policy: Add releasenote for RBAC work

Now that this feature is complete, we should document it. Do so with a release note. Change-Id: I69c4923463dea6f528d4fb98ac0d78b8b4cad12f Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2021-02-09 14:51:37 +00:00 · 2021-02-09 14:51:37 +00:00 · b2ecae242d
parent 94279af1e1
commit b2ecae242d
1 changed files with 61 additions and 0 deletions
--- a/releasenotes/notes/rbac-policy-support-94f84c29da81c331.yaml
+++ b/releasenotes/notes/rbac-policy-support-94f84c29da81c331.yaml
@ -0,0 +1,61 @@
+---
+features:
+  - |
+    The default policies provided by placement have been updated to add support
+    for read-only roles. This is part of a broader community effort to support
+    read-only roles and implement secure, consistent default policies.
+    Refer to `the Keystone documentation`__ for more information on the reason
+    for these changes.
+
+    Previously, all policies defaulted to ``rule:admin_api``, which mapped to
+    ``role:admin``. The following rules now default to
+    ``role:admin and system_scope:all`` instead:
+
+    - ``placement:allocation_candidates:list``
+    - ``placement:allocations:delete``
+    - ``placement:allocations:list``
+    - ``placement:allocations:manage``
+    - ``placement:allocations:update``
+    - ``placement:reshaper:reshape``
+    - ``placement:resource_classes:list``
+    - ``placement:resource_classes:create``
+    - ``placement:resource_classes:show``
+    - ``placement:resource_classes:update``
+    - ``placement:resource_classes:delete``
+    - ``placement:resource_providers:create``
+    - ``placement:resource_providers:delete``
+    - ``placement:resource_providers:list``
+    - ``placement:resource_providers:show``
+    - ``placement:resource_providers:update``
+    - ``placement:resource_providers:aggregates:list``
+    - ``placement:resource_providers:aggregates:update``
+    - ``placement:resource_providers:allocations:list``
+    - ``placement:resource_providers:inventories:create``
+    - ``placement:resource_providers:inventories:delete``
+    - ``placement:resource_providers:inventories:list``
+    - ``placement:resource_providers:inventories:show``
+    - ``placement:resource_providers:inventories:update``
+    - ``placement:resource_providers:traits:delete``
+    - ``placement:resource_providers:traits:list``
+    - ``placement:resource_providers:traits:update``
+    - ``placement:resource_providers:usages``
+    - ``placement:traits:list``
+    - ``placement:traits:show``
+    - ``placement:traits:update``
+    - ``placement:traits:delete``
+
+    The following rule now defaults to ``(role:reader and system_scope:all) or
+    role:reader and project_id:%(project_id)s`` instead:
+
+    - ``placement:usages``
+
+    More information on these policy defaults can be found in the
+    `documentation`__.
+
+    __ https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
+    __ https://docs.openstack.org/placement/latest/configuration/policy.html
+  - |
+    The default policy used for the ``/usages`` API, ``placement:usages``, has
+    been updated to allow project users to view information about resource
+    usage for their project, specified using the ``project_id`` query string
+    parameter. Previously this API was restricted to admins.