Merge "Remove deprecated public share policies"

2021-03-02 01:42:30 +00:00 · 2021-03-02 01:42:30 +00:00 · 8d9fb9250d
commit 8d9fb9250d
parent d116218778 e3e0486de9
2 changed files with 13 additions and 30 deletions
--- a/manila/policies/shares.py
+++ b/manila/policies/shares.py
@ -17,17 +17,6 @@ from manila.policies import base

 BASE_POLICY_NAME = 'share:%s'

-# These deprecated rules can be removed in the 'Train' release.
-deprecated_create_public_share_rule = policy.DeprecatedRule(
-    name=BASE_POLICY_NAME % 'create_public_share',
-    check_str=base.RULE_DEFAULT,
-)
-
-deprecated_set_public_share_rule = policy.DeprecatedRule(
-    name=BASE_POLICY_NAME % 'set_public_share',
-    check_str=base.RULE_DEFAULT,
-)
-

 shares_policies = [
    policy.DocumentedRuleDefault(
@ -43,16 +32,7 @@ shares_policies = [
    policy.DocumentedRuleDefault(
        name=BASE_POLICY_NAME % 'create_public_share',
        check_str=base.RULE_ADMIN_API,
-        description="Create shares visible across all projects in the cloud. "
-                    "This option will default to rule:admin_api in the "
-                    "9.0.0 (Train) release of the OpenStack Shared File "
-                    "Systems (manila) service.",
-        deprecated_rule=deprecated_create_public_share_rule,
-        deprecated_reason="Public shares must be accessible across the "
-                          "cloud, irrespective of project namespaces. To "
-                          "avoid unintended consequences, rule:admin_api "
-                          "serves as a better default for this policy.",
-        deprecated_since='S',
+        description="Create shares visible across all projects in the cloud.",
        operations=[
            {
                'method': 'POST',
@ -97,15 +77,7 @@ shares_policies = [
        name=BASE_POLICY_NAME % 'set_public_share',
        check_str=base.RULE_ADMIN_API,
        description="Update shares to be visible across all projects in the "
-                    "cloud. This option will default to rule:admin_api in the "
-                    "9.0.0 (Train) release of the OpenStack Shared File "
-                    "Systems (manila) service.",
-        deprecated_rule=deprecated_set_public_share_rule,
-        deprecated_reason="Public shares must be accessible across the "
-                          "cloud, irrespective of project namespaces. To "
-                          "avoid unintended consequences, rule:admin_api "
-                          "serves as a better default for this policy.",
-        deprecated_since='S',
+                    "cloud.",
        operations=[
            {
                'method': 'PUT',
--- a/releasenotes/notes/remove-deprecated-public-share-creation-policies-051d59249e556b44.yaml
+++ b/releasenotes/notes/remove-deprecated-public-share-creation-policies-051d59249e556b44.yaml
@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The ability to create a public share (RBAC: "share:create_public_share")
+    and to update a share to become publicly visible
+    (RBAC: "share:set_public_share") are now restricted to administator
+    users operating at system scope. Adjust your policy file overrides if
+    you would like to retain the older behavior of allowing all users to
+    create public shares or to update private ones to public. If you do
+    that, be sure that your users are aware of the security implications of
+    publicly accessible shares.