---
features:
  - |
    The Tacker v1 API policies now implement the SRBAC project personas with
    the new default roles (``admin``, ``member``, and ``reader``) provided
    by keystone. The v1 API policies are also scoped to ``project``.
upgrade:
  - |
    The defaults of the Tacker v1 API policies have been changed to the new
    SRBAC default roles (``admin``, ``member``, and ``reader``) and scoped to
    ``project``. Legacy ``admin`` is unchanged; instead, the project reader
    role is introduced. The old defaults are deprecated but they are still
    supported and enabled by default. In a future release, the new defaults
    will be enabled by default and the old defaults will be removed.
    Please refer to `Policy Concepts`_ and `SRBAC Project Personas`_ for
    details about the new policy defaults and the migration plan.

    * **New Defaults (Admin, Member and Reader)**
      Policies default to the Admin, Member and Reader roles. Old roles
      are also supported. You can switch to the new defaults by setting the
      config option ``[oslo_policy]enforce_new_defaults`` to True in the
      ``tacker.conf`` file.

    * **Scope**
      Each policy is protected with an appropriate ``scope_type``. API policies
      are scoped to ``project`` only, which means no change in the current
      access level, but it gives a better error message if a system user
      tries to access Tacker APIs. The scope checks are disabled by default
      and you can enable them by setting the config option
      ``[oslo_policy]enforce_scope`` to True in the ``tacker.conf`` file.

    To know the new defaults, please refer to the `Policy Reference`_ doc.
    This feature is disabled by default and can be enabled via config option
deprecations:
  - |
    The old defaults of the Tacker v1 API policies are deprecated and will be
    removed in a future release.

    .. _SRBAC Project Personas: https://specs.openstack.org/openstack/tacker-specs/specs/2023.1/srbac-implement-project-personas.html
    .. _Policy Reference: https://docs.openstack.org/tacker/latest/configuration/policy.html
    .. _Policy Concepts: https://docs.openstack.org/tacker/latest/configuration/index.html#policy