36 lines
1.5 KiB
YAML
36 lines
1.5 KiB
YAML
---
|
|
features:
|
|
- |
|
|
Added an API access policy enforcment (based on oslo.policy rules).
|
|
Similar to other OpenStack services, operators now can configure
|
|
fine-grained access policies using ``policy.yaml`` file.
|
|
See example ``policy.yaml.sample`` file included in the code tree
|
|
for the list of available policies and their default rules.
|
|
This file can also be generated from the code tree
|
|
with ``tox -egenpolicy`` command.
|
|
|
|
See ``oslo.policy`` package documentation for more information
|
|
on using and configuring API access policies.
|
|
|
|
upgrade:
|
|
- |
|
|
Due to the choice of default values for API access policies rules,
|
|
some API parts of the ironic-inspector service will become available
|
|
to wider range of users after upgrade:
|
|
|
|
- general access to the whole API is by default granted to a user
|
|
with either ``admin``, ``administrator`` or ``baremetal_admin``
|
|
role (previously it allowed access only to a user with ``admin``
|
|
role)
|
|
- listing of current introspections and showing a given
|
|
introspection is by default also allowed to the user with the
|
|
``baremetal_observer`` role
|
|
|
|
If these access policies are not suiting a given deployment before
|
|
upgrade, operator will have to create a ``policy.json`` file
|
|
in the inspector configuration folder (usually ``/etc/inspector``)
|
|
that redefines the API rules as required.
|
|
|
|
See ``oslo.policy`` package documentation for more information
|
|
on using and configuring API access policies.
|