author: Lance Bragstad <lbragstad@gmail.com> 2021-03-06 04:32:21 +0000
committer: Dan Smith <dansmith@redhat.com> 2021-03-09 09:51:47 -0800
commit: aec2de7ffd21fb553114c9f27a260062cafbc3b8 (patch)
tree: dab8cd03d1c733cce7ef6690eac179d24f3e0858
parent: 165cce6d6e11504c85a71449fdca9608c7fd1d6c (diff)
download: glance-aec2de7ffd21fb553114c9f27a260062cafbc3b8.tar.gz
Add a release note for secure RBAC personas
Provide some literature on what we introduced for operators in Wallaby, how they can configure it, and actions we recommend they take. Since this marks the point at which we consider the feature implemented, this also removes the legacy-rbac job and makes the secure-rbac job voting.

Implements: blueprint secure-rbac
Change-Id: I8f980cf7731d26b92b5392fdada21e5be0f541c4
-rw-r--r-- .zuul.yaml | 6
-rw-r--r-- releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml | 51
2 files changed, 53 insertions, 4 deletions
diff --git a/.zuul.yaml b/.zuul.yaml
index 2a557a540..28d9e8080 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -322,9 +322,7 @@
irrelevant-files: *tempest-irrelevant-files
- nova-ceph-multistore:
irrelevant-files: *tempest-irrelevant-files
- - glance-secure-rbac-protection-functional:
- voting: false
- - glance-legacy-rbac-protection-functional
+ - glance-secure-rbac-protection-functional
gate:
jobs:
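Review bot: dropping glance-legacy-rbac-protection-functional from check removes CI coverage of the configuration that remains the default. The release note in this same patch says the new personas only take effect with enable_secure_rbac=True and enforce_new_defaults=True and that existing authorization and policies continue to work, so legacy enforcement is the path most deployments will still run after upgrading. Keep the legacy job (non-voting if it is flaky) until the personas are no longer labelled experimental, or explain in the commit message why legacy enforcement no longer needs a functional job. Also, the commit message says the legacy-rbac job is removed, but this change only drops the pipeline entries (6 lines in .zuul.yaml per the diffstat); the job definition itself is not touched here.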
@@ -342,7 +340,7 @@
irrelevant-files: *tempest-irrelevant-files
- nova-ceph-multistore:
irrelevant-files: *tempest-irrelevant-files
- - glance-legacy-rbac-protection-functional
+ - glance-secure-rbac-protection-functional
experimental:
jobs:
- glance-tox-py38-glance_store-tips
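Review bot: glance-secure-rbac-protection-functional goes from non-voting in check to voting in gate in a single change, with no interval of voting-in-check-only to confirm it is stable. Since the release note in this patch still labels the personas experimental, a flaky run here would block unrelated merges. Consider landing the check promotion first and adding the job to gate in a follow-up once it has a clean run history, or state in the commit message that it already has one.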
diff --git a/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml
new file mode 100644
index 000000000..11cb6b7a7
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml
@@ -0,0 +1,51 @@
+---
+features:
+ - |
+ Glance's default policies now use the `member` role on projects to protect
+ writeable and readable image actions. Support was also added for read-only
+ access to image resources when the `reader` role is granted to users on a
+ project. Administrative operations, like creating public images, is still
+ protected using the `admin` role on a project. Administrative actions will
+ be updated in the future to consume system-scope.
+
+ We encourage you to compare any existing overrides in your deployment with
+ the new defaults. You can use `oslopolicy-sample-generator --namespace
+ glance` to generate the default policies and use them for comparison.
+
+ The secure RBAC personas implemented in Wallaby are marked as experimental.
+ They will become stable in a future release. You can read more about the
+ various personas in keystone's `Administrator Guide
+ <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_.
+
+ To enable this functionality, you must specify `glance-api.conf
+ [DEFAULT] enable_secure_rbac=True` and `glance-api.conf [oslo_policy]
+ enforce_new_defaults=True`. Glance will refuse to start if misconfigured.
+upgrade:
+ - |
+ Glance now provides more granular RBAC access to the images API via default
+ personas. This work is marked as experimental in Wallaby, and will be
+ supported in a future release.
+
+ Existing authorization and policies will continue to work, but we encourage
+ operators to review the new policies and consolidate any redundant
+ overrides with the new defaults if possible. Please review the feature
+ section above for more details.
+deprecations:
+ - |
+ The policies protecting the image API have been deprecated in favor of more
+ consistent defaults that use the `member` and `reader` default roles from
+ keystone. If your deployment relies on overriding the default policies,
+ please review the new defaults and how they may impact your deployment.
+
+ The unused `modify_task` policy has been deprecated for
+ removal. It was never honored or checked as part of an API
+ operation. As a result, it has been deprecated for removal since
+ overriding it has no direct impact on the tasks API, which remains
+ a deprecated, admin-only API.
+security:
+ - |
+ Glance now ships experimental policies that support read-only image
+ permissions. Users with the `reader` role on a project will be able to view
+ generic image data, without the ability to make writeable changes using the
+ images API. Please review the features section above for more information
+ on enabling this functionality.
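Review bot: "Glance will refuse to start if misconfigured" in the features section does not say which combination of settings is rejected; spell out the actual rule (for instance, that `[DEFAULT] enable_secure_rbac=True` is refused unless `[oslo_policy] enforce_new_defaults=True`, or whichever combination the startup check actually rejects) so an operator knows what to set before restarting glance-api. Two smaller points in the same hunk: "Administrative operations, like creating public images, is still protected" should read "are still protected", and single-backtick spans such as `member`, `reader`, `admin` and `oslopolicy-sample-generator --namespace glance` are interpreted text in reStructuredText, not literals (the file already uses reST link syntax), so option names, roles and commands should use double backticks. The security section's "generic image data" is also vague; name which image API operations the `reader` role does and does not cover.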