keystone/releasenotes/notes/bug-1804522-00df902cd2d74ee...

35 lines
1.6 KiB
YAML

---
features:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider API now supports the ``admin``, ``member``,
and ``reader`` default roles.
upgrade:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider API uses new default policies that
make it more accessible to end users and administrators. Please consider
these new defaults if your deployment overrides federated service provider
policies.
deprecations:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider policies have been deprecated. The
``identity:get_service_provider`` and
``identity:list_service_providers`` policies now use ``role:reader
and system_scope:all`` instead of ``rule:admin_required``. The
``identity:create_service_provider``,
``identity:update_service_provider``, and
``identity:delete_service_provider`` policies now use ``role:admin
and system_scope:all`` instead of ``rule:admin_required``. These
new defaults automatically include support for a read-only role
and allow for more granular access to service provider APIs,
making it easier for system administrators to delegate
authorization. Please consider these new defaults if your
deployment overrides the federated service provider policies.
security:
- |
[`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
The federated service provider API now uses system-scope and default
roles to provide better accessibility to users in a secure way.