426353c3f5
Deprecates legacy policies which will be removed at a later point in time. Notes these in a release note which covers project scoped access enablement, and updates the Secure RBAC docs to cover additional details Special thanks to Rammstein Radio on Pandora, for without this and all of the amazing artists it brought to my coding jam sessions, this effort would not have reached any sort of conclusion in the relatively short time for such a massive amount of work. Change-Id: I3bf0fa0de07e19d6058f0299e7abbff91b48b360
46 lines
2.1 KiB
YAML
46 lines
2.1 KiB
YAML
---
|
|
features:
|
|
- |
|
|
Adds capability to use ``project`` scoped requests in concert with
|
|
``system`` scoped requests for a composite Role Based Access Control
|
|
(RBAC) model. As Ironic is mainly an administrative service,
|
|
this capability has only been extended to API endpoints which are
|
|
not purely administrative in nature. This consists of the following
|
|
API endpoints: nodes, ports, portgroups, volume connectors, volume
|
|
targets, and allocations.
|
|
- |
|
|
Project ``scoped`` requests for baremetal allocations, will automatically
|
|
record the ``project_id`` of the requestor as the ``owner`` of the node.
|
|
deprecations:
|
|
- >
|
|
Pre-RBAC support rules have been deprecated. These consist of:
|
|
* admin_api
|
|
* is_member
|
|
* is_observer
|
|
* is_node_owner
|
|
* is_node_lessee
|
|
* is_allocation_owner
|
|
|
|
These rules will likely be removed in the Xena development cycle.
|
|
Operators are advised to review any custom policy rules for these
|
|
rules and move to the `Secure Role Based Access Controls <https://docs.openstack.org/ironic/latest/admin/secure-rbac.html>`_
|
|
model.
|
|
issues:
|
|
- |
|
|
The addition of both ``project`` and ``system`` scoped Role Based Access
|
|
controls does add additional database queries when linked resources are
|
|
accessed. Example, when attempting to access a ``port`` or ``portgroup``,
|
|
the associated node needs to be checked as this helps govern overall
|
|
object access to the object for ``project`` scoped requests. This does not
|
|
impact ``system`` scoped requests. Operators who adopt project scoped
|
|
access may find it necessary to verify or add additional database indexes
|
|
in relation to the node ``uuid`` column as well as ``node_id`` field in
|
|
any table which may recieve heavy project query scope activity.
|
|
The ``ironic`` project anticipates that this will be a future work item
|
|
of the project to help improve database performance.
|
|
upgrade:
|
|
- |
|
|
Legacy policy rules have been deprecated. Operators are advised to review
|
|
and update any custom policy files in use. Please see
|
|
`Secure Role Based Access Controls`_ for more information.
|