ironic/releasenotes/notes/implement-policy-in-code-cbb0216ef5f8224f.yaml
Jim Rollenhagen 0fe585ac7c Clean up release notes for 6.1.0
This corrects some typos, some grammar, and makes formatting of notes
generally more consistent.

Change-Id: Ic6b48a1877a9b142a4dd1df2ae22342eef99bc76
2016-08-10 14:02:42 -04:00

23 lines
1.1 KiB
YAML

---
features:
- |
RESTful access to every API resource may now be controlled by adjusting
policy settings. Defaults are set in code, and remain backwards compatible
with the previously-included policy.json file. Two new roles are checked
by default, "baremetal_admin" and "baremetal_observer", though these may be
replaced or overridden by configuration. The "baremetal_observer" role
grants read-only access to Ironic's API.
security:
- |
Previously, access to Ironic's REST API was "all or nothing". With this
release, it is now possible to restrict read and write access to API
resources to specific cloud roles.
upgrade:
- |
During an upgrade, it is recommended that all deployers re-evaluate the
settings in their ``/etc/ironic/policy.json`` file. This file should now be
used only to override default configuration, such as by limiting access to
the ironic service to specific tenants or restricting access to
specific API endpoints. A ``policy.json.sample`` file is provided that
lists all supported policies.