Add a release note for application credentials

bp application-credentials

Change-Id: Id3846c65d6ae805d70e0cc911faf0f25e3d28cf0

releasenotes/notes/bp-application-credentials-c699f1f17c7d4e2f.yaml

@@ -0,0 +1,24 @@
+---
+prelude: >
+    This release adds support for Application Credentials, a new way to allow
+    applications and automated tooling to authenticate with keystone. Rather
+    than storing a username and password in an application's config file, which
+    can pose security risks, you can now create an application credential to
+    allow an application to authenticate and acquire a preset scope and role
+    assignments. This is especially useful for LDAP and federated users, who
+    can now delegate their cloud management tasks to a keystone-specific
+    resource, rather than share their externally managed credentials with
+    keystone and risk a compromise of those external systems. Users can
+    delegate a subset of their role assignments to an application credential,
+    allowing them to strategically limit their application's access to the
+    minimum needed. Unlike passwords, a user can have more than one active
+    application credential, which means they can be rotated without causing
+    downtime for the applications using them.
+features:
+  - |
+    [`blueprint application-credentials <https://blueprints.launchpad.net/keystone/+spec/application-credentials>`_]
+    Users can now create Application Credentials, a new keystone resource that
+    can provide an application with the means to get a token from keystone with
+    a preset scope and role assignments. To authenticate with an application
+    credential, an application can use the normal token API with the
+    'application_credential' auth method.