blob: 579444bd198796107b37fbadd145e6f8b2215570 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
---
features:
- |
RESTful access to every API resource may now be controlled by adjusting
policy settings. Defaults are set in code, and remain backwards compatible
with the previously-included policy.json file. Two new roles are checked
by default, "baremetal_admin" and "baremetal_observer", though these may be
replaced or overridden by configuration. The "baremetal_observer" role
grants read-only access to Ironic's API.
security:
- |
Previously, access to Ironic's REST API was "all or nothing". With this
release, it is now possible to restrict read and write access to API
resources to specific cloud roles.
upgrade:
- |
During an upgrade, it is recommended that all deployers re-evaluate the
settings in their ``/etc/ironic/policy.json`` file. This file should now be
used only to override default configuration, such as by limiting access to
the ironic service to specific tenants or restricting access to
specific API endpoints. A ``policy.json.sample`` file is provided that
lists all supported policies.
|