keystone/releasenotes/notes/bug-1804463-74537652166cf65...

32 lines
1.5 KiB
YAML

---
features:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The services API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The services API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
service policies.
deprecations:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The service policies have been deprecated. The ``identity:get_service`` and
``identity:list_services`` policies now use ``(role:reader and
system_scope:all)`` instead of ``rule:admin_required``. The
``identity:create_service``, ``identity:update_service``, and
``identity:delete_service`` policies now use ``(role:admin and
system_scope:all)`` instead of ``rule:admin_required``. These new defaults
automatically account for system-scope and support a read-only role, making
it easier for system administrators to delegate subsets of responsibility
without compromising security. Please consider these new defaults if your
deployment overrides service policies.
security:
- |
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
The services API now uses system-scope and default roles to
provide better accessibility to users in a secure way.