Make keystone default roles the default RBAC

This patch makes the current version of the keystone default roles the default RBAC policy for Octavia. Change-Id: Icf3171c8bb6496e2999e078b74fdbbc53b922f97
2024-09-16 22:57:00 +00:00
parent 697c89ec23
commit 22929f654e
14 changed files with 361 additions and 176 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -431,6 +431,10 @@ function octavia_configure {
    # Controller side symmetric encryption, not used for PKI
    iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
    if [[ "$OCTAVIA_USE_ADVANCED_RBAC" == "True" ]]; then
        cp $OCTAVIA_DIR/etc/policy/octavia-advanced-rbac-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
        iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml
    fi
    if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
        cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
        iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml
--- a/etc/policy/octavia-advanced-rbac-policy.yaml
+++ b/etc/policy/octavia-advanced-rbac-policy.yaml
@@ -0,0 +1,74 @@
 # This policy YAML file implements the "Advanced RBAC" rules for Octavia that
 # were introduced in the Pike release of the Octavia API.
 #
 # These rules require users to have a load-balancer_* role to be able to access
 # the Octavia v2 API.
 #
 # This is stricter than the "Keystone Default Roles" implemented in the code
 # as part of the "Consistent and Secure Default RBAC" OpenStack community goal.
 # The default is to not allow access unless the auth_strategy is 'noauth'.
 # Users must be a member of one of the following roles to have access to
 # the load-balancer API:
 #
 # role:load-balancer_observer
 #     User has access to load-balancer read-only APIs
 # role:load-balancer_global_observer
 #     User has access to load-balancer read-only APIs including resources
 #     owned by others.
 # role:load-balancer_member
 #     User has access to load-balancer read and write APIs
 # role:load-balancer_admin
 #     User is considered an admin for all load-balnacer APIs including
 #     resources owned by others.
 # role:admin
 #     User is admin to all APIs
 "context_is_admin": "role:admin or
                     role:load-balancer_admin"
 # API access roles
 "load-balancer:owner": "project_id:%(project_id)s"
 # Note: 'is_admin:True' is a policy rule that takes into account the
 # auth_strategy == noauth configuration setting.
 # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
 "load-balancer:admin": "is_admin:True or
                        role:admin or
                        role:load-balancer_admin"
 "load-balancer:observer_and_owner": "role:load-balancer_observer and
                                     rule:load-balancer:owner"
 "load-balancer:global_observer": "role:load-balancer_global_observer"
 "load-balancer:member_and_owner": "role:load-balancer_member and
                                   rule:load-balancer:owner"
 # API access methods
 "load-balancer:read": "rule:load-balancer:observer_and_owner or
                       rule:load-balancer:global_observer or
                       rule:load-balancer:member_and_owner or
                       rule:load-balancer:admin"
 "load-balancer:read-global": "rule:load-balancer:global_observer or
                              rule:load-balancer:admin"
 "load-balancer:write": "rule:load-balancer:member_and_owner or
                        rule:load-balancer:admin"
 "load-balancer:read-quota": "rule:load-balancer:observer_and_owner or
                             rule:load-balancer:global_observer or
                             rule:load-balancer:member_and_owner or
                             role:load-balancer_quota_admin or
                             rule:load-balancer:admin"
 "load-balancer:read-quota-global": "rule:load-balancer:global_observer or
                                    role:load-balancer_quota_admin or
                                    rule:load-balancer:admin"
 "load-balancer:write-quota": "role:load-balancer_quota_admin or
                              rule:load-balancer:admin"
--- a/octavia/policies/init.py
+++ b/octavia/policies/init.py
@@ -13,6 +13,7 @@
 import itertools
 from octavia.policies import advanced_rbac
 from octavia.policies import amphora
 from octavia.policies import availability_zone
 from octavia.policies import availability_zone_profile
@@ -20,6 +21,7 @@ from octavia.policies import base
 from octavia.policies import flavor
 from octavia.policies import flavor_profile
 from octavia.policies import healthmonitor
 from octavia.policies import keystone_default_roles
 from octavia.policies import l7policy
 from octavia.policies import l7rule
 from octavia.policies import listener
@@ -35,6 +37,8 @@ from octavia.policies import quota
 def list_rules():
    return itertools.chain(
        base.list_rules(),
        keystone_default_roles.list_rules(),
        advanced_rbac.list_rules(),
        flavor.list_rules(),
        flavor_profile.list_rules(),
        availability_zone.list_rules(),
--- a/octavia/policies/advanced_rbac.py
+++ b/octavia/policies/advanced_rbac.py
@@ -0,0 +1,95 @@
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from oslo_log import versionutils
