Merge "Support project personas in cinder"

Zuul 2021-09-24 16:13:30 +00:00 committed by Gerrit Code Review
commit 51941d3ba6
2 changed files with 18 additions and 0 deletions


@ -105,6 +105,14 @@ parameters:
type: string type: string
description: The password for the nova service and db account description: The password for the nova service and db account
hidden: true hidden: true
CinderPolicyEnforceNewDefaults:
default: false
description: Set to True to disable cinder's deprecated default policies.
Doing so causes cinder's default policies to enforce the
project based personas associated with secure RBAC. This
parameter will be deprecated in favor of a global EnforceSecureRbac
parameter after cinder adds support for system scoped policies.
type: boolean
outputs: outputs:
role_data: role_data:
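Review bot: The description of CinderPolicyEnforceNewDefaults explains what True does but not what the default of false leaves in force. The release note in this same change states that false keeps cinder's deprecated policies enabled, and the parameter description should say so too, since that is the text operators see in the template. The description also announces a planned deprecation in favor of a global EnforceSecureRbac parameter. Consider recording that as a tracked follow-up instead of only in the description text, so that the per-service switch does not outlive the global one unnoticed.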
@ -161,3 +169,4 @@ outputs:
cinder::nova::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} cinder::nova::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
cinder::nova::password: {get_param: NovaPassword} cinder::nova::password: {get_param: NovaPassword}
cinder::nova::region_name: {get_param: KeystoneRegion} cinder::nova::region_name: {get_param: KeystoneRegion}
cinder::policy::enforce_new_defaults: {get_param: CinderPolicyEnforceNewDefaults}
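Review bot: The new cinder::policy::enforce_new_defaults key is written unconditionally, so the default of false is passed explicitly into hieradata on every deployment, and nothing in this change shows which puppet-cinder version accepts that key. Please confirm the minimum puppet-cinder version (a dependency on the corresponding puppet change would make that visible). As a style point, the key is appended after the cinder::nova::* settings. Placing it next to any other cinder::policy::* settings in this map would make the authorization-related configuration easier to audit.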


@ -0,0 +1,9 @@
---
features:
- |
A new ``CinderPolicyEnforceNewDefaults`` parameter adds the ability to
disable Cinder's deprecated authorization policies. The default value
is False, which means Cinder's deprecated policies are enabled. Setting
the parameter to True disables the deprecated policies, which causes
Cinder to enforce the project-admin, project-member, and project-reader
RBAC personas. Support for system personas is planned for a future release.
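Review bot: The release note omits that the parameter is expected to be deprecated in favor of a global EnforceSecureRbac parameter, which the template description in this change does state. Operators who wire CinderPolicyEnforceNewDefaults into their environment files should learn that from the note as well. Because setting it to True changes which personas cinder's default policies enforce, consider adding a sentence that tells operators to check role assignments for the project-admin, project-member, and project-reader personas before enabling it.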