authorJulia Kreger <juliaashleykreger@gmail.com>2021-03-05 07:02:43 -0800
committerJulia Kreger <juliaashleykreger@gmail.com>2021-07-15 21:58:31 +0000
commit2cd64683461d3a5648b24e1202b2480a7115a195 (patch)
treefb8b9b577c304a024391e19df3fd29c75a985b38 /zuul.d
parenteb18f8fce8fdfe5acf6d6525e9a18deebfc10f90 (diff)
downloadironic-2cd64683461d3a5648b24e1202b2480a7115a195.tar.gz
Scoped RBAC Devstack Plugin support
Adds support to the ironic devstack plugin to configure ironic to be used in a scope-enforcing mode in line with the Secure RBAC effort. This change also defines two new integration jobs *and* changes one of the existing integration jobs. In these cases, we're testing functional CRUD interactions, integration with nova, and integration with ironic-inspector. As other services come online with their plugins and devstack code being able to set the appropriate scope enforcement configuration, we will be able to change the overall operating default for all of ironic's jobs and exclude the differences. This effort identified issues in ironic-tempest-plugin, tempest, devstack, and required plugin support in ironic-inspector as well, and is ultimately required to ensure we do not break the Secure RBAC. Luckily, it all works. Change-Id: Ic40e47cb11a6b6e9915efcb12e7912861f25cae7
Diffstat (limited to 'zuul.d')
-rw-r--r--zuul.d/ironic-jobs.yaml22
-rw-r--r--zuul.d/project.yaml4
2 files changed, 26 insertions, 0 deletions
diff --git a/zuul.d/ironic-jobs.yaml b/zuul.d/ironic-jobs.yaml
index 56f2301e6..34a757254 100644
--- a/zuul.d/ironic-jobs.yaml
+++ b/zuul.d/ironic-jobs.yaml
@@ -181,6 +181,7 @@
IRONIC_VM_VOLUME_COUNT: 2
IRONIC_VM_SPECS_RAM: 1024
IRONIC_VM_SPECS_CPU: 1
+ IRONIC_ENFORCE_SCOPE: True
# We're using a lot of disk space in this job. Some testing nodes have
# a small root partition, so use /opt which is mounted from a bigger
# ephemeral partition on such nodes
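Review bot: `IRONIC_ENFORCE_SCOPE: True` is added here, and again in the hunks at -305 and -344, without a comment. The job definitions these variable blocks belong to start outside the hunks, so it is not visible which jobs (or jobs inheriting from them) now run scope-enforced. The commit message speaks of changing one existing integration job, while the flag lands in three places. A short comment above each addition, such as `# Secure RBAC: run this job with scope enforcement enabled`, would make the intent explicit and let a reader tell a scope-enforced job from one running the default policy mode.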
@@ -305,6 +306,7 @@
IRONIC_TEMPEST_WHOLE_DISK_IMAGE: True
IRONIC_VM_EPHEMERAL_DISK: 0
IRONIC_AUTOMATED_CLEAN_ENABLED: False
+ IRONIC_ENFORCE_SCOPE: True
- job:
name: ironic-tempest-ipa-partition-uefi-pxe_ipmitool
@@ -344,6 +346,7 @@
IRONIC_AUTOMATED_CLEAN_ENABLED: False
SWIFT_ENABLE_TEMPURLS: True
SWIFT_TEMPURL_KEY: secretkey
+ IRONIC_ENFORCE_SCOPE: True
devstack_services:
c-api: True
c-bak: True
@@ -393,6 +396,17 @@
s-proxy: True
- job:
+ name: ironic-inspector-tempest-rbac-scope-enforced
+ description: ironic-inspector-tempest-rbac-scope-enforced
+ parent: ironic-inspector-tempest
+ required-projects:
+ - openstack/ironic-inspector
+ vars:
+ devstack_localrc:
+ IRONIC_ENFORCE_SCOPE: True
+ IRONIC_INSPECTOR_ENFORCE_SCOPE: True
+
+- job:
name: ironic-tempest-functional-python3
description: ironic-tempest-functional-python3
parent: ironic-base
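Review bot: The `description` of the new `ironic-inspector-tempest-rbac-scope-enforced` job only repeats its name, so nothing in the definition says how it differs from its parent `ironic-inspector-tempest`. The same applies to `ironic-tempest-functional-rbac-scope-enforced` in the hunk at -428. A description along the lines of `description: ironic-inspector-tempest with scope enforcement enabled in both ironic and ironic-inspector (Secure RBAC)` would document which services are under enforcement in this job. That matters when deciding whether a failure is a policy regression or an ordinary test failure.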
@@ -428,6 +442,14 @@
q-svc: False
- job:
+ name: ironic-tempest-functional-rbac-scope-enforced
+ description: ironic-tempest-funcitonal-rbac-scope-enforced
+ parent: ironic-tempest-functional-python3
+ vars:
+ devstack_localrc:
+ IRONIC_ENFORCE_SCOPE: True
+
+- job:
name: ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode
description: ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode
parent: tempest-multinode-full-base
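Review bot: The description of the new job is misspelled: `description: ironic-tempest-funcitonal-rbac-scope-enforced` should read `description: ironic-tempest-functional-rbac-scope-enforced`. The job `name` on the line above is spelled correctly, so job selection is presumably unaffected. The typo would still make the job harder to find when searching job descriptions.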
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 676e28011..23aa568fb 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -11,6 +11,7 @@
jobs:
- ironic-tox-unit-with-driver-libs
- ironic-tempest-functional-python3
+ - ironic-tempest-functional-rbac-scope-enforced
- ironic-grenade
- ironic-standalone
- ironic-standalone-redfish
@@ -41,6 +42,8 @@
voting: false
- ironic-tempest-ipa-wholedisk-bios-ipmi-direct-dib:
voting: false
+ - ironic-inspector-tempest-rbac-scope-enforced:
+ voting: false
- bifrost-integration-tinyipa-ubuntu-focal:
voting: false
- bifrost-integration-redfish-vmedia-uefi-centos-8:
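Review bot: `ironic-inspector-tempest-rbac-scope-enforced` is added with `voting: false`, and the other two hunks in this file add only the functional scope-enforced job. A regression in scope enforcement on the ironic-inspector integration path would therefore be reported without blocking a merge. The pipeline names sit outside the hunk, so the placement is inferred from the `voting: false` siblings around it. If the job is non-voting only until it proves stable, a comment such as `# TODO: make voting once scope-enforced inspector runs are stable` would record that intent next to the entry.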
@@ -54,6 +57,7 @@
jobs:
- ironic-tox-unit-with-driver-libs
- ironic-tempest-functional-python3
+ - ironic-tempest-functional-rbac-scope-enforced
- ironic-grenade
- ironic-standalone
- ironic-standalone-redfish