diff options
author | Lance Bragstad <lbragstad@gmail.com> | 2018-01-02 15:22:22 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2018-01-02 17:37:44 +0000 |
commit | 8835af6aa5b3c039b0c1b74a2b697fb654ae24dd (patch) | |
tree | 05362103f0101c75126a6f221a83e349472c648a /releasenotes/notes | |
parent | 5dc2ab7bcda39b0eab2da06f346f3a2ca1603e83 (diff) | |
download | oslo-policy-8835af6aa5b3c039b0c1b74a2b697fb654ae24dd.tar.gz |
Add a release note for enforce_scope1.33.0
A previous change added the ability to enforce scope using a
configuration option:
Ia573b8cac3bf9cee2962790589dea24c7f530ef5
This commit ensures we have a release note to communicate that change.
bp add-scope-to-policy
Change-Id: I1c71aecd247b39c01a3b333e9915aee517079162
Diffstat (limited to 'releasenotes/notes')
-rw-r--r-- | releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml b/releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml new file mode 100644 index 0000000..017e6af --- /dev/null +++ b/releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + A new configuration option has been added to the ``[oslo_policy]`` group + called ``enforce_scope``. When set to ``True``, oslo.policy will raise an + ``InvalidScope`` exception if the context passed into the enforce method + doesn't match the policy's ``scope_types``. If ``False``, a warning will be + logged for operators. Note that operators should only enable this option + once they've audited their users to ensure system users have roles on the + system. This could potentially prevent some users from being able to make + system-level API calls. This will also give other services the flexibility + to fix long-standing RBAC issues in OpenStack once they start introducing + ``scope_types`` for policies used in their service. |