Merge "Change policy to enforce only new policy"

This commit is contained in:
Zuul 2024-01-26 04:03:33 +00:00 committed by Gerrit Code Review
commit 212d0b2a9a
4 changed files with 42 additions and 3 deletions

View File

@ -26,10 +26,10 @@ IRONIC_INSPECTOR_UWSGI_CONF=$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.in
# explicitly unless otherwise set.
IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-False}}
# and then fallback to trueorfalse to put it into the standardized string format for the jobs.
IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse False IRONIC_INSPECTOR_ENFORCE_SCOPE)
IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse True IRONIC_INSPECTOR_ENFORCE_SCOPE)
# Reset the input in the event the plugin is running separately from ironic's
# devstack plugin.
IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
IRONIC_ENFORCE_SCOPE=$(trueorfalse True IRONIC_ENFORCE_SCOPE)
if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then

View File

@ -28,7 +28,9 @@ _ENFORCER = None
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE,
enforce_scope=True,
enforce_new_defaults=True)
# Generic policy check string for system administrators. These are the people
# who need the highest level of authorization to operate the deployment.

View File

@ -0,0 +1,35 @@
---
upgrade:
- |
The legacy Role Based Access Control policy used by ironic-inspector has
been disabled by default. The end result of this is that the legacy
``baremetal_admin`` and ``baremetal_observer`` roles are no longer enabled
by default. System scoped access can be utilized to connect to the
``ironic-inspector`` service, or alternatively a user with an ``admin``
or ``service`` role.
The Ironic project does not anticipate any issues with this change, as the
the ``ironic-inspector`` service is a service *for* the system itself.
That being said, if the operator deployed configuration is reliant upon
the deprecated roles, configuration changes will be required.
This change is a result of the new policy which was introduced as part of
`Consistent and Secure RBAC`_ community goal and the underlying
``[oslo_policy] enforce_scope`` and ``[oslo_policy] enforce_new_defaults``
settings being changed to ``True``.
Operators wishing to revert to the old policy configuration may do so
by setting the following values in ``ironic-inspector.conf``.::
[oslo_policy]
enforce_new_defaults=False
enforce_scope=False
Operators who revert the configuration are encouraged to make the
necessary changes to their configuration, as the legacy RBAC policy
will be removed at some point in the future. Please review
`2024.1-Release Timeline`_. Failure to do so will may force operators
to craft custom policy override configuration.
.. _`Consistent and Secure RBAC`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
.. _`2024.1-Release Timeline`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3

View File

@ -173,6 +173,8 @@
CIRROS_VERSION: 0.6.1
MYSQL_GATHER_PERFORMANCE: False
INSTANCE_WAIT: 120
IRONIC_INSPECTOR_ENFORCE_SCOPE: True
IRONIC_ENFORCE_SCOPE: True
old:
IRONIC_VM_LOG_DIR: '{{ devstack_bases.old }}/ironic-bm-logs'
grenade_localrc: