keystone/releasenotes/notes/bug-1844194-48ae60db49f91bd...

44 lines
2.1 KiB
YAML

---
features:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API now supports the ``admin``, ``member``, and ``reader``
default roles.
upgrade:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API now uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides the project
tags policies.
deprecations:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API policies have been deprecated. The
``identity:get_project_tag`` and ``identity:list_project_tags``
policies now use ``(role:reader and system_scope:all) or
(role:reader and domain_id:%(target.project.domain_id)s) or
project_id:%(target.project.id)s`` instead of
``rule:admin_required or project_id:%(target.project.id)s``. The
``identity:update_project_tags``, ``identity:delete_project_tags``,
``identity:delete_project_tag``, and ``identity:create_project_tag``
policies now use ``(role:admin and system_scope:all) or (role:admin
and domain_id:%(target.project.domain_id)s) or (role:admin and
project_id:%(target.project.id)s)`` instead of
``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to
delegate subsets of responsibility with compromising security. Please
consider these new defaults if your deployment overrides the project
tag policies.
security:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API now uses system-scope and default roles to
provide better accessibility to users in a secure way.