--- features: - | The Tacker v1 API policies implemented the SRBAC project personas with new default roles (``admin``, ``member``, and ``reader``) provided by keystone. Also, v1 API policies are scoped to ``project``. upgrade: - | Tacker v1 API policies defaults have been changed to SRBAC new defaults roles (``admin``, ``member``, and ``reader``) and scoped to ``project``. Legacy ``admin`` is unchanged instead project reader role is introduced. The old defaults are deprecated but they are still supported and enabled by defaults. In future release, new defaults will be enabled by defaults and old defaults will be removed. Please refer `Policy Concepts`_ and `SRBAC Project Personas`_ for detail about policy new defaults and migration plan. * **New Defaults(Admin, Member and Reader)** Policies are default to Admin, Member and Reader roles. Old roles are also supported. You can switch to new defaults by setting the config option ``[oslo_policy]enforce_new_defaults`` to True in ``tacker.conf`` file. * **Scope** Each policy is protected with appropriate ``scope_type``. API policies are scoped to ``project`` only which mean no change in current access level but it will give better error message if system user try to access Tacker APIs. The scope checks are disabled by default and you can enable them by setting the config option ``[oslo_policy]enforce_scope`` to True in ``tacker.conf`` file. To know the new defaults, please refer the `Policy Reference`_ doc. This feature is disabled by default can be enabled via config option deprecations: - | Tacker v1 APIs policies old defaults are deprecated and will be removed in future release. .. _SRBAC Project Personas: https://specs.openstack.org/openstack/tacker-specs/specs/2023.1/srbac-implement-project-personas.html .. _Policy Reference: https://docs.openstack.org/tacker/latest/configuration/policy.html .. _Policy Concepts: https://docs.openstack.org/tacker/latest/configuration/index.html#policy