f7b0d1cba1
Based on the operator feedback, we have updated the RBAC community-wide goal to drop the system scope from all the OpenStack services except Ironic and Keystone[1]. We are keeping scope_type in policy-in-code and every policy will be scoped to project, which will help to return a better error code (403) if a system token is used to access the Glance APIs (in case the deployment has Ironic, Keystone using the scope checks).

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: Ie3174593454e35d23a3e2be439a9213bbfa1a89e
27 lines
1.1 KiB
YAML
---
features:
  - |
    The Glance policies have been modified to drop the system scope. Every
    API policy is scoped to project. This means that system scoped users
    will get a 403 permission denied error.

    Also, the project reader role is ready to use. Users with the reader role
    can only perform read-only operations within their project. This
    role can be used for audit purposes.

    For the details on what changed from the existing policy, please refer
    to the `RBAC new guidelines`_. We have implemented only phase-1 of the
    `RBAC new guidelines`_.

    Currently, scope checks and new defaults are disabled by default. You can
    enable them by setting the config options below in the ``glance.conf`` file::

      [oslo_policy]
      enforce_new_defaults=True
      enforce_scope=True

    We recommend enabling both scope checks and new defaults together;
    otherwise you may experience late failures with unclear error
    messages.

    .. _`RBAC new guidelines`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
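The release note describes two independent switches: ``enforce_scope`` decides whether a system-scoped token is rejected against project-scoped rules, and ``enforce_new_defaults`` decides whether the reader/member role split is applied. The following added example is not Glance or oslo.policy code; it is a constructed model that parses the ``[oslo_policy]`` snippet from the note and walks a few token contexts through a three-entry policy table (``get_image``, ``add_image``, ``delete_image`` with made-up role sets) to show which combinations yield 403. The "old default admits any authenticated user" rule and the ``Context`` class are simplifying assumptions, not the real Glance defaults.

```python
import configparser
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample of the [oslo_policy] section quoted in the release note.
GLANCE_CONF = """\
[oslo_policy]
enforce_new_defaults=True
enforce_scope=True
"""

# Constructed policy table (assumption, not Glance's real policy-in-code):
# every rule is project-scoped, reads admit the project reader role,
# writes require project member or admin.
POLICIES: Dict[str, dict] = {
    "get_image":    {"scope_types": ["project"], "new_default": {"reader", "member", "admin"}},
    "add_image":    {"scope_types": ["project"], "new_default": {"member", "admin"}},
    "delete_image": {"scope_types": ["project"], "new_default": {"member", "admin"}},
}


@dataclass
class Context:
    """Subset of a Keystone token: roles plus either a project or a system scope."""
    roles: Set[str]
    project_id: Optional[str] = None
    system_scope: Optional[str] = None  # "all" on a system-scoped token

    @property
    def scope(self) -> str:
        return "system" if self.system_scope else "project"


def load_flags(conf_text: str) -> Tuple[bool, bool]:
    """Return (enforce_scope, enforce_new_defaults); both off when unset,
    matching the 'disabled by default' statement in the release note."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return (cp.getboolean("oslo_policy", "enforce_scope", fallback=False),
            cp.getboolean("oslo_policy", "enforce_new_defaults", fallback=False))


def enforce(action: str, ctx: Context,
            enforce_scope: bool, enforce_new_defaults: bool) -> int:
    """Return the HTTP status the API would answer with for this request."""
    policy = POLICIES[action]
    # Scope check: a system token presented to a project-scoped rule.
    if ctx.scope not in policy["scope_types"]:
        if enforce_scope:
            return 403  # scope violation is rejected outright
        # Scope checks off: the mismatch is only logged and evaluation continues,
        # which is the "late failure with unclear error" path the note warns about.
    # Role check against the new defaults.
    if ctx.roles & policy["new_default"]:
        return 200
    # Simplifying assumption: the old default admits any authenticated user,
    # and with new defaults off the old rule is still honoured.
    if not enforce_new_defaults and ctx.roles:
        return 200
    return 403


def demo() -> Dict[str, int]:
    """Run a handful of constructed requests with the flags from GLANCE_CONF."""
    enforce_scope, enforce_new_defaults = load_flags(GLANCE_CONF)
    system_admin = Context(roles={"admin"}, system_scope="all")
    project_reader = Context(roles={"reader"}, project_id="p1")
    project_member = Context(roles={"member"}, project_id="p1")
    return {
        "system_get": enforce("get_image", system_admin, enforce_scope, enforce_new_defaults),
        "reader_get": enforce("get_image", project_reader, enforce_scope, enforce_new_defaults),
        "reader_delete": enforce("delete_image", project_reader, enforce_scope, enforce_new_defaults),
        "member_delete": enforce("delete_image", project_member, enforce_scope, enforce_new_defaults),
        # Same system token with both switches left at their defaults.
        "system_get_scope_off": enforce("get_image", system_admin, False, False),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

With both options on, the system-scoped admin gets 403 on a read, the project reader gets 200 on a read and 403 on a delete, and the project member gets 200 on the delete; with both options off the same system token is silently admitted, which is why the note recommends turning the two switches on together.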