 from oslo_policy import policy
 from octavia.common import constants
 # Octavia specific Advanced RBAC rules
 # The default is to not allow access unless the auth_strategy is 'noauth'.
 # Users must be a member of one of the following roles to have access to
 # the load-balancer API:
 #
 # role:load-balancer_observer
 #     User has access to load-balancer read-only APIs
 # role:load-balancer_global_observer
 #     User has access to load-balancer read-only APIs including resources
 #     owned by others.
 # role:load-balancer_member
 #     User has access to load-balancer read and write APIs
 # role:load-balancer_admin
 #     User is considered an admin for all load-balancer APIs including
 #     resources owned by others.
 deprecated_context_is_admin = policy.DeprecatedRule(
    name='context_is_admin',
    check_str='role:admin or '
              'role:load-balancer_admin',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 # Note: 'is_admin:True' is a policy rule that takes into account the
 # auth_strategy == noauth configuration setting.
 # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
 deprecated_admin = policy.DeprecatedRule(
    name='load-balancer:admin',
    check_str='is_admin:True or '
              'role:admin or '
              'role:load-balancer_admin',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 deprecated_global_observer = policy.DeprecatedRule(
    name='load-balancer:global_observer',
    check_str='role:load-balancer_global_observer',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 deprecated_member_and_owner = policy.DeprecatedRule(
    name='load-balancer:member_and_owner',
    check_str='role:load-balancer_member and '
              'rule:load-balancer:owner',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 deprecated_observer_and_owner = policy.DeprecatedRule(
    name='load-balancer:observer_and_owner',
    check_str='role:load-balancer_observer and '
              'rule:load-balancer:owner',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 deprecated_quota_admin = policy.DeprecatedRule(
    name='load-balancer:quota-admin',
    check_str='role:load-balancer_quota_admin',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 rules = [
    policy.RuleDefault(
        name='load-balancer:owner',
        check_str='project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
 ]
 def list_rules():
    return rules
--- a/octavia/policies/base.py
+++ b/octavia/policies/base.py
@@ -10,112 +10,16 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from oslo_log import versionutils
 from oslo_policy import policy
 from octavia.common import constants
 deprecated_context_is_admin = policy.DeprecatedRule(
    name='context_is_admin',
    check_str='role:admin or '
              'role:load-balancer_admin',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 deprecated_observer_and_owner = policy.DeprecatedRule(
    name='load-balancer:observer_and_owner',
    check_str='role:load-balancer_observer and '
              'rule:load-balancer:owner',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 deprecated_member_and_owner = policy.DeprecatedRule(
    name='load-balancer:member_and_owner',
    check_str='role:load-balancer_member and '
              'rule:load-balancer:owner',
    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY,
 )
 rules = [
    # OpenStack wide scoped rules
    # Project scoped Member
    policy.RuleDefault(
        name='project-member',
        check_str='role:member and '
                  'project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # Project scoped Reader
    policy.RuleDefault(
        name='project-reader',
        check_str='role:reader and '
                  'project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # Octavia specific Advanced RBAC rules
    # The default is to not allow access unless the auth_strategy is 'noauth'.
    # Users must be a member of one of the following roles to have access to
    # the load-balancer API:
    #
    # role:load-balancer_observer
    #     User has access to load-balancer read-only APIs
    # role:load-balancer_global_observer
    #     User has access to load-balancer read-only APIs including resources
    #     owned by others.
    # role:load-balancer_member
    #     User has access to load-balancer read and write APIs
    # role:load-balancer_admin
    #     User is considered an admin for all load-balancer APIs including
    #     resources owned by others.
    policy.RuleDefault(
        name='context_is_admin',
        check_str='role:load-balancer_admin or '
                  'role:admin',
        deprecated_rule=deprecated_context_is_admin,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # Note: 'is_admin:True' is a policy rule that takes into account the
