[S-RBAC] Add release note about full support for new policies

Since 2023.1 (Anthelope) release Neutron have full support for the new default S-RBAC policies. We have CI job which is testing usage of Neutron with those new API policies currently [1]. In the 2023.2 cycle we are going to switch Neutron to use those new policies by default. [1] https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/867518 Co-authored-by: Brian Haley <haleyb.dev@gmail.com> Change-Id: I2a4f254745accb062582e9a28b14bced1186cc3e
2023-02-21 22:33:39 +01:00 · 2023-02-21 22:33:39 +01:00 · 948c9e02e3
commit 948c9e02e3
parent c178c28fb8
1 changed files with 16 additions and 0 deletions
--- a/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml
+++ b/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml
@ -0,0 +1,16 @@
+---
+features:
+  - |
+    Neutron now supports API policies with the new default roles
+    ``project_member`` and ``project_reader``.
+    Role ``admin`` is working in the same way as with old policies.
+upgrade:
+  - |
+    New default API policies are not enabled by default. A cloud operator can
+    enable them by setting ``oslo_policy/enforce_new_defaults`` to ``true`` in
+    the Neutron config file.
+    It is also possible to switch the ``oslo_policy/enforce_scope`` config
+    option to ``true`` but currently Neutron does not support any system scope
+    APIs. All Neutron API policies are currently project scoped so setting
+    ``oslo_policy/enforce_scope`` to ``true`` will cause ``Forbidden`` responses
+    to any API calls made with the system scope token.