From 83467b8c68607d2f7551eaf283a354e1b0bb27fa Mon Sep 17 00:00:00 2001 From: Andrew Laski Date: Tue, 15 Mar 2016 11:56:08 -0400 Subject: [PATCH] Add release note for policy sample file update The sample policy file was updated recently and this releasenote explains the changes for operators. A more narrowly scoped releasenote for a previous change along similar lines has been removed since it is covered under this note. Change-Id: I11bde778e9fe1f3a70d9fac213b40f05f07e7e47 --- .../notes/lock_policy-75bea372036acbd5.yaml | 6 ------ ...sample-defaults-changed-b5eea1daeb305251.yaml | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 6 deletions(-) delete mode 100644 releasenotes/notes/lock_policy-75bea372036acbd5.yaml create mode 100644 releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml diff --git a/releasenotes/notes/lock_policy-75bea372036acbd5.yaml b/releasenotes/notes/lock_policy-75bea372036acbd5.yaml deleted file mode 100644 index 3b9cf99913c3..000000000000 --- a/releasenotes/notes/lock_policy-75bea372036acbd5.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -upgrade: - - Default RBAC policy for lock operations has been modified to - admin_or_owner for the stable V2.0 API. Please understand to modify the - policy if you still keep to have anyone to lock an instance and you're - still using the stable API endpoint. diff --git a/releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml b/releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml new file mode 100644 index 000000000000..8b7e53f936b5 --- /dev/null +++ b/releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml 
@@ -0,0 +1,16 @@ +--- +other: + + - The sample policy file shipped with Nova contained many policies set to + ""(allow all) which was not the proper default for many of those checks. It + was also a source of confusion as some people thought "" meant to use the + default rule. These empty policies have been updated to be explicit in all + cases. + + Many of them were changed to match the default rule of "admin_or_owner" + which is a more restrictive policy check but does not change the + restrictiveness of the API calls overall because there are similar checks + in the database already. + + This does not affect any existing deployment, just the sample file included + for use by new deployments.
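Review bot: In the deletion of releasenotes/notes/lock_policy-75bea372036acbd5.yaml, the removed entry sat under `upgrade:` and named the lock operations and the stable V2.0 API explicitly, while the note that replaces it is filed under `other:` and mentions neither. An operator who reads only the upgrade section, or who searches the notes for "lock", will no longer find this change. Either keep a one-line pointer under `upgrade:` or name the lock policy in the new note. Please also confirm that the lock change was limited to the sample file. If it was not, the new note's statement that "This does not affect any existing deployment" would not cover it.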
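Review bot: In policy-sample-defaults-changed-b5eea1daeb305251.yaml, the closing paragraph says existing deployments are not affected but gives no guidance for deployments whose policy file was copied from the old sample. Those files still contain the "" (allow all) entries that the first paragraph calls the wrong default. Suggest adding a sentence asking operators to review their deployed policy file for "" rules and make them explicit. The second paragraph says "Many of them" were changed to "admin_or_owner" without saying what the remaining policies were set to, and the phrase "similar checks in the database already" does not tell the reader which checks are meant, so a pointer to the updated sample file would help. Minor: `""(allow all)` is missing a space before the parenthesis.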