Merge "RBAC: Enable "new" defaults and scope checks"

2024-05-21 03:58:19 +00:00 · 2024-05-21 03:58:19 +00:00 · 45268b6a58
parent 63e54f91e0 b269c140a7
commit 45268b6a58
4 changed files with 33 additions and 1 deletions
--- a/manila/policy.py
+++ b/manila/policy.py
@ -37,6 +37,11 @@ _ENFORCER = None
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
 opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+    cfg.CONF,
+    DEFAULT_POLICY_FILE,
+    enforce_scope=True,
+    enforce_new_defaults=True)


 def reset():
--- a/manila/tests/api/v2/test_share_snapshots.py
+++ b/manila/tests/api/v2/test_share_snapshots.py
@ -66,6 +66,9 @@ class ShareSnapshotAPITest(test.TestCase):
                         stubs.stub_snapshot_get)
        self.mock_object(share_api.API, 'snapshot_update',
                         stubs.stub_snapshot_update)
+        self.mock_object(
+            policy, 'check_policy', mock.Mock(return_value=True)
+        )
        self.snp_example = {
            'share_id': 100,
            'size': 12,
--- a/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
+++ b/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
@ -0,0 +1,24 @@
+---
+upgrade:
+  - |
+    The service now requires a user's "scope" to be defined with the OpenStack
+    Identity service (Keystone) by the virtue of default Role Based Access
+    Control (RBAC). This is being done in addition to changing the
+    RBAC rules for GET requests to permit users possessing the "reader" role.
+    The Default value of config options ``[oslo_policy] enforce_scope`` and
+    ``[oslo_policy] oslo_policy.enforce_new_defaults`` has now changed
+    to ``True``. This means that, if you are using system scoped tokens to
+    access Manila's API, requests will fail with HTTP 403. Users must
+    obtain a project scoped token to interact with the Manila API. You
+    may also provide users with "reader" role where appropriate if they
+    intend to make read-only API requests to Manila.  If you would like to
+    disable these changes, modify ``manila.conf`` file to set::
+
+      [oslo_policy]
+      enforce_new_defaults=False
+      enforce_scope=False
+
+    However, be aware that you may not be able to disable these options in
+    the future. Please see `OpenStack's Consistent and Secure Default RBAC
+    goal <https://governance.openstack
+    .org/tc/goals/selected/consistent-and-secure-rbac.html>`_ for more details
--- a/requirements.txt
+++ b/requirements.txt
@ -18,7 +18,7 @@ oslo.i18n>=5.0.1 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0