f9c1d1163d
After moving the nova APIs policy as per the new guidlines where system scoped token will be only allowed to access system level APIs and will not be allowed any operation on project level APIs. With that we do not need below base rules (who have hardcoded 'system_scope:all' check_str): - system_admin_api - system_reader_api - system_admin_or_owner - system_or_project_reader At this stage (phase-1 target), we allow below roles as targeted in phase-1 [1] 1. ADMIN(this is System Administrator with scope_type 'system' when scope enabled otherwise legacy admin) 2. PROJECT_ADMIN 3. PROJECT_MEMBER 4. PROJECT_READER & below one specific to nova 5. PROJECT_READER_OR_ADMIN (to allow system admin and project reader to list flavor extra specs) This complete the phase-1 of RBAC community-wide goal[2] for nova. Add release notes too. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operator [2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#yoga-timeline-7th-mar-2022 Partial implement blueprint policy-defaults-refresh-2 Change-Id: I075005d13ff6bfe048bbb21d80d71bf1602e4c02 |
||
|---|---|---|
| .. | ||
| config.rst | ||
| extra-specs.rst | ||
| index.rst | ||
| policy-concepts.rst | ||
| policy.rst | ||
| sample-config.rst | ||
| sample-policy.rst | ||