c9e312f8b4
The default policy has been replaced with one which aligns with the Secure-RBAC scopes and roles. Since ironic-inspector is a tool used only by system-level admins, only the ``system`` scope is supported, and the only roles in the policy rules are ``admin`` and ``reader``.

The is_admin and is_observer rules are deprecated for removal, and every rule which refers to them is deprecated in favor of the system-scoped equivalent (system_scope:all with role:admin or role:reader).

No unit tests covered the existing policy; these are now covered by test_acl.TestACLDeprecated.

Change-Id: I4d038245c6b97b1504fb47eeec78ad3f9e5a897c
19 lines
875 B
YAML
---
features:
  - |
    The default policy has been replaced with one which aligns with the
    Secure-RBAC scopes and roles. Since ironic-inspector is a tool used only
    by system-level admins, only the ``system`` scope is supported, and the
    only roles in the policy rules are ``admin`` and ``reader``.
upgrade:
  - |
    The new policy is only enforced when ``[oslo_policy]`` config is changed to
    ``enforce_new_defaults=True`` and ``enforce_scope=True``, otherwise the
    existing deprecated policy is used. User accounts which rely on having
    the ``baremetal_admin`` or ``baremetal_observer`` roles will need to
    have system-scoped ``admin`` or ``reader`` roles to use the API when the
    new policy is enforced.
deprecations:
  - |
    The previous policy is still enforced by default, but is now deprecated
    and will be removed in a future release.
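
An added example (not part of this commit and not oslo.policy code): a simplified Python model of the decision the upgrade note describes, usable as a pre-upgrade audit of which accounts stop passing once both flags are set. The contents of the legacy rules, the `Assignment` record, the sample data and the assumption that `admin` also satisfies reader-level rules are illustrative assumptions.

```python
from dataclasses import dataclass

# Assumption: the deprecated is_admin / is_observer rules are modelled as
# matching the legacy roles named in the upgrade note.
LEGACY = {"admin": {"baremetal_admin"},
          "reader": {"baremetal_admin", "baremetal_observer"}}
# New defaults per the commit message: system_scope:all with role:admin or
# role:reader. Assumption: admin also satisfies reader-level rules.
NEW = {"admin": {"admin"}, "reader": {"admin", "reader"}}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    scope: str  # "system" or "project" (constructed field, not a token format)


def allowed(a, level, enforce_new_defaults, enforce_scope):
    """Return True if assignment `a` passes a rule of `level` (admin/reader)."""
    new_ok = a.role in NEW[level] and a.scope == "system"
    if enforce_scope and a.scope != "system":
        return False  # wrong scope type is rejected before any rule is checked
    if enforce_new_defaults:
        return new_ok
    # Otherwise the deprecated rule is still honoured alongside the new one.
    return new_ok or a.role in LEGACY[level]


def loses_access(assignments, level):
    """Users who pass with both flags off but fail with both flags on."""
    before = {a.user for a in assignments if allowed(a, level, False, False)}
    after = {a.user for a in assignments if allowed(a, level, True, True)}
    return sorted(before - after)


# Constructed sample role assignments for the audit.
SAMPLE = [
    Assignment("alice", "baremetal_admin", "project"),
    Assignment("bob", "baremetal_observer", "project"),
    Assignment("carol", "admin", "system"),
    Assignment("dave", "reader", "system"),
    Assignment("alice", "reader", "system"),
]

if __name__ == "__main__":
    for level in ("admin", "reader"):
        print(level, "access lost by:", loses_access(SAMPLE, level))
```

Accounts reported here need a system-scoped ``admin`` or ``reader`` role assignment before ``enforce_new_defaults`` and ``enforce_scope`` are turned on.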