948c9e02e3
Since 2023.1 (Anthelope) release Neutron have full support for the new default S-RBAC policies. We have CI job which is testing usage of Neutron with those new API policies currently [1]. In the 2023.2 cycle we are going to switch Neutron to use those new policies by default. [1] https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/867518 Co-authored-by: Brian Haley <haleyb.dev@gmail.com> Change-Id: I2a4f254745accb062582e9a28b14bced1186cc3e
17 lines
766 B
YAML
17 lines
766 B
YAML
---
|
|
features:
|
|
- |
|
|
Neutron now supports API policies with the new default roles
|
|
``project_member`` and ``project_reader``.
|
|
Role ``admin`` is working in the same way as with old policies.
|
|
upgrade:
|
|
- |
|
|
New default API policies are not enabled by default. A cloud operator can
|
|
enable them by setting ``oslo_policy/enforce_new_defaults`` to ``true`` in
|
|
the Neutron config file.
|
|
It is also possible to switch the ``oslo_policy/enforce_scope`` config
|
|
option to ``true`` but currently Neutron does not support any system scope
|
|
APIs. All Neutron API policies are currently project scoped so setting
|
|
``oslo_policy/enforce_scope`` to ``true`` will cause ``Forbidden`` responses
|
|
to any API calls made with the system scope token.
|