ci: allow service role CI account usage to have elevated access
When I thought change I2b4bcc748b6e43e4215dc45137becce301349032 was going to fix everything, that was with the mental model that it was going to be enabled by default. That didn't happen in review as part of the service, but the reality is we still have some adjacent CI jobs which need it to operate properly. Given CI, it is just invoked when scope enforcement is enabled for CI purposes

Change-Id: I60074504742d8b09017acbb42d2706215b0169af
parent 8ec5606622
commit 19bc67c196
@ -1535,8 +1535,13 @@ function configure_ironic {
|
|||||||
if [[ "$IRONIC_ENFORCE_SCOPE" == "False" ]]; then
|
if [[ "$IRONIC_ENFORCE_SCOPE" == "False" ]]; then
|
||||||
iniset $IRONIC_CONF_FILE oslo_policy enforce_scope false
|
iniset $IRONIC_CONF_FILE oslo_policy enforce_scope false
|
||||||
iniset $IRONIC_CONF_FILE oslo_policy enforce_new_defaults false
|
iniset $IRONIC_CONF_FILE oslo_policy enforce_new_defaults false
|
||||||
|
else
|
||||||
|
# NOTE(TheJulia): In devstack, services by default get service role
|
||||||
|
# accounts in a service project. Under normal circumstances, they
|
||||||
|
# need to be able to have elevated access if not explicitly
|
||||||
|
# configured for a system scoped account.
|
||||||
|
iniset $IRONIC_CONF_FILE DEFAULT rbac_service_role_elevated_access true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Set fast track options
|
# Set fast track options
|
||||||
iniset $IRONIC_CONF_FILE deploy fast_track $IRONIC_DEPLOY_FAST_TRACK
|
iniset $IRONIC_CONF_FILE deploy fast_track $IRONIC_DEPLOY_FAST_TRACK
|
||||||
|
|
||||||
|
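Review bot: The new `else` branch sets `rbac_service_role_elevated_access true` on every run where `IRONIC_ENFORCE_SCOPE` is anything other than the literal string "False", so the elevated access is not limited to the CI jobs the commit message refers to; an unset variable or a value such as "false" also lands in this branch. Consider gating the `iniset` on a separate devstack variable that the affected jobs set explicitly, so that a scope-enforcing deployment runs without the elevated access unless it asks for it. The NOTE would also be clearer if it stated that this option widens what service role accounts may do and that the setting is meant for devstack only.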