[Secure RBAC] Add scope enforcement enabled job for master branch
This patch adds one new job,
neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults,
which has scope enforcement and the new default API policies enabled
in Neutron and other projects (Glance, Nova) which support that.
In the next cycle (2023.2) we will want to make new policies and scope
enforcing to be enabled by default in Neutron, but for now let's enable
it in just one job to make sure it's working and is ready to switch in
the future.
Change-Id: Ib51f39e83fbc4cfd2097998f957a76b0ae380caf
diff --git a/zuul.d/master_jobs.yaml b/zuul.d/master_jobs.yaml
index 93c8fe2..d766959 100644
--- a/zuul.d/master_jobs.yaml
+++ b/zuul.d/master_jobs.yaml
@@ -405,6 +405,23 @@
- ^vagrant/.*$
- ^zuul.d/(?!(project)).*\.yaml
+- job:
+ name: neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
+ parent: neutron-tempest-plugin-openvswitch
+ vars:
+ devstack_localrc:
+ # Enabeling the scope and new defaults for services.
+ # NOTE: (gmann) We need to keep keystone scope check disable as
+ # services (except ironic) does not support the system scope and
+ # they need keystone to continue working with project scope. Until
+ # Keystone policies are changed to work for both system as well as
+ # for project scoped, we need to keep scope check disable for
+ # keystone.
+ NOVA_ENFORCE_SCOPE: true
+ GLANCE_ENFORCE_SCOPE: true
+ NEUTRON_ENFORCE_SCOPE: true
+
+
# TODO(slaweq): remove that job's definition as soon as new job
# "neutron-tempest-plugin-openvswitch-iptables_hybrid" will be used in the
# neutron repo as a parent for a
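Review bot: The comment block under devstack_localrc says it enables "the scope and new defaults", and the job name ends in new-defaults, but the three variables set here (NOVA_ENFORCE_SCOPE, GLANCE_ENFORCE_SCOPE, NEUTRON_ENFORCE_SCOPE) only name scope enforcement. If these switches also turn on the new default policies, say so in the comment; if they do not, the job needs the matching new-defaults settings or a narrower name. The NOTE also depends on Keystone's scope check staying disabled, yet nothing in the job pins that, so a change of default elsewhere would silently alter what this job tests; consider setting it explicitly. Minor: "Enabeling" should be "Enabling", and the hunk leaves two blank lines before the existing TODO where the rest of the file uses one.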
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index f3ea67a..1ea3336 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -5,6 +5,7 @@
- neutron-tempest-plugin-linuxbridge
- neutron-tempest-plugin-openvswitch
- neutron-tempest-plugin-openvswitch-iptables_hybrid
+ - neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
- neutron-tempest-plugin-ovn
- neutron-tempest-plugin-designate-scenario
gate:
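Review bot: The new entry in the list above gate: is a bare job name, so it runs as a voting job from its first execution, while the commit message describes it as a trial to make sure the configuration is working. Consider listing it with voting: false until it has a few clean runs, so a failure caused by the stricter policies does not block unrelated changes.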
@@ -13,6 +14,7 @@
- neutron-tempest-plugin-openvswitch
- neutron-tempest-plugin-ovn
- neutron-tempest-plugin-openvswitch-iptables_hybrid
+ - neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults
#TODO(slaweq): Move neutron-tempest-plugin-dvr-multinode-scenario out of
# the experimental queue when it will be more stable
experimental:
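Review bot: Adding the job to the gate list in the same change that defines it makes an untested configuration a merge blocker for every patch in this repository. Since Nova and Glance enforcement are switched on in this job too, a policy regression in either project would stall merges here; I would drop this line for now and add the job to gate in a follow-up once it has proven stable in check.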