206ae19f48
As per the RBAc goal timeline, we agreed to enable enforce_scope as well as the enforce_new_defaults by default - https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id4 Also, marking enforce_scope deprecated and to be removed in 2025.2 (SLURP) cycle. Change-Id: I23ccdfd810ba8290aa49a47471eabdb65fea2128
24 lines
844 B
YAML
24 lines
844 B
YAML
---
|
|
upgrade:
|
|
- |
|
|
The default value of config options ``enforce_scope`` and
|
|
``enforce_new_defaults`` have been changed to ``True``.
|
|
|
|
Most of the OpenStack services have enabled these options by
|
|
default, and now it's time to change the default in the oslo
|
|
policy itself.
|
|
|
|
If you want to disable them, modify the values of these config
|
|
options in the service configuration file (for example, "nova.conf")::
|
|
|
|
[oslo_policy]
|
|
enforce_new_defaults=False
|
|
enforce_scope=False
|
|
deprecations:
|
|
- |
|
|
The ``enforce_scope`` configuration option was added temporarily
|
|
to facilitate a smooth transition to the new RBAC. OpenStack will
|
|
always enforce the scope checks, and they will not be configurable.
|
|
This configuration option is marked as deprecated and will be removed
|
|
in the 2025.2 cycle.
|