Unreleased Release Notes

4.4.0-5

New Features

  • The new [oslo_policy] remote_timeout option has been added. This option determines timeout in HTTP(S) requests in REST based policy check. Its default value is 60 seconds.

Upgrade Notes

  • The following options are no longer loaded from the [DEFAULT] section. Use the [oslo_policy] section instead.

    • policy_file

    • policy_default_rule

    • policy_dirs

4.4.0

Upgrade Notes

  • The default value of config options enforce_scope and enforce_new_defaults have been changed to True.

    Most of the OpenStack services have enabled these options by default, and now it’s time to change the default in the oslo policy itself.

    If you want to disable them, modify the values of these config options in the service configuration file (for example, “nova.conf”):

    [oslo_policy]
    enforce_new_defaults=False
    enforce_scope=False
    

Deprecation Notes

  • The enforce_scope configuration option was added temporarily to facilitate a smooth transition to the new RBAC. OpenStack will always enforce the scope checks, and they will not be configurable. This configuration option is marked as deprecated and will be removed in the 2025.2 cycle.