Deprecate admin_role
Implements: bp deprecate-admin-role Change-Id: I0f61f85a0aaa4f68e345fa08fbb6b039d3d32587
This commit is contained in:
Brian Rosmaita
Abhishek Kekane
parent
d5a0ce18aa
commit
28afc9fc6f
|
|
@ -56,14 +56,32 @@ Related options:
|
||||||
|
|
||||||
""")),
|
""")),
|
||||||
|
|
||||||
cfg.StrOpt('admin_role', default='admin',
|
cfg.StrOpt('admin_role',
|
||||||
|
default=('__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c'
|
||||||
|
'_NOT_A_ROLE__'),
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_since="Ussuri",
|
||||||
|
deprecated_reason=_("""
|
||||||
|
This option is redundant as its goal can be achieved via policy file
|
||||||
|
configuration. Additionally, it can override any configured policies,
|
||||||
|
leading to unexpected behavior and difficulty in policy configuration.
|
||||||
|
The option will be removed early in the Victoria development cycle,
|
||||||
|
following the standard OpenStack deprecation policy.
|
||||||
|
|
||||||
|
Because this can be a security issue, the default value of this
|
||||||
|
configuration option has been changed in this release.
|
||||||
|
|
||||||
|
Please see the 'Deprecation Notes' section of the Ussuri Glance
|
||||||
|
Release Notes for more information.
|
||||||
|
"""),
|
||||||
help=_("""
|
help=_("""
|
||||||
Role used to identify an authenticated user as administrator.
|
Role used to identify an authenticated user as administrator.
|
||||||
|
|
||||||
Provide a string value representing a Keystone role to identify an
|
Provide a string value representing a Keystone role to identify an
|
||||||
administrative user. Users with this role will be granted
|
administrative user. Users with this role will be granted
|
||||||
administrative privileges. The default value for this option is
|
administrative privileges.
|
||||||
'admin'.
|
|
||||||
|
NOTE: The default value for this option has changed in this release.
|
||||||
|
|
||||||
Possible values:
|
Possible values:
|
||||||
* A string value which is a valid Keystone role
|
* A string value which is a valid Keystone role
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,53 @@
|
||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The Glance API configuration option ``admin_role`` is deprecated in this
|
||||||
|
release and is subject to removal at the beginning of the Victoria
|
||||||
|
development cycle, following the `OpenStack standard deprecation policy
|
||||||
|
<https://governance.openstack.org/reference/tags/assert_follows-standard-deprecation.html>`_.
|
||||||
|
|
||||||
|
What this option does is to grant complete admin access to any
|
||||||
|
authenticated user with a particular role. *This overrides any policy
|
||||||
|
rules configured in the policy configuration file.* While everything
|
||||||
|
will behave as expected if you are also using the default policy settings,
|
||||||
|
this setting may cause anomalous behavior when you are configuring custom
|
||||||
|
policies.
|
||||||
|
|
||||||
|
Additionally, the default value of this option has been changed in
|
||||||
|
this release. See the "Upgrade Notes" section of this document for
|
||||||
|
more information.
|
||||||
|
|
||||||
|
If you were previously aware of this option and were actually using it,
|
||||||
|
we apologize for the inconvenience its removal will cause, but overall
|
||||||
|
it will be better for everyone if policy configuration is confined to
|
||||||
|
the policy configuration file and this backdoor is eliminated. The
|
||||||
|
migration path is to explictly mention the role you configured for this
|
||||||
|
option in appropriate places in your policy configuration file.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The default value of the Glance API configuration option ``admin_role``
|
||||||
|
has been changed in this release. If you were also using the default
|
||||||
|
policy configuration, this change will not affect you. If you were
|
||||||
|
*not* using the default policy configuration, please read on.
|
||||||
|
|
||||||
|
With the previous default value, any user with the ``admin`` role
|
||||||
|
could act in an administrative context *regardless of what your
|
||||||
|
policy file defined as the administrative context*. And this might
|
||||||
|
not be a problem because usually the ``admin`` role is not assigned
|
||||||
|
to "regular" end users. It does become a problem, however, when
|
||||||
|
operators attempt to configure different gradations of administrator.
|
||||||
|
|
||||||
|
In this release, the default value of ``admin_role`` has been defined
|
||||||
|
as ``__NOT_A_ROLE_07697c71e6174332989d3d5f2a7d2e7c_NOT_A_ROLE__``.
|
||||||
|
This effectively makes it inoperable (unless your Keystone administrator
|
||||||
|
has actually created such a role and assigned it to someone, which is
|
||||||
|
unlikely but possible, so you should check). If your local policy tests
|
||||||
|
(you have some, right?) indicate that your Glance policies no longer
|
||||||
|
function as expected, then you have been relying on the ``admin_role``
|
||||||
|
configuration option and need to revise your policy file. (A short
|
||||||
|
term fix would be to set the ``admin_role`` option back to ``admin``,
|
||||||
|
but keep in mind that it *is* a short-term fix, because this
|
||||||
|
configuration option is deprecated and subject to removal.)
|
||||||
|
|
||||||
|
See the "Deprecation Notes" section of this document for more
|
||||||
|
information.
|
||||||
Loading…
Reference in New Issue