Merge "Change policy to enforce only new policy"
commit
212d0b2a9a
@ -26,10 +26,10 @@ IRONIC_INSPECTOR_UWSGI_CONF=$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.in
|
||||
# explicitly unless otherwise set.
|
||||
IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-False}}
|
||||
# and then fallback to trueorfalse to put it into the standardized string format for the jobs.
|
||||
IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse False IRONIC_INSPECTOR_ENFORCE_SCOPE)
|
||||
IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse True IRONIC_INSPECTOR_ENFORCE_SCOPE)
|
||||
# Reset the input in the event the plugin is running separately from ironic's
|
||||
# devstack plugin.
|
||||
IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
|
||||
IRONIC_ENFORCE_SCOPE=$(trueorfalse True IRONIC_ENFORCE_SCOPE)
|
||||
|
||||
|
||||
if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then
|
||||
|
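Review bot: The unchanged fallback line above the first changed call still ends in `False`, so when neither variable is set, `IRONIC_INSPECTOR_ENFORCE_SCOPE` already holds the string `False` before the new `trueorfalse True` call runs. `trueorfalse` is defined outside this page, but if it applies its default only to an empty variable, the inspector plugin keeps scope enforcement off by default while `IRONIC_ENFORCE_SCOPE` alone becomes `True`. If the intent is enforcement by default, the inner default needs to change as well: `IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-True}}`. The job variables added in the last section of this commit set both values explicitly, so CI would not expose the difference; it would only show on a devstack run that leaves both unset.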
@ -28,7 +28,9 @@ _ENFORCER = None
|
||||
# once oslo_policy change the default value to 'policy.yaml'.
|
||||
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
|
||||
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE,
|
||||
enforce_scope=True,
|
||||
enforce_new_defaults=True)
|
||||
|
||||
# Generic policy check string for system administrators. These are the people
|
||||
# who need the highest level of authorization to operate the deployment.
|
||||
|
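Review bot: The comment above `opts.set_defaults(...)` still describes the call only as a workaround for the policy file name, to be dropped "once oslo_policy change the default value to 'policy.yaml'". The same call now also turns on `enforce_scope` and `enforce_new_defaults`, so following that comment later would silently disable the new RBAC enforcement. The comment starts outside this hunk, so its full wording is not visible here. I would add a line such as `# Also enforce scope and the new RBAC defaults; keep these even if the policy_file workaround is removed.` directly above the call. It is also worth confirming that the minimum oslo.policy in the requirements accepts these keyword arguments to `set_defaults`, since no requirements change is shown on this page.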
@ -0,0 +1,35 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
The legacy Role Based Access Control policy used by ironic-inspector has
|
||||
been disabled by default. The end result of this is that the legacy
|
||||
``baremetal_admin`` and ``baremetal_observer`` roles are no longer enabled
|
||||
by default. System scoped access can be utilized to connect to the
|
||||
``ironic-inspector`` service, or alternatively a user with an ``admin``
|
||||
or ``service`` role.
|
||||
|
||||
The Ironic project does not anticipate any issues with this change, as the
|
||||
the ``ironic-inspector`` service is a service *for* the system itself.
|
||||
That being said, if the operator deployed configuration is reliant upon
|
||||
the deprecated roles, configuration changes will be required.
|
||||
|
||||
This change is a result of the new policy which was introduced as part of
|
||||
`Consistent and Secure RBAC`_ community goal and the underlying
|
||||
``[oslo_policy] enforce_scope`` and ``[oslo_policy] enforce_new_defaults``
|
||||
settings being changed to ``True``.
|
||||
|
||||
Operators wishing to revert to the old policy configuration may do so
|
||||
by setting the following values in ``ironic-inspector.conf``.::
|
||||
|
||||
[oslo_policy]
|
||||
enforce_new_defaults=False
|
||||
enforce_scope=False
|
||||
|
||||
Operators who revert the configuration are encouraged to make the
|
||||
necessary changes to their configuration, as the legacy RBAC policy
|
||||
will be removed at some point in the future. Please review
|
||||
`2024.1-Release Timeline`_. Failure to do so will may force operators
|
||||
to craft custom policy override configuration.
|
||||
|
||||
.. _`Consistent and Secure RBAC`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
|
||||
.. _`2024.1-Release Timeline`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3
|
@ -173,6 +173,8 @@
|
||||
CIRROS_VERSION: 0.6.1
|
||||
MYSQL_GATHER_PERFORMANCE: False
|
||||
INSTANCE_WAIT: 120
|
||||
IRONIC_INSPECTOR_ENFORCE_SCOPE: True
|
||||
IRONIC_ENFORCE_SCOPE: True
|
||||
old:
|
||||
IRONIC_VM_LOG_DIR: '{{ devstack_bases.old }}/ironic-bm-logs'
|
||||
grenade_localrc:
|
||||
|