Merge "Deprecate show_multiple_locations option"

2016-08-30 18:22:04 +00:00 · 2016-08-30 18:22:04 +00:00 · 797a12361f
commit 797a12361f
parent a3ef4b466a dbfc121072
2 changed files with 36 additions and 1 deletions
--- a/glance/common/config.py
+++ b/glance/common/config.py
@ -159,7 +159,16 @@ Related options:
                       'in image properties. Revealing storage location can '
                       'be a security risk, so use this setting with '
                       'caution!')),
-    cfg.BoolOpt('show_multiple_locations', default=False,
+    # NOTE(flaper87): The policy.json file should be updated and the locaiton
+    # related rules set to admin only once this option is finally removed.
+    cfg.BoolOpt('show_multiple_locations',
+                default=False, deprecated_for_removal=True,
+                deprecated_reason=_('This option will be removed in the Ocata '
+                                    'release because the same functionality '
+                                    'can be achieved with greater granularity '
+                                    'by using policies. Please see the Newton '
+                                    'release notes for more information.'),
+                deprecated_since='Newton',
                help=_('Whether to include the backend image locations '
                       'in image properties. '
                       'For example, if using the file system store a URL of '
--- a/releasenotes/notes/deprecate-show-multiple-location-9890a1e961def2f6.yaml
+++ b/releasenotes/notes/deprecate-show-multiple-location-9890a1e961def2f6.yaml
@ -0,0 +1,26 @@
+---
+prelude: >
+    Deprecate the ``show_multiple_locations`` configuration
+    option in favor of the existing Role Based Access
+    Control (RBAC) for Image locations which uses
+    ``policy.json`` file to define the appropriate rules.
+    Maintaining two different ways to configure, enable
+    and/or disable a feature is painful for developers and
+    operators, so the less granular means of controlling
+    this feature will be eliminated in the **Ocata**
+    release. Please read upgrade section for more details.
+upgrade:
+  - For the Newton release, this option will still be
+    honored. However, it is important to update
+    ``policy.json`` file for glance-api nodes. In
+    particular, please consider updating the policies
+    ``delete_image_location``, ``get_image_location`` and
+    ``set_image_location`` as per your requirements. As this
+    is an advanced option and prone to expose some risks,
+    please check the policies to ensure security and privacy
+    of your cloud.
+  - Future releases will ignore this option and just
+    follow the policy rules. It is recommended that this
+    option is disabled for public endpoints and is being
+    only used internally for service-to-service
+    communication.