keystone/releasenotes/notes/bug-1750676-cf70c1a27b2c8de...

36 lines
1.8 KiB
YAML

---
features:
- |
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
The token API now supports the ``admin``, ``member``, and ``reader``
default roles.
upgrade:
- |
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
The token API uses new default policies that make it easier for system
users to delegate functionality in a secure way. Please consider the new
policies if your deployment overrides the token policies.
deprecations:
- |
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
The ``identity:check_token`` policy now uses ``(role:reader and
system_scope:all) or rule:token_subject`` instead of ``rule:admin_required
or rule:token_subject``. The ``identity:validate_token`` policy now uses
``(role:reader and system_scope:all) or rule:service_role or
rule:token_subject`` instead or ``rule:service_or_admin or
rule:token_subject``. The ``identity:revoke_token`` policy now uses
``(role:admin and system_scope:all) or rule:token_subject`` instead of
``rule:admin_or_token_subject``. These new defaults automatically account
for a read-only role by default and allow more granular access to the API.
Please consider these new defaults if your deployment overrides the token
policies.
security:
- |
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
The token API now uses system-scope and default roles properly to provide
more granular access to the token API.