[all][rbac][tacker][horizon][neutron][octavia] oslo.policy 4.4.0 enable the RBAC new defaults by default
Hi All,
You might have seen some fixes and testing changes on your project to test the oslo.policy 4.4.0. oslo.policy 4.4.0 enables the RBAC new defaults by default, which means those will be enabled for all the OpenStack services unless they have disabled them by overriding the default value. It enables both enforce_scope as well enforce_new_defaults.
The requirement change[1] adds the oslo.policy 4.4.0 in upper-constraints which will enable the latest oslo.policy in upstream CI. Along with jobs failing on requirement change, I tested more integration jobs and fixing the failures[2].
Most of the fixes have been merged, and a few of them are up for review. Below is the list of fixes up for review, please merge them before the requirement change is merged. If there is something else I missed to test and failed, let me know on IRC or here.
In-progress fixes:
- Horizon: - https://review.opendev.org/c/openstack/horizon/+/927571 - Tacker: - https://review.opendev.org/c/openstack/tacker/+/926089/5 - Neutron + Designates job (making it non-voting until we figure out the root cause): - https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/927648 - Octavia (Michael is working on more modifications on this ): - https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/926867
[1] https://review.opendev.org/c/openstack/requirements/+/925464 [2] https://review.opendev.org/q/topic:%22secure-rbac%22+owner:gmann@ghanshyamma...
-gmann
Hi Ghanshyam,
I am involved in some projects (Blazar and CloudKitty) which to my knowledge have not received any patches related to these changes. Is this oslo.policy requirement change likely to break our projects?
Thanks, Pierre Riteau (priteau)
On Fri, 30 Aug 2024 at 23:48, Ghanshyam Mann gmann@ghanshyammann.com wrote:
Hi All,
You might have seen some fixes and testing changes on your project to test the oslo.policy 4.4.0. oslo.policy 4.4.0 enables the RBAC new defaults by default, which means those will be enabled for all the OpenStack services unless they have disabled them by overriding the default value. It enables both enforce_scope as well enforce_new_defaults.
The requirement change[1] adds the oslo.policy 4.4.0 in upper-constraints which will enable the latest oslo.policy in upstream CI. Along with jobs failing on requirement change, I tested more integration jobs and fixing the failures[2].
Most of the fixes have been merged, and a few of them are up for review. Below is the list of fixes up for review, please merge them before the requirement change is merged. If there is something else I missed to test and failed, let me know on IRC or here.
In-progress fixes:
- Horizon:
- Tacker:
- Neutron + Designates job (making it non-voting until we figure out the
root cause):
https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/927648
- Octavia (Michael is working on more modifications on this ):
[1] https://review.opendev.org/c/openstack/requirements/+/925464 [2] https://review.opendev.org/q/topic:%22secure-rbac%22+owner:gmann@ghanshyamma...
-gmann
Hi Pierre,
Blazar and Cloudkitty have not implemented the new RBAC yet, so there is no impact on either of the projects. But in case there is any cross-service change impact, I have submitted the testing changes:
- https://review.opendev.org/c/openstack/cloudkitty/+/927753 - https://review.opendev.org/c/openstack/blazar/+/927754
In the 2025.1 cycle, I can work on both projects to implement phase 1 of the RBAC goal.
-gmann
---- On Mon, 02 Sep 2024 05:46:36 -0700 Pierre Riteau wrote ---
Hi Ghanshyam, I am involved in some projects (Blazar and CloudKitty) which to my knowledge have not received any patches related to these changes. Is this oslo.policy requirement change likely to break our projects? Thanks,Pierre Riteau (priteau) On Fri, 30 Aug 2024 at 23:48, Ghanshyam Mann gmann@ghanshyammann.com> wrote: Hi All,
You might have seen some fixes and testing changes on your project to test the oslo.policy 4.4.0. oslo.policy 4.4.0 enables the RBAC new defaults by default, which means those will be enabled for all the OpenStack services unless they have disabled them by overriding the default value. It enables both enforce_scope as well enforce_new_defaults.
The requirement change[1] adds the oslo.policy 4.4.0 in upper-constraints which will enable the latest oslo.policy in upstream CI. Along with jobs failing on requirement change, I tested more integration jobs and fixing the failures[2].
Most of the fixes have been merged, and a few of them are up for review. Below is the list of fixes up for review, please merge them before the requirement change is merged. If there is something else I missed to test and failed, let me know on IRC or here.
In-progress fixes:
- Horizon:
- https://review.opendev.org/c/openstack/horizon/+/927571
- Tacker:
- https://review.opendev.org/c/openstack/tacker/+/926089/5
- Neutron + Designates job (making it non-voting until we figure out the root cause):
- https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/927648
- Octavia (Michael is working on more modifications on this ):
- https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/926867
[1] https://review.opendev.org/c/openstack/requirements/+/925464 [2] https://review.opendev.org/q/topic:%22secure-rbac%22+owner:gmann@ghanshyamma...
