2023.1 Series Release Notes

26.0.0

Prelude

In this cycle Glance enabled the API policies (RBAC) new defaults and scope by default and removed the deprecated enforce_secure_rbac option which is no longer needed after switching to new defaults. The Default value of config options [oslo_policy] enforce_scope and [oslo_policy] oslo_policy.enforce_new_defaults have been changed to True. Old policies are still there but they are disabled by default.

Upgrade Notes

  • The Glance service enables the API policies (RBAC) new defaults and scope by default. The Default value of config options [oslo_policy] enforce_scope and [oslo_policy] oslo_policy.enforce_new_defaults have been changed to True.

    If you want to disable them then modify the below config options value in glance-api.conf file:

    [oslo_policy]
    enforce_new_defaults=False
    enforce_scope=False
    
  • As per the revised SRBAC community goals, glance service is switching to new defaults by default in Antelope cycle, hence removing the deprecated enforce_secure_rbac option which is no longer needed. The enforce_secure_rbac option was introduced EXPERIMENTAL in Wallaby release for operators to opt into enforcing authorization based on common RBAC personas.

    Now operator can control the scope and new defaults flag with the below config options in glance-api.conf file:

    [oslo_policy]
    enforce_new_defaults=True
    enforce_scope=True
    

Bug Fixes

  • Bug 1990854: oslo_limit section not clear

  • Bug 1779781: virt/vmware not support VirtualSriovEthernetCard

  • Bug 1647491: Missing documentation for glance-manage db_purge command

  • Bug 1983279: Cannot upload vmdk images due to unsupported vmdk format

  • Bug 1989268: Wrong assertion method

  • Bug 1996188: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)

  • Bug 1939690: The api-ref response and the actual response returned from the Create Tags API does not match

  • Bug 1983279: Cannot upload vmdk images due to unsupported vmdk format