d97af33c06
As discussed in PTG, we need to test the new RBAC in the integrated gate and accordingly enable the new defaults and scope check by default. A new integrated testing job has been added and results show that the new defaults and scope checks are working fine. During testing, we found a few bugs in neutron policies but all are fixed now. enforce_scope and enforce_new_defaults are oslo policy config options but they are per service level and the default value can be overridden. Oslo policy 3.11.0 version allows to override the default value for these config options[1] so upgrading the oslo policy version in requirements.txt Depends-On: https://review.opendev.org/c/openstack/devstack/+/869781 Depends-On: https://review.opendev.org/c/openstack/placement/+/869525 [1] https://github.com/openstack/oslo.policy/blob/3.11.0/oslo_policy/opts.py#L125 Change-Id: I977b2daedf880229c8d364ca011f2ea965b86e3a
24 lines
1013 B
YAML
24 lines
1013 B
YAML
---
|
|
upgrade:
|
|
- |
|
|
The Nova service enable the API policies (RBAC) new defaults and scope by
|
|
default. The Default value of config options ``[oslo_policy] enforce_scope``
|
|
and ``[oslo_policy] oslo_policy.enforce_new_defaults`` have been changed
|
|
to ``True``.
|
|
|
|
This means if you are using system scope token to access Nova API then
|
|
the request will be failed with 403 error code. Also, new defaults will be
|
|
enforced by default. To know about the new defaults of each policy
|
|
rule, refer to the `Policy New Defaults`_. For more detail about the Nova
|
|
API policies changes, refer to `Policy Concepts`_.
|
|
|
|
If you want to disable them then modify the below config options value in
|
|
``nova.conf`` file::
|
|
|
|
[oslo_policy]
|
|
enforce_new_defaults=False
|
|
enforce_scope=False
|
|
|
|
.. _`Policy New Defaults`: https://docs.openstack.org/nova/latest/configuration/policy.html
|
|
.. _`Policy Concepts`: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
|