keystone/releasenotes/notes/bug-1750673-b53f74944d767ae...

31 lines
1.3 KiB
YAML

---
features:
- |
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
The role assignment API now supports the ``admin``, ``member``, and
``reader`` default roles across system-scope, domain-scope, and
project-scope.
upgrade:
- |
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
The role assignment API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new policies if your deployment overrides role
assignment policies.
deprecations:
- |
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
The role assignment ``identity:list_role_assignments`` policy now
uses ``(role:reader and system_scope:all) or (role:reader and
domain_id:%(target.domain.id)s)`` instead of ``rule:admin_required``.
This new default automatically includes support for a read-only role
and allows for more granular access to the role assignment API. Please
consider this new default if your deployment overrides the role
assignment policies.
security:
- |
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
The role assignment API now uses system-scope, domain-scope,
project-scope, and default roles to provide better accessbility to
users in a secure way.