author | Zuul <zuul@review.opendev.org> | 2021-03-09 21:50:50 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2021-03-09 21:50:50 +0000 |
commit | 9afbf466ab322d6b85cfa2d3b06f3b9945edd040 (patch) | |
tree | e77b6d4dcdd61520c556ed11ab9525570da6ff23 | |
parent | 3e7bf199cad654c3a678ce2ee7d1f36e7a622113 (diff) | |
parent | aec2de7ffd21fb553114c9f27a260062cafbc3b8 (diff) | |
download | glance-9afbf466ab322d6b85cfa2d3b06f3b9945edd040.tar.gz | |
Merge "Add a release note for secure RBAC personas"
-rw-r--r-- | .zuul.yaml | 6 |
-rw-r--r-- | releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml | 51 |
2 files changed, 53 insertions, 4 deletions
diff --git a/.zuul.yaml b/.zuul.yaml index 2a557a540..28d9e8080 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -322,9 +322,7 @@ irrelevant-files: *tempest-irrelevant-files - nova-ceph-multistore: irrelevant-files: *tempest-irrelevant-files - - glance-secure-rbac-protection-functional: - voting: false - - glance-legacy-rbac-protection-functional + - glance-secure-rbac-protection-functional gate: jobs: @@ -342,7 +340,7 @@ irrelevant-files: *tempest-irrelevant-files - nova-ceph-multistore: irrelevant-files: *tempest-irrelevant-files - - glance-legacy-rbac-protection-functional + - glance-secure-rbac-protection-functional experimental: jobs: - glance-tox-py38-glance_store-tips diff --git a/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml new file mode 100644 index 000000000..11cb6b7a7 --- /dev/null +++ b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml 
@@ -0,0 +1,51 @@ +--- +features: + - | + Glance's default policies now use the `member` role on projects to protect + writeable and readable image actions. Support was also added for read-only + access to image resources when the `reader` role is granted to users on a + project. Administrative operations, like creating public images, is still + protected using the `admin` role on a project. Administrative actions will + be updated in the future to consume system-scope. + + We encourage you to compare any existing overrides in your deployment with + the new defaults. You can use `oslopolicy-sample-generator --namespace + glance` to generate the default policies and use them for comparison. + + The secure RBAC personas implemented in Wallaby are marked as experimental. + They will become stable in a future release. You can read more about the + various personas in keystone's `Administrator Guide + <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_. + + To enable this functionality, you must specify `glance-api.conf + [DEFAULT] enable_secure_rbac=True` and `glance-api.conf [oslo_policy] + enforce_new_defaults=True`. Glance will refuse to start if misconfigured. +upgrade: + - | + Glance now provides more granular RBAC access to the images API via default + personas. This work is marked as experimental in Wallaby, and will be + supported in a future release. + + Existing authorization and policies will continue to work, but we encourage + operators to review the new policies and consolidate any redundant + overrides with the new defaults if possible. Please review the feature + section above for more details. +deprecations: + - | + The policies protecting the image API have been deprecated in favor of more + consistent defaults that use the `member` and `reader` default roles from + keystone. If your deployment relies on overriding the default policies, + please review the new defaults and how they may impact your deployment. 
+ + The unused `modify_task` policy has been deprecated for + removal. It was never honored or checked as part of an API + operation. As a result, it has been deprecated for removal since + overriding it has no direct impact on the tasks API, which remains + a deprecated, admin-only API. +security: + - | + Glance now ships experimental policies that support read-only image + permissions. Users with the `reader` role on a project will be able to view + generic image data, without the ability to make writeable changes using the + images API. Please review the features section above for more information + on enabling this functionality. |
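Review bot: In the `.zuul.yaml` check hunk (`@@ -322,9 +322,7 @@`), `glance-legacy-rbac-protection-functional` is removed outright instead of being kept alongside the newly voting `glance-secure-rbac-protection-functional`, so the default code path (the one the release note says "will continue to work" when `enable_secure_rbac` is not set) no longer has a functional protection job in check. Suggest keeping the legacy job, voting or not, until the legacy policies are actually removed, or stating in the commit message why that coverage is no longer needed.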
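Review bot: The gate hunk (`@@ -342,7 +340,7 @@`) promotes `glance-secure-rbac-protection-functional` straight into gate in the same change that drops its `voting: false` in check; a job normally runs voting in check for a while before it is allowed to block merges, so confirm its recent pass rate before approving. The legacy job is dropped from gate here as well, which leaves the legacy RBAC path without a blocking functional test anywhere in the pipeline.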
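Review bot: In the release note hunk (`@@ -0,0 +1,51 @@`), the `features` entry says "Glance will refuse to start if misconfigured" without saying which combination is rejected; operators reading a release note need the concrete rule, so spell out the failing case, for example `enable_secure_rbac=True` without `[oslo_policy] enforce_new_defaults=True` (or whichever combination the startup check actually rejects). Two smaller points in the same hunk: "Administrative operations, like creating public images, is still protected" should read "are still protected", and the `security` entry's "view generic image data" leaves open whether `reader` permits downloading image data or only reading metadata, which is the first question an operator granting `reader` will ask. Also, reST literals such as `member` and `reader` should use double backticks; single backticks render as interpreted text rather than code.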