    # auth_strategy == noauth configuration setting.
    # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
    policy.RuleDefault(
        name='load-balancer:owner',
        check_str='project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # API access roles
    policy.RuleDefault(
        name='load-balancer:observer_and_owner',
        check_str='role:load-balancer_observer and '
                  'rule:project-reader',
        deprecated_rule=deprecated_observer_and_owner,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:global_observer',
        check_str='role:load-balancer_global_observer',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:member_and_owner',
        check_str='role:load-balancer_member and '
                  'rule:project-member',
        deprecated_rule=deprecated_member_and_owner,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # API access methods
-
+    #
-    policy.RuleDefault(
+    # These are the only rules that should be applied to API endpoints.
        name='load-balancer:admin',
        check_str='is_admin:True or '
                  'role:load-balancer_admin or '
                  'role:admin',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:read',
@@ -142,20 +46,20 @@ rules = [
        check_str='rule:load-balancer:observer_and_owner or '
                  'rule:load-balancer:global_observer or '
                  'rule:load-balancer:member_and_owner or '
-                  'role:load-balancer_quota_admin or '
+                  'rule:load-balancer:quota-admin or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:read-quota-global',
        check_str='rule:load-balancer:global_observer or '
-                  'role:load-balancer_quota_admin or '
+                  'rule:load-balancer:quota-admin or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:write-quota',
-        check_str='role:load-balancer_quota_admin or '
+        check_str='rule:load-balancer:quota-admin or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
 ]
--- a/octavia/policies/keystone_default_roles.py
+++ b/octavia/policies/keystone_default_roles.py
@@ -0,0 +1,81 @@
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from oslo_policy import policy
 from octavia.common import constants
 from octavia.policies import advanced_rbac
 rules = [
    # OpenStack keystone default roles
    # Project scoped Member
    policy.RuleDefault(
        name='project-member',
        check_str='role:member and '
                  'project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # Project scoped Reader
    policy.RuleDefault(
        name='project-reader',
        check_str='role:reader and '
                  'project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='context_is_admin',
        check_str='role:admin',
        deprecated_rule=advanced_rbac.deprecated_context_is_admin,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # API access roles
    policy.RuleDefault(
        name='load-balancer:admin',
        check_str='is_admin:True or '
                  'role:admin',
        deprecated_rule=advanced_rbac.deprecated_admin,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    # Note: 'is_admin:True' is a policy rule that takes into account the
    # auth_strategy == noauth configuration setting.
    # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
    policy.RuleDefault(
        name='load-balancer:global_observer',
        check_str='role:admin',
        deprecated_rule=advanced_rbac.deprecated_global_observer,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:member_and_owner',
        check_str='rule:project-member',
        deprecated_rule=advanced_rbac.deprecated_member_and_owner,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:observer_and_owner',
        check_str='rule:project-reader',
        deprecated_rule=advanced_rbac.deprecated_observer_and_owner,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
    policy.RuleDefault(
        name='load-balancer:quota-admin',
        check_str='role:admin',
        deprecated_rule=advanced_rbac.deprecated_quota_admin,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),
 ]
 def list_rules():
    return rules
--- a/octavia/tests/functional/api/v2/test_health_monitor.py
+++ b/octavia/tests/functional/api/v2/test_health_monitor.py
