Add releasenote for policy refresh base and device profile policies
Change-Id: I08f9d9043a488c8bb55c57f14f8eac860d47eb1f
This commit is contained in:
Yumeng Bao
Brin Zhang
parent
c1f4e3806d
commit
bdc1aab530
@ -0,0 +1,87 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
In the Victoria release, cyborg introduced the new scoped RBAC policy
|
||||||
|
authorization for API access, and partially implemented the blueprints.
|
||||||
|
What implemented are new default rules in base policy and device_profile
|
||||||
|
policy.
|
||||||
|
|
||||||
|
During the development period(victoria and wallaby releases), the new and
|
||||||
|
old policy will both work because a deployment sets
|
||||||
|
``cyborg.conf [oslo_policy] enforce_scope = False`` as the default set.
|
||||||
|
Although users can set ``cyborg.conf [oslo_policy] enforce_scope = True``
|
||||||
|
by default in their deployment, if they want to ignore old rules and
|
||||||
|
support new rules only. After we implement all the features, we'll give
|
||||||
|
two cycles transition period for operators. For specification of
|
||||||
|
new policy, please refer to `policy default refresh`_.
|
||||||
|
|
||||||
|
- Scope
|
||||||
|
|
||||||
|
Cyborg introduced ``scope_type`` to protect each policy. Cyborg support
|
||||||
|
two types of ``sope_type`` with their combination. ``['system']``,
|
||||||
|
``['project']`` and ``['system', 'project']``.
|
||||||
|
|
||||||
|
To know each policy ``scope_type``, please refer the `Policy Reference`_
|
||||||
|
|
||||||
|
This feature is disabled by default can be enabled via config option
|
||||||
|
``[oslo_policy]enforce_scope`` in ``cyborg.conf``
|
||||||
|
|
||||||
|
- New Defaults Configuration
|
||||||
|
|
||||||
|
Policies are default to Admin, Member and Reader roles. Old roles
|
||||||
|
are also supproted. You can switch to new defaults via config option
|
||||||
|
``[oslo_policy]enforce_new_defaults`` in ``cyborg.conf`` file.
|
||||||
|
|
||||||
|
- New Base policy roles
|
||||||
|
|
||||||
|
Cyborg introduced seven basic roles based on the new defaults combined
|
||||||
|
with different scope_types.
|
||||||
|
|
||||||
|
- project_reader
|
||||||
|
- project_member
|
||||||
|
- project_admin
|
||||||
|
- system_admin
|
||||||
|
- system_reader
|
||||||
|
- system_admin_or_owner
|
||||||
|
- system_or_project_reader
|
||||||
|
|
||||||
|
- New Defaults for device_profile APIs
|
||||||
|
|
||||||
|
Rewrite check string(authorization rules) using new personas for
|
||||||
|
device profile APIs.
|
||||||
|
|
||||||
|
Add ``checkstr=base.PROJECT_READER_OR_SYSTEM_READER`` and
|
||||||
|
deprecated ``checkstr=base.deprecated_default`` for
|
||||||
|
|
||||||
|
- ``cyborg:device_profile:get_one``
|
||||||
|
- ``cyborg:device_profile:get_all``
|
||||||
|
|
||||||
|
Add ``check_str=base.SYSTEM_ADMIN`` and
|
||||||
|
deprecated ``check_str=base.deprecated_is_admin`` for
|
||||||
|
|
||||||
|
- ``cyborg:device_profile:create``
|
||||||
|
|
||||||
|
Add ``check_str=base.SYSTEM_ADMIN`` and
|
||||||
|
deprecated ``base.deprecated_default`` for
|
||||||
|
|
||||||
|
- ``cyborg:device_profile:delete``
|
||||||
|
|
||||||
|
- Added policy configuration guide on cyborg doc page
|
||||||
|
|
||||||
|
Please refer to `policy configuration guide`_
|
||||||
|
|
||||||
|
.. _policy default refresh: https://specs.openstack.org/openstack/cyborg-specs/specs/ussuri/approved/policy-defaults-refresh.html
|
||||||
|
.. _Policy Reference: https://docs.openstack.org/cyborg/latest/configuration/policy.html
|
||||||
|
.. _policy configuration guide: https://docs.openstack.org/cyborg/latest/configuration/policy-guide.html
|
||||||
|
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The old basic personas below are marked as deprecated rules in base policy.
|
||||||
|
|
||||||
|
- public_api
|
||||||
|
- allow
|
||||||
|
- deny
|
||||||
|
- admin_api
|
||||||
|
- is_admin
|
||||||
|
- admin_or_owner
|
||||||
|
- admin_or_user
|
||||||
Loading…
Reference in New Issue
Block a user