Add spec-lite to deprecate admin_role

Change-Id: I4484903886a09d4556ce11e671b1ae0dd8d9b16f
2020-03-24 08:45:10 -04:00 · 2020-03-24 08:45:10 -04:00 · 644b7ec2af
parent fccfd5d7f0
commit 644b7ec2af
1 changed files with 33 additions and 0 deletions
--- a/specs/ussuri/approved/glance/spec-lite-deprecate-admin_role.rst
+++ b/specs/ussuri/approved/glance/spec-lite-deprecate-admin_role.rst
@ -0,0 +1,33 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+===============================
+Spec Lite: Deprecate admin_role
+===============================
+
+..
+  Mandatory sections
+
+:project: glance
+
+:problem: Glance has a configuration option that grants complete admin access
+          to anyone with a particular role.  This is confusing because it
+          overrides any settings in the policy configuration file.  Further,
+          the default value is 'admin', which is likely to be an actual role
+          defined in any OpenStack cloud.
+
+:solution: Deprecate the 'admin_role' configuration option in Ussuri and
+           remove it during the Victoria development cycle.  Additionally,
+           change the default setting to something that would never match
+           any actual role, for example,
+           '__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__'.
+           That way, the 'admin_role' would only be effective if an
+           operator configured it on purpose, and this "backdoor" will
+           be effectively closed immediately.
+
+:impacts: Possibly documentation (though our policy docs are woefully out
+          of date).
+