keystone/releasenotes/notes/bug-1750678-88a38851ca80fc6...

37 lines
1.8 KiB
YAML

---
features:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials API now supports the ``admin``,
``member``, and ``reader`` default roles.
upgrade:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials API uses new default policies to
make it more accessible to end users and administrators in a secure way.
Please consider these new defaults if your deployment overrides EC2
credentials consumer policies.
deprecations:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials policies have been deprecated. The
``identity:ec2_get_credentials`` now use ``(role:reader and system_scope:all)
or user_id:%(target.credential.user_id)s`` instead of
``rule:admin_required``and ``identity:ec2_list_credentials`` policies now use
``role:reader and system_scope:all or rule:owner`` instead of
``rule:admin_required``. The ``identity:ec2_delete_credentials`` now use
``(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s``
instead of ``rule:admin_required``and ``identity:ec2_create_credentials``
policies now use ``role:admin and system_scope:all or rule:owner`` instead of
``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to delegate
subsets of responsibility without compromising security. Please consider
these new defaults if your deployment overrides the EC2 credentials policies.
security:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials API now uses system-scope and default
roles to provide better accessibility to users in a secure manner.