Wallaby Series Release Notes¶
The default policies provided by placement have been updated to add support for read-only roles. This is part of a broader community effort to support read-only roles and implement secure, consistent default policies. Refer to the Keystone documentation for more information on the reason for these changes.
Previously, all policies defaulted to
rule:admin_api, which mapped to
role:admin. The following rules now default to
role:admin and system_scope:allinstead:
The following rule now defaults to
(role:reader and system_scope:all) or role:reader and project_id:%(project_id)sinstead:
More information on these policy defaults can be found in the documentation.
The default policy used for the
placement:usages, has been updated to allow project users to view information about resource usage for their project, specified using the
project_idquery string parameter. Previously this API was restricted to admins.
The default value of
[oslo_policy] policy_fileconfig option has been changed from
policy.yaml. Operators who are utilizing customized or previously generated static policy JSON files (which are not needed by default), should generate new policy files or convert them in YAML format. Use the oslopolicy-convert-json-to-yaml tool to convert a JSON to YAML formatted policy file in backward compatible way.
placementpolicy has now been removed. This policy was used prior to the introduction of granular policies in the nova 18.0.0 (Rocky) release.
[placement]/policy_fileconfiguration option is removed Use the more standard
[oslo_policy]/policy_fileconfig option. If you do not override policy with custom rules you will have nothing to do. If you do override the placement default policy then you will need to update your configuration to use the
Use of JSON policy files was deprecated by the
oslo.policylibrary during the Victoria development cycle. As a result, this deprecation is being noted in the Wallaby cycle with an anticipated future removal of support by
oslo.policy. As such operators will need to convert to YAML policy files. Please see the upgrade notes for details on migration of any custom policy files.