From 371313214a5b7eafa8e8f9cd2471de9880b33739 Mon Sep 17 00:00:00 2001
From: Julia Kreger
Date: Mon, 4 Oct 2021 16:39:31 -0700
Subject: [PATCH] SRBAC - Prepare for additional services In order to effectively handle cross-service integrations, we need to evaluate two separate items which are not standardized in devstack. Names, and common service references. Unfortunately, only a couple services presently have support in devstack for these settings, and cases where it was previously supported has been removed for unknown reasons, but this seems to be the overall plan. Sets the stage, so we can be early to the cross-service testing party of secure rbac.
Change-Id: I8794374c02a24185b6e24a675ad9cb7b3dfd69df
---
devstack/lib/ironic | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index aa0571e703..18cd5535f2 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -1616,14 +1616,25 @@ function configure_ironic_api { function configure_client_for { local service_config_section service_config_section=$1 + local use_system_scope="False" # keystoneauth auth plugin options iniset $IRONIC_CONF_FILE $service_config_section auth_type password iniset $IRONIC_CONF_FILE $service_config_section auth_url $KEYSTONE_SERVICE_URI - # NOTE(TheJulia): This list is likely to become long as we turn on - # support for system scoped enforcement of other services, but for now, - # we really only care about inspector and we can figure out the others - # as time and their devstack code supports it. + + # NOTE(TheJulia): Below are services which we know, as of late 2021, which support + # explicit scope based ops *and* have knobs. + # Needed: Neutron, swift, nova ?service_catalog? + # Neutron - https://review.opendev.org/c/openstack/devstack/+/797450 + if [[ "$service_config_section" == "inspector" ]] && [[ "$IRONIC_INSPECTOR_ENFORCE_SCOPE" == "True" ]]; then + use_system_scope="True" + elif [[ "$service_config_section" == "cinder" ]] && [[ "${CINDER_ENFORCE_SCOPE:-False}" == "True" ]]; then + use_system_scope="True" + elif [[ "$service_config_section" == "glance" ]] && [[ "${GLANCE_ENFORCE_SCOPE:-False}" == "True" ]]; then + use_system_scope="True" + fi + + if [[ "$use_system_scope" == "True" ]]; then iniset $IRONIC_CONF_FILE $service_config_section system_scope all iniset $IRONIC_CONF_FILE $service_config_section username admin iniset $IRONIC_CONF_FILE $service_config_section password $ADMIN_PASSWORD
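Review bot: The `system_scope all` branch that the `cinder` and `glance` sections can now reach writes the cloud `admin` user and `$ADMIN_PASSWORD` into each matching section of `$IRONIC_CONF_FILE`, so every service added to this chain puts the most privileged credential of the deployment into one more client section. That is probably acceptable for a devstack test setup, but it deserves a comment above `if [[ "$use_system_scope" == "True" ]]`, for example `# NOTE: devstack-only shortcut; a real deployment should use a dedicated service user with a system-scoped role, not admin`. The password is also passed unquoted on the `iniset ... password $ADMIN_PASSWORD` line, so a value containing whitespace would be word-split before `iniset` receives it; `"$ADMIN_PASSWORD"` avoids that. The inspector test reads `$IRONIC_INSPECTOR_ENFORCE_SCOPE` bare while the two new tests use the `${VAR:-False}` form, and using the same default form in all three would keep the chain consistent. The rest of `configure_client_for`, including whatever follows this branch, lies outside the hunk.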