Current Series Release Notes

5.0.0.0rc1-30

New Features

  • In the Victoria release, cyborg introduced the new scoped RBAC policy authorization for API access, and partially implemented the blueprints. What implemented are new default rules in base policy and device_profile policy.

    During the development period(victoria and wallaby releases), the new and old policy will both work because a deployment sets cyborg.conf [oslo_policy] enforce_scope = False as the default set. Although users can set cyborg.conf [oslo_policy] enforce_scope = True by default in their deployment, if they want to ignore old rules and support new rules only. After we implement all the features, we’ll give two cycles transition period for operators. For specification of new policy, please refer to policy default refresh.

    • Scope

      Cyborg introduced scope_type to protect each policy. Cyborg support two types of sope_type with their combination. ['system'], ['project'] and ['system', 'project'].

      To know each policy scope_type, please refer the Policy Reference

      This feature is disabled by default can be enabled via config option [oslo_policy]enforce_scope in cyborg.conf

      • New Defaults Configuration

      Policies are default to Admin, Member and Reader roles. Old roles are also supproted. You can switch to new defaults via config option [oslo_policy]enforce_new_defaults in cyborg.conf file.

    • New Base policy roles

      Cyborg introduced seven basic roles based on the new defaults combined with different scope_types.

      • project_reader

      • project_member

      • project_admin

      • system_admin

      • system_reader

      • system_admin_or_owner

      • system_or_project_reader

    • New Defaults for device_profile APIs

      Rewrite check string(authorization rules) using new personas for device profile APIs.

      Add checkstr=base.PROJECT_READER_OR_SYSTEM_READER and deprecated checkstr=base.deprecated_default for

      • cyborg:device_profile:get_one

      • cyborg:device_profile:get_all

      Add check_str=base.SYSTEM_ADMIN and deprecated check_str=base.deprecated_is_admin for

      • cyborg:device_profile:create

      Add check_str=base.SYSTEM_ADMIN and deprecated base.deprecated_default for

      • cyborg:device_profile:delete

    • Added policy configuration guide on cyborg doc page

      Please refer to policy configuration guide

Upgrade Notes

  • The default value of [oslo_policy] policy_file config option has been changed from policy.json to policy.yaml. Cyborg policy new defaults since 5.0.0 and current default value of [oslo_policy] policy_file config option (policy.json) does not work when policy.json is generated by oslopolicy-sample-generator tool. Refer to bug 1875418 for more details. Also check oslopolicy-convert-json-to-yaml tool to convert the JSON to YAML formatted policy file in backward compatible way.

Deprecation Notes

  • The old basic personas below are marked as deprecated rules in base policy.

    • public_api

    • allow

    • deny

    • admin_api

    • is_admin

    • admin_or_owner

    • admin_or_user