From 9da192975733152f2729e293e90eb87fdbd3279d Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Thu, 18 Jan 2018 22:49:48 +0100 Subject: [PATCH] Add a release note for application credentials bp application-credentials Change-Id: Id3846c65d6ae805d70e0cc911faf0f25e3d28cf0 --- ...lication-credentials-c699f1f17c7d4e2f.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 releasenotes/notes/bp-application-credentials-c699f1f17c7d4e2f.yaml diff --git a/releasenotes/notes/bp-application-credentials-c699f1f17c7d4e2f.yaml b/releasenotes/notes/bp-application-credentials-c699f1f17c7d4e2f.yaml new file mode 100644 index 0000000000..71a7963b87 --- /dev/null +++ b/releasenotes/notes/bp-application-credentials-c699f1f17c7d4e2f.yaml @@ -0,0 +1,24 @@ +--- +prelude: > + This release adds support for Application Credentials, a new way to allow + applications and automated tooling to authenticate with keystone. Rather + than storing a username and password in an application's config file, which + can pose security risks, you can now create an application credential to + allow an application to authenticate and acquire a preset scope and role + assignments. This is especially useful for LDAP and federated users, who + can now delegate their cloud management tasks to a keystone-specific + resource, rather than share their externally managed credentials with + keystone and risk a compromise of those external systems. Users can + delegate a subset of their role assignments to an application credential, + allowing them to strategically limit their application's access to the + minimum needed. Unlike passwords, a user can have more than one active + application credential, which means they can be rotated without causing + downtime for the applications using them. +features: + - | + [`blueprint application-credentials `_] + Users can now create Application Credentials, a new keystone resource that + can provide an application with the means to get a token from keystone with + a preset scope and role assignments. To authenticate with an application + credential, an application can use the normal token API with the + 'application_credential' auth method.