Merge "Ironic: enable elevated access for project scoped service role"

2024-02-19 12:40:00 +00:00 · 2024-02-19 12:40:00 +00:00 · a6fa564499
commit a6fa564499
parent a3f3dc7ab5 121aa3d258
2 changed files with 14 additions and 0 deletions
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@ -18,6 +18,8 @@ my_ip = {{ api_interface_address }}
 notification_level = info
 {% endif %}

+rbac_service_role_elevated_access = True
+
 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}
 {% if ironic_enabled_notification_topics or enable_ironic_prometheus_exporter | bool %}
--- a/releasenotes/notes/ironic-rbac-elevated-6804dab4061ab236.yaml
+++ b/releasenotes/notes/ironic-rbac-elevated-6804dab4061ab236.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Enable elevated access for project scoped service role
+    in Ironic.  Ironic recently started to enforce new policies
+    and scope. And Ironic is one of the sole openstack project
+    which need system scope for some admin related api calls.
+    However Ironic also started to allow project-scope behaviour
+    for service role with setting
+    ``rbac_service_role_elevated_access``. This change enables
+    this setting to get similar behaviour of service role as other
+    openstack projects.