Enable Secure RBAC in Keystone

This patch enables Secure RBAC (enforce_scope and enforce_new_defaults) in Keystone since the policies have been updated to accept both scoped tokens as well as legacy "admin" role tokens. [1] [1] f2f1a5c388 Depends-On: https://review.opendev.org/c/openstack/keystone/+/913999 Change-Id: I4d4c6f250a08a86bd5838679a3ef2c0ad887f265
2024-03-11 15:03:29 -04:00 · 2024-03-11 15:03:29 -04:00 · cdbe43e2e9
commit cdbe43e2e9
parent c0da6e843a
1 changed files with 1 additions and 9 deletions
--- a/zuul.d/integrated-gate.yaml
+++ b/zuul.d/integrated-gate.yaml
@ -374,15 +374,7 @@
      This job runs the Tempest tests with scope and new defaults enabled.
    vars:
      devstack_localrc:
-        # Enabaling the scope and new defaults for services.
-        # NOTE: (gmann) We need to keep keystone scope check disable as
-        # services (except ironic) does not support the system scope and
-        # they need keystone to continue working with project scope. Until
-        # Keystone policies are changed to work for both system as well as
-        # for project scoped, we need to keep scope check disable for
-        # keystone.
-        # Nova, Glance, and Neutron have enabled the new defaults and scope
-        # by default in devstack.
+        KEYSTONE_ENFORCE_SCOPE: true
        CINDER_ENFORCE_SCOPE: true
        PLACEMENT_ENFORCE_SCOPE: true