keystone/releasenotes/notes/bug-1805406-252b45d443af20b...

42 lines
2.0 KiB
YAML

---
features:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The ``GET /v3/users/{user_id`` API now properly returns an ``HTTP
403 Forbidden`` as opposed to ``HTTP 404 Not Found`` if the calling
user doesn't have authorization to call the API. This applies consistent
authorititive policy checks to the API.
The user API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
user policies.
deprecations:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user policies have been deprecated. The ``identity:get_user`` now uses
``(role:reader and system_scope:all) or (role:reader and
token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s``
instead of ``rule:admin_or_owner``. The ``identity:list_users`` policy now
uses ``(role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain_id)s)`` instead of
``rule:admin_required``. The ``identity:create_user``,
``identity:update_user``, and ``identity:delete_user`` policies now use
``(role:admin and system_scope:all) or (role:admin and
token.domain.id:%(target.user.domain_id)s)`` instead of ``rule:admin_required``.
These new defaults automatically account for system-scope, domain-scope,
and support a read-only role, making it easier for system and domain
administrators to delegate subsets of responsibility without compromising
security. Please consider these new defaults if your deployment overrides
the user policies.
security:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user API now uses system-scope and default roles to
provide better accessibility to users in a secure way.