2023.1 Series Release Notes
The Placement policies have been modified to drop the system scope. Every API policy is now scoped to project, which means that system-scoped users will get a 403 permission denied error.
Currently, Placement supports the following default roles:
project reader (for project resource usage)
Currently, scope checks and new defaults are disabled by default. You can enable them by switching the below config option in
[oslo_policy]
enforce_new_defaults=True
enforce_scope=True
All Placement policies have dropped the system scope and are now project scoped only. The scope of a policy is not overridable in policy.yaml. If you have enabled scope enforcement and are using a system-scoped token to access Placement APIs, you need to switch to a project-scoped token. Scope enforcement is not enabled by default, but it will be enabled by default in a future release. The old defaults are deprecated but still enforced by default; they will be removed in a future release.
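A pre-enablement check for the two options above, as an added example that is not part of the release notes or Placement's own code: it reads the [oslo_policy] section from config text and reports which accounts the scope check would reject. The function names, the account names and the sample config are constructed for illustration, and only the scope check is modelled, not role checks.

```python
import configparser

# Per the release note, both options are off unless explicitly enabled.
DEFAULTS = {"enforce_new_defaults": False, "enforce_scope": False}

def oslo_policy_flags(conf_text):
    """Return the effective [oslo_policy] booleans from INI-style config text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    flags = dict(DEFAULTS)
    for name in DEFAULTS:
        # has_option() returns False when the section itself is absent.
        if parser.has_option("oslo_policy", name):
            flags[name] = parser.getboolean("oslo_policy", name)
    return flags

def scope_outcome(flags, token_scope):
    """Model only the scope check; role checks are not modelled."""
    if token_scope == "project":
        return "ok"
    # Any non-project token (e.g. system) mismatches the project-only policies.
    return "403" if flags["enforce_scope"] else "allowed-until-enforced"

def audit(conf_text, accounts):
    """Map each account to its scope-check outcome; accounts is {name: token scope}."""
    flags = oslo_policy_flags(conf_text)
    return {name: scope_outcome(flags, scope) for name, scope in accounts.items()}

# Constructed sample input: config text and hypothetical account names.
SAMPLE_CONF = """
[oslo_policy]
enforce_new_defaults = True
enforce_scope = True
"""
SAMPLE_ACCOUNTS = {"svc-scheduler": "project", "capacity-report": "system"}

if __name__ == "__main__":
    for name, outcome in audit(SAMPLE_CONF, SAMPLE_ACCOUNTS).items():
        print(f"{name}: {outcome}")
    # The same accounts against a config that leaves both options unset.
    for name, outcome in audit("", SAMPLE_ACCOUNTS).items():
        print(f"{name} (defaults): {outcome}")
```

Accounts reported as "allowed-until-enforced" are the ones to move to project-scoped tokens before enforce_scope is switched on.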
placement:reshaper:reshape policy default has been changed to