Enable Secure RBAC in Keystone
This patch enables Secure RBAC (enforce_scope and enforce_new_defaults)
in Keystone since the policies have been updated to accept both scoped
tokens as well as legacy "admin" role tokens. [1]
[1] https://opendev.org/openstack/keystone/commit/f2f1a5c38847ddc5aa28eec9722885d9c64c6e7b
Depends-On: https://review.opendev.org/c/openstack/keystone/+/913999
Change-Id: I4d4c6f250a08a86bd5838679a3ef2c0ad887f265
diff --git a/zuul.d/integrated-gate.yaml b/zuul.d/integrated-gate.yaml
index f508240..67a7bb1 100644
--- a/zuul.d/integrated-gate.yaml
+++ b/zuul.d/integrated-gate.yaml
@@ -374,15 +374,7 @@
This job runs the Tempest tests with scope and new defaults enabled.
vars:
devstack_localrc:
- # Enabaling the scope and new defaults for services.
- # NOTE: (gmann) We need to keep keystone scope check disable as
- # services (except ironic) does not support the system scope and
- # they need keystone to continue working with project scope. Until
- # Keystone policies are changed to work for both system as well as
- # for project scoped, we need to keep scope check disable for
- # keystone.
- # Nova, Glance, and Neutron have enabled the new defaults and scope
- # by default in devstack.
+ KEYSTONE_ENFORCE_SCOPE: true
CINDER_ENFORCE_SCOPE: true
PLACEMENT_ENFORCE_SCOPE: true
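Review bot: The added line `KEYSTONE_ENFORCE_SCOPE: true` under `devstack_localrc` is the only setting this hunk introduces, while the commit message says the change enables both enforce_scope and enforce_new_defaults in Keystone. Nothing visible here shows the new defaults being turned on. If the devstack variable covers both options, a one-line comment above it saying so would make that clear to the next reader of this job. If it does not, either the message or the job vars should be adjusted. Separately, the deleted comment block also carried the note that Nova, Glance, and Neutron enable the new defaults and scope by default in devstack. That sentence explained why those services have no `*_ENFORCE_SCOPE` entry in this list and is still true after this change as far as the hunk shows, so consider keeping it (and the short header comment) and dropping only the Keystone-specific NOTE.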