Add a release note for application credentials

bp application-credentials

Change-Id: Id3846c65d6ae805d70e0cc911faf0f25e3d28cf0
Colleen Murphy 2018-01-18 22:49:48 +01:00
parent d827e6e3ab
commit 9da1929757
1 changed files with 24 additions and 0 deletions

@ -0,0 +1,24 @@
---
prelude: >
This release adds support for Application Credentials, a new way to allow
applications and automated tooling to authenticate with keystone. Rather
than storing a username and password in an application's config file, which
can pose security risks, you can now create an application credential to
allow an application to authenticate and acquire a preset scope and role
assignments. This is especially useful for LDAP and federated users, who
can now delegate their cloud management tasks to a keystone-specific
resource, rather than share their externally managed credentials with
keystone and risk a compromise of those external systems. Users can
delegate a subset of their role assignments to an application credential,
allowing them to strategically limit their application's access to the
minimum needed. Unlike passwords, a user can have more than one active
application credential, which means they can be rotated without causing
downtime for the applications using them.
features:
- |
[`blueprint application-credentials <https://blueprints.launchpad.net/keystone/+spec/application-credentials>`_]
Users can now create Application Credentials, a new keystone resource that
can provide an application with the means to get a token from keystone with
a preset scope and role assignments. To authenticate with an application
credential, an application can use the normal token API with the
'application_credential' auth method.
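
Review bot: In the prelude, the contrast with "storing a username and password in an application's config file" never says what the application stores in its place, so a reader could conclude that nothing sensitive has to be kept in the config any more. Suggest adding one sentence that states what the application holds and that it still needs to be protected. In the features entry, "the normal token API with the 'application_credential' auth method" is named without a pointer to the API reference or user guide; a link beside the blueprint link would let operators act on the note. As a wording point, "acquire a preset scope and role assignments" in the prelude would read better as "acquire a token with a preset scope and role assignments", which also matches the phrasing in the features entry.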