ironic/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml
Julia Kreger 67394c3cd4 Revise release notes for 17.0 release
Change-Id: I2799fb1634747cde451a787c567711dcdad2d688
2021-03-22 10:24:52 -07:00

33 lines
1.6 KiB
YAML

---
features:
- |
The Baremetal API, provided by the ``ironic-api`` process, now supports use of
``system`` scoped ``keystone`` authentication for the following endpoints:
nodes, ports, portgroups, chassis, drivers, driver vendor passthru,
volume targets, volume connectors, conductors, allocations, events,
deploy templates
upgrade:
- |
Deprecated policy rules are not expressed via a default policy file
generation from the source code. The generated default policy file
indicates the new default policies with notes on the deprecation
to which ``oslo.policy`` falls back to, until the
``[oslo_policy]enforce_scope`` and ``[oslo_policy]enforce_new_defaults``
have been set to ``True``.
Please see the `Victoria policy configuration <https://docs.openstack.org/ironic/victoria/configuration/policy.html>`_
documentation to reference prior policy configuration.
- |
Operators are encouraged to move to ``system`` scope based authentication
by setting ``[oslo_policy]enforce_scope`` and
``[oslo_policy]enforce_new_defaults``. This requires a migration from
using an ``admin project`` with the ``baremetal_admin`` and
``baremetal_observer``. System wide administrators using ``system``
scoped ``admin`` and ``reader`` accounts superceed the deprecated
model.
deprecations:
- |
Use of an ``admin project`` with ironic is deprecated. With this the
custom roles, ``baremetal_admin`` and ``baremetal_observer`` are also
deprecated. Please migrate to using a ``system`` scoped account with the
``admin`` and ``reader`` roles, respectively.