commit 62d784210c9d234cd7838f040685bbd56f2c763f Author: Yumeng Bao Date: Fri Sep 11 18:02:57 2020 +0800 Add releasenote for policy refresh base and device profile policies Change-Id: I08f9d9043a488c8bb55c57f14f8eac860d47eb1f (cherry picked from commit bdc1aab530e18b86f39a102578c02a99a3c3abe0) diff --git a/releasenotes/notes/policy_refresh_base_and_device_profile-cef00fca580d2323.yaml b/releasenotes/notes/policy_refresh_base_and_device_profile-cef00fca580d2323.yaml new file mode 100644 index 0000000..d7e2693 --- /dev/null +++ b/releasenotes/notes/policy_refresh_base_and_device_profile-cef00fca580d2323.yaml @@ -0,0 +1,87 @@ +--- +features: + - | + In the Victoria release, cyborg introduced the new scoped RBAC policy + authorization for API access, and partially implemented the blueprints. + What implemented are new default rules in base policy and device_profile + policy. + + During the development period(victoria and wallaby releases), the new and + old policy will both work because a deployment sets + ``cyborg.conf [oslo_policy] enforce_scope = False`` as the default set. + Although users can set ``cyborg.conf [oslo_policy] enforce_scope = True`` + by default in their deployment, if they want to ignore old rules and + support new rules only. After we implement all the features, we'll give + two cycles transition period for operators. For specification of + new policy, please refer to `policy default refresh`_. + + - Scope + + Cyborg introduced ``scope_type`` to protect each policy. Cyborg support + two types of ``sope_type`` with their combination. ``['system']``, + ``['project']`` and ``['system', 'project']``. + + To know each policy ``scope_type``, please refer the `Policy Reference`_ + + This feature is disabled by default can be enabled via config option + ``[oslo_policy]enforce_scope`` in ``cyborg.conf`` + + - New Defaults Configuration + + Policies are default to Admin, Member and Reader roles. Old roles + are also supproted. You can switch to new defaults via config option + ``[oslo_policy]enforce_new_defaults`` in ``cyborg.conf`` file. + + - New Base policy roles + + Cyborg introduced seven basic roles based on the new defaults combined + with different scope_types. + + - project_reader + - project_member + - project_admin + - system_admin + - system_reader + - system_admin_or_owner + - system_or_project_reader + + - New Defaults for device_profile APIs + + Rewrite check string(authorization rules) using new personas for + device profile APIs. + + Add ``checkstr=base.PROJECT_READER_OR_SYSTEM_READER`` and + deprecated ``checkstr=base.deprecated_default`` for + + - ``cyborg:device_profile:get_one`` + - ``cyborg:device_profile:get_all`` + + Add ``check_str=base.SYSTEM_ADMIN`` and + deprecated ``check_str=base.deprecated_is_admin`` for + + - ``cyborg:device_profile:create`` + + Add ``check_str=base.SYSTEM_ADMIN`` and + deprecated ``base.deprecated_default`` for + + - ``cyborg:device_profile:delete`` + + - Added policy configuration guide on cyborg doc page + + Please refer to `policy configuration guide`_ + + .. _policy default refresh: https://specs.openstack.org/openstack/cyborg-specs/specs/ussuri/approved/policy-defaults-refresh.html + .. _Policy Reference: https://docs.openstack.org/cyborg/latest/configuration/policy.html + .. _policy configuration guide: https://docs.openstack.org/cyborg/latest/configuration/policy-guide.html + +deprecations: + - | + The old basic personas below are marked as deprecated rules in base policy. + + - public_api + - allow + - deny + - admin_api + - is_admin + - admin_or_owner + - admin_or_user