8ccdecc7d1
As we are moving to the new S-RBAC policies, we want to use "service" role for all service to service communication. See [1] for details. This require from Context class property similar to old "is_advsvc" but with new naming convention and using new policy rule. This patch adds this new property together with all required policies and rules. For now "ContextBase.is_advsvc" property will return True if one of the advsvc OR service_role will be True to make it working in the same way with both old and new policies but once we will get rid of the old policies we should also remove is_advsvc property from the ContextBase class. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2 Change-Id: Ic401db8b4e2745234e61fe2c05afd5b4ab719a03
12 lines
446 B
YAML
12 lines
446 B
YAML
---
|
|
features:
|
|
- |
|
|
New attribute ``is_service_role`` is added to the
|
|
``neutron_lib.context.ContextBase`` class. This attribute indicates if the
|
|
context belongs to the service user which is used in the new secure RBAC
|
|
policies for service to service communication.
|
|
deprecations:
|
|
- |
|
|
Atrribute ``is_advscv`` from the ``neutron_lib.context.ContextBase`` class
|
|
is deprecated and ``is_service_role`` should be used instead.
|