Ghanshyam Mann
f9c1d1163d
After moving the nova APIs policy as per the new guidlines where system scoped token will be only allowed to access system level APIs and will not be allowed any operation on project level APIs. With that we do not need below base rules (who have hardcoded 'system_scope:all' check_str): - system_admin_api - system_reader_api - system_admin_or_owner - system_or_project_reader At this stage (phase-1 target), we allow below roles as targeted in phase-1 [1] 1. ADMIN(this is System Administrator with scope_type 'system' when scope enabled otherwise legacy admin) 2. PROJECT_ADMIN 3. PROJECT_MEMBER 4. PROJECT_READER & below one specific to nova 5. PROJECT_READER_OR_ADMIN (to allow system admin and project reader to list flavor extra specs) This complete the phase-1 of RBAC community-wide goal[2] for nova. Add release notes too. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operator [2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#yoga-timeline-7th-mar-2022 Partial implement blueprint policy-defaults-refresh-2 Change-Id: I075005d13ff6bfe048bbb21d80d71bf1602e4c02
OpenStack Nova Documentation README =================================== Both contributor developer documentation and REST API documentation are sourced here. Contributor developer docs are built to: https://docs.openstack.org/nova/latest/ API guide docs are built to: https://docs.openstack.org/api-guide/compute/ For more details, see the "Building the Documentation" section of doc/source/contributor/development-environment.rst.