author Zuul <zuul@review.opendev.org> 2021-03-09 21:50:50 +0000
committer Gerrit Code Review <review@openstack.org> 2021-03-09 21:50:50 +0000
commit 9afbf466ab322d6b85cfa2d3b06f3b9945edd040 (patch)
tree e77b6d4dcdd61520c556ed11ab9525570da6ff23
parent 3e7bf199cad654c3a678ce2ee7d1f36e7a622113 (diff)
parent aec2de7ffd21fb553114c9f27a260062cafbc3b8 (diff)
download glance-9afbf466ab322d6b85cfa2d3b06f3b9945edd040.tar.gz
Merge "Add a release note for secure RBAC personas"
-rw-r--r-- .zuul.yaml (6 lines)
-rw-r--r-- releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml (51 lines)
2 files changed, 53 insertions, 4 deletions
diff --git a/.zuul.yaml b/.zuul.yaml
index 2a557a540..28d9e8080 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -322,9 +322,7 @@
irrelevant-files: *tempest-irrelevant-files
- nova-ceph-multistore:
irrelevant-files: *tempest-irrelevant-files
- - glance-secure-rbac-protection-functional:
- voting: false
- - glance-legacy-rbac-protection-functional
+ - glance-secure-rbac-protection-functional
gate:
jobs:
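Review bot: the change title ("Add a release note for secure RBAC personas") does not mention that this hunk also removes `glance-legacy-rbac-protection-functional` from check and turns `glance-secure-rbac-protection-functional` from `voting: false` into a voting job; that is a CI policy change, not documentation. Either split the `.zuul.yaml` edit into its own change or state in the commit message why the legacy job is being dropped at the same time the note declares the new personas experimental.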
@@ -342,7 +340,7 @@
irrelevant-files: *tempest-irrelevant-files
- nova-ceph-multistore:
irrelevant-files: *tempest-irrelevant-files
- - glance-legacy-rbac-protection-functional
+ - glance-secure-rbac-protection-functional
experimental:
jobs:
- glance-tox-py38-glance_store-tips
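Review bot: with `glance-legacy-rbac-protection-functional` removed from gate here as well as from check, nothing in CI exercises the legacy policy defaults any more, yet the release note in this same change promises that "Existing authorization and policies will continue to work". Keep the legacy job in gate (or at least non-voting in check) for as long as the secure RBAC personas are marked experimental, so a regression in the deprecated defaults is caught before a release rather than by operators.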
diff --git a/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml
new file mode 100644
index 000000000..11cb6b7a7
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml
@@ -0,0 +1,51 @@
+---
+features:
+ - |
+ Glance's default policies now use the `member` role on projects to protect
+ writeable and readable image actions. Support was also added for read-only
+ access to image resources when the `reader` role is granted to users on a
+ project. Administrative operations, like creating public images, is still
+ protected using the `admin` role on a project. Administrative actions will
+ be updated in the future to consume system-scope.
+
+ We encourage you to compare any existing overrides in your deployment with
+ the new defaults. You can use `oslopolicy-sample-generator --namespace
+ glance` to generate the default policies and use them for comparison.
+
+ The secure RBAC personas implemented in Wallaby are marked as experimental.
+ They will become stable in a future release. You can read more about the
+ various personas in keystone's `Administrator Guide
+ <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_.
+
+ To enable this functionality, you must specify `glance-api.conf
+ [DEFAULT] enable_secure_rbac=True` and `glance-api.conf [oslo_policy]
+ enforce_new_defaults=True`. Glance will refuse to start if misconfigured.
+upgrade:
+ - |
+ Glance now provides more granular RBAC access to the images API via default
+ personas. This work is marked as experimental in Wallaby, and will be
+ supported in a future release.
+
+ Existing authorization and policies will continue to work, but we encourage
+ operators to review the new policies and consolidate any redundant
+ overrides with the new defaults if possible. Please review the feature
+ section above for more details.
+deprecations:
+ - |
+ The policies protecting the image API have been deprecated in favor of more
+ consistent defaults that use the `member` and `reader` default roles from
+ keystone. If your deployment relies on overriding the default policies,
+ please review the new defaults and how they may impact your deployment.
+
+ The unused `modify_task` policy has been deprecated for
+ removal. It was never honored or checked as part of an API
+ operation. As a result, it has been deprecated for removal since
+ overriding it has no direct impact on the tasks API, which remains
+ a deprecated, admin-only API.
+security:
+ - |
+ Glance now ships experimental policies that support read-only image
+ permissions. Users with the `reader` role on a project will be able to view
+ generic image data, without the ability to make writeable changes using the
+ images API. Please review the features section above for more information
+ on enabling this functionality.
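Review bot: the paragraph beginning "To enable this functionality" says Glance "will refuse to start if misconfigured" but never says which combination is rejected; an operator reading only this note cannot tell whether setting `[DEFAULT] enable_secure_rbac=True` without `[oslo_policy] enforce_new_defaults=True` (or the reverse) is a hard startup error or a silent fallback to the old defaults, so spell the rejected combination out. Two smaller points in the same file: "Administrative operations, like creating public images, is still protected" should read "are still protected", and the security section's "generic image data" is vague; name the operations a `reader` actually gets (listing and showing images, for example) so the read-only guarantee is checkable against the generated policy sample.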