openstack/placement
Code Issues Proposed changes
Files
1628b6c55617e3dc2efb1b48f8bd32fa5f39ff59
placement/releasenotes/notes/rbac-policy-support-94f84c29da81c331.yaml
Stephen Finucane b2ecae242d policy: Add releasenote for RBAC work 
Now that this feature is complete, we should document it. Do so with a
release note.

Change-Id: I69c4923463dea6f528d4fb98ac0d78b8b4cad12f
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2021-02-10 11:10:06 +00:00

62 lines
2.7 KiB
YAML
Raw Blame History

---
features:
- |
The default policies provided by placement have been updated to add support
for read-only roles. This is part of a broader community effort to support
read-only roles and implement secure, consistent default policies.
Refer to `the Keystone documentation`__ for more information on the reason
for these changes.
Previously, all policies defaulted to ``rule:admin_api``, which mapped to
``role:admin``. The following rules now default to
``role:admin and system_scope:all`` instead:
- ``placement:allocation_candidates:list``
- ``placement:allocations:delete``
- ``placement:allocations:list``
- ``placement:allocations:manage``
- ``placement:allocations:update``
- ``placement:reshaper:reshape``
- ``placement:resource_classes:list``
- ``placement:resource_classes:create``
- ``placement:resource_classes:show``
- ``placement:resource_classes:update``
- ``placement:resource_classes:delete``
- ``placement:resource_providers:create``
- ``placement:resource_providers:delete``
- ``placement:resource_providers:list``
- ``placement:resource_providers:show``
- ``placement:resource_providers:update``
- ``placement:resource_providers:aggregates:list``
- ``placement:resource_providers:aggregates:update``
- ``placement:resource_providers:allocations:list``
- ``placement:resource_providers:inventories:create``
- ``placement:resource_providers:inventories:delete``
- ``placement:resource_providers:inventories:list``
- ``placement:resource_providers:inventories:show``
- ``placement:resource_providers:inventories:update``
- ``placement:resource_providers:traits:delete``
- ``placement:resource_providers:traits:list``
- ``placement:resource_providers:traits:update``
- ``placement:resource_providers:usages``
- ``placement:traits:list``
- ``placement:traits:show``
- ``placement:traits:update``
- ``placement:traits:delete``
The following rule now defaults to ``(role:reader and system_scope:all) or
role:reader and project_id:%(project_id)s`` instead:
- ``placement:usages``
More information on these policy defaults can be found in the
`documentation`__.
__ https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
__ https://docs.openstack.org/placement/latest/configuration/policy.html
- |
The default policy used for the ``/usages`` API, ``placement:usages``, has
been updated to allow project users to view information about resource
usage for their project, specified using the ``project_id`` query string
parameter. Previously this API was restricted to admins.
View Git Blame Copy Permalink