author | Zuul <zuul@review.opendev.org> | 2023-03-01 07:39:19 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2023-03-01 07:39:19 +0000 |
commit | 814f60b046a5628f0e65bdc13596ebbf9f0fb8c1 (patch) | |
tree | 84201429355b5f25635d2c8b77ccd284709ef70b | |
parent | 2718edf76ee5835adfe9aa99d6fbb756a256d801 (diff) | |
parent | 948c9e02e369b47587f6abadc19f241838f79619 (diff) | |
download | neutron-814f60b046a5628f0e65bdc13596ebbf9f0fb8c1.tar.gz |
Merge "[S-RBAC] Add release note about full support for new policies"
-rw-r--r-- | releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml b/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml new file mode 100644 index 0000000000..f07dacc24c --- /dev/null +++ b/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml @@ -0,0 +1,16 @@ +--- +features: + - | + Neutron now supports API policies with the new default roles + ``project_member`` and ``project_reader``. + Role ``admin`` is working in the same way as with old policies. +upgrade: + - | + New default API policies are not enabled by default. A cloud operator can + enable them by setting ``oslo_policy/enforce_new_defaults`` to ``true`` in + the Neutron config file. + It is also possible to switch the ``oslo_policy/enforce_scope`` config + option to ``true`` but currently Neutron does not support any system scope + APIs. All Neutron API policies are currently project scoped so setting + ``oslo_policy/enforce_scope`` to ``true`` will cause ``Forbidden`` responses + to any API calls made with the system scope token. |
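Review bot: The ``features`` entry reads as if ``project_member`` and ``project_reader`` are active right after upgrade, while the ``upgrade`` entry says the new defaults are off until ``oslo_policy/enforce_new_defaults`` is set to ``true``; state that condition in the ``features`` text as well, since the two sections are often read separately. In the ``upgrade`` entry, the ``oslo_policy/enforce_scope`` caveat is folded into the same list item as the enablement instructions, so its consequence (``Forbidden`` for any call made with a system scope token) is easy to miss. Consider moving it into its own list item that leads with the consequence.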