Queens Series Release Notes¶

1.33.2-3¶

[bug 1880959] The behavior of policy file reloading from policy directories was fixed. Previously the rules from policy files located in the directories specified in the policy_dirs option were not reapplied after the rules from the primary policy file have been reapplied due to a change.

As reported in launchpad bug 1723030, under some circumstances policy checks caused a significant performance degradation. This release includes improved logic around rule validation to prevent that.

A new configuration option has been added to the [oslo_policy] group called enforce_scope. When set to True, oslo.policy will raise an InvalidScope exception if the context passed into the enforce method doesn’t match the policy’s scope_types. If False, a warning will be logged for operators. Note that operators should only enable this option once they’ve audited their users to ensure system users have roles on the system. This could potentially prevent some users from being able to make system-level API calls. This will also give other services the flexibility to fix long-standing RBAC issues in OpenStack once they start introducing scope_types for policies used in their service.

Add support for custom rule check plugins. http and https external rule checks have been converted into stevedore plugins and serve as examples.