25 lines
1.5 KiB
YAML
25 lines
1.5 KiB
YAML
---
|
|
prelude: >
|
|
This release adds support for Application Credentials, a new way to allow
|
|
applications and automated tooling to authenticate with keystone. Rather
|
|
than storing a username and password in an application's config file, which
|
|
can pose security risks, you can now create an application credential to
|
|
allow an application to authenticate and acquire a preset scope and role
|
|
assignments. This is especially useful for LDAP and federated users, who
|
|
can now delegate their cloud management tasks to a keystone-specific
|
|
resource, rather than share their externally managed credentials with
|
|
keystone and risk a compromise of those external systems. Users can
|
|
delegate a subset of their role assignments to an application credential,
|
|
allowing them to strategically limit their application's access to the
|
|
minimum needed. Unlike passwords, a user can have more than one active
|
|
application credential, which means they can be rotated without causing
|
|
downtime for the applications using them.
|
|
features:
|
|
- |
|
|
[`blueprint application-credentials <https://blueprints.launchpad.net/keystone/+spec/application-credentials>`_]
|
|
Users can now create Application Credentials, a new keystone resource that
|
|
can provide an application with the means to get a token from keystone with
|
|
a preset scope and role assignments. To authenticate with an application
|
|
credential, an application can use the normal token API with the
|
|
'application_credential' auth method.
|