author: Ghanshyam Mann <gmann@ghanshyammann.com> 2022-11-30 14:57:51 -0600
committer: Ghanshyam Mann <gmann@ghanshyammann.com> 2023-01-10 23:37:13 -0600
commit: d97af33c0639b548f8a66ab14019259e9b4210be
tree: 0be5f69694b00ddedd1286f98d18d82eab543810 /releasenotes
parent: 5e5b6751d32aa50dc372c55b5c2044d0dade51f4
Enable new defaults and scope checks by default
As discussed in PTG, we need to test the new RBAC in the integrated gate and accordingly enable the new defaults and scope check by default. A new integrated testing job has been added and results show that the new defaults and scope checks are working fine. During testing, we found a few bugs in neutron policies but all are fixed now.

enforce_scope and enforce_new_defaults are oslo policy config options but they are per service level and the default value can be overridden. Oslo policy 3.11.0 version allows to override the default value for these config options[1] so upgrading the oslo policy version in requirements.txt

Depends-On: https://review.opendev.org/c/openstack/devstack/+/869781
Depends-On: https://review.opendev.org/c/openstack/placement/+/869525

[1] https://github.com/openstack/oslo.policy/blob/3.11.0/oslo_policy/opts.py#L125

Change-Id: I977b2daedf880229c8d364ca011f2ea965b86e3a
Diffstat (limited to 'releasenotes')
-rw-r--r-- releasenotes/notes/enable-enforce-scope-and-new-defaults-14db8c75b263b599.yaml 23
1 files changed, 23 insertions, 0 deletions
diff --git a/releasenotes/notes/enable-enforce-scope-and-new-defaults-14db8c75b263b599.yaml b/releasenotes/notes/enable-enforce-scope-and-new-defaults-14db8c75b263b599.yaml
new file mode 100644
index 0000000000..72a6f861b6
--- /dev/null
+++ b/releasenotes/notes/enable-enforce-scope-and-new-defaults-14db8c75b263b599.yaml
@@ -0,0 +1,23 @@
+---
+upgrade:
+ - |
+ The Nova service enable the API policies (RBAC) new defaults and scope by
+ default. The Default value of config options ``[oslo_policy] enforce_scope``
+ and ``[oslo_policy] oslo_policy.enforce_new_defaults`` have been changed
+ to ``True``.
+
+ This means if you are using system scope token to access Nova API then
+ the request will be failed with 403 error code. Also, new defaults will be
+ enforced by default. To know about the new defaults of each policy
+ rule, refer to the `Policy New Defaults`_. For more detail about the Nova
+ API policies changes, refer to `Policy Concepts`_.
+
+ If you want to disable them then modify the below config options value in
+ ``nova.conf`` file::
+
+ [oslo_policy]
+ enforce_new_defaults=False
+ enforce_scope=False
+
+ .. _`Policy New Defaults`: https://docs.openstack.org/nova/latest/configuration/policy.html
+ .. _`Policy Concepts`: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
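Review bot: In the first upgrade paragraph the second option is written as ``[oslo_policy] oslo_policy.enforce_new_defaults``, which does not match the ``enforce_new_defaults`` key shown under ``[oslo_policy]`` in the nova.conf snippet further down; drop the ``oslo_policy.`` prefix so both places name the same option and an operator searching their config finds it. The second paragraph says a request made with a system scope token will now get a 403 but does not say which token scope callers should use instead; add that, since it is the action an upgrader has to take. The disable snippet sets both options to False together; it would help to say whether they can be changed independently, because an operator hitting only the scope failure may not want to give up the new defaults as well. Wording: "The Nova service enable" should be "enables", "The Default value of config options ... have been changed" should be "The default values ... have been changed", and "the request will be failed" reads better as "the request will fail".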