Need documentation on recommended operator workflow for deprecated policies

Bug #1853170 reported by Ben Nemec on 2019-11-19
This bug affects 1 person

Bug Description

As developers we have come up with a recommended way to handle deprecated policies, but as far as I can tell we never wrote that down in the admin docs for oslo.policy. We need to do that.

At a high level, the flow goes something like this:
1) Service deprecates a policy, which causes the old policy to be OR'd with the new policy so nothing breaks
2) Operator sees deprecation warnings and makes any necessary changes to their user configurations to support the new policy
3) When operator thinks they are ready for the new policy, they explicitly set the new policy rule in their policy file which prevents oslo.policy from doing the OR'ing mentioned above
4) Operator verifies that their deployment is still working when using only the new policy rule
5) Once all of the policy rules have been migrated and there are no more deprecation warnings in the service logs, set enforce_scope to true? <- Lance, please correct me if I'm wrong here.

This is going to be particularly important as more projects start to move to supporting scopes and default roles because there will be a lot of policy deprecations happening.
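The five-step flow above, sketched as an added example (not part of the original report and not oslo.policy's own code). It is a simplified model in which a policy check is just a set of accepted roles; the rule name, roles and users are constructed, and implied roles are ignored. It shows the step 4 question an operator needs answered before overriding a rule: who passes only because of the OR with the deprecated policy.

```python
# Simplified model of the deprecation flow; NOT oslo.policy's implementation.
# A "check" here is a set of accepted roles. All names are constructed.

# Service defaults: the new check plus the deprecated check it replaces.
DEFAULTS = {
    "example:get_widget": {"new": {"reader"}, "deprecated": {"admin", "member"}},
}

def effective_roles(rule, policy_file):
    """Roles accepted for `rule`, given the operator's policy file overrides."""
    if rule in policy_file:
        # Step 3: an explicit entry in the policy file stops the OR'ing.
        return set(policy_file[rule])
    # Step 1: no override, so the new check is OR'd with the deprecated one.
    default = DEFAULTS[rule]
    return default["new"] | default["deprecated"]

def is_allowed(user_roles, rule, policy_file):
    """True if any of the user's roles is accepted for `rule`."""
    return bool(set(user_roles) & effective_roles(rule, policy_file))

def users_losing_access(users, rule, policy_file_after):
    """Step 4: users who pass the OR'd default but fail once the override is set."""
    return sorted(
        name for name, roles in users.items()
        if is_allowed(roles, rule, {})
        and not is_allowed(roles, rule, policy_file_after)
    )

# Constructed role assignments and the override the operator plans to deploy.
RULE = "example:get_widget"
USERS = {"alice": ["admin"], "bob": ["member", "reader"],
         "carol": ["reader"], "dave": []}
OVERRIDE = {RULE: ["reader"]}

if __name__ == "__main__":
    # Before step 2: alice relies on the deprecated check only.
    print("would break:", users_losing_access(USERS, RULE, OVERRIDE))
    # Step 2: grant alice the role the new policy expects, then re-check.
    fixed = dict(USERS, alice=["admin", "reader"])
    print("after role fix:", users_losing_access(fixed, RULE, OVERRIDE))
```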
