From 625f203610f17f2b968e5f78a46d398953637174 Mon Sep 17 00:00:00 2001 From: Matt Riedemann Date: Tue, 27 Sep 2016 17:55:08 -0400 Subject: [PATCH] Update newton release notes for default API policy We need to update an older release note for newton that talks about the sample policy file shipped with newton which is a bit confusing after we moved the policy defaults into code and make the sample empty. This also adds a new release note for newton to be more explicit that the policy.json that's shipped with nova is empty and optional and only used for overriding the default policy from what is defined in the code, along with the script used to generate the policy file. There is another release note about merging the policy to get the effective policy so that's left out of this. Change-Id: I0be84124876ee25d821486fd12a7fc5d70e818ec --- .../notes/empty-sample-policy-abfb7d467d2ebd4c.yaml | 9 +++++++++ .../policy-sample-defaults-changed-b5eea1daeb305251.yaml | 6 +++--- 2 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/empty-sample-policy-abfb7d467d2ebd4c.yaml diff --git a/releasenotes/notes/empty-sample-policy-abfb7d467d2ebd4c.yaml b/releasenotes/notes/empty-sample-policy-abfb7d467d2ebd4c.yaml new file mode 100644 index 000000000000..dc4d057dfc6a --- /dev/null +++ b/releasenotes/notes/empty-sample-policy-abfb7d467d2ebd4c.yaml @@ -0,0 +1,9 @@ +--- +other: + - | + The API policy defaults are now defined in code like configuration options. + Because of this, the sample policy.json file that is shipped with Nova is + empty and should only be necessary if you want to override the API policy + from the defaults in the code. To generate the policy file you can run:: + + oslopolicy-sample-generator --config-file=etc/nova/nova-policy-generator.conf 
diff --git a/releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml b/releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml index 8b7e53f936b5..5195488674e0 100644 --- a/releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml +++ b/releasenotes/notes/policy-sample-defaults-changed-b5eea1daeb305251.yaml @@ -1,7 +1,7 @@ --- other: - - The sample policy file shipped with Nova contained many policies set to + - The default API policy shipped with Nova contained many policies set to ""(allow all) which was not the proper default for many of those checks. It was also a source of confusion as some people thought "" meant to use the default rule. These empty policies have been updated to be explicit in all @@ -12,5 +12,5 @@ other: restrictiveness of the API calls overall because there are similar checks in the database already. - This does not affect any existing deployment, just the sample file included - for use by new deployments. + This does not affect any existing deployment, just the default policy used + by new deployments.
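Review bot: In the new file releasenotes/notes/empty-sample-policy-abfb7d467d2ebd4c.yaml, the command passes a relative path, `--config-file=etc/nova/nova-policy-generator.conf`, and the note does not say what it is relative to. An operator reading the rendered release notes on an installed system cannot tell where to run it. Suggest stating the directory the command is run from. The sentence "To generate the policy file you can run::" also comes straight after the statement that the shipped policy.json is empty, so it would help to say what the generated file contains. The commit message calls the file "empty and optional", but the note text never says it is optional; adding that word would match the stated intent.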
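Review bot: In the `@@ -1,7 +1,7 @@` hunk of policy-sample-defaults-changed-b5eea1daeb305251.yaml, the reworded first line still runs into the unchanged `""(allow all)` on the next line, with no space between the quotes and the parenthesis. Since this sentence is being edited anyway, change it to `"" (allow all)` so the empty-string rule reads clearly in the rendered notes. With the subject now "The default API policy shipped with Nova", the past tense "contained" no longer says which release had the allow-all rules; consider "previously contained" or naming the release, because the rest of the paragraph ("These empty policies have been updated") depends on that being clear.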
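Review bot: In the `@@ -12,5 +12,5 @@` hunk, the new wording "This does not affect any existing deployment, just the default policy used by new deployments" looks inconsistent with the other note in this patch. The old sentence was about a sample file, which an existing deployment would not pick up. The new release note says the defaults are now defined in code and that policy.json is only needed to override them, which suggests an upgraded deployment whose policy.json does not set one of these rules would get the in-code default. If that is the case, the sentence should be narrowed, for example to say that rules already set in a deployment's policy.json are unchanged. If it is not, a short explanation of why existing deployments are unaffected would remove the doubt.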