
+# By Default, it is True.
 # For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
-HEAT_ENFORCE_SCOPE=$(trueorfalse False HEAT_ENFORCE_SCOPE)
+HEAT_ENFORCE_SCOPE=$(trueorfalse True HEAT_ENFORCE_SCOPE)

 # other default options
 if [[ "$HEAT_STANDALONE" == "True" ]]; then
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@ -38,7 +38,11 @@ DEFAULT_RESOURCE_RULES = policy.Rules.from_dict({'default': '@'})
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+    CONF,
+    DEFAULT_POLICY_FILE,
+    enforce_scope=True,
+    enforce_new_defaults=True)

 ENFORCER = None

--- a/heat/tests/test_common_policy.py
+++ b/heat/tests/test_common_policy.py
@ -71,18 +71,20 @@ class TestPolicyEnforcer(common.HeatTestCase):
    @ddt.file_data('policy/test_acl_personas.yaml')
    @ddt.unpack
    def test_legacy_rbac_policies(self, **kwargs):
+        self.fixture.config(group='oslo_policy', enforce_scope=False)
+        self.fixture.config(group='oslo_policy', enforce_new_defaults=False)
        self._test_legacy_rbac_policies(**kwargs)

    @ddt.file_data('policy/test_deprecated_access.yaml')
    @ddt.unpack
    def test_deprecated_policies(self, **kwargs):
+        self.fixture.config(group='oslo_policy', enforce_scope=False)
+        self.fixture.config(group='oslo_policy', enforce_new_defaults=False)
        self._test_legacy_rbac_policies(**kwargs)

    @ddt.file_data('policy/test_new_acl_personas.yaml')
    @ddt.unpack
    def test_secure_rbac_policies(self, **kwargs):
-        self.fixture.config(group='oslo_policy', enforce_scope=True)
-        self.fixture.config(group='oslo_policy', enforce_new_defaults=True)
        scope = kwargs.get("scope")
        actions = kwargs.get("actions")
        allowed_personas = kwargs.get("allowed", [])
--- a/releasenotes/notes/enable-enforce-scope-and-new-defaults-76e9b64cc5bed89e.yaml
+++ b/releasenotes/notes/enable-enforce-scope-and-new-defaults-76e9b64cc5bed89e.yaml
@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    Now heat enables the API policies (RBAC) new defaults and scope by default.
+    The default value of config options ``[oslo_policy] enforce_scope`` and
+    ``[oslo_policy] enforce_new_defaults`` have been changed from ``False`` to
+    ``True``.
--- a/requirements.txt
+++ b/requirements.txt
@ -21,7 +21,7 @@ oslo.i18n>=3.20.0 # Apache-2.0
 oslo.log>=4.3.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.serialization>=2.25.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0