670cc383e0
As part of the Secure RBAC community goal, we should switch options "enforce_new_defaults" and "enforce_scope" to be True by default. It will be still possible to fallback to old policy rules by configuring those config options to False in Neutron config. Change-Id: I09c0026ccf87e6c0bb1fa59165c03dc508fba6fa
26 lines
1.0 KiB
YAML
26 lines
1.0 KiB
YAML
---
|
|
upgrade:
|
|
- |
|
|
The Neutron service enable the API policies (RBAC) new defaults and scope
|
|
by default. The Default value of config options
|
|
``[oslo_policy] enforce_scope`` and
|
|
``[oslo_policy] oslo_policy.enforce_new_defaults`` have been changed
|
|
to ``True``.
|
|
|
|
This means if you are using system scope token to access Neutron API then
|
|
the request will be failed with 403 error code. Also, new defaults will be
|
|
enforced by default. To know about the new defaults of each policy
|
|
rule, refer to the `Policy New Defaults`_. For more detail about
|
|
the Neutron API policies changes, refer to `Policy Concepts`_.
|
|
|
|
If you want to disable them then modify the below config options value in
|
|
``neutron.conf`` file::
|
|
|
|
[oslo_policy]
|
|
enforce_new_defaults=False
|
|
enforce_scope=False
|
|
|
|
.. _`Policy New Defaults`: https://docs.openstack.org/neutron/latest/configuration/policy.html
|
|
.. _`Policy Concepts`: https://docs.openstack.org/neutron/latest/contributor/internals/policy.html
|
|
|