Queens Series Release Notes
[bug 1880959] The behavior of policy file reloading from policy directories was fixed. Previously, the rules from policy files located in the directories specified in the policy_dirs option were not reapplied after the rules from the primary policy file had been reapplied due to a change.
As reported in Launchpad bug 1723030, under some circumstances policy checks caused a significant performance degradation. This release includes improved logic around rule validation to prevent that.
A new configuration option has been added: enforce_scope. When set to True, oslo.policy will raise an InvalidScope exception if the context passed into the enforce method doesn’t match the policy’s scope_types. When set to False, a warning will be logged for operators. Note that operators should only enable this option once they’ve audited their users to ensure system users have roles on the system. Enabling it could potentially prevent some users from being able to make system-level API calls. This will also give other services the flexibility to fix long-standing RBAC issues in OpenStack once they start introducing scope_types for policies used in their service.
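The difference between the two enforce_scope settings, and the pre-enablement audit the note recommends, can be sketched as follows. This is an added example, not oslo.policy code: it models only the scope comparison, and the rule names, context dict layout and sample requests are constructed assumptions.

```python
import logging

LOG = logging.getLogger("scope_model")

class InvalidScope(Exception):
    """Stand-in for the exception named in the release note."""

# Constructed registry (hypothetical rule names): rule -> accepted scope_types.
SCOPE_TYPES = {
    "compute:services:list": ["system"],
    "compute:servers:create": ["project"],
    "identity:list_users": ["system", "domain"],
}

def token_scope(context):
    """Scope of a request context; the dict layout is an assumption."""
    for key, scope in (("system_scope", "system"), ("domain_id", "domain"),
                       ("project_id", "project")):
        if context.get(key):
            return scope
    return None

def check_scope(rule, context, enforce_scope):
    """Model only the scope comparison, not the rule's role check."""
    allowed = SCOPE_TYPES.get(rule)
    if allowed is None or token_scope(context) in allowed:
        return True  # no scope_types declared, or the scope matches
    msg = "%s accepts %s, request is %s-scoped" % (rule, allowed, token_scope(context))
    if enforce_scope:
        raise InvalidScope(msg)   # enforce_scope = True: reject
    LOG.warning(msg)              # enforce_scope = False: warn only
    return False

def audit(requests):
    """Dry run in warning mode: (user, rule) pairs that would be rejected."""
    return [(r["user"], r["rule"]) for r in requests
            if not check_scope(r["rule"], r["context"], enforce_scope=False)]

# Constructed sample requests.
REQUESTS = [
    {"user": "alice", "rule": "compute:services:list", "context": {"system_scope": "all"}},
    {"user": "bob", "rule": "compute:services:list", "context": {"project_id": "p1"}},
    {"user": "carol", "rule": "compute:servers:create", "context": {"project_id": "p2"}},
    {"user": "dave", "rule": "identity:list_users", "context": {"domain_id": "d1"}},
]

if __name__ == "__main__":
    print(audit(REQUESTS))
```

Every pair the audit returns is a caller who needs a role assignment on the correct scope before the option is switched to True.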
Add support for custom rule check plugins. https external rule checks have been converted into stevedore plugins and serve as examples.