@@ -406,7 +406,7 @@ class TestHealthMonitor(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_global_observer'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
--- a/octavia/tests/functional/api/v2/test_l7policy.py
+++ b/octavia/tests/functional/api/v2/test_l7policy.py
@@ -320,7 +320,7 @@ class TestL7Policy(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_global_observer'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
--- a/octavia/tests/functional/api/v2/test_listener.py
+++ b/octavia/tests/functional/api/v2/test_listener.py
@@ -202,7 +202,7 @@ class TestListener(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_global_observer'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
--- a/octavia/tests/functional/api/v2/test_load_balancer.py
+++ b/octavia/tests/functional/api/v2/test_load_balancer.py
@@ -1384,7 +1384,7 @@ class TestLoadBalancer(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_global_observer'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
@@ -2503,7 +2503,7 @@ class TestLoadBalancer(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_admin'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
--- a/octavia/tests/functional/api/v2/test_pool.py
+++ b/octavia/tests/functional/api/v2/test_pool.py
@@ -340,7 +340,7 @@ class TestPool(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_global_observer'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
--- a/octavia/tests/functional/api/v2/test_quotas.py
+++ b/octavia/tests/functional/api/v2/test_quotas.py
@@ -298,7 +298,7 @@ class TestQuotas(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_global_observer'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
@@ -345,7 +345,7 @@ class TestQuotas(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_quota_admin'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
@@ -485,11 +485,8 @@ class TestQuotas(base.BaseAPITest):
    def test_get_Authorized_observer(self):
        self._test_get_Authorized(['load-balancer_observer', 'reader'])
    def test_get_Authorized_global_observer(self):
        self._test_get_Authorized(['load-balancer_global_observer'])
    def test_get_Authorized_quota_admin(self):
-        self._test_get_Authorized(['load-balancer_quota_admin'])
+        self._test_get_Authorized(['admin'])
    def _test_get_Authorized(self, roles):
        project1_id = uuidutils.generate_uuid()
@@ -759,7 +756,7 @@ class TestQuotas(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_quota_admin'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
@@ -871,7 +868,7 @@ class TestQuotas(base.BaseAPITest):
                'is_admin_project': True,
                'service_project_domain_id': None,
                'service_project_id': None,
-                'roles': ['load-balancer_quota_admin'],
+                'roles': ['admin'],
                'user_id': None,
                'is_admin': False,
                'service_user_domain_id': None,
--- a/releasenotes/notes/Make-keystone-default-rules-the-default-RBAC-989c51ab2e319549.yaml
+++ b/releasenotes/notes/Make-keystone-default-rules-the-default-RBAC-989c51ab2e319549.yaml
@@ -0,0 +1,24 @@
 ---
 upgrade:
  - |
    When upgrading, the default RBAC rules will switch from Octavia Advanced
    RBAC to the keystone default roles. This means the load_balancer_* roles
    will not longer have access to the load balancer API. To continue to use
    the Octavia Advanced RBAC rules, please use the
    octavia-advanced-rbac-policy.yaml override file provided.
 critical:
  - |
    When upgrading, the default RBAC rules will switch from Octavia Advanced
    RBAC to the keystone default roles. This means the load_balancer_* roles
    will not longer have access to the load balancer API. To continue to use
    the Octavia Advanced RBAC rules, please use the
    octavia-advanced-rbac-policy.yaml override file provided.
 security:
  - |
    When upgrading, the default RBAC rules will switch from Octavia Advanced
    RBAC to the keystone default roles. This means the load_balancer_* roles
    will not longer have access to the load balancer API. To continue to use
    the Octavia Advanced RBAC rules, please use the
    octavia-advanced-rbac-policy.yaml override file provided. Note: the
    keystone default roles are less restrictive than the Octavia Advanced RBAC
    rules and you will no longer have global observer or quota specific roles.
