Enforcing scope with SRBAC breaks heat #395
Heat won't work when scope is enforced and it's being used by many of our NFV customers. Rather than making a single property to enable SRBAC, let's split them so that `enforce_new_defaults` can be set to true by default and customers can toggle `enforce_scope` if they're not using heat.
I've mentioned it in the jira and doing it here too. The other option is changing keystone default policies [1] to allow domain scope.

[1] https://github.com/openstack/keystone/blob/master/keystone/common/policies/role.py#L98
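The difference between the two switches named in this thread, as an added example that is not part of the original conversation and is not oslo.policy or operator code: a simplified model in which `enforce_scope` turns a token-scope mismatch into a hard failure, while `enforce_new_defaults` only decides whether the deprecated default is still accepted alongside the new one. The rule name, role sets and scope types are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product


class InvalidScope(Exception):
    """Token scope is not one of the scopes the rule accepts."""


@dataclass(frozen=True)
class Rule:
    name: str
    legacy_roles: frozenset  # roles accepted by the deprecated default
    new_roles: frozenset     # roles accepted by the new default
    scope_types: frozenset   # token scopes the rule accepts


def authorize(rule, token_scope, token_roles, *, enforce_new_defaults, enforce_scope):
    # enforce_scope=True: a scope mismatch is rejected before any role check.
    # enforce_scope=False: the mismatch is tolerated and the role check decides.
    if enforce_scope and token_scope not in rule.scope_types:
        raise InvalidScope(f"{rule.name}: scope {token_scope!r} not in {sorted(rule.scope_types)}")
    # enforce_new_defaults=False: deprecated default OR new default may pass.
    # enforce_new_defaults=True: only the new default is evaluated.
    allowed = rule.new_roles if enforce_new_defaults else rule.new_roles | rule.legacy_roles
    return bool(allowed & set(token_roles))


# Constructed rule: accepts system and project scope, but not domain scope.
RULE = Rule("example:manage_roles", frozenset({"member"}),
            frozenset({"admin"}), frozenset({"system", "project"}))


def outcomes(token_scope, token_roles):
    """Result for every (enforce_new_defaults, enforce_scope) combination."""
    results = {}
    for new_defaults, scope in product((False, True), repeat=2):
        try:
            ok = authorize(RULE, token_scope, token_roles,
                           enforce_new_defaults=new_defaults, enforce_scope=scope)
            results[(new_defaults, scope)] = "allow" if ok else "deny"
        except InvalidScope:
            results[(new_defaults, scope)] = "invalid_scope"
    return results


if __name__ == "__main__":
    # A domain-scoped admin request only fails when enforce_scope is on.
    for flags, result in outcomes("domain", {"admin"}).items():
        print("enforce_new_defaults=%s enforce_scope=%s ->" % flags, result)
```
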
I'll note it here. I just tried to create a stack and it was failing with the following until I disabled SRBAC:
My hopes are this PR will fix the issue.
Toggling
This looks good to me. @dmendiza What do you think?
We at least need this now to unblock other things. If there are objections, we can discuss in a follow-up.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: abays, rabi
d8230c2 into openstack-k8s-operators:main
Heat won't work when scope is enforced and it's being used by many of our NFV customers. Rather than making a single property to enable SRBAC, let's split them so that `enforce_new_defaults` can be set to true by default and customers can toggle `enforce_scope` if they're not using heat.

jira: https://issues.redhat.com/browse/OSPRH-5753