-gmann
The requirement change for oslo.policy 4.4.0 in upper constraints has been merged.
- https://review.opendev.org/c/openstack/requirements/+/925464
If you see any failure related to it, feel free to ping me.
-gmann
---- On Mon, 02 Sep 2024 11:46:14 -0700 Ghanshyam Mann wrote ---
Hi Pierre,
Blazar and Cloudkitty have not implemented the new RBAC yet, so there is no impact on either of the projects. But in case there is any cross-service change impact, I have submitted the testing changes:
- https://review.opendev.org/c/openstack/cloudkitty/+/927753
- https://review.opendev.org/c/openstack/blazar/+/927754
In the 2025.1 cycle, I can work on both projects to implement phase 1 of the RBAC goal.
-gmann
---- On Mon, 02 Sep 2024 05:46:36 -0700 Pierre Riteau wrote ---
Hi Ghanshyam, I am involved in some projects (Blazar and CloudKitty) which to my knowledge have not received any patches related to these changes. Is this oslo.policy requirement change likely to break our projects? Thanks,Pierre Riteau (priteau) On Fri, 30 Aug 2024 at 23:48, Ghanshyam Mann gmann@ghanshyammann.com> wrote: Hi All,
You might have seen some fixes and testing changes on your project to test the oslo.policy 4.4.0. oslo.policy 4.4.0 enables the RBAC new defaults by default, which means those will be enabled for all the OpenStack services unless they have disabled them by overriding the default value. It enables both enforce_scope as well enforce_new_defaults.
The requirement change[1] adds the oslo.policy 4.4.0 in upper-constraints which will enable the latest oslo.policy in upstream CI. Along with jobs failing on requirement change, I tested more integration jobs and fixing the failures[2].
Most of the fixes have been merged, and a few of them are up for review. Below is the list of fixes up for review, please merge them before the requirement change is merged. If there is something else I missed to test and failed, let me know on IRC or here.
In-progress fixes:
- Horizon:
- https://review.opendev.org/c/openstack/horizon/+/927571
- Tacker:
- https://review.opendev.org/c/openstack/tacker/+/926089/5
- Neutron + Designates job (making it non-voting until we figure out the root cause):
- https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/927648
- Octavia (Michael is working on more modifications on this ):
- https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/926867
[1] https://review.opendev.org/c/openstack/requirements/+/925464 [2] https://review.opendev.org/q/topic:%22secure-rbac%22+owner:gmann@ghanshyamma...
-gmann
Thank you, that is very helpful.
On Mon, 2 Sept 2024 at 20:46, Ghanshyam Mann gmann@ghanshyammann.com wrote:
Hi Pierre,
Blazar and Cloudkitty have not implemented the new RBAC yet, so there is no impact on either of the projects. But in case there is any cross-service change impact, I have submitted the testing changes:
- https://review.opendev.org/c/openstack/cloudkitty/+/927753
- https://review.opendev.org/c/openstack/blazar/+/927754
In the 2025.1 cycle, I can work on both projects to implement phase 1 of the RBAC goal.
-gmann
---- On Mon, 02 Sep 2024 05:46:36 -0700 Pierre Riteau wrote ---
Hi Ghanshyam, I am involved in some projects (Blazar and CloudKitty) which to my
knowledge have not received any patches related to these changes. Is this oslo.policy requirement change likely to break our projects?
Thanks,Pierre Riteau (priteau) On Fri, 30 Aug 2024 at 23:48, Ghanshyam Mann gmann@ghanshyammann.com>
wrote:
Hi All,
You might have seen some fixes and testing changes on your project to
test the oslo.policy 4.4.0. oslo.policy
4.4.0 enables the RBAC new defaults by default, which means those will
be enabled for all the OpenStack services
unless they have disabled them by overriding the default value. It
enables both enforce_scope as well enforce_new_defaults.
The requirement change[1] adds the oslo.policy 4.4.0 in
upper-constraints which will enable the latest oslo.policy
in upstream CI. Along with jobs failing on requirement change, I
tested more integration jobs and fixing the failures[2].
Most of the fixes have been merged, and a few of them are up for
review. Below is the list of fixes up for review,
please merge them before the requirement change is merged. If there is
something else I missed to test and failed,
let me know on IRC or here.
In-progress fixes:
- Horizon:
- Tacker:
- Neutron + Designates job (making it non-voting until we figure out
the root cause):
https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/927648
- Octavia (Michael is working on more modifications on this ):
https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/926867
[1] https://review.opendev.org/c/openstack/requirements/+/925464 [2]
https://review.opendev.org/q/topic:%22secure-rbac%22+owner:gmann@ghanshyamma...
-gmann
participants (2)
-
Ghanshyam Mann
-
Pierre Riteau