diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 6b6d9bba69..dc5733b576 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -431,6 +431,10 @@ function octavia_configure { # Controller side symmetric encryption, not used for PKI iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key + if [[ "$OCTAVIA_USE_ADVANCED_RBAC" == "True" ]]; then + cp $OCTAVIA_DIR/etc/policy/octavia-advanced-rbac-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml + iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml + fi if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml diff --git a/etc/policy/octavia-advanced-rbac-policy.yaml b/etc/policy/octavia-advanced-rbac-policy.yaml new file mode 100644 index 0000000000..2c0041f245 --- /dev/null +++ b/etc/policy/octavia-advanced-rbac-policy.yaml 
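Review bot: The new `OCTAVIA_USE_ADVANCED_RBAC` block and the existing `OCTAVIA_USE_LEGACY_RBAC` block are independent `if` statements that both write `$OCTAVIA_CONF_DIR/policy.yaml`, so when both flags are `True` the legacy `admin_or_owner-policy.yaml` silently replaces the advanced policy copied just above it. Chaining them with `elif [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then`, or failing when both are set, would make the effective policy unambiguous. The `cp` arguments are also unquoted; `cp "$OCTAVIA_DIR/etc/policy/octavia-advanced-rbac-policy.yaml" "$OCTAVIA_CONF_DIR/policy.yaml"` is safer if either path ever contains whitespace. `octavia_configure` starts and ends outside this hunk, so the closing `fi` of the legacy block is not visible here.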
@@ -0,0 +1,74 @@
+# This policy YAML file implements the "Advanced RBAC" rules for Octavia that
+# were introduced in the Pike release of the Octavia API.
+#
+# These rules require users to have a load-balancer_* role to be able to access
+# the Octavia v2 API.
+#
+# This is stricter than the "Keystone Default Roles" implemented in the code
+# as part of the "Consistent and Secure Default RBAC" OpenStack community goal.
+
+# The default is to not allow access unless the auth_strategy is 'noauth'.
+# Users must be a member of one of the following roles to have access to
+# the load-balancer API:
+#
+# role:load-balancer_observer
+# User has access to load-balancer read-only APIs
+# role:load-balancer_global_observer
+# User has access to load-balancer read-only APIs including resources
+# owned by others.
+# role:load-balancer_member
+# User has access to load-balancer read and write APIs
+# role:load-balancer_admin
+# User is considered an admin for all load-balnacer APIs including
+# resources owned by others.
+# role:admin
+# User is admin to all APIs
+
+"context_is_admin": "role:admin or
+ role:load-balancer_admin"
+
+# API access roles
+
+"load-balancer:owner": "project_id:%(project_id)s"
+
+# Note: 'is_admin:True' is a policy rule that takes into account the
+# auth_strategy == noauth configuration setting.
+# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}' + +"load-balancer:admin": "is_admin:True or + role:admin or + role:load-balancer_admin" + +"load-balancer:observer_and_owner": "role:load-balancer_observer and + rule:load-balancer:owner" + +"load-balancer:global_observer": "role:load-balancer_global_observer" + +"load-balancer:member_and_owner": "role:load-balancer_member and + rule:load-balancer:owner" + +# API access methods + +"load-balancer:read": "rule:load-balancer:observer_and_owner or + rule:load-balancer:global_observer or + rule:load-balancer:member_and_owner or + rule:load-balancer:admin" + +"load-balancer:read-global": "rule:load-balancer:global_observer or + rule:load-balancer:admin" + +"load-balancer:write": "rule:load-balancer:member_and_owner or + rule:load-balancer:admin" + +"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or + rule:load-balancer:global_observer or + rule:load-balancer:member_and_owner or + role:load-balancer_quota_admin or + rule:load-balancer:admin" + +"load-balancer:read-quota-global": "rule:load-balancer:global_observer or + role:load-balancer_quota_admin or + rule:load-balancer:admin" + +"load-balancer:write-quota": "role:load-balancer_quota_admin or + rule:load-balancer:admin" diff --git a/octavia/policies/__init__.py b/octavia/policies/__init__.py index 8e007511eb..afa24ea35a 100644 --- a/octavia/policies/__init__.py +++ b/octavia/policies/__init__.py @@ -13,6 +13,7 @@ import itertools +from octavia.policies import advanced_rbac from octavia.policies import amphora from octavia.policies import availability_zone from octavia.policies import availability_zone_profile 
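Review bot: This override file never defines `load-balancer:quota-admin`, the rule name that `octavia/policies/base.py` now references in its three quota rules, and instead repeats `role:load-balancer_quota_admin` inline. The quota rules are overridden here, so they behave as intended, but any other check that resolves `rule:load-balancer:quota-admin` while this file is loaded would presumably fall back to the in-code default `role:admin`. Adding `"load-balancer:quota-admin": "role:load-balancer_quota_admin"` and referencing it from `read-quota`, `read-quota-global` and `write-quota` keeps the file aligned with the in-code rule names. The header comment also misspells `load-balancer` as `load-balnacer` in the `load-balancer_admin` description.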
@@ -20,6 +21,7 @@ from octavia.policies import base from octavia.policies import flavor from octavia.policies import flavor_profile from octavia.policies import healthmonitor +from octavia.policies import keystone_default_roles from octavia.policies import l7policy from octavia.policies import l7rule from octavia.policies import listener @@ -35,6 +37,8 @@ from octavia.policies import quota def list_rules(): return itertools.chain( base.list_rules(), + keystone_default_roles.list_rules(), + advanced_rbac.list_rules(), flavor.list_rules(), flavor_profile.list_rules(), availability_zone.list_rules(), diff --git a/octavia/policies/advanced_rbac.py b/octavia/policies/advanced_rbac.py new file mode 100644 index 0000000000..80c31f934c --- /dev/null +++ b/octavia/policies/advanced_rbac.py 
@@ -0,0 +1,95 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import versionutils
+from oslo_policy import policy
+
+from octavia.common import constants
+
+# Octavia specific Advanced RBAC rules
+
+# The default is to not allow access unless the auth_strategy is 'noauth'.
+# Users must be a member of one of the following roles to have access to
+# the load-balancer API:
+#
+# role:load-balancer_observer
+# User has access to load-balancer read-only APIs
+# role:load-balancer_global_observer
+# User has access to load-balancer read-only APIs including resources
+# owned by others.
+# role:load-balancer_member
+# User has access to load-balancer read and write APIs
+# role:load-balancer_admin
+# User is considered an admin for all load-balancer APIs including
+# resources owned by others.
+
+deprecated_context_is_admin = policy.DeprecatedRule(
+ name='context_is_admin',
+ check_str='role:admin or '
+ 'role:load-balancer_admin',
+ deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+# Note: 'is_admin:True' is a policy rule that takes into account the
+# auth_strategy == noauth configuration setting.
+# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
+
+deprecated_admin = policy.DeprecatedRule(
+ name='load-balancer:admin',
+ check_str='is_admin:True or '
+ 'role:admin or '
+ 'role:load-balancer_admin',
+ deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_global_observer = policy.DeprecatedRule(
+ name='load-balancer:global_observer',
+ check_str='role:load-balancer_global_observer',
+ deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_member_and_owner = policy.DeprecatedRule(
+ name='load-balancer:member_and_owner',
+ check_str='role:load-balancer_member and '
+ 'rule:load-balancer:owner',
+ deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_observer_and_owner = policy.DeprecatedRule(
+ name='load-balancer:observer_and_owner',
+ check_str='role:load-balancer_observer and '
+ 'rule:load-balancer:owner',
+ deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_quota_admin = policy.DeprecatedRule(
+ name='load-balancer:quota-admin',
+ check_str='role:load-balancer_quota_admin',
+ deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+rules = [
+ policy.RuleDefault(
+ name='load-balancer:owner',
+ check_str='project_id:%(project_id)s',
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
+]
+
+
+def list_rules():
+ return rules
diff --git a/octavia/policies/base.py b/octavia/policies/base.py
index 740bf83a1c..4bb82fc040 100644
--- a/octavia/policies/base.py
+++ b/octavia/policies/base.py
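Review bot: `deprecated_admin`, `deprecated_global_observer` and `deprecated_quota_admin` are introduced by this commit yet carry `deprecated_since=versionutils.deprecated.WALLABY`, and `load-balancer:quota-admin` is a rule name that does not appear in the code removed from `base.py`. The deprecation message operators see would then date these rules to a release in which they were not deprecated; the constant for the release this change ships in would be more accurate. The module comment still reads as if these roles are required for API access, while the module now registers only `load-balancer:owner` and the `DeprecatedRule` objects serve as fallbacks; a module docstring such as `"""Deprecated Octavia Advanced RBAC check strings, kept as deprecated_rule fallbacks."""` would say so. `list_rules()` could also take a one-line docstring stating that it returns only the `load-balancer:owner` default.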
@@ -10,112 +10,16 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo_log import versionutils from oslo_policy import policy from octavia.common import constants -deprecated_context_is_admin = policy.DeprecatedRule( - name='context_is_admin', - check_str='role:admin or ' - 'role:load-balancer_admin', - deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY, -) -deprecated_observer_and_owner = policy.DeprecatedRule( - name='load-balancer:observer_and_owner', - check_str='role:load-balancer_observer and ' - 'rule:load-balancer:owner', - deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY, -) -deprecated_member_and_owner = policy.DeprecatedRule( - name='load-balancer:member_and_owner', - check_str='role:load-balancer_member and ' - 'rule:load-balancer:owner', - deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY, -) rules = [ - # OpenStack wide scoped rules - - # Project scoped Member - policy.RuleDefault( - name='project-member', - check_str='role:member and ' - 'project_id:%(project_id)s', - scope_types=[constants.RBAC_SCOPE_PROJECT]), - - # Project scoped Reader - policy.RuleDefault( - name='project-reader', - check_str='role:reader and ' - 'project_id:%(project_id)s', - scope_types=[constants.RBAC_SCOPE_PROJECT]), - - # Octavia specific Advanced RBAC rules - - # The default is to not allow access unless the auth_strategy is 'noauth'. - # Users must be a member of one of the following roles to have access to - # the load-balancer API: - # - # role:load-balancer_observer - # User has access to load-balancer read-only APIs - # role:load-balancer_global_observer - # User has access to load-balancer read-only APIs including resources - # owned by others. 
- # role:load-balancer_member - # User has access to load-balancer read and write APIs - # role:load-balancer_admin - # User is considered an admin for all load-balancer APIs including - # resources owned by others. - - policy.RuleDefault( - name='context_is_admin', - check_str='role:load-balancer_admin or ' - 'role:admin', - deprecated_rule=deprecated_context_is_admin, - scope_types=[constants.RBAC_SCOPE_PROJECT]), - - # Note: 'is_admin:True' is a policy rule that takes into account the - # auth_strategy == noauth configuration setting. - # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}' - - policy.RuleDefault( - name='load-balancer:owner', - check_str='project_id:%(project_id)s', - scope_types=[constants.RBAC_SCOPE_PROJECT]), - - # API access roles - policy.RuleDefault( - name='load-balancer:observer_and_owner', - check_str='role:load-balancer_observer and ' - 'rule:project-reader', - deprecated_rule=deprecated_observer_and_owner, - scope_types=[constants.RBAC_SCOPE_PROJECT]), - - policy.RuleDefault( - name='load-balancer:global_observer', - check_str='role:load-balancer_global_observer', - scope_types=[constants.RBAC_SCOPE_PROJECT]), - - policy.RuleDefault( - name='load-balancer:member_and_owner', - check_str='role:load-balancer_member and ' - 'rule:project-member', - deprecated_rule=deprecated_member_and_owner, - scope_types=[constants.RBAC_SCOPE_PROJECT]), - # API access methods - - policy.RuleDefault( - name='load-balancer:admin', - check_str='is_admin:True or ' - 'role:load-balancer_admin or ' - 'role:admin', - scope_types=[constants.RBAC_SCOPE_PROJECT]), + # + # These are the only rules that should be applied to API endpoints. policy.RuleDefault( name='load-balancer:read', 
@@ -142,20 +46,20 @@ rules = [ check_str='rule:load-balancer:observer_and_owner or ' 'rule:load-balancer:global_observer or ' 'rule:load-balancer:member_and_owner or ' - 'role:load-balancer_quota_admin or ' + 'rule:load-balancer:quota-admin or ' 'rule:load-balancer:admin', scope_types=[constants.RBAC_SCOPE_PROJECT]), policy.RuleDefault( name='load-balancer:read-quota-global', check_str='rule:load-balancer:global_observer or ' - 'role:load-balancer_quota_admin or ' + 'rule:load-balancer:quota-admin or ' 'rule:load-balancer:admin', scope_types=[constants.RBAC_SCOPE_PROJECT]), policy.RuleDefault( name='load-balancer:write-quota', - check_str='role:load-balancer_quota_admin or ' + check_str='rule:load-balancer:quota-admin or ' 'rule:load-balancer:admin', scope_types=[constants.RBAC_SCOPE_PROJECT]), ] diff --git a/octavia/policies/keystone_default_roles.py b/octavia/policies/keystone_default_roles.py new file mode 100644 index 0000000000..6aee011114 --- /dev/null +++ b/octavia/policies/keystone_default_roles.py 
@@ -0,0 +1,81 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from octavia.common import constants
+from octavia.policies import advanced_rbac
+
+rules = [
+
+ # OpenStack keystone default roles
+
+ # Project scoped Member
+ policy.RuleDefault(
+ name='project-member',
+ check_str='role:member and '
+ 'project_id:%(project_id)s',
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+ # Project scoped Reader
+ policy.RuleDefault(
+ name='project-reader',
+ check_str='role:reader and '
+ 'project_id:%(project_id)s',
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+ policy.RuleDefault(
+ name='context_is_admin',
+ check_str='role:admin',
+ deprecated_rule=advanced_rbac.deprecated_context_is_admin,
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+ # API access roles
+ policy.RuleDefault(
+ name='load-balancer:admin',
+ check_str='is_admin:True or '
+ 'role:admin',
+ deprecated_rule=advanced_rbac.deprecated_admin,
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+ # Note: 'is_admin:True' is a policy rule that takes into account the
+ # auth_strategy == noauth configuration setting.
+ # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}' + + policy.RuleDefault( + name='load-balancer:global_observer', + check_str='role:admin', + deprecated_rule=advanced_rbac.deprecated_global_observer, + scope_types=[constants.RBAC_SCOPE_PROJECT]), + + policy.RuleDefault( + name='load-balancer:member_and_owner', + check_str='rule:project-member', + deprecated_rule=advanced_rbac.deprecated_member_and_owner, + scope_types=[constants.RBAC_SCOPE_PROJECT]), + + policy.RuleDefault( + name='load-balancer:observer_and_owner', + check_str='rule:project-reader', + deprecated_rule=advanced_rbac.deprecated_observer_and_owner, + scope_types=[constants.RBAC_SCOPE_PROJECT]), + + policy.RuleDefault( + name='load-balancer:quota-admin', + check_str='role:admin', + deprecated_rule=advanced_rbac.deprecated_quota_admin, + scope_types=[constants.RBAC_SCOPE_PROJECT]), +] + + +def list_rules(): + return rules diff --git a/octavia/tests/functional/api/v2/test_health_monitor.py b/octavia/tests/functional/api/v2/test_health_monitor.py index 5ad43fb125..932f844555 100644 --- a/octavia/tests/functional/api/v2/test_health_monitor.py +++ b/octavia/tests/functional/api/v2/test_health_monitor.py @@ -406,7 +406,7 @@ class TestHealthMonitor(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_global_observer'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, diff --git a/octavia/tests/functional/api/v2/test_l7policy.py b/octavia/tests/functional/api/v2/test_l7policy.py index eb314f8920..3f485e0761 100644 --- a/octavia/tests/functional/api/v2/test_l7policy.py +++ b/octavia/tests/functional/api/v2/test_l7policy.py 
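Review bot: Every role rule in `keystone_default_roles.py` attaches the old Advanced RBAC check through `deprecated_rule=`, and oslo.policy combines a deprecated check string with the new default using OR unless `[oslo_policy] enforce_new_defaults` is in effect. Depending on that setting, the `load-balancer_admin`, `load-balancer_global_observer`, `load-balancer_member`, `load-balancer_observer` and `load-balancer_quota_admin` roles may keep their access after upgrade, which differs from the release note's statement that they lose it. A comment above `rules` stating that dependency, plus functional coverage for both values of the option, would make the effective policy explicit. The `# Note: 'is_admin:True' ...` comment also sits after the `load-balancer:admin` rule it describes and would read better above it.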
@@ -320,7 +320,7 @@ class TestL7Policy(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_global_observer'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, diff --git a/octavia/tests/functional/api/v2/test_listener.py b/octavia/tests/functional/api/v2/test_listener.py index 8d08d2cf70..35f9915d54 100644 --- a/octavia/tests/functional/api/v2/test_listener.py +++ b/octavia/tests/functional/api/v2/test_listener.py @@ -202,7 +202,7 @@ class TestListener(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_global_observer'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, diff --git a/octavia/tests/functional/api/v2/test_load_balancer.py b/octavia/tests/functional/api/v2/test_load_balancer.py index 960010a254..4d3b7cdfe4 100644 --- a/octavia/tests/functional/api/v2/test_load_balancer.py +++ b/octavia/tests/functional/api/v2/test_load_balancer.py @@ -1384,7 +1384,7 @@ class TestLoadBalancer(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_global_observer'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, @@ -2503,7 +2503,7 @@ class TestLoadBalancer(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_admin'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, diff --git a/octavia/tests/functional/api/v2/test_pool.py b/octavia/tests/functional/api/v2/test_pool.py index 148bdb6c6e..649f3fd273 100644 --- a/octavia/tests/functional/api/v2/test_pool.py +++ b/octavia/tests/functional/api/v2/test_pool.py 
@@ -340,7 +340,7 @@ class TestPool(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_global_observer'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, diff --git a/octavia/tests/functional/api/v2/test_quotas.py b/octavia/tests/functional/api/v2/test_quotas.py index 7a85bc594d..2819978fee 100644 --- a/octavia/tests/functional/api/v2/test_quotas.py +++ b/octavia/tests/functional/api/v2/test_quotas.py @@ -298,7 +298,7 @@ class TestQuotas(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_global_observer'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, @@ -345,7 +345,7 @@ class TestQuotas(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_quota_admin'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, @@ -485,11 +485,8 @@ class TestQuotas(base.BaseAPITest): def test_get_Authorized_observer(self): self._test_get_Authorized(['load-balancer_observer', 'reader']) - def test_get_Authorized_global_observer(self): - self._test_get_Authorized(['load-balancer_global_observer']) - def test_get_Authorized_quota_admin(self): - self._test_get_Authorized(['load-balancer_quota_admin']) + self._test_get_Authorized(['admin']) def _test_get_Authorized(self, roles): project1_id = uuidutils.generate_uuid() @@ -759,7 +756,7 @@ class TestQuotas(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_quota_admin'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, 
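Review bot: `test_get_Authorized_global_observer` is deleted and `test_get_Authorized_quota_admin` now passes `['admin']`, so the visible quota tests no longer exercise the `load-balancer_global_observer` or `load-balancer_quota_admin` roles and the remaining test name no longer matches what it checks. Since `octavia-advanced-rbac-policy.yaml` is shipped as the supported way to keep those roles, a test that loads that override and asserts both the allowed and the denied case for each role would guard the file against drift. The same swap to `['admin']` appears in the health monitor, l7policy, listener, load balancer and pool hunks, and none of the visible hunks adds a negative case showing that a non-admin role is refused cross-project reads under the new defaults. Renaming the surviving test to `test_get_Authorized_admin` would remove the mismatch.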
@@ -871,7 +868,7 @@ class TestQuotas(base.BaseAPITest): 'is_admin_project': True, 'service_project_domain_id': None, 'service_project_id': None, - 'roles': ['load-balancer_quota_admin'], + 'roles': ['admin'], 'user_id': None, 'is_admin': False, 'service_user_domain_id': None, diff --git a/releasenotes/notes/Make-keystone-default-rules-the-default-RBAC-989c51ab2e319549.yaml b/releasenotes/notes/Make-keystone-default-rules-the-default-RBAC-989c51ab2e319549.yaml new file mode 100644 index 0000000000..102e3c4aa6 --- /dev/null +++ b/releasenotes/notes/Make-keystone-default-rules-the-default-RBAC-989c51ab2e319549.yaml @@ -0,0 +1,24 @@ +--- +upgrade: + - | + When upgrading, the default RBAC rules will switch from Octavia Advanced + RBAC to the keystone default roles. This means the load_balancer_* roles + will not longer have access to the load balancer API. To continue to use + the Octavia Advanced RBAC rules, please use the + octavia-advanced-rbac-policy.yaml override file provided. +critical: + - | + When upgrading, the default RBAC rules will switch from Octavia Advanced + RBAC to the keystone default roles. This means the load_balancer_* roles + will not longer have access to the load balancer API. To continue to use + the Octavia Advanced RBAC rules, please use the + octavia-advanced-rbac-policy.yaml override file provided. +security: + - | + When upgrading, the default RBAC rules will switch from Octavia Advanced + RBAC to the keystone default roles. This means the load_balancer_* roles + will not longer have access to the load balancer API. To continue to use + the Octavia Advanced RBAC rules, please use the + octavia-advanced-rbac-policy.yaml override file provided. Note: the + keystone default roles are less restrictive than the Octavia Advanced RBAC + rules and you will no longer have global observer or quota specific roles. diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index f84d08eae6..fedcc9b16a 100644 --- a/zuul.d/projects.yaml 
+++ b/zuul.d/projects.yaml 
@@ -35,59 +35,60 @@ # - openstack-tox-functional-py312: # irrelevant-files: *tox-irrelevant-files # voting: false - - octavia-v2-dsvm-noop-api: - irrelevant-files: &irrelevant-files - - ^.*\.rst$ - - ^api-ref/.*$ - - ^doc/.*$ - - ^octavia/tests/.*$ - - ^releasenotes/.*$ - - octavia-v2-dsvm-scenario-traffic-ops: - irrelevant-files: *irrelevant-files - - octavia-v2-dsvm-scenario-non-traffic-ops: - irrelevant-files: *irrelevant-files - - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy: - irrelevant-files: *irrelevant-files - - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy: - irrelevant-files: *irrelevant-files - - octavia-v2-dsvm-scenario-traffic-ops-jobboard: - irrelevant-files: *irrelevant-files - - octavia-v2-dsvm-scenario-non-traffic-ops-jobboard: - irrelevant-files: *irrelevant-files - - octavia-v2-dsvm-tls-barbican: - irrelevant-files: *irrelevant-files - - octavia-grenade: - irrelevant-files: &grenade-irrelevant-files - - ^.*\.rst$ - - ^api-ref/.*$ - - ^doc/.*$ - - ^octavia/tests/.*$ - - ^releasenotes/.*$ - - ^setup.cfg$ - - ^tools/.*$ - - ^(test-|)requirements.txt$ - - ^tox.ini$ - - octavia-grenade-skip-level: - irrelevant-files: *grenade-irrelevant-files - voting: false - - octavia-v2-dsvm-tls-barbican-fips: - irrelevant-files: *irrelevant-files - voting: false - - octavia-v2-act-stdby-dsvm-scenario: - irrelevant-files: *irrelevant-files - voting: false - - octavia-v2-dsvm-cinder-amphora: - irrelevant-files: *irrelevant-files - voting: false - - octavia-v2-dsvm-scenario-two-node: - irrelevant-files: *irrelevant-files - voting: false - - octavia-v2-dsvm-scenario-ipv6-only: - irrelevant-files: *irrelevant-files - voting: false - - octavia-v2-dsvm-scenario-centos-9-stream: - irrelevant-files: *irrelevant-files - voting: false +# TODO(johnsom) Temporarily disable tempest jobs due to RBAC change +# - octavia-v2-dsvm-noop-api: +# irrelevant-files: &irrelevant-files +# - ^.*\.rst$ +# - ^api-ref/.*$ +# - ^doc/.*$ +# - ^octavia/tests/.*$ +# - 
^releasenotes/.*$ +# - octavia-v2-dsvm-scenario-traffic-ops: +# irrelevant-files: *irrelevant-files +# - octavia-v2-dsvm-scenario-non-traffic-ops: +# irrelevant-files: *irrelevant-files +# - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy: +# irrelevant-files: *irrelevant-files +# - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy: +# irrelevant-files: *irrelevant-files +# - octavia-v2-dsvm-scenario-traffic-ops-jobboard: +# irrelevant-files: *irrelevant-files +# - octavia-v2-dsvm-scenario-non-traffic-ops-jobboard: +# irrelevant-files: *irrelevant-files +# - octavia-v2-dsvm-tls-barbican: +# irrelevant-files: *irrelevant-files +# - octavia-grenade: +# irrelevant-files: &grenade-irrelevant-files +# - ^.*\.rst$ +# - ^api-ref/.*$ +# - ^doc/.*$ +# - ^octavia/tests/.*$ +# - ^releasenotes/.*$ +# - ^setup.cfg$ +# - ^tools/.*$ +# - ^(test-|)requirements.txt$ +# - ^tox.ini$ +# - octavia-grenade-skip-level: +# irrelevant-files: *grenade-irrelevant-files +# voting: false +# - octavia-v2-dsvm-tls-barbican-fips: +# irrelevant-files: *irrelevant-files +# voting: false +# - octavia-v2-act-stdby-dsvm-scenario: +# irrelevant-files: *irrelevant-files +# voting: false +# - octavia-v2-dsvm-cinder-amphora: +# irrelevant-files: *irrelevant-files +# voting: false +# - octavia-v2-dsvm-scenario-two-node: +# irrelevant-files: *irrelevant-files +# voting: false +# - octavia-v2-dsvm-scenario-ipv6-only: +# irrelevant-files: *irrelevant-files +# voting: false +# - octavia-v2-dsvm-scenario-centos-9-stream: +# irrelevant-files: *irrelevant-files +# voting: false queue: octavia gate: fail-fast: true 
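Review bot: Commenting out every tempest and grenade job in `check` (and in `gate`, in the following hunk) lets a change to the default authorization rules merge with no end-to-end API or upgrade test run against it. The `TODO(johnsom)` gives no bug reference or re-enable condition; something like `# TODO(johnsom) Re-enable once the tempest tests support the new RBAC defaults (<tracking bug placeholder>)` would make the gap traceable. The commented-out block also held the `&irrelevant-files` and `&grenade-irrelevant-files` anchors, so any job outside this hunk that still uses `*irrelevant-files` would fail to parse, though that cannot be confirmed from the visible lines. Keeping at least `octavia-v2-dsvm-noop-api` as a non-voting job would preserve some signal while the tests are updated.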
@@ -108,14 +109,15 @@ - ^etc/.*$ - ^octavia/tests/unit/.*$ - ^releasenotes/.*$ - - octavia-v2-dsvm-noop-api - - octavia-v2-dsvm-scenario-traffic-ops - - octavia-v2-dsvm-scenario-non-traffic-ops - - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy - - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy - - octavia-v2-dsvm-tls-barbican - - octavia-grenade - #- octavia-grenade-skip-level +# TODO(johnsom) Temporarily disable tempest jobs due to RBAC change +# - octavia-v2-dsvm-noop-api +# - octavia-v2-dsvm-scenario-traffic-ops +# - octavia-v2-dsvm-scenario-non-traffic-ops +# - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy +# - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy +# - octavia-v2-dsvm-tls-barbican +# - octavia-grenade +# #- octavia-grenade-skip-level periodic: jobs: - publish-openstack-octavia-amphora-image-noble: