diff --git a/lib/cinder b/lib/cinder
index f6fd095e69..7f2f29f892 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -144,6 +144,12 @@ CINDER_IMG_CACHE_SIZE_COUNT=${CINDER_IMG_CACHE_SIZE_COUNT:-}
 # enable the cache for all cinder backends.
 CINDER_CACHE_ENABLED_FOR_BACKENDS=${CINDER_CACHE_ENABLED_FOR_BACKENDS:-$CINDER_ENABLED_BACKENDS}
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Volume API policies to start checking the scope of token. by default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+CINDER_ENFORCE_SCOPE=$(trueorfalse False CINDER_ENFORCE_SCOPE)
+
 # Functions
 # ---------
@@ -347,6 +353,11 @@ function configure_cinder {
 elif is_service_enabled etcd3; then
 iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
 fi
+
+ if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+ iniset $CINDER_CONF oslo_policy enforce_scope true
+ iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+ fi
 }
 # create_cinder_accounts() - Set up common required cinder accounts
diff --git a/lib/tempest b/lib/tempest
index 4eacfa09ca..c60a47b549 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -607,6 +607,8 @@ function configure_tempest {
 iniset $TEMPEST_CONFIG auth admin_project_name ''
 fi
+ iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+
 if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
 # libvirt-lxc does not support boot from volume or attaching volumes
 # so basically anything with cinder is out of the question.
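Review bot: The comment added above `CINDER_ENFORCE_SCOPE` in the first lib/cinder hunk documents only `oslo_policy.enforce_scope`, but the `configure_cinder` hunk shows the same flag also switching on `enforce_new_defaults`. Someone who sets the flag to exercise token-scope checking also stops cinder from honouring its deprecated policy rules, which changes who is authorised for Volume API calls. The comment should say so, for example `# Setting this to True also enables oslo_policy.enforce_new_defaults.` The sentence break in `token. by default,` also wants a capital letter.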
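Review bot: In the `configure_cinder` hunk the `False` case writes nothing to `$CINDER_CONF`, so cinder runs on whatever defaults the installed oslo.policy ships, while the lib/tempest hunk records `False` for tempest regardless. If those library defaults are not false, the service enforces scope while the tests assume it does not, and an authorization regression can pass unnoticed. Writing both options on both paths keeps service and test configuration in step: before the `fi`, add `else` followed by `iniset $CINDER_CONF oslo_policy enforce_scope false` and `iniset $CINDER_CONF oslo_policy enforce_new_defaults false`. The function starts outside this hunk, so whether cinder.conf is recreated on every run cannot be confirmed from here.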
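Review bot: The added `iniset $TEMPEST_CONFIG enforce_scope cinder` line in lib/tempest is unconditional and uncommented, and it depends on lib/cinder having been sourced to define `CINDER_ENFORCE_SCOPE`. If the variable is empty at this point, the option is presumably written with an empty value; `"${CINDER_ENFORCE_SCOPE:-False}"` would keep tempest.conf well-formed. A one-line comment such as `# Keep tempest's scope expectations in sync with cinder's oslo_policy settings` would explain why the line sits here. `configure_tempest` starts and ends outside this hunk, so a cinder-specific section that would be a better home for it may exist but is not visible.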