We enthusiastically announce the release of:

ironic-inspector 12.0.0: Hardware introspection for OpenStack Bare
Metal

This release is part of the caracal release series.

The source is available from:

    https://opendev.org/openstack/ironic-inspector

Download the package from:

    https://tarballs.openstack.org/ironic-inspector/

Please report issues through:

    https://storyboard.openstack.org/#!/project/944

For more details, please see below.

12.0.0
^^^^^^

Upgrade Notes
*************

* The legacy Role Based Access Control policy used by ironic-inspector
  has been disabled by default. The end result of this is that the
  legacy "baremetal_admin" and "baremetal_observer" roles are no
  longer enabled by default. System scoped access can be used to
  connect to the "ironic-inspector" service, or alternatively a user
  with an "admin" or "service" role can be used.

  The Ironic project does not anticipate any issues with this change,
  as the "ironic-inspector" service is a service *for* the system
  itself. That being said, if the operator-deployed configuration
  relies on the deprecated roles, configuration changes will be
  required.

  This change is a result of the new policy which was introduced as
  part of the Consistent and Secure RBAC community goal and the
  underlying "[oslo_policy] enforce_scope" and "[oslo_policy]
  enforce_new_defaults" settings being changed to "True".

  Operators wishing to revert to the old policy configuration may do
  so by setting the following values in "ironic-inspector.conf":

     [oslo_policy]
     enforce_new_defaults=False
     enforce_scope=False

  Operators who revert the configuration are encouraged to make the
  necessary changes to their configuration, as the legacy RBAC policy
  will be removed at some point in the future. Please review
  2024.1-Release Timeline. Failure to do so may force operators to
  craft custom policy override configuration.
  (https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html)
  (https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3)

Bug Fixes
*********

* If the raw LLDP data collected by the inspection process includes
  non-UTF-8 information, the parser fails, breaking the inspection
  process. This patch works around that by excluding the malformed
  data and adding an entry in the logs to provide information on the
  failed TLV.

* Fixes the Role Based Access Control state and capabilities to align
  with OpenStack Community RBAC goals, which include support for a
  "service" role by default to enable inter-service communication to
  be configured without an "admin" username. In large part, these
  changes were missed as the Inspector service is considered an
  "admin-only" service.

  This is also in alignment with overall community position changes,
  where the "admin" role is sufficient without an explicit "system"
  scope. To help ensure a high level of security, explicit testing was
  also added for the "manager" role, which is unavailable as that role
  is reserved for administrative functions inside of a tenant's
  project.
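The LLDP fix described above, sketched as an added example (this is not ironic-inspector's own code): a minimal TLV parser that drops a text TLV whose value is not valid UTF-8 and logs it instead of failing. It assumes raw LLDPDU bytes as input; the function names, logger name and sample data are constructed for illustration.

```python
import logging
import struct

LOG = logging.getLogger("lldp_example")  # hypothetical logger name

# IEEE 802.1AB TLV types whose value is a text string.
STRING_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) from a raw LLDPDU; stop at End TLV or truncation."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x01FF  # 7-bit type, 9-bit length
        offset += 2
        if tlv_type == 0:  # End of LLDPDU
            return
        if offset + length > len(lldpdu):
            LOG.warning("TLV type %d truncated, stopping", tlv_type)
            return
        yield tlv_type, lldpdu[offset:offset + length]
        offset += length


def parse_string_tlvs(lldpdu: bytes):
    """Return (decoded, skipped): text TLVs by name, and types dropped as malformed."""
    decoded, skipped = {}, []
    for tlv_type, value in iter_tlvs(lldpdu):
        name = STRING_TLVS.get(tlv_type)
        if name is None:
            continue
        try:
            decoded[name] = value.decode("utf-8")
        except UnicodeDecodeError as exc:
            # Drop only the bad TLV and log it; do not abort the whole report.
            LOG.warning("Skipping TLV type %d (%s): %s", tlv_type, name, exc)
            skipped.append(tlv_type)
    return decoded, skipped


def make_tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV; helper for the constructed sample below."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample: the system description contains invalid UTF-8 bytes.
SAMPLE = (make_tlv(5, b"switch-01") + make_tlv(6, b"vendor \xff\xfe os")
          + make_tlv(4, b"Ethernet1/1") + make_tlv(0, b""))
```

Calling parse_string_tlvs(SAMPLE) keeps the system name and port description and reports type 6 as skipped, so one malformed TLV does not lose the rest of the neighbour data.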
Changes in ironic-inspector 11.8.0..12.0.0
------------------------------------------

fff8008 Change policy to enforce only new policy
c08ab06 [codespell] Adding CI target for Tox Codespell
fd0d817 [codespell] Adding Tox Target for Codespell
98a226b [codespell] Fixing Spelling Mistakes
0fb5589 Update python classifier in setup.cfg
5523b11 Fix RBAC access for service/admin user access
db76af9 Handle LLDP parse Unicode error
bf59b80 Fix versions in release notes
dc5da67 Suppress logs from stevedore
969cccb [coordination] backend_url should be secret

Diffstat (except docs and test files)
-------------------------------------

 devstack/plugin.sh                                 |   4 +-
 ironic_inspector/common/lldp_tlvs.py               |   2 +-
 ironic_inspector/common/swift.py                   |   2 +-
 ironic_inspector/conf/coordination.py              |   1 +
 ironic_inspector/conf/opts.py                      |   1 +
 ironic_inspector/db/api.py                         |   4 +-
 .../18440d0834af_introducing_the_aborting_state.py |   2 +-
 ironic_inspector/main.py                           |   2 +-
 ironic_inspector/node_cache.py                     |  10 +-
 ironic_inspector/plugins/lldp_basic.py             |  11 +-
 ironic_inspector/plugins/local_link_connection.py  |   2 +-
 ironic_inspector/policy.py                         |  40 ++-
 ironic_inspector/test/unit/test_acl.py             | 359 ++++++++++++++++++++-
 ironic_inspector/test/unit/test_introspect.py      |   2 +-
 .../notes/accelerators-2aa4f0cedf359810.yaml       |   2 +-
 .../notes/extra-check-9cf0a7d89e534ccd.yaml        |   2 +-
 .../notes/fix-lldp-decode-83f4ad3869b0c7a7.yaml    |   9 +
 .../keystoneauth-plugins-aab6cbe1d0e884bf.yaml     |  12 +-
 ...gacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml |  35 ++
 .../notes/policy-engine-c44828e3131e6c62.yaml      |   2 +-
 ...-deny-unknown-host-option-b84b2aa1f7f49a17.yaml |   2 +-
 ...or-openstack-rbac-changes-7ca8533f76e504d5.yaml |  14 +
 ...qlalchemy-minimum-version-cd34a2e10d7946fd.yaml |   2 +-
 releasenotes/source/2023.1.rst                     |   6 +-
 releasenotes/source/2023.2.rst                     |   6 +-
 .../locale/en_GB/LC_MESSAGES/releasenotes.po       |  12 +-
 releasenotes/source/zed.rst                        |   6 +-
 setup.cfg                                          |   7 +
 tox.ini                                            |   8 +
 zuul.d/ironic-inspector-jobs.yaml                  |   9 +
 zuul.d/project.yaml                                |   2 +
 31 files changed, 519 insertions(+), 59 deletions(-)