ironic/releasenotes/notes/implement-policy-in-code-cbb0216ef5f8224f.yaml
Devananda van der Veen c7da7a6925 Add keystone policy support to Ironic
Implements more fine-grained policy support within our API service,
following the oslo policy-in-code spec, while maintaining compatibility
with the previous default policy.json file. An empty policy.json file is
included, along with a sample file listing all supported policy settings
and their default values.

A new tox target "genpolicy" has been added to ease automation of
sample policy file generation.

All calls to policy.enforce() have been replaced with
policy.authorize() to avoid silent failures when a rule is undefined,
because enforce() does not raise() if the target rule does not exist.

  NOTE: policy.enforce() is not removed by this patch, but a deprecation
  warning will be logged if this method is invoked.

Updates unit test coverage for the new authorize() method, as well as
more general unit test updates for some of the new rules.

Partial-bug: #1526752
Change-Id: Ie4398f840601d027e2fe209c17d854421687c7b7
2016-08-04 12:43:20 +00:00


---
features:
  - |
    RESTful access to every API resource may now be controlled by adjusting
    policy settings. Defaults are set in code, and remain backwards compatible
    with the previously-included policy.json file. Two new roles are checked
    by default, "baremetal_admin" and "baremetal_observer", though these may be
    replaced or overridden by configuration. The "baremetal_observer" role
    grants read-only access to Ironic's API.
security:
  - |
    Previously, access to Ironic's REST API was "all or nothing". With this
    release, it is now possible to restrict read and write access to API
    resources to specific cloud roles.
upgrade:
  - |
    During an upgrade, it is recommended that all deployers re-evaluate the
    settings in their /etc/ironic/policy.json file. This file should now be
    used only to override default configuration, such as by limiting access to
    the Bare Metal service to specific tenants or restricting access to
    specific API endpoints. A policy.json.sample file is provided that lists
    all supported policies.
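The two points this change turns on, in-code defaults that a policy.json file only overrides, and an authorize() that raises on an undefined rule where enforce() fails silently, can be modelled in a few dozen lines. The following is an added illustration written for this note; it is not Ironic's code and not oslo.policy's implementation. The rule names ("baremetal:node:get", "baremetal:node:create", "is_admin", "is_observer"), the "hardware_ops" override role and the simplified "a or b" rule syntax are assumptions made for the example; only the "baremetal_admin" and "baremetal_observer" role names come from the release note.

```python
"""Illustrative model (not Ironic's or oslo.policy's code) of policy-in-code
with a policy.json override layer, and of why a raising authorize() is safer
than an enforce() that quietly evaluates an unregistered rule."""
import json


class PolicyNotRegistered(Exception):
    """Raised by authorize() when the rule name has no definition at all."""


class PolicyNotAuthorized(Exception):
    """Raised by authorize() when the credentials do not satisfy the rule."""


# Constructed in-code defaults. Rule names and the aggregate rules are
# assumptions for this example; the two baremetal_* roles are from the note.
DEFAULT_RULES = {
    "admin_api": "role:admin or role:administrator",
    "is_admin": "rule:admin_api or role:baremetal_admin",
    "is_observer": "rule:is_admin or role:baremetal_observer",
    "baremetal:node:get": "rule:is_observer",
    "baremetal:node:create": "rule:is_admin",
}


def _check(expr, creds, rules):
    """Evaluate a flat 'a or b' expression of role:/rule: terms."""
    for term in (t.strip() for t in expr.split(" or ")):
        kind, _, value = term.partition(":")
        if kind == "role" and value in creds.get("roles", []):
            return True
        # A reference to a rule that does not exist evaluates to False.
        if kind == "rule" and _check(rules.get(value, ""), creds, rules):
            return True
    return False


class Enforcer:
    def __init__(self, defaults, policy_json="{}"):
        # Defaults live in code; the operator's policy.json only overrides
        # the entries it names, so an empty file changes nothing.
        self.rules = dict(defaults)
        self.rules.update(json.loads(policy_json))

    def enforce(self, rule, creds):
        """Legacy behaviour: a misspelled or unregistered rule quietly
        evaluates to a result instead of signalling the programming error."""
        if rule not in self.rules:
            return False
        return _check(self.rules[rule], creds, self.rules)

    def authorize(self, rule, creds):
        """Strict behaviour: an unregistered rule and a denied request are
        both surfaced as exceptions rather than a bare False."""
        if rule not in self.rules:
            raise PolicyNotRegistered(rule)
        if not _check(self.rules[rule], creds, self.rules):
            raise PolicyNotAuthorized(rule)
        return True


def observer_can_read_but_not_write():
    """baremetal_observer gets read access only, per the in-code defaults."""
    enforcer = Enforcer(DEFAULT_RULES)
    observer = {"roles": ["baremetal_observer"]}
    return (enforcer.enforce("baremetal:node:get", observer),
            enforcer.enforce("baremetal:node:create", observer))


def undefined_rule_behaviour():
    """A typo in the rule name: enforce() returns False with no diagnostic,
    authorize() raises PolicyNotRegistered so the bug is caught in tests."""
    enforcer = Enforcer(DEFAULT_RULES)
    admin = {"roles": ["baremetal_admin"]}
    silent = enforcer.enforce("baremetal:node:gett", admin)
    try:
        enforcer.authorize("baremetal:node:gett", admin)
        raised = None
    except PolicyNotRegistered as exc:
        raised = type(exc).__name__
    return silent, raised


def override_from_policy_json():
    """Constructed operator override: one rule is replaced, the rest stay."""
    override = json.dumps({"baremetal:node:create": "role:hardware_ops"})
    enforcer = Enforcer(DEFAULT_RULES, override)
    ops = {"roles": ["hardware_ops"]}
    former_admin = {"roles": ["baremetal_admin"]}
    return (enforcer.authorize("baremetal:node:create", ops),
            enforcer.enforce("baremetal:node:create", former_admin))


if __name__ == "__main__":
    print(observer_can_read_but_not_write())   # (True, False)
    print(undefined_rule_behaviour())          # (False, 'PolicyNotRegistered')
    print(override_from_policy_json())         # (True, False)
```

The override case is also the caution from the upgrade note: once a rule is redefined in policy.json, the in-code default for that rule no longer applies, so a stale policy.json carried across the upgrade can silently remove access that the new defaults would have granted.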