From 0406cb6c41393297b0ded56ebfef9b593cecb397 Mon Sep 17 00:00:00 2001 From: Dan Smith Date: Wed, 25 Aug 2021 09:41:59 -0700 Subject: [PATCH] Add release note about policy-refactor Related to blueprint policy-refactor Change-Id: I0f6ff686df6449eecd23e1c64f21a5b4ccae652b --- .../policy-refactor-xena-0cddb7f2d492cb3a.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 releasenotes/notes/policy-refactor-xena-0cddb7f2d492cb3a.yaml diff --git a/releasenotes/notes/policy-refactor-xena-0cddb7f2d492cb3a.yaml b/releasenotes/notes/policy-refactor-xena-0cddb7f2d492cb3a.yaml new file mode 100644 index 0000000000..080e2459d0 --- /dev/null +++ b/releasenotes/notes/policy-refactor-xena-0cddb7f2d492cb3a.yaml @@ -0,0 +1,14 @@ +--- +security: + - | + The Xena release of Glance is a midpoint in the process of + refactoring how our policies are applied to API operations. The + goal of applying policy enforcement in the API will ultimately + increase the flexibility operators have over which users can do + what operations to which images, and provides a path for compliant + Secure RBAC and scoped tokens. In Xena, some policies are more + flexible than they once were, allowing for more fine-grained + assignment of responsibilities, but not all things are possible + yet. If `enforce_secure_rbac` is not enabled, most things are + still enforcing the legacy behavior of hard and fast + admin-or-owner requirements.
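Review bot: The `security:` entry in the new release note tells operators that "some policies are more flexible than they once were" and that "most things are still enforcing the legacy behavior" without naming any policy or API operation, so a reader cannot tell from it which access rules actually changed in Xena or which ones remain admin-or-owner. Since this is filed under the security section, consider listing the affected policies or pointing to the document that does, and stating what operators should review in their existing policy overrides before upgrading. The sentence introducing `enforce_secure_rbac` would also be clearer if it said where the option is set and what enabling it changes, since the note only describes the behavior when it is not enabled. Two smaller points: if these notes are rendered as reStructuredText, the single backticks around `enforce_secure_rbac` will not produce an inline literal and double backticks are needed; and "will ultimately increase ... and provides a path" should read "provide" to agree with "will".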