From 9dc2b88eb42a5f98f43bc8ad3dfa3962a4d44d74 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Fri, 5 Mar 2021 09:32:19 -0600
Subject: [PATCH] Add enforce_scope setting support for keystone

Keystone-tempest-plugin has implemented the secure RBAC tests and enabling the enforce_scope via keystone devstack plugin. Doing those setting in devstack will help to manage easily and in central place also avoid restarting the api service.

Change-Id: I30da189474476d3397152a0a15c2e30a62d712ad
---
 lib/keystone | 11 +++++++++++
 lib/tempest  | 10 ++++++++++
 2 files changed, 21 insertions(+)

diff --git a/lib/keystone b/lib/keystone
index 66e867ca68..e282db0bfa 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -134,6 +134,12 @@ KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
 # Cache settings
 KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Identity API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+
 # Functions
 # ---------
@@ -281,6 +287,11 @@ function configure_keystone {
         iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
         iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
     fi
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+        iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
+        iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+    fi
 }
 # create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/tempest b/lib/tempest
index 8a5b785927..f210e4014b 100644
--- a/lib/tempest
+++ b/lib/tempest
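Review bot: The comment introducing `KEYSTONE_ENFORCE_SCOPE` describes only `oslo_policy.enforce_scope`, but the same flag also turns on `enforce_new_defaults` and pins `policy_file` in `configure_keystone` (the next hunk) and reconfigures Tempest's admin credentials in the lib/tempest hunk, so anyone toggling it gets more than scope checking. Either give the new-defaults switch its own variable or extend the comment, e.g. `# When True, keystone is configured with oslo_policy enforce_scope and` / `# enforce_new_defaults, and Tempest is switched to system-scoped admin` / `# credentials (see lib/tempest).`. "By Default" should read "By default".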
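Review bot: The new `if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then` in `configure_keystone` puts a space before the `;`, which differs from how the surrounding devstack code writes its tests (the libvirt check visible as context in the lib/tempest hunk uses `]; then`); the same spacing appears in the lib/tempest hunk. Suggest `if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]]; then` in both places. The three `iniset` lines would also benefit from a one-line why-comment, since the link between the flag name and `enforce_new_defaults`/`policy_file` is not obvious — something like `# scope checks only make sense against the new (scoped) default rules, so enable those too`, hedged as appropriate. `configure_keystone` starts outside the hunk.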
@@ -601,6 +601,16 @@ function configure_tempest {
         fi
     done
+    # ``enforce_scope``
+    # If services enable the enforce_scope for their policy
+    # we need to enable the same on Tempest side so that
+    # test can be run with scoped token.
+    if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+        iniset $TEMPEST_CONFIG enforce_scope keystone true
+        iniset $TEMPEST_CONFIG auth admin_system 'all'
+        iniset $TEMPEST_CONFIG auth admin_project_name ''
+    fi
+
     if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
         # libvirt-lxc does not support boot from volume or attaching volumes
         # so basically anything with cinder is out of the question.
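Review bot: The comment above the new block says the settings let tests "be run with scoped token", but the two `auth` lines change more than that: `admin_system 'all'` together with an empty `admin_project_name` make Tempest's admin credentials system-scoped, which as far as I can tell affects every plugin's admin tests in that job, not only keystone's, and the block is keyed off a variable defined in lib/keystone rather than a tempest-side setting. Suggest stating this in the comment, e.g. `# Switch Tempest's admin credentials to system scope (no project) so the` / `# scope-enforcing keystone policies accept them; this applies to all plugins.`. `configure_tempest` continues outside the hunk.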