Add a release note for enforce_scope
A previous change added the ability to enforce scope using a configuration option:

Ia573b8cac3bf9cee2962790589dea24c7f530ef5

This commit ensures we have a release note to communicate that change.

bp add-scope-to-policy
Change-Id: I1c71aecd247b39c01a3b333e9915aee517079162
parent 5dc2ab7bcd
commit 8835af6aa5
13
releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
A new configuration option has been added to the ``[oslo_policy]`` group
|
||||||
|
called ``enforce_scope``. When set to ``True``, oslo.policy will raise an
|
||||||
|
``InvalidScope`` exception if the context passed into the enforce method
|
||||||
|
doesn't match the policy's ``scope_types``. If ``False``, a warning will be
|
||||||
|
logged for operators. Note that operators should only enable this option
|
||||||
|
once they've audited their users to ensure system users have roles on the
|
||||||
|
system. This could potentially prevent some users from being able to make
|
||||||
|
system-level API calls. This will also give other services the flexibility
|
||||||
|
to fix long-standing RBAC issues in OpenStack once they start introducing
|
||||||
|
``scope_types`` for policies used in their service.
|
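Review bot: The note never states the default value of ``enforce_scope``, so an operator reading "When set to ``True`` ... If ``False``" cannot tell whether upgrading changes behaviour or only adds warnings; please say which value is the default. The sentence "This could potentially prevent some users from being able to make system-level API calls" also has an ambiguous antecedent: it reads as a consequence of the audit rather than of enabling the option. Something like "Enabling it before that audit could prevent some users from making system-level API calls" would be clearer. Since that caveat is operator guidance about when it is safe to switch enforcement on, consider moving it from ``features`` into an ``upgrade`` section of the same note so it shows up where operators look before changing configuration.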