keystone/releasenotes/notes/bug-1844461-08a8bdc5f613b88...

---
features:
- |
[`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
Listing role assignments for a project subtree is now allowed by system
readers and domain readers in addition to project admins.
upgrade:
- |
[`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
The ``identity:list_role_assignments_for_subtree`` policy now allows system
and domain readers to list role assignments for a project subtree and
deprecates the old ``rule:admin_required`` policy check string. Please
consider the new policies if your deployment overrides role
assignment policies.
deprecations:
- |
[`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
The role assignment ``identity:list_role_assignments_for_subtree`` policy
now uses ``(role:reader and system_scope:all) or (role:reader and
domain_id:%(target.project.domain_id)s) or (role:admin and
project_id:%(target.project.id)s)`` instead of ``rule:admin_required``.
This new default automatically includes support for a read-only role
and allows for more granular access to the role assignment API. Please
consider this new default if your deployment overrides the role
assignment policies.
security:
- |
[`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
Listing role assignments for a project subtree now uses system-scope,
domain-scope, project-scope, and default roles, so read-only users can
list assignments for a subtree without being granted the ``admin`` role.
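The deprecations entry above gives the new default check string but not how it decides for a given token. The following is an added worked example, not keystone or oslo.policy code: it implements only the subset of the oslo.policy check-string grammar that the old and new defaults use (``role:``, ``rule:`` references, generic attribute checks with ``%(...)s`` substitution, ``and``/``or``, parentheses) and evaluates both defaults against a few constructed credential sets. Two assumptions are made: the deprecated ``admin_required`` rule is taken to be the classic keystone definition ``role:admin or is_admin:1``, and the target is passed flattened with dotted keys such as ``target.project.domain_id``.

```python
"""Evaluate identity:list_role_assignments_for_subtree before/after bug 1844461.

Added example, not keystone or oslo.policy code. It covers only the check
string subset used by the two defaults. Credentials and target below are
constructed; the flattened target keys and the admin_required definition
are assumptions for this example.
"""
import re

OLD_RULE = "rule:admin_required"
NEW_RULE = (
    "(role:reader and system_scope:all) or "
    "(role:reader and domain_id:%(target.project.domain_id)s) or "
    "(role:admin and project_id:%(target.project.id)s)"
)
# Assumption: the classic keystone definition of the deprecated rule.
RULES = {"admin_required": "role:admin or is_admin:1"}

# Tokens: parentheses, the keywords and/or, and `kind:value` atoms whose
# value may be a %(target.key)s substitution.
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[a-z_]+:(?:%\([^)]*\)s|[^\s()]+)")


def _parse(tokens):
    """Recursive descent over the token list; 'and' binds tighter than 'or'."""
    def primary():
        tok = tokens.pop(0)
        if tok == "(":
            node = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return node
        return ("atom", tok)

    def and_expr():
        node = primary()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            node = ("and", node, primary())
        return node

    def or_expr():
        node = and_expr()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            node = ("or", node, and_expr())
        return node

    node = or_expr()
    if tokens:
        raise ValueError("trailing tokens: %r" % tokens)
    return node


def _atom(check, creds, target):
    """Evaluate one 'kind:value' check against the credentials."""
    kind, _, value = check.partition(":")
    if kind == "rule":                      # reference to a named rule
        return enforce(RULES[value], creds, target)
    if kind == "role":                      # role membership
        return value in creds.get("roles", [])
    # Generic check: a %(key)s on the right is taken from the target, then
    # compared as a string with the credential attribute named `kind`.
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    if value is None or kind not in creds:
        return False
    return str(creds[kind]) == str(value)


def _check(node, creds, target):
    if node[0] == "and":
        return _check(node[1], creds, target) and _check(node[2], creds, target)
    if node[0] == "or":
        return _check(node[1], creds, target) or _check(node[2], creds, target)
    return _atom(node[1], creds, target)


def enforce(rule, creds, target):
    """Return True if `creds` satisfy `rule` for `target`."""
    return _check(_parse(TOKEN.findall(rule)), creds, target)


# Constructed target (project p1 in domain d1) and constructed personas.
TARGET = {"target.project.id": "p1", "target.project.domain_id": "d1"}
PERSONAS = {
    "system reader": {"roles": ["reader"], "system_scope": "all"},
    "domain d1 reader": {"roles": ["reader"], "domain_id": "d1"},
    "domain d2 reader": {"roles": ["reader"], "domain_id": "d2"},
    "project p1 admin": {"roles": ["admin", "member", "reader"], "project_id": "p1"},
    "project p1 member": {"roles": ["member", "reader"], "project_id": "p1"},
}


def decision_table():
    """Map persona -> (allowed by old default, allowed by new default)."""
    return {name: (enforce(OLD_RULE, c, TARGET), enforce(NEW_RULE, c, TARGET))
            for name, c in PERSONAS.items()}


if __name__ == "__main__":
    for name, (old, new) in decision_table().items():
        print("%-18s old=%-5s new=%s" % (name, old, new))
```

Running the table shows the change this note describes: the system reader and the reader on the project's own domain (d1) go from denied to allowed, a reader on an unrelated domain (d2) and a plain project member stay denied, and the project admin is allowed under both strings. If a deployment overrides this policy, the override should reproduce at least the two reader clauses or the new read-only access is lost.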