glance/releasenotes/notes/deprecate-show-multiple-location-9890a1e961def2f6.yaml
Flavio Percoco dbfc121072 Deprecate show_multiple_locations option
There are currently several ways to disable/enable multiple_locations.
One is through a global config option (show_multiple_locations) and the
other one is through a more granular RBAC using Glance's policies.

Maintaining two different ways to configure, enable and/or disable a
feature is painful for developers and operators. Given that we have a
more granular way to manage this feature and that it's the preferred one
given the provided ability to chose what each role can/cannot do, this
patch proposes to remove the global config option.

There have been concerns about this proposal mostly on the fact that
it'll remove the ability to "turn off" the entire feature with a single
option. This doesn't seem to be a strong enough motivation to warrant
the effort of maintaining these 2 options.

This patch marks the aforementioned option as deprecated.

UpgradeImpact
DocImpact

Co-Authored-By: Flavio Percoco <flaper87@gmail.com>
Co-Authored-By: Nikhil Komawar <nik.komawar@gmail.com>

Lite-spec: https://review.openstack.org/360220
Change-Id: I1c5cb7834c2cf3295e10bad7fd07cfacb8e4ac50
2016-08-29 17:05:35 +00:00

27 lines
1.2 KiB
YAML

---
prelude: >
Deprecate the ``show_multiple_locations`` configuration
option in favor of the existing Role Based Access
Control (RBAC) for Image locations which uses
``policy.json`` file to define the appropriate rules.
Maintaining two different ways to configure, enable
and/or disable a feature is painful for developers and
operators, so the less granular means of controlling
this feature will be eliminated in the **Ocata**
release. Please read upgrade section for more details.
upgrade:
- For the Newton release, this option will still be
honored. However, it is important to update
``policy.json`` file for glance-api nodes. In
particular, please consider updating the policies
``delete_image_location``, ``get_image_location`` and
``set_image_location`` as per your requirements. As this
is an advanced option and prone to expose some risks,
please check the policies to ensure security and privacy
of your cloud.
- Future releases will ignore this option and just
follow the policy rules. It is recommended that this
option is disabled for public endpoints and is being
only used internally for service-to-service
communication.