f7b0d1cba1
Based on the operator feedback, we have updated the RBAC community wide goal to drop the system scope from all the OpenStack services except Ironic and Keystone[1]. We are keeping scope_type in policy-in-code and every policy will be scoped to project whihc will help to return better error code (403) if system token is used to access the glance APIs (in case deployment having Ironic, Keystone using the scope checks). [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html Change-Id: Ie3174593454e35d23a3e2be439a9213bbfa1a89e
1.1 KiB
1.1 KiB