---
features:
  - |
    RESTful access to every API resource may now be controlled by adjusting
    policy settings. Defaults are set in code, and remain backwards compatible
    with the previously-included policy.json file.  Two new roles are checked
    by default, "baremetal_admin" and "baremetal_observer", though these may be
    replaced or overridden by configuration.  The "baremetal_observer" role
    grants read-only access to Ironic's API.
security:
  - |
    Previously, access to Ironic's REST API was "all or nothing".  With this
    release, it is now possible to restrict read and write access to API
    resources to specific cloud roles.
upgrade:
  - |
    During an upgrade, it is recommended that all deployers re-evaluate the
    settings in their ``/etc/ironic/policy.json`` file. This file should now be
    used only to override default configuration, such as by limiting access to
    the ironic service to specific tenants or restricting access to
    specific API endpoints. A ``policy.json.sample`` file is provided that
    lists all supported policies.