283fa242ca
As per the RBAC new direction in Zed cycle, we have dropped the system scope from API policies and all the policies are hardcoded to project scoped so that any user accessing APIs using system scope will get 403 error. It is dropped from all the OpenStack services except for the Ironic service which will have system scope and to support ironic only deployment, we are keeping system as well as project scope in Keystone. Complete discussion and direction can be found in the below gerrit change and TC goal direction: - https://review.opendev.org/c/openstack/governance/+/847418 - https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept As phase-2 of RBAC goal, services will start enabling the new defaults and project scope by default. For example: Nova did in - https://review.opendev.org/c/openstack/nova/+/866218 Kolla who start accessing the services using system scope token - https://review.opendev.org/c/openstack/kolla-ansible/+/692179 This commit partially revert the above change except keeping system scope usage for Keystone and Ironic. Rest all services are changed to use the project scope token. And enable the scope and new defaults for Nova which was disabled by https://review.opendev.org/c/openstack/kolla-ansible/+/870804 Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d
10 lines
407 B
YAML
10 lines
407 B
YAML
---
|
|
upgrade:
|
|
- |
|
|
OpenStack services (except Ironic and Keystone) stopped supporting
|
|
the system scope in their API policy. Kolla who started using the
|
|
system scope token during the OpenStack Xena release needs to revert
|
|
it and use the project scope token to perform those services API
|
|
operations. The Ironic and Keystone operations are still performed
|
|
using the system scope token.
|