manila/releasenotes/notes/zed-secure-rbac-direction-change-2329bbf442b9a2da.yaml
Goutham Pacha Ravi 755a150318 [RBAC] Retain legacy admin behaviour
The cross project effort around establishing
secure default RBAC policies has transformed over
the last release reacting to operator feedback.
The intended change to use system scope breaks
established workflows and requires a large effort
to transition deployments:

- https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC
- https://etherpad.opendev.org/p/rbac-operator-feedback

So for now, all services are going to revert to
only supporting project scoped users by default.
This allows a legacy admin behavior to continue
working as intended; and does not prevent operators
overriding these defaults and using system scoped
personas.

https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
Change-Id: I5d3c1041738214ec8382edfd5494c10ff0be351a
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2022-09-15 15:35:48 +00:00


---
prelude: >
  RBAC defaults of all Shared File System service (manila) APIs have been
  updated to remove "system" scope personas. This is being done in concert
  with other OpenStack services, and in reaction to operator feedback that
  the use of system "scope" introduces backwards incompatibility in existing
  workflows. The new defaults support the use of "scope"; however, no RBAC
  rule by default includes "system" scope. At this time, we do not recommend
  the use of system scoped personas to interact with the Shared File
  Systems service (manila) APIs since it is largely untested. The "reader"
  role from the OpenStack Identity service (keystone) is fully supported
  with this release. Currently, these new "defaults" are available as
  "opt-in" only to prevent breaking existing deployments. To enforce default
  RBAC rules, set ``[oslo_policy]/enforce_new_defaults`` to True in your
  deployment. This option will be set to True by default in a future
  release. See `the OpenStack TC Secure RBAC goal
  <https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html>`_
  for more information regarding these changes.
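As an added example, not part of this commit or of manila's own configuration files, here is a manila.conf fragment that opts a deployment into the new project-scoped defaults the release note describes while leaving scope enforcement off, since no default rule accepts system scope and the note calls system-scoped personas untested. The file path and the commented-out legacy value are assumptions for illustration.

```ini
# /etc/manila/manila.conf (path assumed; adjust for your deployment)
[oslo_policy]

# Legacy behaviour: the deprecated, more permissive rules remain in force
# and the new project-scoped defaults are not enforced. This is the implicit
# value of enforce_new_defaults in this release, shown only for contrast.
#enforce_new_defaults = False

# Opt in to the new defaults. Any caller that relied on a deprecated rule
# being looser than its replacement will start receiving HTTP 403, so review
# the rendered defaults and any policy.yaml overrides before enabling this.
enforce_new_defaults = True

# Keep scope enforcement off. With enforce_scope = False, oslo.policy only
# warns on a token whose scope does not match the rule's scope_types instead
# of rejecting it; role and project checks in the defaults still apply. Since
# the new manila defaults carry no "system" scope_types, enabling this would
# not add a tested persona, it would only widen the blast radius of mistakes.
enforce_scope = False

# To inspect the defaults that will be enforced, render them with oslo.policy's
# generator (real CLI; output file name is an assumption):
#   oslopolicy-sample-generator --namespace manila --output-file policy.yaml.sample
```

Operators who wish to experiment with system-scoped personas, as the commit message allows, would add their own overrides in policy.yaml rather than rely on these defaults.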