From 7ab45a9be8ee6fd4c8ded8d76e3237c14fa8727a Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Mon, 21 Nov 2022 19:14:05 -0600
Subject: [PATCH] Add new tempest job enable the rbac scope checks and new defaults We have many services (Nova, Neutron, Glance etc) implemented the new RBAC (project scope and project personas). For these services, all tests should pass as projects personas (project reader) does not impact existing testing/usage. keystone has system scope adopted in their policy for now which we need to make it work for project scope also and until then we will see test failing. This commit adds a new tempest full job which enable the scope and new defaults of RBAC for applicable services. Depends-On: https://review.opendev.org/c/openstack/neutron/+/865040 Change-Id: Ib8f2f0e25205edba332fb9bd2a73012016d45061
---
 zuul.d/integrated-gate.yaml | 24 ++++++++++++++++++++++++
 zuul.d/project.yaml | 4 ++++
 2 files changed, 28 insertions(+)
diff --git a/zuul.d/integrated-gate.yaml b/zuul.d/integrated-gate.yaml
index 121e04dfa8..7d0246b519 100644
--- a/zuul.d/integrated-gate.yaml
+++ b/zuul.d/integrated-gate.yaml
@@ -344,6 +344,30 @@
 # ENABLE_FILE_INJECTION: true
 DATABASE_TYPE: postgresql

+- job:
+ name: tempest-full-enforce-scope-new-defaults
+ parent: tempest-full-py3
+ description: |
+ This job runs the Tempest tests with scope and new defaults enabled.
+ # TODO: remove this once https://review.opendev.org/c/openstack/neutron-lib/+/864213
+ # fix is released in neutron-lib
+ required-projects:
+ - openstack/neutron-lib
+ - openstack/neutron
+ vars:
+ devstack_localrc:
+ # Enabeling the scope and new defaults for services.
+ # NOTE: (gmann) We need to keep keystone scope check disable as
+ # services (except ironic) does not support the system scope and
+ # they need keystone to continue working with project scope. Until
+ # Keystone policies are changed to work for both system as well as
+ # for project scoped, we need to keep scope check disable for
+ # keystone.
+ NOVA_ENFORCE_SCOPE: true
+ CINDER_ENFORCE_SCOPE: true
+ GLANCE_ENFORCE_SCOPE: true
+ NEUTRON_ENFORCE_SCOPE: true
+
 - project-template:
 name: integrated-gate-networking
 description: |
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 6412e78db9..46c0d8d888 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -103,6 +103,8 @@
 irrelevant-files: *tempest-irrelevant-files
 - nova-live-migration:
 irrelevant-files: *tempest-irrelevant-files
+ - tempest-full-enforce-scope-new-defaults:
+ irrelevant-files: *tempest-irrelevant-files
 - devstack-plugin-ceph-tempest-py3:
 # TODO(kopecmartin): make it voting once the below bug is fixed
 # https://bugs.launchpad.net/devstack-plugin-ceph/+bug/1975648
@@ -150,6 +152,8 @@
 irrelevant-files: *tempest-irrelevant-files-3
 - tempest-multinode-full-py3:
 irrelevant-files: *tempest-irrelevant-files
+ - tempest-full-enforce-scope-new-defaults:
+ irrelevant-files: *tempest-irrelevant-files
 #- devstack-plugin-ceph-tempest-py3:
 # irrelevant-files: *tempest-irrelevant-files
 #- tempest-full-centos-9-stream:
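Review bot: The `devstack_localrc` block of the new `tempest-full-enforce-scope-new-defaults` job says in its NOTE that the Keystone scope check must stay disabled, but no variable in the job sets that, so the job depends on whatever the DevStack default happens to be. Pinning it beside the four enabled services, `KEYSTONE_ENFORCE_SCOPE: false`, would keep the job's RBAC coverage stable if that default ever changes. The `description:` text should also state that Keystone is excluded, so that a green run is not read as scope enforcement across every service. Minor: `Enabeling` in the first comment should read `Enabling`, and the neutron-lib `# TODO:` would be easier to track with an owner, as in `# TODO(gmann): ...`.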
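Review bot: Both `zuul.d/project.yaml` hunks (`-103,6` and `-150,6`) list `tempest-full-enforce-scope-new-defaults` with only `irrelevant-files`, so the new job is voting wherever these lists sit. The pipeline names are outside the hunks, but two listings presumably mean check and gate. The commit message itself expects test failures until Keystone policies handle project scope, and the job depends on a neutron-lib fix that is not yet released, so a failure here would block unrelated changes. Consider starting with `voting: false` in the first listing only, with a comment such as `# TODO: make voting and add to gate once the job is stable`. Promoting it to voting afterwards keeps it useful as a guard against policy regressions.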