Add a release note for enforce_scope
A previous change added the ability to enforce scope using a configuration option: Ia573b8cac3bf9cee2962790589dea24c7f530ef5 This commit ensures we have a release note to communicate that change. bp add-scope-to-policy Change-Id: I1c71aecd247b39c01a3b333e9915aee517079162
This commit is contained in:
Lance Bragstad
parent
5dc2ab7bcd
commit
8835af6aa5
13
releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml
Normal file
13
releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
A new configuration option has been added to the ``[oslo_policy]`` group
|
||||
called ``enforce_scope``. When set to ``True``, oslo.policy will raise an
|
||||
``InvalidScope`` exception if the context passed into the enforce method
|
||||
doesn't match the policy's ``scope_types``. If ``False``, a warning will be
|
||||
logged for operators. Note that operators should only enable this option
|
||||
once they've audited their users to ensure system users have roles on the
|
||||
system. This could potentially prevent some users from being able to make
|
||||
system-level API calls. This will also give other services the flexibility
|
||||
to fix long-standing RBAC issues in OpenStack once they start introducing
|
||||
``scope_types`` for policies used in their service.
|
||||
Loading…
Reference in New Issue
Block a user