Revert "[S-RBAC] Switch to new policies by default"
This reverts commit 62b7315092318296e23451d956989d672b6a4584.
Reason for revert:
The new defaults are enabled by default only in the current, ongoing release cycle, which is not yet released, so the old defaults are what is enabled by default in the latest release. Because of that, devstack still has them disabled by default[1], which configures all the jobs with the old defaults[2]; that is why the old defaults are enabled in all the jobs[3].
Let's continue testing the old defaults as the default and keep this new defaults job until 2023.2 is released. After 2023.1 (2024.1 cycle) we can switch to: 1. running all jobs with the new defaults, 2. a single job with the old defaults.
[1] https://github.com/openstack/devstack/blob/34afa91fc9f830fc8e1fdc4d76e7aa6d4248eaaa/lib/neutron#L96
[2] https://github.com/openstack/devstack/blob/34afa91fc9f830fc8e1fdc4d76e7aa6d4248eaaa/lib/neutron#L564
[3] https://zuul.opendev.org/t/openstack/build/190cdd3f0479408b87dc10c4f9396f10/log/controller/logs/etc/neutron/neutron_conf.txt#2091
Change-Id: I1610f8b13b8fa7567e6f8c41f804ff3b774424e3
diff --git a/zuul.d/master_jobs.yaml b/zuul.d/master_jobs.yaml
index dacf3d5..39d1d89 100644
--- a/zuul.d/master_jobs.yaml
+++ b/zuul.d/master_jobs.yaml
@@ -409,15 +409,20 @@
- ^zuul.d/(?!(project)).*\.yaml
- job:
- name: neutron-tempest-plugin-openvswitch-enforce-scope-old-defaults
+ name: neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
parent: neutron-tempest-plugin-openvswitch
vars:
devstack_localrc:
- # Disabling the scope and new defaults for services to use old,
- # deprecated policies
- NOVA_ENFORCE_SCOPE: false
- GLANCE_ENFORCE_SCOPE: false
- NEUTRON_ENFORCE_SCOPE: false
+ # Enabeling the scope and new defaults for services.
+ # NOTE: (gmann) We need to keep keystone scope check disable as
+ # services (except ironic) does not support the system scope and
+ # they need keystone to continue working with project scope. Until
+ # Keystone policies are changed to work for both system as well as
+ # for project scoped, we need to keep scope check disable for
+ # keystone.
+ NOVA_ENFORCE_SCOPE: true
+ GLANCE_ENFORCE_SCOPE: true
+ NEUTRON_ENFORCE_SCOPE: true
# TODO(slaweq): remove that job's definition as soon as new job
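Review bot: The NOTE added above `NOVA_ENFORCE_SCOPE: true` says the keystone scope check must stay disabled, but `devstack_localrc` in this job never sets it, so the job relies on whatever devstack defaults to. Because this is the one job that exercises the enforced-scope RBAC policies, I would pin it with `KEYSTONE_ENFORCE_SCOPE: false` next to the other three variables, so a later change of the devstack default cannot silently alter what the job covers. The first comment line also has a typo and could read `# Enabling the scope and new defaults for services.` A short TODO recording the commit message's plan to switch after the 2023.2 release would help the next maintainer.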
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index d1d9717..2347c1b 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -5,7 +5,7 @@
- neutron-tempest-plugin-linuxbridge
- neutron-tempest-plugin-openvswitch
- neutron-tempest-plugin-openvswitch-iptables_hybrid
- - neutron-tempest-plugin-openvswitch-enforce-scope-old-defaults
+ - neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
- neutron-tempest-plugin-ovn
- neutron-tempest-plugin-designate-scenario
gate:
@@ -14,7 +14,7 @@
- neutron-tempest-plugin-openvswitch
- neutron-tempest-plugin-ovn
- neutron-tempest-plugin-openvswitch-iptables_hybrid
- - neutron-tempest-plugin-openvswitch-enforce-scope-old-defaults
+ - neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
#TODO(slaweq): Move neutron-tempest-plugin-dvr-multinode-scenario out of
# the experimental queue when it will be more stable
experimental: