From 121aa3d25852660827d8263fd8650f72f2e37d5f Mon Sep 17 00:00:00 2001
From: Bartosz Bezak
Date: Tue, 6 Feb 2024 14:38:21 +0100
Subject: [PATCH] Ironic: enable elevated access for project scoped service role

Ironic recently started to enforce new policies and scope [1]. And Ironic is one of the sole openstack project which need system scope for some admin related api calls [2]. However Ironic also started to allow project-scope behaviour for service role with setting ``rbac_service_role_elevated_access``[3] [4]. This change enables this setting to get similar behaviour of service role as other openstack projects.
[1] https://review.opendev.org/c/openstack/ironic/+/902009
[2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst?display=source#L261
[3] https://review.opendev.org/c/openstack/ironic/+/907148
[4] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/releasenotes/notes/service-project-service-role-fix-e4d1a8c23856926a.yaml
Related-Bug: #2051837
Change-Id: If8d7cf1663145d0398a2e936486e2b316d4df5e0
---
 ansible/roles/ironic/templates/ironic.conf.j2 | 2 ++
 .../notes/ironic-rbac-elevated-6804dab4061ab236.yaml | 12 ++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 releasenotes/notes/ironic-rbac-elevated-6804dab4061ab236.yaml

diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
index 9f0dc42c2d..109f917ee2 100644
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -18,6 +18,8 @@ my_ip = {{ api_interface_address }}
 notification_level = info
 {% endif %}
+rbac_service_role_elevated_access = True
+
 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}
 {% if ironic_enabled_notification_topics or enable_ironic_prometheus_exporter | bool %}
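Review bot: The added `rbac_service_role_elevated_access = True` is an unconditional literal with no comment, so every deployment rendered from this template widens what the Keystone service role may do in Ironic. Going by the commit description, a project-scoped service account can then make calls that otherwise need system scope, which raises the impact of a leaked service credential. I would drive it from a role default so operators can opt out without a config override, e.g. `rbac_service_role_elevated_access = {{ ironic_rbac_service_role_elevated_access | bool }}` (the variable name is a suggestion, not an existing kolla-ansible variable), and add a Jinja comment such as `{# lets service-role accounts in the service project act beyond their own project in Ironic #}`. The section this line lands in starts above the hunk, so confirm it is still inside `[DEFAULT]`. The release note in the second hunk files the change under `features`; an `upgrade` or `security` entry would make the privilege change easier to spot.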
diff --git a/releasenotes/notes/ironic-rbac-elevated-6804dab4061ab236.yaml b/releasenotes/notes/ironic-rbac-elevated-6804dab4061ab236.yaml
new file mode 100644
index 0000000000..7a34074aa1
--- /dev/null
+++ b/releasenotes/notes/ironic-rbac-elevated-6804dab4061ab236.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Enable elevated access for project scoped service role
+ in Ironic. Ironic recently started to enforce new policies
+ and scope. And Ironic is one of the sole openstack project
+ which need system scope for some admin related api calls.
+ However Ironic also started to allow project-scope behaviour
+ for service role with setting
+ ``rbac_service_role_elevated_access``. This change enables
+ this setting to get similar behaviour of service role as other
+ openstack projects.