From da2cc29ec05d2c893fb2cea6a46fbe68791fb492 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski <skaplons@redhat.com>
Date: Fri, 26 Mar 2021 08:40:51 +0100
Subject: [PATCH] Add release note about support for new secure RBAC policies

Partially-Implements blueprint: secure-rbac-roles

Change-Id: I8aab83f0b145cfec70defed0bbf0221b0fe664b2
---
 ...secure-rbac-policies-a05bb75f2575cede.yaml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 releasenotes/notes/secure-rbac-policies-a05bb75f2575cede.yaml

diff --git a/releasenotes/notes/secure-rbac-policies-a05bb75f2575cede.yaml b/releasenotes/notes/secure-rbac-policies-a05bb75f2575cede.yaml
new file mode 100644
index 00000000000..c81ea84b788
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-policies-a05bb75f2575cede.yaml
@@ -0,0 +1,23 @@
+---
+features:
+  - |
+    Neutron now experimentally supports new API policies with the system scope
+    and the default roles (member, reader, admin).
+issues:
+  - |
+    Support for new policies and system scope context is experimentatal in
+    Neutron. When config option ``enforce_new_defaults`` is enabled in Neutron,
+    new default rules will be enforced and things may not work properly in
+    some cases.
+deprecations:
+  - |
+    Old API policies are deprecated now. They will be removed in future.
+other:
+  - |
+    When new default values for API policies are enabled, some API requests may
+    not be available for project admin users anymore as they are possible only
+    for system scope users.
+    Please note that system scope tokens don't have project_id included so for
+    example creation of the provider network, with specified physical network
+    details will now require from system scope admin user to explicitly set
+    project_id.