keystone/releasenotes/notes/bug-1805402-75d0d93f31af620...

33 lines
1.4 KiB
YAML

---
features:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides role
policies.
deprecations:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role policies have been deprecated. The ``identity:get_role`` and
``identity:list_roles`` policies now use ``role:reader and
system_scope:all`` instead of ``rule:admin_required``. The
``identity:create_role``, ``identity:update_role``, and
``identity:delete_role`` policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``. These new
defaults automatically account for system-scope and support a read-only
role, making it easier for system administrators to delegate subsets of
responsibility without compromising security. Please consider these new
defaults if your deployment overrides the role policies.
security:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API now uses system-scope and default roles to provide
better accessibility to users in a secure way.