dbfc121072
There are currently several ways to disable/enable multiple_locations. One is through a global config option (show_multiple_locations) and the other one is through a more granular RBAC using Glance's policies. Maintaining two different ways to configure, enable and/or disable a feature is painful for developers and operators. Given that we have a more granular way to manage this feature and that it's the preferred one given the provided ability to chose what each role can/cannot do, this patch proposes to remove the global config option. There have been concerns about this proposal mostly on the fact that it'll remove the ability to "turn off" the entire feature with a single option. This doesn't seem to be a strong enough motivation to warrant the effort of maintaining these 2 options. This patch marks the aforementioned option as deprecated. UpgradeImpact DocImpact Co-Authored-By: Flavio Percoco <flaper87@gmail.com> Co-Authored-By: Nikhil Komawar <nik.komawar@gmail.com> Lite-spec: https://review.openstack.org/360220 Change-Id: I1c5cb7834c2cf3295e10bad7fd07cfacb8e4ac50
27 lines
1.2 KiB
YAML
27 lines
1.2 KiB
YAML
---
|
|
prelude: >
|
|
Deprecate the ``show_multiple_locations`` configuration
|
|
option in favor of the existing Role Based Access
|
|
Control (RBAC) for Image locations which uses
|
|
``policy.json`` file to define the appropriate rules.
|
|
Maintaining two different ways to configure, enable
|
|
and/or disable a feature is painful for developers and
|
|
operators, so the less granular means of controlling
|
|
this feature will be eliminated in the **Ocata**
|
|
release. Please read upgrade section for more details.
|
|
upgrade:
|
|
- For the Newton release, this option will still be
|
|
honored. However, it is important to update
|
|
``policy.json`` file for glance-api nodes. In
|
|
particular, please consider updating the policies
|
|
``delete_image_location``, ``get_image_location`` and
|
|
``set_image_location`` as per your requirements. As this
|
|
is an advanced option and prone to expose some risks,
|
|
please check the policies to ensure security and privacy
|
|
of your cloud.
|
|
- Future releases will ignore this option and just
|
|
follow the policy rules. It is recommended that this
|
|
option is disabled for public endpoints and is being
|
|
only used internally for service-to-service
|
|
communication.
|