2016-06-03 15:43:12 -07:00
|
|
|
---
|
|
|
|
features:
|
|
|
|
- |
|
|
|
|
RESTful access to every API resource may now be controlled by adjusting
|
|
|
|
policy settings. Defaults are set in code, and remain backwards compatible
|
|
|
|
with the previously-included policy.json file. Two new roles are checked
|
|
|
|
by default, "baremetal_admin" and "baremetal_observer", though these may be
|
|
|
|
replaced or overridden by configuration. The "baremetal_observer" role
|
|
|
|
grants read-only access to Ironic's API.
|
|
|
|
security:
|
|
|
|
- |
|
|
|
|
Previously, access to Ironic's REST API was "all or nothing". With this
|
|
|
|
release, it is now possible to restrict read and write access to API
|
|
|
|
resources to specific cloud roles.
|
|
|
|
upgrade:
|
|
|
|
- |
|
|
|
|
During an upgrade, it is recommended that all deployers re-evaluate the
|
2016-08-08 21:09:13 -04:00
|
|
|
settings in their ``/etc/ironic/policy.json`` file. This file should now be
|
2016-06-03 15:43:12 -07:00
|
|
|
used only to override default configuration, such as by limiting access to
|
2016-08-08 21:09:13 -04:00
|
|
|
the ironic service to specific tenants or restricting access to
|
|
|
|
specific API endpoints. A ``policy.json.sample`` file is provided that
|
|
|
|
lists all supported policies.
|