Merge "Deprecate `show_multiple_locations` option"

This commit is contained in:
Jenkins 2016-08-30 18:22:04 +00:00 committed by Gerrit Code Review
commit 797a12361f
2 changed files with 36 additions and 1 deletions

View File

@ -159,7 +159,16 @@ Related options:
'in image properties. Revealing storage location can '
'be a security risk, so use this setting with '
'caution!')),
cfg.BoolOpt('show_multiple_locations', default=False,
# NOTE(flaper87): The policy.json file should be updated and the locaiton
# related rules set to admin only once this option is finally removed.
cfg.BoolOpt('show_multiple_locations',
default=False, deprecated_for_removal=True,
deprecated_reason=_('This option will be removed in the Ocata '
'release because the same functionality '
'can be achieved with greater granularity '
'by using policies. Please see the Newton '
'release notes for more information.'),
deprecated_since='Newton',
help=_('Whether to include the backend image locations '
'in image properties. '
'For example, if using the file system store a URL of '

View File

@ -0,0 +1,26 @@
---
prelude: >
Deprecate the ``show_multiple_locations`` configuration
option in favor of the existing Role Based Access
Control (RBAC) for Image locations which uses
``policy.json`` file to define the appropriate rules.
Maintaining two different ways to configure, enable
and/or disable a feature is painful for developers and
operators, so the less granular means of controlling
this feature will be eliminated in the **Ocata**
release. Please read upgrade section for more details.
upgrade:
- For the Newton release, this option will still be
honored. However, it is important to update
``policy.json`` file for glance-api nodes. In
particular, please consider updating the policies
``delete_image_location``, ``get_image_location`` and
``set_image_location`` as per your requirements. As this
is an advanced option and prone to expose some risks,
please check the policies to ensure security and privacy
of your cloud.
- Future releases will ignore this option and just
follow the policy rules. It is recommended that this
option is disabled for public endpoints and is being
only used internally for service-to-service
communication.