From f0a23fb1bf307ff291bd583b19e7d8afdcb1ede7 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Wed, 12 Apr 2023 14:42:59 -0500 Subject: [PATCH] Correct the old deprecated policies removal timeline for SLURP release In vPTG (bobcat), we discussed about removal of old deprecated rules and we should have at least one SLURP release between we enable the new defaults by default and remove the old rules. For example, if new rules are enabled in B(non SLURP) then removal should not be done in C (SLURP) so that SLURP upgrade can notice the new rules enable for at least one SLURP release. - https://etherpad.opendev.org/p/rbac-2023.2-ptg#L36 Change-Id: I2cc408c4c7b8b147217b2f11697d36e58017db91 --- goals/selected/consistent-and-secure-rbac.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/goals/selected/consistent-and-secure-rbac.rst b/goals/selected/consistent-and-secure-rbac.rst index b213b99de..3608744e7 100644 --- a/goals/selected/consistent-and-secure-rbac.rst +++ b/goals/selected/consistent-and-secure-rbac.rst @@ -802,8 +802,11 @@ of project-member. ^^^^^^^^^^^^^^^^^^^^^^^ #. Any service that implemented `Phase 1`_ in 2023.1 and enabled - ``enforce_secure_defaults`` in 2023.2 release can remove deprecated policies - used to implement `Phase 1`_. + ``enforce_secure_defaults`` in the 2023.2 release (non SLURP) needs to + keep the old deprecated policies for the 2024.1 release (SLURP) also and + can remove them after that. The Idea here is to have at least one SLURP + release between the point when the new defaults are enabled and the + old policies are removed. #. Remove the oslo.policy ``enforce_scope`` config flag