ironic/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml

---
features:
  - |
    The Baremetal API, provided by the ``ironic-api`` process, now supports use of
    ``system`` scoped ``keystone`` authentication for the following endpoints:
    nodes, ports, portgroups, chassis, drivers, driver vendor passthru,
    volume targets, volume connectors, conductors, allocations, events,
    deploy templates    
upgrade:
  - |
    Deprecated policy rules are not expressed via a default policy file
    generation from the source code. The generated default policy file
    indicates the new default policies with notes on the deprecation
    to which ``oslo.policy`` falls back to, until the
    ``[oslo_policy]enforce_scope`` and ``[oslo_policy]enforce_new_defaults``
    have been set to ``True``.
    Please see the `Victoria policy configuration <https://docs.openstack.org/ironic/victoria/configuration/policy.html>`_
    documentation to reference prior policy configuration.    
  - |
    Operators are encouraged to move to ``system`` scope based authentication
    by setting ``[oslo_policy]enforce_scope`` and
    ``[oslo_policy]enforce_new_defaults``. This requires a migration from
    using an ``admin project`` with the ``baremetal_admin`` and
    ``baremetal_observer``. System wide administrators using ``system``
    scoped ``admin`` and ``reader`` accounts supersede the deprecated
    model.    
deprecations:
  - |
    Use of an ``admin project`` with ironic is deprecated. With this the
    custom roles, ``baremetal_admin`` and ``baremetal_observer`` are also
    deprecated. Please migrate to using a ``system`` scoped account with the
    ``admin`` and ``reader`` roles, respectively.