aodh/releasenotes/notes/policy-defaults-refresh-95b565bee059f611.yaml
Takashi Kajinami 807e65e352 Isolate project scope and system scope
This change updates the default policies implemented in Heat, to follow
the updated guideline[1] to implement SRBAC.

The main change is that system users are no longer allowed to perform
any operations about project-level resources like alarms, while project
admin(*1) is still allowed to perform operations about project-level
resources BEYOND project (like getting alarms for all projects)

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

Change-Id: I0a59e3f892aff306e47812b69dbf82066411a542
2024-07-18 15:51:29 +00:00

7 lines
229 B
YAML

---
features:
- |
Aodh policies have been modified to isolate the system and project level
APIs policy. Because of this change, system users will not be allowed to
perform any operations on project level resources.