keystone/releasenotes/notes/bug-1805369-ed98d3fcfafb5c4...

48 lines
2.4 KiB
YAML

---
features:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group API now supports the ``admin``, ``member``, and
``reader`` default roles.
- |
[`bug 1808859 <https://bugs.launchpad.net/keystone/+bug/1808859>`_]
The group API now supports using the ``domain`` scope type for performing
domain-specific actions on groups and group membership.
upgrade:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
group policies.
deprecations:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group policies have been deprecated. The ``identity:get_group``,
``identity:list_groups``, ``identity:list_users_in_group``, and
``identity:check_user_in_group`` policies now use ``role:reader and
system_scope:all or (role:reader and
domain_id:%(target.group.domain_id)s)`` instead of ``rule:admin_required``.
The ``identity:list_groups_for_user`` policy now uses ``(role:reader and
system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)
or or user_id:%(user_id)s`` instead of ``rule:admin_or_owner``. The
``identity:create_group``, ``identity:update_group``,
``identity:delete_group``, ``identity:remove_user_from_group``, and
``identity:add_user_to_group`` policies now use ``role:admin and
system_scope:all or (role:admin and domain_id:%(target.group.domain_id)s)``
instead of ``rule:admin_required``. These new defaults automatically
account for system-scope and domain-scope and support a read-only role,
making it easier for system administrators to delegate subsets of
responsibility without compromising security. Please consider these new
defaults if your deployment overrides group policies.
security:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group API now uses system-scope and default roles to
provide better accessibility to users in a secure way.
- |
[`bug 1808859 <https://bugs.launchpad.net/keystone/+bug/1808859>`_]
The group API now supports using the ``domain`` scope for the reader,
member, and admin role to provide better accessibility to users in a
secure way.