From 6dcb00f8b9fd8e94189af66e592bcaa408fa2822 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Thu, 31 Aug 2023 13:48:17 -0500
Subject: [PATCH] Enable Secure RBAC by default

This patch sets both `enforce_new_defaults` and `enforce_scope` to the default value of `True` as the next step in the implementation of Secure RBAC [1].

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: I935cb34877c8edf62f33f1ba1fe31c942780b3a0
---
 barbican/common/config.py | 6 +++++-
 .../notes/use-secure-rbac-by-default-bae44e5c36451928.yaml | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml

diff --git a/barbican/common/config.py b/barbican/common/config.py
index a372f35fd..80d734f7a 100644
--- a/barbican/common/config.py
+++ b/barbican/common/config.py
@@ -338,7 +338,11 @@ def set_lib_defaults():
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
- policy_opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+ policy_opts.set_defaults(
+ CONF,
+ DEFAULT_POLICY_FILE,
+ enforce_scope=True,
+ enforce_new_defaults=True)


 def set_middleware_defaults():
diff --git a/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml b/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml
new file mode 100644
index 000000000..78676227d
--- /dev/null
+++ b/releasenotes/notes/use-secure-rbac-by-default-bae44e5c36451928.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ This release uses Secure RBAC by default (See: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html )
+ To opt out of this change and continue using the legacy policies set
+ enforce_new_defaults=False and enforce_scope=False in the [oslo_policy]
+ section of barbican.conf.
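Review bot: Nothing in this patch pins the new defaults (the diffstat lists only config.py and the release note), so a later edit to the `policy_opts.set_defaults(...)` call in `set_lib_defaults()` could silently fall back to the legacy policies without any test failing. A small unit test asserting that `CONF.oslo_policy.enforce_scope` and `CONF.oslo_policy.enforce_new_defaults` are both `True` after `set_lib_defaults()` runs would guard that. The existing comment above the call only explains the policy-file default, so I would also add `# Secure RBAC: these are defaults only; operators can still override both in [oslo_policy].` directly above the call. It is also worth confirming that the project's minimum oslo.policy accepts these keyword arguments in `set_defaults`, since the requirements lower bound is not touched here. The body of `set_lib_defaults()` starts outside the hunk.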