Add enforce_scope setting support for keystone
Keystone-tempest-plugin has implemented the secure RBAC tests and enables enforce_scope via the keystone devstack plugin. Doing those settings in devstack will help to manage them easily and in a central place, and also avoids restarting the API service. Change-Id: I30da189474476d3397152a0a15c2e30a62d712ad
This commit is contained in:
parent
8f3e51d79f
commit
9dc2b88eb4
11
lib/keystone
11
lib/keystone
@ -134,6 +134,12 @@ KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
|
|||||||
# Cache settings
|
# Cache settings
|
||||||
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
|
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
|
||||||
|
|
||||||
|
# Flag to set the oslo_policy.enforce_scope. This is used to switch
|
||||||
|
# the Identity API policies to start checking the scope of token. By Default,
|
||||||
|
# this flag is False.
|
||||||
|
# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
|
||||||
|
KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
|
||||||
|
|
||||||
# Functions
|
# Functions
|
||||||
# ---------
|
# ---------
|
||||||
|
|
||||||
@ -281,6 +287,11 @@ function configure_keystone {
|
|||||||
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
||||||
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
|
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
|
||||||
fi
|
fi
|
||||||
|
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
|
||||||
|
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
|
||||||
|
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
|
||||||
|
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# create_keystone_accounts() - Sets up common required keystone accounts
|
# create_keystone_accounts() - Sets up common required keystone accounts
|
||||||
|
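Review bot: The comment block in the first hunk documents KEYSTONE_ENFORCE_SCOPE as toggling only oslo_policy.enforce_scope, but the configure_keystone hunk also sets `enforce_new_defaults true` and `policy_file policy.yaml`, which is a larger authorization change: with enforce_new_defaults the deprecated legacy policy rules are no longer honored, so an operator flipping this flag should know all three take effect together. Suggest extending the comment before the assignment with something like `# When True this also enables oslo_policy.enforce_new_defaults and points policy_file at policy.yaml, so deprecated legacy policy rules stop applying.` The False path leaves all three options at keystone's own defaults, which is presumably intended but worth stating in the same comment. The body of configure_keystone starts outside the hunk.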
10
lib/tempest
10
lib/tempest
@ -601,6 +601,16 @@ function configure_tempest {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# ``enforce_scope``
|
||||||
|
# If services enable the enforce_scope for their policy
|
||||||
|
# we need to enable the same on Tempest side so that
|
||||||
|
# test can be run with scoped token.
|
||||||
|
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
|
||||||
|
iniset $TEMPEST_CONFIG enforce_scope keystone true
|
||||||
|
iniset $TEMPEST_CONFIG auth admin_system 'all'
|
||||||
|
iniset $TEMPEST_CONFIG auth admin_project_name ''
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
|
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
|
||||||
# libvirt-lxc does not support boot from volume or attaching volumes
|
# libvirt-lxc does not support boot from volume or attaching volumes
|
||||||
# so basically anything with cinder is out of the question.
|
# so basically anything with cinder is out of the question.
|
||||||
|
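Review bot: The comment above the new block says "If services enable the enforce_scope", but the condition only checks KEYSTONE_ENFORCE_SCOPE and only `enforce_scope keystone` is set, while `auth admin_system` and `auth admin_project_name` change the admin credentials Tempest uses for every service, not just keystone. That is probably intended but deserves a sentence, e.g. `# NOTE: admin_system/admin_project_name switch the shared admin credentials to system scope for all tempest tests, not only keystone ones.` It is also worth confirming that `iniset $TEMPEST_CONFIG auth admin_project_name ''` actually writes an empty value rather than being skipped, since iniset's handling of an empty value is not visible here. configure_tempest begins and ends outside the hunk.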