diff options
Diffstat (limited to 'etc/glance-scrubber.conf')
-rw-r--r-- | etc/glance-scrubber.conf | 51 |
1 files changed, 49 insertions, 2 deletions
diff --git a/etc/glance-scrubber.conf b/etc/glance-scrubber.conf index 72849e5ba..d460c8367 100644 --- a/etc/glance-scrubber.conf +++ b/etc/glance-scrubber.conf @@ -412,6 +412,53 @@ # * [DEFAULT]/node_staging_uri (list value) #enabled_import_methods = [glance-direct,web-download,copy-image] +# DEPRECATED: +# Enforce API access based on common persona definitions used across OpenStack. +# Enabling this option formalizes project-specific read/write operations, like +# creating private images or updating the status of shared image, behind the +# `member` role. It also formalizes a read-only variant useful for +# project-specific API operations, like listing private images in a project, +# behind the `reader` role. +# +# Operators should take an opportunity to understand glance's new image +# policies, +# audit assignments in their deployment, and update permissions using the +# default +# roles in keystone (e.g., `admin`, `member`, and `reader`). +# +# Related options: +# * [oslo_policy]/enforce_new_defaults +# (boolean value) +# This option is deprecated for removal since Wallaby. +# Its value may be silently ignored in the future. +# Reason: +# This option has been introduced to require operators to opt into enforcing +# authorization based on common RBAC personas, which is EXPERIMENTAL as of the +# Wallaby release. This behavior will be the default and STABLE in a future +# release, allowing this option to be removed. +#enforce_secure_rbac = false + +# +# The URL to this worker. +# +# If this is set, other glance workers will know how to contact this one +# directly if needed. For image import, a single worker stages the image +# and other workers need to be able to proxy the import request to the +# right one. +# +# If unset, this will be considered to be `public_endpoint`, which +# normally would be set to the same value on all workers, effectively +# disabling the proxying behavior. +# +# Possible values: +# * A URL by which this worker is reachable from other workers +# +# Related options: +# * public_endpoint +# +# (string value) +#worker_self_reference_url = <None> + # # The amount of time, in seconds, to delay image scrubbing. # @@ -927,7 +974,7 @@ # * cinder_store_password # # (string value) -#cinder_catalog_info = volumev2::publicURL +#cinder_catalog_info = volumev3::publicURL # # Override service catalog lookup with template for cinder endpoint. @@ -2481,7 +2528,7 @@ # The relative or absolute path of a file that maps roles to permissions for a # given service. Relative paths must be specified in relation to the # configuration file setting this option. (string value) -#policy_file = policy.json +#policy_file = policy.yaml # Default rule. Enforced when a requested rule is not found. (string value) #policy_default_rule = default |