[neutron][Secure RBAC] New policies enabled by default

Slawek Kaplonski skaplons at redhat.com
Tue May 9 07:05:40 UTC 2023


Hi,

Dnia wtorek, 9 maja 2023 05:44:48 CEST Ghanshyam Mann pisze:
> ---- On Mon, 08 May 2023 07:46:44 -0700  Slawek Kaplonski  wrote --- 
>  > Hi,
>  > 
>  > It's just a heads up that [1] was merged recently and Neutron is using new, secure RBAC policies by default now.
>  > If You would see any issues with that, please report bug(s) and let me know.
>  > 
>  > [1] https://review.opendev.org/c/openstack/neutron/+/879827
> 
> Thanks Slawek for doing this.
> 
> I have one comment for testing of old and new defaults. As 'new defaults are enabled by default'
> is not yet released, let's  continue testing the old defaults as default and continue with single
> job testing the new defaults. Once 879827 is released (after 2023.2 release), we can switch the
> testing. That is why devstack does not enable the new defaults as default configuration and after
> 882518 change, new defaults are not tested anywhere.
> 
> I added more details about it in the revert of neutron-tempest-plugin change, please check.
> 
> https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/882518
> 
> -gmann
> 
>  > 
>  > -- 
>  > Slawek Kaplonski
>  > Principal Software Engineer
>  > Red Hat
>  > 
> 
> 

Sorry but I don't think I understand reasons of this revert. IIRC switch policies to new ones by default was part of the phase 1 of the community goal and should be finished even in 2023.1 cycle. We didn't made it then and we catch up now (what was discussed during PTG and there wasn't any objections).
As part of the switch I proposed patch https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/879828 which proposed new job "neutron-tempest-plugin-openvswitch-enforce-scope-old-defaults" and this new job is testing old policies still.
Why do You want us to wait with this switch and revert it now?

-- 
Slawek Kaplonski
Principal Software Engineer
Red Hat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230509/ab37c222/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230509/ab37c222/attachment-0001.sig>


More information about the openstack-discuss mailing list