author | Ghanshyam Mann <gmann@ghanshyammann.com> | 2022-11-30 14:57:51 -0600 |
---|---|---|
committer | Ghanshyam Mann <gmann@ghanshyammann.com> | 2023-01-10 23:37:13 -0600 |
commit | d97af33c0639b548f8a66ab14019259e9b4210be | |
tree | 0be5f69694b00ddedd1286f98d18d82eab543810 /.zuul.yaml | |
parent | 5e5b6751d32aa50dc372c55b5c2044d0dade51f4 | |

Enable new defaults and scope checks by default

As discussed in PTG, we need to test the new RBAC in the
integrated gate and accordingly enable the new defaults
and scope check by default. A new integrated testing job
has been added and results show that the new defaults and
scope checks are working fine. During testing, we found a
few bugs in neutron policies but all are fixed now.

enforce_scope and enforce_new_defaults are oslo policy config
options but they are per service level and the default value
can be overridden. Oslo policy 3.11.0 version allows overriding
the default value for these config options[1] so upgrading the
oslo policy version in requirements.txt.

Depends-On: https://review.opendev.org/c/openstack/devstack/+/869781
Depends-On: https://review.opendev.org/c/openstack/placement/+/869525

[1] https://github.com/openstack/oslo.policy/blob/3.11.0/oslo_policy/opts.py#L125

Change-Id: I977b2daedf880229c8d364ca011f2ea965b86e3a

Diffstat (limited to '.zuul.yaml')
-rw-r--r-- | .zuul.yaml | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/.zuul.yaml b/.zuul.yaml index 1a35975d3a..25d6cc6819 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -665,6 +665,36 @@ parent: tempest-integrated-compute nodeset: openstack-single-node-focal +# TODO(gmann): Remove this jobs once all the required services for intergrate +# compute gate (Cinder, Glance, Neutron) by default enable scope and new +# defaults which means all the nova jobs will be tested with new RBAC in +# integrated way and we do not need this separate job. +- job: + name: tempest-integrated-compute-enforce-scope-new-defaults + parent: tempest-integrated-compute + description: | + This job runs the Tempest tests with scope and new defaults enabled + for Nova, Neutron, Glance, and Cinder services. + # TODO (gmann): There were few fixes in neutron and neutron-lib for the + # RBAC but they are not yet released so we need to add both projcts as + # the required-projects. Those can be removed once new version of neutron + # and neutron-lib is released. + required-projects: + - openstack/neutron + - openstack/neutron-lib + vars: + devstack_localrc: + # Enabeling the scope and new defaults for services implemented it. + # NOTE (gmann): We need to keep keystone scope check disable as + # services (except ironic) does not support the system scope and + # they need keystone to continue working with project scope. Until + # Keystone policies are changed to work for project scoped also, we + # need to keep scope check disable for keystone. + NOVA_ENFORCE_SCOPE: true + CINDER_ENFORCE_SCOPE: true + GLANCE_ENFORCE_SCOPE: true + NEUTRON_ENFORCE_SCOPE: true + - project: # Please try to keep the list of job names sorted alphabetically. templates: @@ -723,6 +753,8 @@ - ^tox.ini$ - tempest-integrated-compute-ubuntu-focal: irrelevant-files: *policies-irrelevant-files + - tempest-integrated-compute-enforce-scope-new-defaults: + irrelevant-files: *policies-irrelevant-files - grenade-skip-level: irrelevant-files: *policies-irrelevant-files - nova-grenade-multinode: 
@@ -758,6 +790,8 @@ irrelevant-files: *policies-irrelevant-files - tempest-integrated-compute-ubuntu-focal: irrelevant-files: *policies-irrelevant-files + - tempest-integrated-compute-enforce-scope-new-defaults: + irrelevant-files: *policies-irrelevant-files - nova-grenade-multinode: irrelevant-files: *policies-irrelevant-files - tempest-ipv6-only: |
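
Review bot: In the first hunk (@@ -665,6 +665,36 @@), the devstack_localrc block of tempest-integrated-compute-enforce-scope-new-defaults sets only the four *_ENFORCE_SCOPE variables, while the job name and description promise both scope checks and new defaults. Nothing in the visible lines turns on enforce_new_defaults, so either add that setting or extend the comment above NOVA_ENFORCE_SCOPE to state that each flag enables both options for its service. The keystone NOTE and the two TODOs would be easier to retire with a bug or review link attached, and the comments carry typos worth fixing before merge ("this jobs", "intergrate", "projcts", "Enabeling").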
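
Review bot: In the second hunk (@@ -723,6 +753,8 @@), the new job entry reuses irrelevant-files: *policies-irrelevant-files, but only the tail of that list (^tox.ini$) is visible here. Because this job exists to exercise the RBAC defaults, confirm that the aliased list does not match the policy modules or their tests; otherwise a policy-only change would skip the one job meant to catch a regression in it. A one-line comment on the entry saying why this alias was chosen would settle the question for later readers.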
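
Review bot: In the third hunk (@@ -758,6 +790,8 @@), the job is added to a second job list in the same change that introduces it, and no voting: false appears anywhere in the patch, while the job definition depends on unreleased neutron and neutron-lib fixes through required-projects. A regression in either project could then block nova changes. Consider running the job non-voting from the first list for a period before adding it here, or state in the commit message how many runs back the "working fine" result.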