diff options
Diffstat (limited to 'releasenotes/notes/rbac-updates-ba0fcb886fe4085c.yaml')
-rw-r--r-- | releasenotes/notes/rbac-updates-ba0fcb886fe4085c.yaml | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/releasenotes/notes/rbac-updates-ba0fcb886fe4085c.yaml b/releasenotes/notes/rbac-updates-ba0fcb886fe4085c.yaml new file mode 100644 index 000000000..bcb3eb08f --- /dev/null +++ b/releasenotes/notes/rbac-updates-ba0fcb886fe4085c.yaml @@ -0,0 +1,26 @@ +--- +features: + - | + The Glance policies have been modified to drop the system scope. Every + API policy is scoped to project. This means that system scoped users + will get 403 permission denied error. + + Also, the project reader role is ready to use. Users with reader role + can only perform the read-only operations within their project. This + role can be used for the audit purposes. + + For the details on what changed from the existing policy, please refer + to the `RBAC new guidelines`_. We have implemented only phase-1 of the + `RBAC new guidelines`_. + Currently, scope checks and new defaults are disabled by default. You can + enable them by switching the below config option in ``glance.conf`` file:: + + [oslo_policy] + enforce_new_defaults=True + enforce_scope=True + + We recommend to enable the both scope as well new defaults together + otherwise you may experience some late failures with unclear error + messages. + + .. _`RBAC new guidelines`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1 |