From 857f4993f35fbdc83771b9632d3525766de194a1 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Wed, 19 Oct 2022 20:15:42 -0500
Subject: [PATCH] Add RBAC scope and new defaults setting support for Nova & Tempest

Nova is ready with the scope and new defaults as per the new RBAC design. Adding devstack flag to enable the scope checks and new defaults enforcement in nova side.

Change-Id: I305ea626a4b622c5534d523f4b619832f9d35f8d
---
 lib/nova    | 10 ++++++++++
 lib/tempest |  4 ++++
 2 files changed, 14 insertions(+)

diff --git a/lib/nova b/lib/nova
index 8e8ea8a175..63c6a86a66 100644
--- a/lib/nova
+++ b/lib/nova
@@ -97,6 +97,12 @@ NOVA_SERVICE_LISTEN_ADDRESS=${NOVA_SERVICE_LISTEN_ADDRESS:-$(ipv6_unquote $SERVI
 METADATA_SERVICE_PORT=${METADATA_SERVICE_PORT:-8775}
 NOVA_ENABLE_CACHE=${NOVA_ENABLE_CACHE:-True}
 
+# Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
+# This is used to switch the compute API policies enable the scope and new defaults.
+# By Default, these flag are False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+NOVA_ENFORCE_SCOPE=$(trueorfalse False NOVA_ENFORCE_SCOPE)
+
 if [[ $SERVICE_IP_VERSION == 6 ]]; then
     NOVA_MY_IP="$HOST_IPV6"
 else
@@ -481,6 +487,10 @@ function create_nova_conf {
         NOVA_ENABLED_APIS=$(echo $NOVA_ENABLED_APIS | sed "s/,metadata//")
     fi
     iniset $NOVA_CONF DEFAULT enabled_apis "$NOVA_ENABLED_APIS"
+    if [[ "$NOVA_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
+        iniset $NOVA_CONF oslo_policy enforce_new_defaults True
+        iniset $NOVA_CONF oslo_policy enforce_scope True
+    fi
     if is_service_enabled tls-proxy && [ "$NOVA_USE_MOD_WSGI" == "False" ]; then
         # Set the service port for a proxy to take the original
         iniset $NOVA_CONF DEFAULT osapi_compute_listen_port "$NOVA_SERVICE_PORT_INT"
diff --git a/lib/tempest b/lib/tempest
index 87a2244784..b232f24540 100644
--- a/lib/tempest
+++ b/lib/tempest
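Review bot: The comment block added above `NOVA_ENFORCE_SCOPE` in the first lib/nova hunk is hard to parse ("switch the compute API policies enable", "these flag are False") and does not mention the global `ENFORCE_SCOPE` override that create_nova_conf honours in the next hunk, so a reader of this section cannot tell there are two ways to turn enforcement on. I would reword it to `# NOVA_ENFORCE_SCOPE (or the global ENFORCE_SCOPE) sets oslo_policy.enforce_scope and` / `# oslo_policy.enforce_new_defaults to True for the compute API; both default to False.` and keep the oslo.policy documentation link as the third line. Stating the override here also makes it clear which variable an operator should grep for when checking whether a deployment actually runs with the new RBAC defaults.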
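Review bot: In the create_nova_conf hunk the test `"$ENFORCE_SCOPE" == "True"` is an exact string comparison, but unlike NOVA_ENFORCE_SCOPE the global ENFORCE_SCOPE is not passed through `trueorfalse` anywhere in this diff; if it is not normalised elsewhere in devstack, a local.conf value such as `true` or `yes` fails the check and nova silently stays on the permissive legacy policy while the operator believes scope enforcement is on. Normalising it once next to the new flag, `ENFORCE_SCOPE=$(trueorfalse False ENFORCE_SCOPE)`, removes that fail-open case; the lib/tempest hunk has the same exposure. Note also that the two iniset calls only ever write True, so a nova.conf that already carries explicit values from an earlier run is left as-is when the flag is off — presumably fine since devstack regenerates the file, but worth confirming. create_nova_conf starts and ends outside this hunk.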
@@ -674,6 +674,10 @@ function configure_tempest {
         iniset $TEMPEST_CONFIG auth admin_project_name ''
     fi
 
+    if [[ "$NOVA_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+        iniset $TEMPEST_CONFIG enforce_scope nova true
+    fi
+
     if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
         iniset $TEMPEST_CONFIG enforce_scope glance true
     fi
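Review bot: The added condition duplicates the one in lib/nova's create_nova_conf with a slightly different spelling (unquoted `True` glob patterns here, quoted `"True"` there), so the decision of whether nova enforces scope is now made twice from the same two variables. A style improvement is to compute it once where `NOVA_ENFORCE_SCOPE` is normalised in lib/nova and test that single value in both files, so that what tempest is told to expect (`enforce_scope nova true`) and what nova.conf actually gets cannot drift apart as the flags evolve. The unquoted form does match the existing GLANCE line, so it is consistent with this file as it stands. configure_tempest continues outside this hunk.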