openstack/manila
Code Issues Proposed changes
03c0d21ca1
manila/releasenotes/notes/new-secure-rbac-defaults-in-wallaby-13c0583afdfcfcc7.yaml
Goutham Pacha Ravi 7a99c6a181 Add release note for secure rbac work 
Call out the feature and its impact.

Change-Id: I3062950e7b9c5b7d93a8332b65881f83226cda4e
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-26 15:21:34 +00:00

36 lines
2.2 KiB
YAML
Raw Blame History

---
prelude: >
The default check strings of all manila API RBAC policies have been
updated to support default roles and system-scope from the OpenStack
Identity Service (Keystone). This includes support for project member,
project reader, project administrator user roles as well as system
member, system reader and system administrator roles. A manila "admin"
persona is eventually expected to transition to the system scoped
"admin" persona and some isolated project administrator privileges (like
force-deleting a resource, resyncing a share replica or resetting state
of a resource) are retained to an admin user operating within the scope
of a project. Do read further impact in the ``upgrade`` section of these
notes.
upgrade:
- |
During the Wallaby release, API RBAC policies have new defaults, however,
all old behavior is preserved as is, and the new defaults are not enabled.
We encourage operators to generate the default policies via
``oslopolicy-sample-generator --namespace manila`` and compare them with
any overrides you may currently have. These new default rules may
enable you to remove matching overrides and reduce your policy
maintenance burden. Refer to `the document on Service API protection
<https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_
from the OpenStack Identity Service to understand roles, scopes,
user personas and the motivation behind these changes. To be able to use
systems scoped personas, you will need to enable the ``enforce_scope``
configuration option in the ``[oslo_policy]`` section of manila.conf. To
enforce the new defaults, the configuration option
``enforce_new_defaults`` must be enabled from the ``[oslo_policy]``
section of manila.conf. We do not advise enabling the new defaults in
production deployments yet. The manila developer community is actively
adding test coverage and we aim to backport fixes to the Wallaby release
and update code when we find any deficiencies. Refer to the future service
release notes and the administrator documentation to keep abreast of the
changes and the progress with these new defaults.
View Git Blame Copy Permalink