Enabled new defaults and scope checks by default

Enabling the enforce scope and new defaults by default in glance

Related blueprint secure-rbac

Change-Id: I0808dc0b1b34b527e38aa137c1dd25e1fc06409f

Author: PranaliDeore

.zuul.yaml

@@ -289,6 +289,20 @@
             glance_store:
               rbd_thin_provisioning: True
 
+# TODO(pdeore): Remove this jobs once all the glance jobs will be tested
+# with new RBAC in integrated way and we do not need this separate job.
+- job:
+    name: tempest-integrated-storage-enforce-scope-new-defaults
+    parent: tempest-integrated-storage
+    description: |
+      This job runs the Tempest tests with scope and new defaults enabled
+      Glance services.
+    vars:
+      devstack_localrc:
+        NOVA_ENFORCE_SCOPE: true
+        CINDER_ENFORCE_SCOPE: true
+        GLANCE_ENFORCE_SCOPE: true
+
 - project:
     templates:
       - check-requirements
@@ -319,6 +333,8 @@
               - ^\.zuul\.yaml$
         - tempest-integrated-storage:
             irrelevant-files: *tempest-irrelevant-files
+        - tempest-integrated-storage-enforce-scope-new-defaults:
+            irrelevant-files: *tempest-irrelevant-files
         - tempest-integrated-storage-import:
             irrelevant-files: *tempest-irrelevant-files
         - tempest-integrated-storage-import-standalone:
@@ -339,6 +355,8 @@
         - openstack-tox-functional-py39
         - tempest-integrated-storage:
             irrelevant-files: *tempest-irrelevant-files
+        - tempest-integrated-storage-enforce-scope-new-defaults:
+            irrelevant-files: *tempest-irrelevant-files
         - tempest-integrated-storage-import:
             irrelevant-files: *tempest-irrelevant-files
         - tempest-integrated-storage-import-standalone:

glance/api/policy.py

@@ -34,11 +34,15 @@
 _ENFORCER = None
 
 
-# TODO(gmann): Remove setting the default value of config policy_file
-# once oslo_policy change the default value to 'policy.yaml'.
-# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+# TODO(gmann): Remove overriding the default value of config options
+# 'policy_file', 'enforce_scope', and 'enforce_new_defaults' once
+# oslo_policy change their default value to what is overridden here.
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+    cfg.CONF,
+    DEFAULT_POLICY_FILE,
+    enforce_scope=True,
+    enforce_new_defaults=True)
 
 
 class Enforcer(policy.Enforcer):

glance/common/config.py

@@ -593,7 +593,7 @@
 
     Related options:
         * [DEFAULT]/node_staging_uri""")),
-    cfg.BoolOpt('enforce_secure_rbac', default=False,
+    cfg.BoolOpt('enforce_secure_rbac', default=True,
                 deprecated_for_removal=True,
                 deprecated_reason=_("""
 This option has been introduced to require operators to opt into enforcing

glance/tests/functional/__init__.py

@@ -585,6 +585,9 @@ def __init__(self, test_dir, port, policy_file, delayed_delete=False,
         self.image_location_quota = 2
         self.disable_path = None
 
+        self.enforce_secure_rbac = True
+        self.enforce_new_defaults = True
+
         self.needs_database = True
         default_sql_connection = SQLITE_CONN_TEMPLATE % self.test_dir
         self.sql_connection = os.environ.get('GLANCE_TEST_SQL_CONNECTION',
@@ -626,9 +629,11 @@ def __init__(self, test_dir, port, policy_file, delayed_delete=False,
 location_strategy=%(location_strategy)s
 allow_additional_image_properties = True
 enabled_backends=file1:file,file2:file,file3:file
+enforce_secure_rbac=%(enforce_secure_rbac)s
 [oslo_policy]
 policy_file = %(policy_file)s
 policy_default_rule = %(policy_default_rule)s
+enforce_new_defaults=%(enforce_new_defaults)s
 [paste_deploy]
 flavor = %(deployment_flavor)s
 [store_type_location_strategy]

glance/tests/unit/test_cache_middleware.py

@@ -409,7 +409,8 @@ def fake_get_v2_image_metadata(*args, **kwargs):
         rules = {
             "restricted":
             "not ('test_1234':%(x_test_key)s and role:_member_)",
-            "download_image": "role:admin or rule:restricted"
+            "download_image": "role:admin or rule:restricted",
+            "get_image": ""
         }
         self.set_policy_rules(rules)
         cache_filter.policy = glance.api.policy.Enforcer(

glance/tests/unit/test_policy.py

@@ -320,7 +320,8 @@ def test_policy_file_check(self):
         self.assertEqual(False, enforcer.check(context, 'get_image', {}))
 
     def test_policy_file_get_image_default_everybody(self):
-        rules = {"default": ''}
+        rules = {"default": '',
+                 "get_image": ''}
         self.set_policy_rules(rules)
 
         enforcer = glance.api.policy.Enforcer(

glance/tests/unit/utils.py

@@ -20,6 +20,7 @@
 import urllib
 
 from oslo_config import cfg
+from oslo_policy import policy
 
 from glance.async_.flows._internal_plugins import base_download
 from glance.common import exception
@@ -87,6 +88,14 @@ def get_fake_request(path='', method='POST', is_admin=False, user=USER1,
     return req
 
 
+def enforcer_from_rules(unparsed_rules):
+    rules = policy.Rules.from_dict(unparsed_rules)
+    enforcer = glance.api.policy.Enforcer(
+        suppress_deprecation_warnings=True)
+    enforcer.set_rules(rules, overwrite=True)
+    return enforcer
+
+
 def fake_get_size_from_backend(uri, context=None):
     return 1