keystone/releasenotes/notes/bug-1750669-dfce859550126f0...

53 lines
2.7 KiB
YAML

---
features:
- |
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
The system assignment API now supports the ``admin``, ``member``,
and ``reader`` default roles across system-scope, domain-scope, and
project-scope. The grant API now supports the ``admin``,
``member``, and ``reader`` default roles for system-scope.
upgrade:
- |
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
The system assignment and grant APIs uses new default policies that
make it more accessible to end users and administrators in a secure
way. Please consider these new defaults if your deployment
overrides system assignment policies.
deprecations:
- |
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
The system assignment and grant policies have been deprecated. The
``identity:list_system_grants_for_user``,
``identity:check_system_grant_for_user``,
``identity:list_system_grants_for_group``, and
``identity:check_system_grant_for_group`` policies now use
``role:reader and system_scope:all`` instead of
``rule:admin_required``. The
``identity:create_system_grant_for_user``,
``identity:revoke_system_grant_for_user``,
``identity:create_system_grant_for_group``, and
``identity:revoke_system_grant_for_group`` policies now use
``role:admin and system_scope:all`` instead of
``rule:admin_required``. The ``identity:check_grant`` and
``identity:list_grants`` policies now use ``role:reader and
system_scope:all`` instead of ``rule:admin_required``. The
``identity:create_grant`` and ``identity:revoke_grant`` policies
now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``. These new defaults automatically include
support for a read-only role and allow for more granular access to
the system assignment and grant APIs, making it easier for
administrators to delegate authorization, safely. Please consider
these new defaults if your deployment overrides the system
assignment APIs.
security:
- |
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
The system assignment API now uses system-scope, domain-scope,
project-scope, and default roles to provide better accessibility to
users in a secure way. The grant API now uses system-scope and
default to provide better accessbility to operators.