Deprecate admin_role

Implements: bp deprecate-admin-role
Change-Id: I0f61f85a0aaa4f68e345fa08fbb6b039d3d32587

glance/api/middleware/context.py

@@ -56,14 +56,32 @@ Related options:
 
 """)),
 
-    cfg.StrOpt('admin_role', default='admin',
+    cfg.StrOpt('admin_role',
+               default=('__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c'
+                        '_NOT_A_ROLE__'),
+               deprecated_for_removal=True,
+               deprecated_since="Ussuri",
+               deprecated_reason=_("""
+This option is redundant as its goal can be achieved via policy file
+configuration.  Additionally, it can override any configured policies,
+leading to unexpected behavior and difficulty in policy configuration.
+The option will be removed early in the Victoria development cycle,
+following the standard OpenStack deprecation policy.
+
+Because this can be a security issue, the default value of this
+configuration option has been changed in this release.
+
+Please see the 'Deprecation Notes' section of the Ussuri Glance
+Release Notes for more information.
+"""),
                help=_("""
 Role used to identify an authenticated user as administrator.
 
 Provide a string value representing a Keystone role to identify an
 administrative user. Users with this role will be granted
-administrative privileges. The default value for this option is
-'admin'.
+administrative privileges.
+
+NOTE: The default value for this option has changed in this release.
 
 Possible values:
     * A string value which is a valid Keystone role

releasenotes/notes/deprecate-admin_role-2f9d33ed0785d082.yaml

@@ -0,0 +1,53 @@
+---
+deprecations:
+  - |
+    The Glance API configuration option ``admin_role`` is deprecated in this
+    release and is subject to removal at the beginning of the Victoria
+    development cycle, following the `OpenStack standard deprecation policy
+    <https://governance.openstack.org/reference/tags/assert_follows-standard-deprecation.html>`_.
+
+    What this option does is to grant complete admin access to any
+    authenticated user with a particular role.  *This overrides any policy
+    rules configured in the policy configuration file.*  While everything
+    will behave as expected if you are also using the default policy settings,
+    this setting may cause anomalous behavior when you are configuring custom
+    policies.
+
+    Additionally, the default value of this option has been changed in
+    this release.  See the "Upgrade Notes" section of this document for
+    more information.
+
+    If you were previously aware of this option and were actually using it,
+    we apologize for the inconvenience its removal will cause, but overall
+    it will be better for everyone if policy configuration is confined to
+    the policy configuration file and this backdoor is eliminated.  The
+    migration path is to explictly mention the role you configured for this
+    option in appropriate places in your policy configuration file.
+upgrade:
+  - |
+    The default value of the Glance API configuration option ``admin_role``
+    has been changed in this release.  If you were also using the default
+    policy configuration, this change will not affect you.  If you were
+    *not* using the default policy configuration, please read on.
+
+    With the previous default value, any user with the ``admin`` role
+    could act in an administrative context *regardless of what your
+    policy file defined as the administrative context*.  And this might
+    not be a problem because usually the ``admin`` role is not assigned
+    to "regular" end users.  It does become a problem, however, when
+    operators attempt to configure different gradations of administrator.
+
+    In this release, the default value of ``admin_role`` has been defined
+    as ``__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__``.
+    This effectively makes it inoperable (unless your Keystone administrator
+    has actually created such a role and assigned it to someone, which is
+    unlikely but possible, so you should check).  If your local policy tests
+    (you have some, right?) indicate that your Glance policies no longer
+    function as expected, then you have been relying on the ``admin_role``
+    configuration option and need to revise your policy file.  (A short
+    term fix would be to set the ``admin_role`` option back to ``admin``,
+    but keep in mind that it *is* a short-term fix, because this
+    configuration option is deprecated and subject to removal.)
+
+    See the "Deprecation Notes" section of this document for more
+    information.