Diffstat (limited to 'releasenotes/notes/bp-policy-defaults-refresh-b8e6e2d6b1a7bc21.yaml')
-rw-r--r-- | releasenotes/notes/bp-policy-defaults-refresh-b8e6e2d6b1a7bc21.yaml | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/releasenotes/notes/bp-policy-defaults-refresh-b8e6e2d6b1a7bc21.yaml b/releasenotes/notes/bp-policy-defaults-refresh-b8e6e2d6b1a7bc21.yaml new file mode 100644 index 0000000000..b6be3955d7 --- /dev/null +++ b/releasenotes/notes/bp-policy-defaults-refresh-b8e6e2d6b1a7bc21.yaml 
@@ -0,0 +1,137 @@ +--- +features: + - | + The Nova policies implemented the scope concept and new default roles + (``admin``, ``member``, and ``reader``) provided by keystone. +upgrade: + - | + All the policies except the deprecated APIs policy have been changed to + implement the ``scope_type`` and new defaults. Deprecated APIs policy will + be moved to ``scope_type`` and new defaults in the next release. + + Please refer `Policy New Defaults`_ for detail about policy new defaults + and migration plan. + + * **Scope** + + Each policy is protected with appropriate ``scope_type``. Nova support + two types of ``sope_type`` with their combination. ``['system']``, + ``['project']`` and ``['system', 'project']``. + + To know each policy scope_type, please refer the `Policy Reference`_ + + This feature is disabled by default can be enabled via config option + ``[oslo_policy]enforce_scope`` in ``nova.conf`` + + * **New Defaults(Admin, Member and Reader)** + + Policies are default to Admin, Member and Reader roles. Old roles + are also supproted. You can switch to new defaults via config option + ``[oslo_policy]enforce_new_defaults`` in ``nova.conf`` file. 
+ + * **Policies granularity** + + To implement the reader roles, Below policies are made more granular + + - ``os_compute_api:os-agents`` is made granular to + + - ``os_compute_api:os-agents:create`` + - ``os_compute_api:os-agents:update`` + - ``os_compute_api:os-agents:delete`` + - ``os_compute_api:os-agents:list`` + + - ``os_compute_api:os-attach-interfaces`` is made granular to + + - ``os_compute_api:os-attach-interfaces:create`` + - ``os_compute_api:os-attach-interfaces:delete`` + - ``os_compute_api:os-attach-interfaces:show`` + - ``os_compute_api:os-attach-interfaces:list`` + + - ``os_compute_api:os-deferred-delete`` is made granular to + + - ``os_compute_api:os-deferred-delete:restore`` + - ``os_compute_api:os-deferred-delete:force`` + + - ``os_compute_api:os-hypervisors`` is made granular to + + - ``os_compute_api:os-hypervisors:list`` + - ``os_compute_api:os-hypervisors:list-detail`` + - ``os_compute_api:os-hypervisors:statistics`` + - ``os_compute_api:os-hypervisors:show`` + - ``os_compute_api:os-hypervisors:uptime`` + - ``os_compute_api:os-hypervisors:search`` + - ``os_compute_api:os-hypervisors:servers`` + + - ``os_compute_api:os-security-groups`` is made granular to + + - ``os_compute_api:os-security-groups:add`` + - ``os_compute_api:os-security-groups:remove`` + - ``os_compute_api:os-security-groups:list`` + + - ``os_compute_api:os-instance-usage-audit-log`` is made granular to + + - ``os_compute_api:os-instance-usage-audit-log:list`` + - ``os_compute_api:os-instance-usage-audit-log:show`` + + - ``os_compute_api:os-instance-actions`` is made granular to + + - ``os_compute_api:os-instance-actions:list`` + - ``os_compute_api:os-instance-actions:show`` + + - ``os_compute_api:os-server-password`` is made granular to + + - ``os_compute_api:os-server-password:show`` + - ``os_compute_api:os-server-password:clear`` + + - ``os_compute_api:os-rescue`` is made granular to + + - ``os_compute_api:os-rescue`` + - ``os_compute_api:os-unrescue`` + + - 
``os_compute_api:os-used-limits`` is renamed to + + - ``os_compute_api:limits:other_project`` + + - ``os_compute_api:os-services`` is made granular to + + - ``os_compute_api:os-services:list`` + - ``os_compute_api:os-services:update`` + - ``os_compute_api:os-services:delete`` +deprecations: + - | + During Policy new defaults, below policies are deprecated and will be + removed in 23.0.0 release. These are replaced by the new granular + policies listed in feature section. + + - ``os_compute_api:os-agents`` + - ``os_compute_api:os-attach-interfaces`` + - ``os_compute_api:os-deferred-delete`` + - ``os_compute_api:os-hypervisors`` + - ``os_compute_api:os-security-groups`` + - ``os_compute_api:os-instance-usage-audit-log`` + - ``os_compute_api:os-instance-actions`` + - ``os_compute_api:os-server-password`` + - ``os_compute_api:os-used-limits`` + - ``os_compute_api:os-services`` +fixes: + - | + Below bugs are fixed for policies default values + + - https://bugs.launchpad.net/nova/+bug/1863009 + - https://bugs.launchpad.net/nova/+bug/1869396 + - https://bugs.launchpad.net/nova/+bug/1867840 + - https://bugs.launchpad.net/nova/+bug/1869791 + - https://bugs.launchpad.net/nova/+bug/1869841 + - https://bugs.launchpad.net/nova/+bug/1869543 + - https://bugs.launchpad.net/nova/+bug/1870883 + - https://bugs.launchpad.net/nova/+bug/1871287 + - https://bugs.launchpad.net/nova/+bug/1870488 + - https://bugs.launchpad.net/nova/+bug/1870872 + - https://bugs.launchpad.net/nova/+bug/1870484 + - https://bugs.launchpad.net/nova/+bug/1870881 + - https://bugs.launchpad.net/nova/+bug/1871665 + - https://bugs.launchpad.net/nova/+bug/1870226 + + .. _policy-defaults-refresh: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html + .. _Policy Reference: https://docs.openstack.org/nova/latest/configuration/policy.html + .. _Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html |
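Review bot: The ``deprecations`` entry says the old policies "are replaced by the new granular policies listed in feature section", but the granular list is under ``upgrade``; ``features`` holds only the one-paragraph summary of scope and the new default roles. Point the sentence at the upgrade section, or move the list, so operators who carry overrides for the deprecated names can find the replacements. In the **Scope** bullet, ``sope_type`` should be ``scope_type``, and "two types" is followed by three values (``['system']``, ``['project']`` and ``['system', 'project']``), so word it as two scope types plus their combination. "supproted" in the **New Defaults** bullet should be "supported", and "This feature is disabled by default can be enabled" is missing an "and". The ``.. _policy-defaults-refresh:`` link target at the end is not referenced anywhere in the note text; either cite it from the upgrade paragraph or drop it.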