RBAC: Enable "new" defaults and scope checks

Enable new defaults and scope checks by default As discussed in PTG, we need to test the new RBAC and accordingly enable the new defaults and scope check by default. Change-Id: I02a2b7e9296e3034d7c20656a12cbdb2cb7a3182 Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2024-04-16 17:13:08 -07:00 · 2024-04-16 17:13:08 -07:00 · b269c140a7
parent d8987589ae
commit b269c140a7
4 changed files with 33 additions and 1 deletions
--- a/manila/policy.py
+++ b/manila/policy.py
@ -37,6 +37,11 @@ _ENFORCER = None
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
 opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+    cfg.CONF,
+    DEFAULT_POLICY_FILE,
+    enforce_scope=True,
+    enforce_new_defaults=True)


 def reset():
--- a/manila/tests/api/v2/test_share_snapshots.py
+++ b/manila/tests/api/v2/test_share_snapshots.py
@ -66,6 +66,9 @@ class ShareSnapshotAPITest(test.TestCase):
                         stubs.stub_snapshot_get)
        self.mock_object(share_api.API, 'snapshot_update',
                         stubs.stub_snapshot_update)
+        self.mock_object(
+            policy, 'check_policy', mock.Mock(return_value=True)
+        )
        self.snp_example = {
            'share_id': 100,
            'size': 12,
--- a/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
+++ b/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
@ -0,0 +1,24 @@
+---
+upgrade:
+  - |
+    The service now requires a user's "scope" to be defined with the OpenStack
+    Identity service (Keystone) by the virtue of default Role Based Access
+    Control (RBAC). This is being done in addition to changing the
+    RBAC rules for GET requests to permit users possessing the "reader" role.
+    The Default value of config options ``[oslo_policy] enforce_scope`` and
+    ``[oslo_policy] oslo_policy.enforce_new_defaults`` has now changed
+    to ``True``. This means that, if you are using system scoped tokens to
+    access Manila's API, requests will fail with HTTP 403. Users must
+    obtain a project scoped token to interact with the Manila API. You
+    may also provide users with "reader" role where appropriate if they
+    intend to make read-only API requests to Manila.  If you would like to
+    disable these changes, modify ``manila.conf`` file to set::
+
+      [oslo_policy]
+      enforce_new_defaults=False
+      enforce_scope=False
+
+    However, be aware that you may not be able to disable these options in
+    the future. Please see `OpenStack's Consistent and Secure Default RBAC
+    goal <https://governance.openstack
+    .org/tc/goals/selected/consistent-and-secure-rbac.html>`_ for more details
--- a/requirements.txt
+++ b/requirements.txt
@ -21,7 +21,7 @@ oslo.i18n>=5.0.1 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0