949387bd80
This is the first in a series of commits to add support for codespell. This is continuning the process completed in ironic-python-agent. Future Commits will add a Tox Target, CI support and potentially a git-blame-ignore-revs file if their are lots of spelling mistakes that could clutter git blame. Change-Id: Id328ff64c352e85b58181e9d9e35973a8706ab7a
46 lines
2.1 KiB
YAML
46 lines
2.1 KiB
YAML
---
|
|
features:
|
|
- |
|
|
Adds capability to use ``project`` scoped requests in concert with
|
|
``system`` scoped requests for a composite Role Based Access Control
|
|
(RBAC) model. As Ironic is mainly an administrative service,
|
|
this capability has only been extended to API endpoints which are
|
|
not purely administrative in nature. This consists of the following
|
|
API endpoints: nodes, ports, portgroups, volume connectors, volume
|
|
targets, and allocations.
|
|
- |
|
|
Project ``scoped`` requests for baremetal allocations, will automatically
|
|
record the ``project_id`` of the requester as the ``owner`` of the node.
|
|
deprecations:
|
|
- >
|
|
Pre-RBAC support rules have been deprecated. These consist of:
|
|
* admin_api
|
|
* is_member
|
|
* is_observer
|
|
* is_node_owner
|
|
* is_node_lessee
|
|
* is_allocation_owner
|
|
|
|
These rules will likely be removed in the Xena development cycle.
|
|
Operators are advised to review any custom policy rules for these
|
|
rules and move to the `Secure Role Based Access Controls <https://docs.openstack.org/ironic/latest/admin/secure-rbac.html>`_
|
|
model.
|
|
issues:
|
|
- |
|
|
The addition of both ``project`` and ``system`` scoped Role Based Access
|
|
controls does add additional database queries when linked resources are
|
|
accessed. Example, when attempting to access a ``port`` or ``portgroup``,
|
|
the associated node needs to be checked as this helps govern overall
|
|
object access to the object for ``project`` scoped requests. This does not
|
|
impact ``system`` scoped requests. Operators who adopt project scoped
|
|
access may find it necessary to verify or add additional database indexes
|
|
in relation to the node ``uuid`` column as well as ``node_id`` field in
|
|
any table which may receive heavy project query scope activity.
|
|
The ``ironic`` project anticipates that this will be a future work item
|
|
of the project to help improve database performance.
|
|
upgrade:
|
|
- |
|
|
Legacy policy rules have been deprecated. Operators are advised to review
|
|
and update any custom policy files in use. Please see
|
|
`Secure Role Based Access Controls`_ for more information.
|