3a0eaa1ffe
This is a preparatory step to add access-control for read-level
access to the API and web UI. Because we will likely end up with
tenant config that looks like:
- tenant:
name: example
admin-rules: ['my-admin-rule']
access-rules: ['my-read-only-rule']
It does not make sense for 'my-read-only-rule' to be defined as:
- admin-rule:
name: read-only-rule
In other words, the current nomenclature conflates (new word:
nomenconflature) the idea of an abstract authorization rule and
what it authorizes. The new name makes it more clear than an
authorization-rule can be used to authorize more than just admin
access.
Change-Id: I44da8060a804bc789720bd207c34d802a52b6975
25 lines
798 B
YAML
25 lines
798 B
YAML
---
|
|
upgrade:
|
|
- |
|
|
In preparation for expanded access control features in the web
|
|
interface, and REST API, the ``admin-rule`` tenant configuration
|
|
object has been renamed to ``authorization-rule``. When applied
|
|
to a tenant, the tenant attribute is still ``admin-rules`` since
|
|
it determines admin access to that tenant. This change will allow
|
|
similar rules to be applied to non-admin level access in the
|
|
future.
|
|
|
|
Tenant configs should now follow this example:
|
|
|
|
.. code-block:: yaml
|
|
|
|
- authorization-rule:
|
|
name: example-rule
|
|
- tenant:
|
|
name: example-tenant
|
|
admin-rules:
|
|
- example-rule
|
|
|
|
The old form is still permitted for backwards compatability, but
|
|
will be removed in a later version of Zuul.
|