https://review.openstack.org/#/c/126265/ made many changes to ironic's policy code, including changes to the default /etc/ironic/policy.json. The assumption across most projects is that /etc files are configuration, and that newer versions of a project should function correctly with older versions of configuration. However, the recent changes to ironic's policy engine require the newer policy rules be configured. Attempting to use a checkout of master with a pre-126265 policy.json results in 403's for admin users attempting to use the api.
This was discovered via the experimental grenade upgrade job, which brings up the Kilo service using Juno config:
http://logs.openstack.org/74/124474/4/experimental/check-grenade-dsvm-ironic/4edd6f2/logs/grenade.sh.txt.gz#_2015-01-08_06_45_22_199
http://logs.openstack.org/74/124474/4/experimental/check-grenade-dsvm-ironic/4edd6f2/logs/new/screen-ir-api.txt.gz#_2015-01-08_06_43_25_026
We either need to add some backward compat code to check against the old policies as well, or be loud about this in release notes and add an upgrade step to grenade to update policies before starting the new version.
Fix proposed to branch: master /review. openstack. org/145984
Review: https:/