cyborg/releasenotes/notes/policy_refresh_base_and_dev...

88 lines
3.1 KiB
YAML

---
features:
- |
In the Victoria release, cyborg introduced the new scoped RBAC policy
authorization for API access, and partially implemented the blueprints.
What implemented are new default rules in base policy and device_profile
policy.
During the development period(victoria and wallaby releases), the new and
old policy will both work because a deployment sets
``cyborg.conf [oslo_policy] enforce_scope = False`` as the default set.
Although users can set ``cyborg.conf [oslo_policy] enforce_scope = True``
by default in their deployment, if they want to ignore old rules and
support new rules only. After we implement all the features, we'll give
two cycles transition period for operators. For specification of
new policy, please refer to `policy default refresh`_.
- Scope
Cyborg introduced ``scope_type`` to protect each policy. Cyborg support
two types of ``sope_type`` with their combination. ``['system']``,
``['project']`` and ``['system', 'project']``.
To know each policy ``scope_type``, please refer the `Policy Reference`_
This feature is disabled by default can be enabled via config option
``[oslo_policy]enforce_scope`` in ``cyborg.conf``
- New Defaults Configuration
Policies are default to Admin, Member and Reader roles. Old roles
are also supproted. You can switch to new defaults via config option
``[oslo_policy]enforce_new_defaults`` in ``cyborg.conf`` file.
- New Base policy roles
Cyborg introduced seven basic roles based on the new defaults combined
with different scope_types.
- project_reader
- project_member
- project_admin
- system_admin
- system_reader
- system_admin_or_owner
- system_or_project_reader
- New Defaults for device_profile APIs
Rewrite check string(authorization rules) using new personas for
device profile APIs.
Add ``checkstr=base.PROJECT_READER_OR_SYSTEM_READER`` and
deprecated ``checkstr=base.deprecated_default`` for
- ``cyborg:device_profile:get_one``
- ``cyborg:device_profile:get_all``
Add ``check_str=base.SYSTEM_ADMIN`` and
deprecated ``check_str=base.deprecated_is_admin`` for
- ``cyborg:device_profile:create``
Add ``check_str=base.SYSTEM_ADMIN`` and
deprecated ``base.deprecated_default`` for
- ``cyborg:device_profile:delete``
- Added policy configuration guide on cyborg doc page
Please refer to `policy configuration guide`_
.. _policy default refresh: https://specs.openstack.org/openstack/cyborg-specs/specs/ussuri/approved/policy-defaults-refresh.html
.. _Policy Reference: https://docs.openstack.org/cyborg/latest/configuration/policy.html
.. _policy configuration guide: https://docs.openstack.org/cyborg/latest/configuration/policy-guide.html
deprecations:
- |
The old basic personas below are marked as deprecated rules in base policy.
- public_api
- allow
- deny
- admin_api
- is_admin
- admin_or_owner
- admin_or_user