keystone/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml
Lance Bragstad 1d4e402528 Update limit policies for system admin
This change makes the policy definitions for admin limit
operations consistent with the other limit
policies. Subsequent patches will incorporate:

 - domain user test coverage
 - project user test coverage

Change-Id: Id3f6159af505fbe81ff83cfaa346f2178f2d8e77
Closes-Bug: 1805372
Related-Bug: 1805880
2019-01-09 14:56:48 +00:00

31 lines
1.2 KiB
YAML

---
features:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The registered limit and limit API now support the ``admin``,
``member``, and ``reader`` default roles.
upgrade:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
Several of the registered limit and limit policies have been
deprecated. The following policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``:
* ``identity:create_registered_limits``
* ``identity:update_registered_limit``
* ``identity:delete_registered_limit``
* ``identity:create_limits``
* ``identity:update_limit``
* ``identity:delete_limit``
These policies are not being formally deprecated because the
unified limits API is still considered experimental. These
new default automatically account for system-scope. Please
consider these new defaults if your deployment overrides the
registered limit or limit policies.
security:
- |
[`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
The registered limit and limit APIs now uses system-scope and default roles
to provide better accessibility to users in a secure way.