From 948c9e02e369b47587f6abadc19f241838f79619 Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Tue, 21 Feb 2023 22:33:39 +0100 Subject: [PATCH] [S-RBAC] Add release note about full support for new policies Since the 2023.1 (Antelope) release, Neutron has full support for the new default S-RBAC policies. We have a CI job which is testing usage of Neutron with those new API policies currently [1]. In the 2023.2 cycle we are going to switch Neutron to use those new policies by default. [1] https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/867518 Co-authored-by: Brian Haley Change-Id: I2a4f254745accb062582e9a28b14bced1186cc3e --- ...olicies-fully-supported-e95271a3ab175dca.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml diff --git a/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml b/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml new file mode 100644 index 00000000000..f07dacc24cf --- /dev/null +++ b/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml @@ -0,0 +1,16 @@ +--- +features: + - | + Neutron now supports API policies with the new default roles + ``project_member`` and ``project_reader``. + Role ``admin`` is working in the same way as with old policies. +upgrade: + - | + New default API policies are not enabled by default. A cloud operator can + enable them by setting ``oslo_policy/enforce_new_defaults`` to ``true`` in + the Neutron config file. + It is also possible to switch the ``oslo_policy/enforce_scope`` config + option to ``true`` but currently Neutron does not support any system scope + APIs. All Neutron API policies are currently project scoped so setting + ``oslo_policy/enforce_scope`` to ``true`` will cause ``Forbidden`` responses + to any API calls made with the system scope token.
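Review bot: In the `upgrade` item, the `oslo_policy/enforce_scope` warning sits in the same paragraph as the `oslo_policy/enforce_new_defaults` opt-in step, so an operator skimming for how to enable the new policies can miss that turning on `enforce_scope` makes every call with a system scope token return `Forbidden`. Consider splitting it into its own list entry under `upgrade` that leads with the consequence, and stating explicitly that the two options are independent, so enabling the new defaults does not require enabling scope enforcement. The commit message says the 2023.2 cycle will switch Neutron to the new policies by default, but the note itself does not mention this; a sentence announcing the planned change would give operators time to test with `enforce_new_defaults` set to `true` before the default changes. In `features`, "Role ``admin`` is working in the same way as with old policies" would read better as "The ``admin`` role works the same way as with the old policies", and the entry would be more useful if it said briefly what `project_member` and `project_reader` are allowed to do or pointed to the policy documentation.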