- The default API policy shipped with Nova contained many policies set to
""(allow all) which was not the proper default for many of those checks. It
was also a source of confusion as some people thought "" meant to use the
default rule. These empty policies have been updated to be explicit in all
Many of them were changed to match the default rule of "admin_or_owner"
which is a more restrictive policy check but does not change the
restrictiveness of the API calls overall because there are similar checks
in the database already.
This does not affect any existing deployment, just the default policy used
by new deployments.