Enable secure rbac

This setting policies (RBAC) new defaults and scope to ``True`` by default. Note: This should only merged, after at least a cycle gap to allow operators to adopt new changes. Depends-On: https://review.opendev.org/c/openstack/magnum-tempest-plugin/+/877086 Change-Id: I6db4eaa64e2efd455dc3d37ccc74ebd8e7a5dbb2
2023-03-08 14:56:56 +08:00 · 2023-03-08 14:56:56 +08:00 · a48df816cb
parent 1b2261de26
commit a48df816cb
3 changed files with 32 additions and 6 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -59,11 +59,11 @@
      - release-notes-jobs-python3
    check:
      jobs:
-        - magnum-tempest-plugin-tests-api
+        - magnum-tempest-plugin-tests-api-rbac
        - magnum-container-build
    gate:
      jobs:
-        - magnum-tempest-plugin-tests-api
+        - magnum-tempest-plugin-tests-api-rbac
    post:
      jobs:
        - magnum-container-publish
--- a/magnum/common/policy.py
+++ b/magnum/common/policy.py
@ -32,11 +32,16 @@ LOG = logging.getLogger(__name__)
 _ENFORCER = None
 CONF = cfg.CONF

-# TODO(gmann): Remove setting the default value of config policy_file
-# once oslo_policy change the default value to 'policy.yaml'.
-# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+# TODO(ricolin): Remove overriding the default value of config options
+# 'policy_file', 'enforce_scope', and 'enforce_new_defaults' once
+# oslo_policy change their default value to what is overridden here.
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+    CONF,
+    DEFAULT_POLICY_FILE,
+    enforce_scope=True,
+    enforce_new_defaults=True
+)


 # we can get a policy enforcer by this init.
--- a/releasenotes/notes/enable-enforce-scope-and-new-defaults-572730ea8804a843.yaml
+++ b/releasenotes/notes/enable-enforce-scope-and-new-defaults-572730ea8804a843.yaml
@ -0,0 +1,21 @@
+---
+upgrade:
+  - |
+    The Magnum service enable the API policies (RBAC) new defaults and scope by
+    default. The Default value of config options ``[oslo_policy] enforce_scope``
+    and ``[oslo_policy] enforce_new_defaults`` have been changed
+    to ``True``.
+
+    This means if you are using system scope token to access Magnum API then
+    the request will be failed with 403 error code. Also, new defaults will be
+    enforced by default. To know about the new defaults of each policy
+    rule, refer to the `Policy New Defaults Sample File`_.
+
+    If you want to disable them then modify the below config options value in
+    ``magnum.conf`` file::
+
+      [oslo_policy]
+      enforce_new_defaults=False
+      enforce_scope=False
+
+    .. _`Policy New Defaults Sample File`: https://docs.openstack.org/magnum/latest/configuration/samples/policy-yaml.html