From ab00dac26f44d85a946e45231ee659efdc2c548b Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Thu, 1 Aug 2024 12:25:45 -0700 Subject: [PATCH] Keep new RBAC disable by default oslo.policy has enabled the new RBAC config options enforce_scope and enforce_new_defaults by default[1][2]. Until Aodh is ready with the new RBAC, we need to continue disable them by overriding their default values. NOTE: there is no change in behaviour, aodh continue with the old RBAC as default. Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464 [1] https://review.opendev.org/c/openstack/oslo.policy/+/924283 [2] https://review.opendev.org/c/openstack/releases/+/925032 Change-Id: Ifac31d1fc11b44fd6d3d18041f8bacee8287bccf --- aodh/api/hooks.py | 14 ++++++++++---- aodh/conf/defaults.py | 7 +++++-- requirements.txt | 2 +- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/aodh/api/hooks.py b/aodh/api/hooks.py index bfc951e25..741a773be 100644 --- a/aodh/api/hooks.py +++ b/aodh/api/hooks.py @@ -19,11 +19,17 @@ from pecan import hooks from aodh.api import policies -# TODO(gmann): Remove setting the default value of config policy_file -# once oslo_policy change the default value to 'policy.yaml'. -# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 +# TODO(gmann): Remove overriding the default value of config options: +# - 'policy_file' once oslo_policy change their default value to what is +# overridden here. +# - 'enforce_scope', and 'enforce_new_defaults' once aodh is ready with the +# new RBAC (oslo_policy enable them by default) DEFAULT_POLICY_FILE = 'policy.yaml' -opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE) +opts.set_defaults( + cfg.CONF, + DEFAULT_POLICY_FILE, + enforce_scope=False, + enforce_new_defaults=False) class ConfigHook(hooks.PecanHook): diff --git a/aodh/conf/defaults.py b/aodh/conf/defaults.py index e6ace8550..f59c95eaf 100644 --- a/aodh/conf/defaults.py 
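Review bot: The authorization defaults `enforce_scope=False` and `enforce_new_defaults=False` are now set in two places: at import time in aodh/api/hooks.py, and again in `set_lib_defaults()` in aodh/conf/defaults.py. If a later change flips only one of them, the effective default would depend on which call runs last. I would let one module own the values, for example `RBAC_DEFAULTS = {'enforce_scope': False, 'enforce_new_defaults': False}` in aodh/conf/defaults.py, and pass `**RBAC_DEFAULTS` at both call sites. The TODO could also state that these are defaults only, e.g. `# NOTE: defaults only; values set under [oslo_policy] in the service configuration still apply.`, so operators reading the code know scope enforcement can still be turned on per deployment.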
+++ b/aodh/conf/defaults.py @@ -27,8 +27,11 @@ def set_lib_defaults(): """ set_cors_middleware_defaults() - # Update default value of oslo.policy policy_file config option. - policy_opts.set_defaults(cfg.CONF, 'policy.yaml') + # Update default value of oslo.policy policy_file, , + # enforce_scope, and enforce_new_defaults config options. + policy_opts.set_defaults(cfg.CONF, 'policy.yaml', + enforce_scope=False, + enforce_new_defaults=False) def set_cors_middleware_defaults(): diff --git a/requirements.txt b/requirements.txt index 0e5fa54e9..f6e068611 100644 --- a/requirements.txt +++ b/requirements.txt @@ -10,7 +10,7 @@ oslo.config>=6.8.0 # Apache-2.0 oslo.i18n>=1.5.0 # Apache-2.0 oslo.log>=4.3.0 # Apache-2.0 oslo.reports>=1.18.0 # Apache-2.0 -oslo.policy>=3.7.0 # Apache-2.0 +oslo.policy>=3.11.0 # Apache-2.0 oslo.upgradecheck>=1.3.0 # Apache-2.0 PasteDeploy>=1.5.0 pbr>=2.0.0 # Apache-2.0
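Review bot: The rewritten comment in `set_lib_defaults()` has a stray `, ,` after `policy_file`, and it says only which options are overridden, not why. Because the call turns off scope enforcement and the new policy defaults, the reason belongs next to it, for example `# Keep the old RBAC defaults (enforce_scope and enforce_new_defaults off) until aodh supports the new RBAC; policy_file defaults to 'policy.yaml'.` The function begins above this hunk, so I cannot tell whether its docstring already mentions the policy overrides.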