2024.1 Series Release Notes

12.0.0

Upgrade Notes

  • The legacy Role Based Access Control policy used by ironic-inspector has been disabled by default. As a result, the legacy baremetal_admin and baremetal_observer roles are no longer enabled by default. System scoped access can be used to connect to the ironic-inspector service, or alternatively a user with an admin or service role can be used.

    The Ironic project does not anticipate any issues with this change, as the ironic-inspector service is a service for the system itself. That being said, if the operator-deployed configuration is reliant upon the deprecated roles, configuration changes will be required.

    This change is a result of the new policy which was introduced as part of the Consistent and Secure RBAC community goal and the underlying [oslo_policy] enforce_scope and [oslo_policy] enforce_new_defaults settings being changed to True.

    Operators wishing to revert to the old policy configuration may do so by setting the following values in ironic-inspector.conf:

    [oslo_policy]
    enforce_new_defaults=False
    enforce_scope=False
    

    Operators who revert the configuration are encouraged to make the necessary changes to their configuration, as the legacy RBAC policy will be removed at some point in the future. Please review 2024.1-Release Timeline. Failure to do so may force operators to craft custom policy override configuration.

Bug Fixes

  • If the LLDP raw data collected by the inspection process includes non-UTF-8 information, the parser fails, breaking the inspection process. This patch works around that by excluding the malformed data and adding an entry in the logs to provide information on the failed TLV.

  • Fixes the Role Based Access Control state and capabilities to align with OpenStack Community RBAC goals, which include support for a service role by default to enable inter-service communication to be configured without an admin username. In large part, these changes were missed as the Inspector service is considered an “admin-only” service.

    Also, in alignment with overall community position changes, the admin role is sufficient without an explicit system scope. To help ensure a high level of security, explicit testing was also added for the manager role, which is unavailable as that role is reserved for administrative functions inside of a tenant’s project.
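
The LLDP bug fix above describes skipping a malformed TLV and logging it instead of failing the whole inspection. The following sketch illustrates that behaviour; it is an added example, not ironic-inspector's own code. The function name `parse_lldp`, the input shape (a list of `(tlv_type, hex_string)` pairs) and the sample data are assumptions made for illustration.

```python
import binascii
import logging

LOG = logging.getLogger(__name__)

# LLDP TLV types that carry a text string (IEEE 802.1AB).
TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}


def parse_lldp(raw_tlvs, iface="eth0"):
    """Decode text TLVs; skip and log any whose value is not valid UTF-8.

    raw_tlvs is assumed to be a list of (tlv_type, hex_string) pairs.
    Returns (parsed, skipped): decoded fields and the TLV types excluded.
    """
    parsed, skipped = {}, []
    for tlv_type, hex_value in raw_tlvs:
        name = TEXT_TLVS.get(tlv_type)
        if name is None:
            continue  # binary TLVs are out of scope for this sketch
        try:
            parsed[name] = binascii.unhexlify(hex_value).decode("utf-8")
        except ValueError as exc:
            # binascii.Error and UnicodeDecodeError both derive from
            # ValueError. One bad TLV must not abort the whole node.
            # Log the value with %r so switch-controlled bytes cannot
            # inject control characters into the log.
            LOG.warning("Skipping malformed LLDP TLV type %s on %s: %s "
                        "(raw=%r)", tlv_type, iface, exc, hex_value)
            skipped.append(tlv_type)
    return parsed, skipped


# Constructed sample: TLV 6 holds bytes c3 28 ff, which are not valid UTF-8.
SAMPLE = [
    (5, b"switch-01".hex()),
    (6, "c328ff"),
    (4, b"Ethernet1/7".hex()),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(parse_lldp(SAMPLE))
```

The remaining TLVs are still returned, so one misbehaving switch field costs a single attribute rather than the node's inspection.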