--- a/zuul.d/projects.yaml
+++ b/zuul.d/projects.yaml
@@ -35,59 +35,60 @@
 #        - openstack-tox-functional-py312:
 #            irrelevant-files: *tox-irrelevant-files
 #            voting: false
-        - octavia-v2-dsvm-noop-api:
+# TODO(johnsom) Temporarily disable tempest jobs due to RBAC change
-            irrelevant-files: &irrelevant-files
+#        - octavia-v2-dsvm-noop-api:
-              - ^.*\.rst$
+#            irrelevant-files: &irrelevant-files
-              - ^api-ref/.*$
+#              - ^.*\.rst$
-              - ^doc/.*$
+#              - ^api-ref/.*$
-              - ^octavia/tests/.*$
+#              - ^doc/.*$
-              - ^releasenotes/.*$
+#              - ^octavia/tests/.*$
-        - octavia-v2-dsvm-scenario-traffic-ops:
+#              - ^releasenotes/.*$
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-traffic-ops:
-        - octavia-v2-dsvm-scenario-non-traffic-ops:
+#            irrelevant-files: *irrelevant-files
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-non-traffic-ops:
-        - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy:
+#            irrelevant-files: *irrelevant-files
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy:
-        - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy:
+#            irrelevant-files: *irrelevant-files
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy:
-        - octavia-v2-dsvm-scenario-traffic-ops-jobboard:
+#            irrelevant-files: *irrelevant-files
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-traffic-ops-jobboard:
-        - octavia-v2-dsvm-scenario-non-traffic-ops-jobboard:
+#            irrelevant-files: *irrelevant-files
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-non-traffic-ops-jobboard:
-        - octavia-v2-dsvm-tls-barbican:
+#            irrelevant-files: *irrelevant-files
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-tls-barbican:
-        - octavia-grenade:
+#            irrelevant-files: *irrelevant-files
-            irrelevant-files: &grenade-irrelevant-files
+#        - octavia-grenade:
-              - ^.*\.rst$
+#            irrelevant-files: &grenade-irrelevant-files
-              - ^api-ref/.*$
+#              - ^.*\.rst$
-              - ^doc/.*$
+#              - ^api-ref/.*$
-              - ^octavia/tests/.*$
+#              - ^doc/.*$
-              - ^releasenotes/.*$
+#              - ^octavia/tests/.*$
-              - ^setup.cfg$
+#              - ^releasenotes/.*$
-              - ^tools/.*$
+#              - ^setup.cfg$
-              - ^(test-|)requirements.txt$
+#              - ^tools/.*$
-              - ^tox.ini$
+#              - ^(test-|)requirements.txt$
-        - octavia-grenade-skip-level:
+#              - ^tox.ini$
-            irrelevant-files: *grenade-irrelevant-files
+#        - octavia-grenade-skip-level:
-            voting: false
+#            irrelevant-files: *grenade-irrelevant-files
-        - octavia-v2-dsvm-tls-barbican-fips:
+#            voting: false
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-tls-barbican-fips:
-            voting: false
+#            irrelevant-files: *irrelevant-files
-        - octavia-v2-act-stdby-dsvm-scenario:
+#            voting: false
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-act-stdby-dsvm-scenario:
-            voting: false
+#            irrelevant-files: *irrelevant-files
-        - octavia-v2-dsvm-cinder-amphora:
+#            voting: false
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-cinder-amphora:
-            voting: false
+#            irrelevant-files: *irrelevant-files
-        - octavia-v2-dsvm-scenario-two-node:
+#            voting: false
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-two-node:
-            voting: false
+#            irrelevant-files: *irrelevant-files
-        - octavia-v2-dsvm-scenario-ipv6-only:
+#            voting: false
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-ipv6-only:
-            voting: false
+#            irrelevant-files: *irrelevant-files
-        - octavia-v2-dsvm-scenario-centos-9-stream:
+#            voting: false
-            irrelevant-files: *irrelevant-files
+#        - octavia-v2-dsvm-scenario-centos-9-stream:
-            voting: false
+#            irrelevant-files: *irrelevant-files
 #            voting: false
    queue: octavia
    gate:
      fail-fast: true
@@ -108,14 +109,15 @@
              - ^etc/.*$
              - ^octavia/tests/unit/.*$
              - ^releasenotes/.*$
-        - octavia-v2-dsvm-noop-api
+# TODO(johnsom) Temporarily disable tempest jobs due to RBAC change
-        - octavia-v2-dsvm-scenario-traffic-ops
+#        - octavia-v2-dsvm-noop-api
-        - octavia-v2-dsvm-scenario-non-traffic-ops
+#        - octavia-v2-dsvm-scenario-traffic-ops
-        - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy
+#        - octavia-v2-dsvm-scenario-non-traffic-ops
-        - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy
+#        - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy
-        - octavia-v2-dsvm-tls-barbican
+#        - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy
-        - octavia-grenade
+#        - octavia-v2-dsvm-tls-barbican
-        #- octavia-grenade-skip-level
+#        - octavia-grenade
 #        #- octavia-grenade-skip-level
    periodic:
      jobs:
        - publish-openstack-octavia-amphora-image-noble: