ironic-inspector/releasenotes/notes/policy-engine-c44828e3131e6c62.yaml

---
features:
  - |
    Adds an API access policy enforcement based on **oslo.policy** rules.
    Similar to other OpenStack services, operators now can configure
    fine-grained access policies using ``policy.yaml`` file. See
    `policy.yaml.sample`_ in the code tree for the list of available policies
    and their default rules. This file can also be generated from the code tree
    with the following command::

        tox -egenpolicy

    See the `oslo.policy package documentation`_ for more information
    on using and configuring API access policies.

    .. _policy.yaml.sample: https://git.openstack.org/cgit/openstack/ironic-inspector/plain/policy.yaml.sample
    .. _oslo.policy package documentation: https://docs.openstack.org/oslo.policy/latest/    
upgrade:
  - |
    Due to the choice of default values for API access policies rules,
    some API parts of the **ironic-inspector** service will become available
    to wider range of users after upgrade:

    - general access to the whole API is by default granted to a user
      with either ``admin``, ``administrator`` or ``baremetal_admin`` role
      (previously it allowed access only to a user with ``admin`` role)
    - listing of current introspection statuses and showing a given
      introspection is by default also allowed to a user with the
      ``baremetal_observer`` role

    If these access policies are not appropriate for your deployment, override
    them in a ``policy.json`` file in the **ironic-inspector** configuration
    directory (usually ``/etc/ironic-inspector``).

    See the `oslo.policy package documentation`_ for more information
    on using and configuring API access policies.

    .. _oslo.policy package documentation: https://docs.openstack.org/oslo.policy/latest/