39 lines
1.8 KiB
YAML
39 lines
1.8 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
|
|
The user API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles.
|
|
upgrade:
|
|
- |
|
|
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
|
|
The ``GET /v3/users/{user_id`` API now properly returns an ``HTTP
|
|
403 Forbidden`` as opposed to ``HTTP 404 Not Found`` if the calling
|
|
user doesn't have authorization to call the API. This applies consistent
|
|
authorititive policy checks to the API.
|
|
|
|
The user API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides
|
|
user policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
|
|
The user policies have been deprecated. The ``identity:get_user`` now uses
|
|
``(role:reader and system_scope:all) or user_id:%(target.user.id)s``
|
|
instead of ``rule:admin_or_owner``. The ``identity:list_users`` policy now
|
|
uses ``role:reader and system_scope:all`` instead of
|
|
``rule:admin_required``. The ``identity:create_user``,
|
|
``identity:update_user``, and ``identity:delete_user`` policies now use
|
|
``role:admin and system_scope:all`` instead of ``rule:admin_required``.
|
|
These new defaults automatically account
|
|
for system-scope and support a read-only role, making it easier
|
|
for system administrators to delegate subsets of responsibility
|
|
without compromising security. Please consider these new defaults
|
|
if your deployment overrides the user policies.
|
|
security:
|
|
- |
|
|
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
|
|
The user API now uses system-scope and default roles to
|
|
provide better accessibility to users in a secure way.
|