diff --git a/glance/api/middleware/context.py b/glance/api/middleware/context.py index 9ed4fe644b..80cd46c9f1 100644 --- a/glance/api/middleware/context.py +++ b/glance/api/middleware/context.py @@ -56,14 +56,32 @@ Related options: """)), - cfg.StrOpt('admin_role', default='admin', + cfg.StrOpt('admin_role', + default=('__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c' + '_NOT_A_ROLE__'), + deprecated_for_removal=True, + deprecated_since="Ussuri", + deprecated_reason=_(""" +This option is redundant as its goal can be achieved via policy file +configuration. Additionally, it can override any configured policies, +leading to unexpected behavior and difficulty in policy configuration. +The option will be removed early in the Victoria development cycle, +following the standard OpenStack deprecation policy. + +Because this can be a security issue, the default value of this +configuration option has been changed in this release. + +Please see the 'Deprecation Notes' section of the Ussuri Glance +Release Notes for more information. +"""), help=_(""" Role used to identify an authenticated user as administrator. Provide a string value representing a Keystone role to identify an administrative user. Users with this role will be granted -administrative privileges. The default value for this option is -'admin'. +administrative privileges. + +NOTE: The default value for this option has changed in this release. Possible values: * A string value which is a valid Keystone role diff --git a/releasenotes/notes/deprecate-admin_role-2f9d33ed0785d082.yaml b/releasenotes/notes/deprecate-admin_role-2f9d33ed0785d082.yaml new file mode 100644 index 0000000000..ab1263f943 --- /dev/null +++ b/releasenotes/notes/deprecate-admin_role-2f9d33ed0785d082.yaml @@ -0,0 +1,53 @@ +--- +deprecations: + - | + The Glance API configuration option ``admin_role`` is deprecated in this + release and is subject to removal at the beginning of the Victoria + development cycle, following the `OpenStack standard deprecation policy + `_. + + What this option does is to grant complete admin access to any + authenticated user with a particular role. *This overrides any policy + rules configured in the policy configuration file.* While everything + will behave as expected if you are also using the default policy settings, + this setting may cause anomalous behavior when you are configuring custom + policies. + + Additionally, the default value of this option has been changed in + this release. See the "Upgrade Notes" section of this document for + more information. + + If you were previously aware of this option and were actually using it, + we apologize for the inconvenience its removal will cause, but overall + it will be better for everyone if policy configuration is confined to + the policy configuration file and this backdoor is eliminated. The + migration path is to explictly mention the role you configured for this + option in appropriate places in your policy configuration file. +upgrade: + - | + The default value of the Glance API configuration option ``admin_role`` + has been changed in this release. If you were also using the default + policy configuration, this change will not affect you. If you were + *not* using the default policy configuration, please read on. + + With the previous default value, any user with the ``admin`` role + could act in an administrative context *regardless of what your + policy file defined as the administrative context*. And this might + not be a problem because usually the ``admin`` role is not assigned + to "regular" end users. It does become a problem, however, when + operators attempt to configure different gradations of administrator. + + In this release, the default value of ``admin_role`` has been defined + as ``__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__``. + This effectively makes it inoperable (unless your Keystone administrator + has actually created such a role and assigned it to someone, which is + unlikely but possible, so you should check). If your local policy tests + (you have some, right?) indicate that your Glance policies no longer + function as expected, then you have been relying on the ``admin_role`` + configuration option and need to revise your policy file. (A short + term fix would be to set the ``admin_role`` option back to ``admin``, + but keep in mind that it *is* a short-term fix, because this + configuration option is deprecated and subject to removal.) + + See the "Deprecation Notes" section of this document for more + information.