neutron/releasenotes/notes/enable-enforce-scope-and-new-defaults-1f82a9eb71125f5d.yaml
Slawek Kaplonski 670cc383e0 [S-RBAC] Switch to new policies by default
As part of the Secure RBAC community goal, we should switch options
"enforce_new_defaults" and "enforce_scope" to be True by default.
It will still be possible to fall back to old policy rules by configuring
those config options to False in Neutron config.

Change-Id: I09c0026ccf87e6c0bb1fa59165c03dc508fba6fa
2023-04-21 16:22:42 +02:00

26 lines
1.0 KiB
YAML

---
upgrade:
  - |
    The Neutron service enables the API policies (RBAC) new defaults and scope
    by default. The default values of the config options
    ``[oslo_policy] enforce_scope`` and
    ``[oslo_policy] enforce_new_defaults`` have been changed
    to ``True``.

    This means that if you are using a system scope token to access the
    Neutron API, the request will fail with a 403 error code. Also, new
    defaults will be enforced by default. To learn about the new defaults of
    each policy rule, refer to the `Policy New Defaults`_. For more detail
    about the Neutron API policy changes, refer to `Policy Concepts`_.

    If you want to disable them, modify the values of the config options
    below in the ``neutron.conf`` file::

      [oslo_policy]
      enforce_new_defaults=False
      enforce_scope=False

    .. _`Policy New Defaults`: https://docs.openstack.org/neutron/latest/configuration/policy.html
    .. _`Policy Concepts`: https://docs.openstack.org/neutron/latest/contributor/internals/policy.html
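
An added example, not part of the Neutron repository: a small audit that reads the text of a ``neutron.conf`` and reports whether each of the two options is set explicitly or left at the new default of ``True`` described in the note above. The function names and the sample configuration are constructed for illustration, and the script assumes a release that includes this change.

```python
import configparser

# Defaults after this change, as stated in the release note (assumption:
# the audited deployment runs a release that contains it).
NEW_DEFAULTS = {"enforce_new_defaults": True, "enforce_scope": True}


def audit_oslo_policy(conf_text):
    """Return {option: (effective_value, source)} for the two S-RBAC switches."""
    # default_section is renamed so that [DEFAULT] values do not leak into
    # [oslo_policy]; oslo.config does not inherit options across groups.
    parser = configparser.ConfigParser(
        default_section="__unused__", strict=False, interpolation=None
    )
    parser.read_string(conf_text)
    result = {}
    for option, default in NEW_DEFAULTS.items():
        if parser.has_option("oslo_policy", option):
            value = parser.getboolean("oslo_policy", option)
            result[option] = (value, "explicit")
        else:
            result[option] = (default, "default")
    return result


def legacy_fallbacks(conf_text):
    """List the options that explicitly fall back to the old policy behaviour."""
    audit = audit_oslo_policy(conf_text)
    return sorted(opt for opt, (value, _) in audit.items() if not value)


# Constructed sample: scope enforcement disabled, new defaults left unset.
SAMPLE_CONF = """\
[DEFAULT]
core_plugin = ml2

[oslo_policy]
enforce_scope = False
"""

if __name__ == "__main__":
    for name, (value, source) in audit_oslo_policy(SAMPLE_CONF).items():
        print(f"[oslo_policy] {name} = {value} ({source})")
    print("legacy fallbacks:", legacy_fallbacks(SAMPLE_CONF))
```
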