openstack
/
keystone
Code Issues Proposed changes

Use enforce_new_defaults when setting up keystone protection tests 

The `keystone.conf [oslo_policy] enforce_new_defaults` option is meant
to help deployments that want to opt into the new policy enforcement
model (with scope checking) but without having to generate override
files. This is the case for devstack and tempest.

We can use this to bypass generating a policy file with just the new
policies for tempest testing.

Change-Id: I3b219bde569c5a8001aec0c243027b6881254304
This commit is contained in:
Lance Bragstad 2020-10-29 18:28:22 +00:00
parent 5d7c92e204
commit 5d2f716e4b
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
devstack/lib/scope.sh
View File

@ -14,9 +14,9 @@
function configure_enforce_scope {
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
sudo systemctl restart devstack@keystone
oslopolicy-policy-generator --namespace keystone > /etc/keystone/policy.yaml
}
function configure_protection_tests {