Enable Secure RBAC in Keystone

This patch enables Secure RBAC (enforce_scope and enforce_new_defaults)
in Keystone since the policies have been updated to accept both scoped
tokens as well as legacy "admin" role tokens. [1]

[1] f2f1a5c388

Depends-On: https://review.opendev.org/c/openstack/keystone/+/913999
Change-Id: I4d4c6f250a08a86bd5838679a3ef2c0ad887f265
Douglas Mendizábal 2024-03-11 15:03:29 -04:00
parent c0da6e843a
commit cdbe43e2e9

@ -374,15 +374,7 @@
This job runs the Tempest tests with scope and new defaults enabled. This job runs the Tempest tests with scope and new defaults enabled.
vars: vars:
devstack_localrc: devstack_localrc:
# Enabaling the scope and new defaults for services. KEYSTONE_ENFORCE_SCOPE: true
# NOTE: (gmann) We need to keep keystone scope check disable as
# services (except ironic) does not support the system scope and
# they need keystone to continue working with project scope. Until
# Keystone policies are changed to work for both system as well as
# for project scoped, we need to keep scope check disable for
# keystone.
# Nova, Glance, and Neutron have enabled the new defaults and scope
# by default in devstack.
CINDER_ENFORCE_SCOPE: true CINDER_ENFORCE_SCOPE: true
PLACEMENT_ENFORCE_SCOPE: true PLACEMENT_ENFORCE_SCOPE: true
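Review bot: the comment block removed under devstack_localrc also takes out the note "Nova, Glance, and Neutron have enabled the new defaults and scope by default in devstack", which is unrelated to the Keystone restriction being lifted and still explains why those services have no *_ENFORCE_SCOPE entry beside CINDER_ENFORCE_SCOPE and PLACEMENT_ENFORCE_SCOPE. I would keep that sentence and the one-line header (with "Enabaling" corrected) and drop only the gmann NOTE about keeping the keystone scope check disabled. The commit message names both enforce_scope and enforce_new_defaults, while the hunk sets only KEYSTONE_ENFORCE_SCOPE: true, so a short comment stating what that variable turns on would help anyone reading the job definition later.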