path: root/releasenotes/notes/bp-policy-defaults-refresh-b8e6e2d6b1a7bc21.yaml
blob: b6be3955d72d96f0ab1056af38dae914e1f5de55 (plain)
---
features:
  - |
    Nova policies now implement the scope concept and the new default roles
    (``admin``, ``member``, and ``reader``) provided by keystone.
upgrade:
  - |
    All policies except the deprecated APIs policy have been changed to
    implement ``scope_type`` and the new defaults. The deprecated APIs policy
    will be moved to ``scope_type`` and the new defaults in the next release.

    Please refer to `Policy New Defaults`_ for details about the new policy
    defaults and the migration plan.

    * **Scope**

      Each policy is protected with an appropriate ``scope_type``. Nova
      supports two types of ``scope_type`` and their combination:
      ``['system']``, ``['project']`` and ``['system', 'project']``.

      To find the ``scope_type`` of each policy, refer to the
      `Policy Reference`_.

      This feature is disabled by default and can be enabled via the config
      option ``[oslo_policy]enforce_scope`` in ``nova.conf``.

    * **New Defaults (Admin, Member and Reader)**

      Policies now default to the Admin, Member and Reader roles. Old roles
      are also supported. You can switch to the new defaults via the config
      option ``[oslo_policy]enforce_new_defaults`` in the ``nova.conf`` file.

    * **Policies granularity**

      To implement the reader roles, the policies below are made more granular:

      - ``os_compute_api:os-agents`` is made granular to

        - ``os_compute_api:os-agents:create``
        - ``os_compute_api:os-agents:update``
        - ``os_compute_api:os-agents:delete``
        - ``os_compute_api:os-agents:list``

      - ``os_compute_api:os-attach-interfaces`` is made granular to

        - ``os_compute_api:os-attach-interfaces:create``
        - ``os_compute_api:os-attach-interfaces:delete``
        - ``os_compute_api:os-attach-interfaces:show``
        - ``os_compute_api:os-attach-interfaces:list``

      - ``os_compute_api:os-deferred-delete`` is made granular to

        - ``os_compute_api:os-deferred-delete:restore``
        - ``os_compute_api:os-deferred-delete:force``

      - ``os_compute_api:os-hypervisors`` is made granular to

        - ``os_compute_api:os-hypervisors:list``
        - ``os_compute_api:os-hypervisors:list-detail``
        - ``os_compute_api:os-hypervisors:statistics``
        - ``os_compute_api:os-hypervisors:show``
        - ``os_compute_api:os-hypervisors:uptime``
        - ``os_compute_api:os-hypervisors:search``
        - ``os_compute_api:os-hypervisors:servers``

      - ``os_compute_api:os-security-groups`` is made granular to

        - ``os_compute_api:os-security-groups:add``
        - ``os_compute_api:os-security-groups:remove``
        - ``os_compute_api:os-security-groups:list``

      - ``os_compute_api:os-instance-usage-audit-log`` is made granular to

        - ``os_compute_api:os-instance-usage-audit-log:list``
        - ``os_compute_api:os-instance-usage-audit-log:show``

      - ``os_compute_api:os-instance-actions`` is made granular to

        - ``os_compute_api:os-instance-actions:list``
        - ``os_compute_api:os-instance-actions:show``

      - ``os_compute_api:os-server-password`` is made granular to

        - ``os_compute_api:os-server-password:show``
        - ``os_compute_api:os-server-password:clear``

      - ``os_compute_api:os-rescue`` is made granular to

        - ``os_compute_api:os-rescue``
        - ``os_compute_api:os-unrescue``

      - ``os_compute_api:os-used-limits`` is renamed to

        - ``os_compute_api:limits:other_project``

      - ``os_compute_api:os-services`` is made granular to

        - ``os_compute_api:os-services:list``
        - ``os_compute_api:os-services:update``
        - ``os_compute_api:os-services:delete``
deprecations:
  - |
    As part of the new policy defaults, the policies below are deprecated and
    will be removed in the 23.0.0 release. These are replaced by the new
    granular policies listed in the feature section.

    - ``os_compute_api:os-agents``
    - ``os_compute_api:os-attach-interfaces``
    - ``os_compute_api:os-deferred-delete``
    - ``os_compute_api:os-hypervisors``
    - ``os_compute_api:os-security-groups``
    - ``os_compute_api:os-instance-usage-audit-log``
    - ``os_compute_api:os-instance-actions``
    - ``os_compute_api:os-server-password``
    - ``os_compute_api:os-used-limits``
    - ``os_compute_api:os-services``
fixes:
  - |
    The bugs below are fixed for policy default values:

    - https://bugs.launchpad.net/nova/+bug/1863009
    - https://bugs.launchpad.net/nova/+bug/1869396
    - https://bugs.launchpad.net/nova/+bug/1867840
    - https://bugs.launchpad.net/nova/+bug/1869791
    - https://bugs.launchpad.net/nova/+bug/1869841
    - https://bugs.launchpad.net/nova/+bug/1869543
    - https://bugs.launchpad.net/nova/+bug/1870883
    - https://bugs.launchpad.net/nova/+bug/1871287
    - https://bugs.launchpad.net/nova/+bug/1870488
    - https://bugs.launchpad.net/nova/+bug/1870872
    - https://bugs.launchpad.net/nova/+bug/1870484
    - https://bugs.launchpad.net/nova/+bug/1870881
    - https://bugs.launchpad.net/nova/+bug/1871665
    - https://bugs.launchpad.net/nova/+bug/1870226

    .. _policy-defaults-refresh: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
    .. _Policy Reference: https://docs.openstack.org/nova/latest/configuration/policy.html
    .. _Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
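
An added example (not part of the Nova release note or of Nova's code): a checker that scans operator policy overrides for the deprecated names listed above and proposes the granular names that would need the same rule. The helper names and the sample policy text are constructed, it reads only flat ``name: rule`` lines, and copying the old rule to every granular name is a starting point for review rather than a recommended final policy.

```python
import re

# Deprecated name -> granular suffixes, copied from the release note above.
# os-rescue is split in the note but is not in its deprecation list, so it is
# not flagged here.
P = "os_compute_api:"
SUFFIXES = {
    "os-agents": "create update delete list",
    "os-attach-interfaces": "create delete show list",
    "os-deferred-delete": "restore force",
    "os-hypervisors": "list list-detail statistics show uptime search servers",
    "os-security-groups": "add remove list",
    "os-instance-usage-audit-log": "list show",
    "os-instance-actions": "list show",
    "os-server-password": "show clear",
    "os-services": "list update delete",
}
REPLACEMENTS = {P + k: [f"{P}{k}:{s}" for s in v.split()] for k, v in SUFFIXES.items()}
REPLACEMENTS[P + "os-used-limits"] = [P + "limits:other_project"]  # renamed

# Matches flat `"name": "rule"` lines; comment lines do not match.
LINE = re.compile(r'''^\s*["']?([\w:-]+)["']?\s*:\s+(.*?)\s*$''')

# Constructed sample of operator overrides (not from a real deployment).
SAMPLE_POLICY = '''\
# local overrides
"os_compute_api:os-agents": "rule:admin_api"
"os_compute_api:os-agents:list": "role:auditor"
"os_compute_api:os-used-limits": "rule:admin_api"
"os_compute_api:servers:create": "rule:admin_or_owner"
'''

def parse_overrides(policy_text):
    """Return {name: rule} for every override line in the file text."""
    matches = (LINE.match(line) for line in policy_text.splitlines())
    return {m.group(1): m.group(2).strip("\"'") for m in matches if m}

def find_deprecated_overrides(policy_text):
    """Overrides that still use a name the release note deprecates."""
    return {k: v for k, v in parse_overrides(policy_text).items() if k in REPLACEMENTS}

def migration_plan(policy_text):
    """Granular name -> rule carried over from the deprecated override.
    Granular names the operator already overrides are left alone."""
    current = parse_overrides(policy_text)
    plan = {}
    for old, rule in find_deprecated_overrides(policy_text).items():
        for new in REPLACEMENTS[old]:
            if new not in current:
                plan[new] = rule
    return plan
```
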