Wallaby Series Release Notes

5.0.0

New Features

  • The default policies provided by placement have been updated to add support for read-only roles. This is part of a broader community effort to support read-only roles and implement secure, consistent default policies. Refer to the Keystone documentation for more information on the reason for these changes.

    Previously, all policies defaulted to rule:admin_api, which mapped to role:admin. The following rules now default to role:admin and system_scope:all instead:

    • placement:allocation_candidates:list

    • placement:allocations:delete

    • placement:allocations:list

    • placement:allocations:manage

    • placement:allocations:update

    • placement:reshaper:reshape

    • placement:resource_classes:list

    • placement:resource_classes:create

    • placement:resource_classes:show

    • placement:resource_classes:update

    • placement:resource_classes:delete

    • placement:resource_providers:create

    • placement:resource_providers:delete

    • placement:resource_providers:list

    • placement:resource_providers:show

    • placement:resource_providers:update

    • placement:resource_providers:aggregates:list

    • placement:resource_providers:aggregates:update

    • placement:resource_providers:allocations:list

    • placement:resource_providers:inventories:create

    • placement:resource_providers:inventories:delete

    • placement:resource_providers:inventories:list

    • placement:resource_providers:inventories:show

    • placement:resource_providers:inventories:update

    • placement:resource_providers:traits:delete

    • placement:resource_providers:traits:list

    • placement:resource_providers:traits:update

    • placement:resource_providers:usages

    • placement:traits:list

    • placement:traits:show

    • placement:traits:update

    • placement:traits:delete

    The following rule now defaults to (role:reader and system_scope:all) or role:reader and project_id:%(project_id)s instead:

    • placement:usages

    More information on these policy defaults can be found in the documentation.

  • The default policy used for the /usages API, placement:usages, has been updated to allow project users to view information about resource usage for their project, specified using the project_id query string parameter. Previously this API was restricted to admins.

Upgrade Notes

  • The default value of [oslo_policy] policy_file config option has been changed from policy.json to policy.yaml. Operators who are utilizing customized or previously generated static policy JSON files (which are not needed by default), should generate new policy files or convert them in YAML format. Use the oslopolicy-convert-json-to-yaml tool to convert a JSON to YAML formatted policy file in backward compatible way.

  • The deprecated placement policy has now been removed. This policy was used prior to the introduction of granular policies in the nova 18.0.0 (Rocky) release.

  • The deprecated [placement]/policy_file configuration option is removed Use the more standard [oslo_policy]/policy_file config option. If you do not override policy with custom rules you will have nothing to do. If you do override the placement default policy then you will need to update your configuration to use the [oslo_policy]/policy_file config option.

Deprecation Notes

  • Use of JSON policy files was deprecated by the oslo.policy library during the Victoria development cycle. As a result, this deprecation is being noted in the Wallaby cycle with an anticipated future removal of support by oslo.policy. As such operators will need to convert to YAML policy files. Please see the upgrade notes for details on migration of any custom policy files.