keystone/releasenotes/notes/bug-1750669-dfce859550126f0...

---
features:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API now supports the ``admin``, ``member``,
    and ``reader`` default roles across system-scope, domain-scope,
    and project-scope.
upgrade:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API uses new default policies that make it more
    accessible to end users and administrators in a secure way. Please
    consider these new defaults if your deployment overrides system
    assignment policies.
deprecations:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment policies have been deprecated. The
    ``identity:list_system_grants_for_user``,
    ``identity:check_system_grant_for_user``,
    ``identity:list_system_grants_for_group``, and
    ``identity:check_system_grant_for_group`` policies now use
    ``role:reader and system_scope:all`` instead of
    ``rule:admin_required``. The ``identity:create_system_grant_for_user``,
    ``identity:revoke_system_grant_for_user``,
    ``identity:create_system_grant_for_group``, and
    ``identity:revoke_system_grant_for_group`` policies now use ``role:admin
    and system_scope:all`` instead of ``rule:admin_required``. These new
    defaults automatically include support for a read-only role and allow for
    more granular access to the system assignment API, making it easier for
    administrators to delegate authorization safely. Please consider these new
    defaults if your deployment overrides the system assignment APIs.
security:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API now uses system-scope, domain-scope,
    project-scope, and default roles to provide better accessibility
    to users in a secure way.
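
The note asks operators who override the system assignment policies to review them against the new defaults. The check below is an added example, not keystone or oslo.policy code: `audit_overrides` is a hypothetical helper, the sample override mapping is constructed, and it assumes the deployment's policy file has already been loaded into a dict.

```python
import json

# New defaults exactly as listed in the deprecations note above.
READ_DEFAULT = "role:reader and system_scope:all"
WRITE_DEFAULT = "role:admin and system_scope:all"
OLD_DEFAULT = "rule:admin_required"
NEW_DEFAULTS = {
    "identity:list_system_grants_for_user": READ_DEFAULT,
    "identity:check_system_grant_for_user": READ_DEFAULT,
    "identity:list_system_grants_for_group": READ_DEFAULT,
    "identity:check_system_grant_for_group": READ_DEFAULT,
    "identity:create_system_grant_for_user": WRITE_DEFAULT,
    "identity:revoke_system_grant_for_user": WRITE_DEFAULT,
    "identity:create_system_grant_for_group": WRITE_DEFAULT,
    "identity:revoke_system_grant_for_group": WRITE_DEFAULT,
}


def audit_overrides(overrides):
    """Return {policy: status} for the eight system assignment policies."""
    report = {}
    for name, new_default in NEW_DEFAULTS.items():
        if name not in overrides:
            report[name] = "not-overridden"  # the new default applies
            continue
        # Normalise whitespace so formatting differences do not hide a match.
        value = " ".join(str(overrides[name]).split())
        if value == new_default:
            report[name] = "matches-new-default"
        elif value == OLD_DEFAULT:
            report[name] = "pinned-to-old-default"  # override masks the new default
        else:
            report[name] = "custom"  # needs manual review
    return report


# Constructed sample: an operator's policy overrides in JSON form.
SAMPLE = json.loads("""{
  "identity:list_system_grants_for_user": "rule:admin_required",
  "identity:create_system_grant_for_user": "role:admin  and system_scope:all",
  "identity:revoke_system_grant_for_group": "role:admin",
  "identity:get_user": "rule:admin_required"
}""")

if __name__ == "__main__":
    for policy, status in audit_overrides(SAMPLE).items():
        print(f"{status:22} {policy}")
```

Entries reported as `pinned-to-old-default` or `custom` are the ones to compare by hand against the new defaults; policies outside the eight named in the note are ignored.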