From ab5e01a0da1c9cbfce150495cede27a059e172e6 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Fri, 30 Aug 2024 00:43:24 -0700 Subject: [PATCH] Keep new RBAC disable by default oslo.policy has enabled the new RBAC config options enforce_scope and enforce_new_defaults by default[1][2]. There are more changes (test fixes also) needed to make Horizon work with new RBAC. Some of the required changes can be seen in the below changes: - https://zuul.opendev.org/t/openstack/build/dad4aacd73ae4eee8dc58fced1730732 - https://review.opendev.org/c/openstack/horizon/+/927341 - https://review.opendev.org/c/openstack/horizon/+/927342 NOTE: Horizon has not enabled the new BRAC yet so there is no change in behaviour in this release. Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464 [1] https://review.opendev.org/c/openstack/oslo.policy/+/924283 [2] https://review.opendev.org/c/openstack/releases/+/925032 Change-Id: Idfe9336df9f98badc1773a07c848b521a1323f3e
---
 openstack_auth/policy.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index 74ca0aabb2..767561ad28 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -35,7 +35,12 @@ def _get_policy_conf(policy_file, policy_dirs=None):
 conf = cfg.ConfigOpts()
 # Passing [] is required. Otherwise oslo.config looks up sys.argv.
 conf([])
- policy_opts.set_defaults(conf)
+ # TODO(gmann): Remove setting the default value of 'enforce_scope'
+ # and 'enforce_new_defaults' once Horizon is ready with the
+ # new RBAC (oslo_policy enabled them by default).
+ policy_opts.set_defaults(conf,
+ enforce_scope=False,
+ enforce_new_defaults=False)
 conf.set_default('policy_file', policy_file, 'oslo_policy')
 # Policy Enforcer has been updated to take in a policy directory
 # as a config option. However, the default value in is set to
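Review bot: In `_get_policy_conf`, `enforce_scope=False` and `enforce_new_defaults=False` are passed to `policy_opts.set_defaults` on a `ConfigOpts` that was initialised with `conf([])`, so as far as this hunk shows no config file can override them and they act as the effective values for every policy check Horizon evaluates with this conf. If the services behind the dashboard run with the new oslo.policy defaults, Horizon's view of what a user may do can differ from what the API actually enforces, and the TODO should say so, e.g. `# NOTE: no config file is loaded here, so these are effective values, not overridable defaults; Horizon's checks may differ from services that enforce scope.` It is also worth confirming that the minimum oslo.policy version Horizon requires has a `set_defaults` that accepts these keyword arguments, since an older signature would presumably raise `TypeError` on this call. The function starts and ends outside the hunk, so any later override in its body is not visible here.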