Merge "RBAC updates: drop system scope"

2022-09-01 19:15:24 +00:00
parent 2f4dd20d5e f7b0d1cba1
commit fbe32cb44b
6 changed files with 84 additions and 69 deletions
--- a/releasenotes/notes/rbac-updates-ba0fcb886fe4085c.yaml
+++ b/releasenotes/notes/rbac-updates-ba0fcb886fe4085c.yaml
@@ -0,0 +1,26 @@
+---
+features:
+  - |
+    The Glance policies have been modified to drop the system scope. Every
+    API policy is scoped to project. This means that system scoped users
+    will get 403 permission denied error.
+
+    Also, the project reader role is ready to use. Users with reader role
+    can only perform the read-only operations within their project. This
+    role can be used for the audit purposes.
+
+    For the details on what changed from the existing policy, please refer
+    to the `RBAC new guidelines`_. We have implemented only phase-1 of the
+    `RBAC new guidelines`_.
+    Currently, scope checks and new defaults are disabled by default. You can
+    enable them by switching the below config option in ``glance.conf`` file::
+
+      [oslo_policy]
+      enforce_new_defaults=True
+      enforce_scope=True
+
+    We recommend to enable the both scope as well new defaults together
+    otherwise you may experience some late failures with unclear error
+    messages.
+
+    .. _`RBAC new guidelines`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1