Revert "[S-RBAC] Switch to new policies by default"

This reverts commit 62b7315092318296e23451d956989d672b6a4584. Reason for revert: new defaults are enabled by default in current ongoing release cycle which is not yet released so our old defaults is something enabled by default in latest release. Due to that, in devstack we still have them disabled by default[1] which configure all the jobs with old defaults[2], that is why in all the jobs old defaults are enabled[3]. Let's continue testing the old defaults as default and keep this new defaults job until 2023.2 is released. and after 2023.1(2024.1 cycle) we can switch it 1. run all jobs with new defaults 2. a single job with old defaults. [1] 34afa91fc9/lib/neutron (L96) [2] 34afa91fc9/lib/neutron (L564) [3] https://zuul.opendev.org/t/openstack/build/190cdd3f0479408b87dc10c4f9396f10/log/controller/logs/etc/neutron/neutron_conf.txt#2091 Change-Id: I1610f8b13b8fa7567e6f8c41f804ff3b774424e3
2023-05-09 03:41:06 +00:00 · 2023-05-09 03:41:06 +00:00 · 2f1856baf8
commit 2f1856baf8
parent 62b7315092
2 changed files with 13 additions and 8 deletions
--- a/zuul.d/master_jobs.yaml
+++ b/zuul.d/master_jobs.yaml
@ -409,15 +409,20 @@
      - ^zuul.d/(?!(project)).*\.yaml

 - job:
-    name: neutron-tempest-plugin-openvswitch-enforce-scope-old-defaults
+    name: neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
    parent: neutron-tempest-plugin-openvswitch
    vars:
      devstack_localrc:
-        # Disabling the scope and new defaults for services to use old,
-        # deprecated policies
-        NOVA_ENFORCE_SCOPE: false
-        GLANCE_ENFORCE_SCOPE: false
-        NEUTRON_ENFORCE_SCOPE: false
+        # Enabeling the scope and new defaults for services.
+        # NOTE: (gmann) We need to keep keystone scope check disable as
+        # services (except ironic) does not support the system scope and
+        # they need keystone to continue working with project scope. Until
+        # Keystone policies are changed to work for both system as well as
+        # for project scoped, we need to keep scope check disable for
+        # keystone.
+        NOVA_ENFORCE_SCOPE: true
+        GLANCE_ENFORCE_SCOPE: true
+        NEUTRON_ENFORCE_SCOPE: true


 # TODO(slaweq): remove that job's definition as soon as new job
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -5,7 +5,7 @@
        - neutron-tempest-plugin-linuxbridge
        - neutron-tempest-plugin-openvswitch
        - neutron-tempest-plugin-openvswitch-iptables_hybrid
-        - neutron-tempest-plugin-openvswitch-enforce-scope-old-defaults
+        - neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
        - neutron-tempest-plugin-ovn
        - neutron-tempest-plugin-designate-scenario
    gate:
@ -14,7 +14,7 @@
        - neutron-tempest-plugin-openvswitch
        - neutron-tempest-plugin-ovn
        - neutron-tempest-plugin-openvswitch-iptables_hybrid
-        - neutron-tempest-plugin-openvswitch-enforce-scope-old-defaults
+        - neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
    #TODO(slaweq): Move neutron-tempest-plugin-dvr-multinode-scenario out of
    #              the experimental queue when it will be more stable
    experimental: