Diffstat (limited to 'etc/glance-scrubber.conf')
-rw-r--r--etc/glance-scrubber.conf51
1 files changed, 49 insertions, 2 deletions
diff --git a/etc/glance-scrubber.conf b/etc/glance-scrubber.conf
index 72849e5ba..d460c8367 100644
--- a/etc/glance-scrubber.conf
+++ b/etc/glance-scrubber.conf
@@ -412,6 +412,53 @@
# * [DEFAULT]/node_staging_uri (list value)
#enabled_import_methods = [glance-direct,web-download,copy-image]
+# DEPRECATED:
+# Enforce API access based on common persona definitions used across OpenStack.
+# Enabling this option formalizes project-specific read/write operations, like
+# creating private images or updating the status of shared image, behind the
+# `member` role. It also formalizes a read-only variant useful for
+# project-specific API operations, like listing private images in a project,
+# behind the `reader` role.
+#
+# Operators should take an opportunity to understand glance's new image
+# policies,
+# audit assignments in their deployment, and update permissions using the
+# default
+# roles in keystone (e.g., `admin`, `member`, and `reader`).
+#
+# Related options:
+# * [oslo_policy]/enforce_new_defaults
+# (boolean value)
+# This option is deprecated for removal since Wallaby.
+# Its value may be silently ignored in the future.
+# Reason:
+# This option has been introduced to require operators to opt into enforcing
+# authorization based on common RBAC personas, which is EXPERIMENTAL as of the
+# Wallaby release. This behavior will be the default and STABLE in a future
+# release, allowing this option to be removed.
+#enforce_secure_rbac = false
+
+#
+# The URL to this worker.
+#
+# If this is set, other glance workers will know how to contact this one
+# directly if needed. For image import, a single worker stages the image
+# and other workers need to be able to proxy the import request to the
+# right one.
+#
+# If unset, this will be considered to be `public_endpoint`, which
+# normally would be set to the same value on all workers, effectively
+# disabling the proxying behavior.
+#
+# Possible values:
+# * A URL by which this worker is reachable from other workers
+#
+# Related options:
+# * public_endpoint
+#
+# (string value)
+#worker_self_reference_url = <None>
+
#
# The amount of time, in seconds, to delay image scrubbing.
#
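Review bot: The help text added for `worker_self_reference_url` says other workers proxy import requests to this URL, but it gives no guidance on which network or scheme the URL should use, and it describes the fallback to `public_endpoint` only as disabling proxying. Since this is a worker-to-worker path, I would add a line such as `# This URL is contacted by other glance workers; prefer an internal address that API clients cannot reach.` It would also help to state whether the proxied request carries the caller's credentials, which the text does not say. If this sample file is generated from the option definitions, the wording belongs in the option's help string rather than here.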
@@ -927,7 +974,7 @@
# * cinder_store_password
#
# (string value)
-#cinder_catalog_info = volumev2::publicURL
+#cinder_catalog_info = volumev3::publicURL
#
# Override service catalog lookup with template for cinder endpoint.
@@ -2481,7 +2528,7 @@
# The relative or absolute path of a file that maps roles to permissions for a
# given service. Relative paths must be specified in relation to the
# configuration file setting this option. (string value)
-#policy_file = policy.json
+#policy_file = policy.yaml
# Default rule. Enforced when a requested rule is not found. (string value)
#policy_default_rule = default
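Review bot: The new default `policy.yaml` on `policy_file` comes with no word on what happens to a deployment that still ships a customised `policy.json` and never set this option. If the old file is no longer read, its overrides would stop applying and the service would fall back to the in-code defaults, an authorization change an operator should not discover by accident. I have not confirmed the loader's behaviour from this page. I would add above the option `# The default changed from policy.json; set policy_file explicitly or convert an existing JSON policy file.` The option's description may start above the hunk.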