--- features: - | Nova now supports a new default role ``manager``. This role is part of the standard role hierarchy supported by keystone. A new persona, the ``project_manager``, is denoted by someone with the ``manager`` role on a specific project. The ``project_manager`` persona is intended to perform more privileged operations than a ``project_member`` while granting less access than the global admin role. This brings the total set of personas currently supported by Nova to: * ``admin`` * ``project_manager`` * ``project_member`` * ``project_reader`` To avoid any change in ``admin`` permissions, Nova uses ``PROJECT_MANAGER_OR_ADMIN`` as a default where manager access is granted. In this release, the below APIs policy are newly defaulted to ``PROJECT_MANAGER_OR_ADMIN``: - ``os_compute_api:os-migrate-server:migrate`` (Cold migrate a server without specifying a host) - ``os_compute_api:os-migrate-server:migrate_live`` (live migrate server without specifying host) - ``os_compute_api:os-migrations:index`` (List migrations without host info) - ``os_compute_api:servers:migrations:index`` (Lists in-progress live migrations for a given server without host info) - ``os_compute_api:servers:migrations:force_complete`` (Force an in-progress live migration for a given server) - ``os_compute_api:servers:migrations:delete`` (Delete(Abort) an in-progress live migration) In addition, a number of new, more granular policies are introduced to allow us to use the ``project_manager`` persona in migration APIs: * Live migration: - Existing policy is used when live migrating server without specifying host: - ``os_compute_api:os-migrate-server:migrate_live`` (live migrate server without specifying host) - Default: ``PROJECT_MANAGER_OR_ADMIN`` - New policy is used when live migrate server to a specific host: - ``os_compute_api:os-migrate-server:migrate_live:host`` (live migrate server to a specific host) - Default: ``ADMIN`` * List server migration: - Existing policy is used to list live migrations without host info: - ``os_compute_api:servers:migrations:index`` (Lists in-progress live migrations for a given server) - Default: ``PROJECT_MANAGER_OR_ADMIN`` - New policy is used to host info in live migrations list: - ``os_compute_api:servers:migrations:index:host`` (Lists in-progress live migrations for a given server with host info) - Default: ``ADMIN`` * List migration: - Existing policy is used to list live migrations without host info: - ``os_compute_api:os-migrations:index`` (List migrations without host info) - Default: ``PROJECT_MANAGER_OR_ADMIN`` - New policy is used to host info in live migrations list: - ``os_compute_api:os-migrations:index:all_projects`` (List migrations for all or cross projects) - Default: ``ADMIN`` - ``os_compute_api:os-migrations:index:host`` (List migrations with host info) - Default: ``ADMIN`` Scope checks and new defaults are enabled by default and it is recommended to use new defaults. However, if your deployment needs more time then you can disable them by switching the below config option in ``nova.conf`` file.: [oslo_policy] enforce_new_defaults=False enforce_scope=False Please refer `Policy New Defaults`_ for detail about policy new defaults. .. _Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html upgrade: - | New policies are added to the live migration APIs with the same default. If you are using default policy, then no action is needed, but if you have overridden the existing live migration policies in your deployment, you must include the new policy with the same permissions. - Existing policy: - ``os_compute_api:os-migrate-server:migrate_live`` - ``os_compute_api:servers:migrations::index`` - ``os_compute_api:os-migrations:index`` - New policy: - ``os_compute_api:os-migrate-server:migrate_live:host`` - ``os_compute_api:servers:migrations:index:host`` - ``os_compute_api:os-migrations:index:all_projects`` - ``os_compute_api:os-migrations:index:host``