openstack/keystone
Code Issues Proposed changes
keystone/releasenotes/notes/bug-1805406-252b45d443af20b3.yaml
Lance Bragstad 29fb7ae395 Implement system admin role in users API 
This commit introduces the system admin role to the users API,
making it consistent with other system-admin policy definitions.

Subsequent patches will build on this work to expose more
functionality to domain and project users:

 - domain reader functionality
 - domain member test coverage
 - domain admin functionality
 - project user test coverage

Change-Id: I19bf5a562401100d9208f98515ce596f7ca20185
Closes-Bug: 1805406
Partial-Bug: 1748027
Partial-Bug: 968696
2019-02-04 19:56:01 +00:00

39 lines
1.8 KiB
YAML
Raw Blame History

---
features:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The ``GET /v3/users/{user_id`` API now properly returns an ``HTTP
403 Forbidden`` as opposed to ``HTTP 404 Not Found`` if the calling
user doesn't have authorization to call the API. This applies consistent
authorititive policy checks to the API.
The user API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
user policies.
deprecations:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user policies have been deprecated. The ``identity:get_user`` now uses
``(role:reader and system_scope:all) or user_id:%(target.user.id)s``
instead of ``rule:admin_or_owner``. The ``identity:list_users`` policy now
uses ``role:reader and system_scope:all`` instead of
``rule:admin_required``. The ``identity:create_user``,
``identity:update_user``, and ``identity:delete_user`` policies now use
``role:admin and system_scope:all`` instead of ``rule:admin_required``.
These new defaults automatically account
for system-scope and support a read-only role, making it easier
for system administrators to delegate subsets of responsibility
without compromising security. Please consider these new defaults
if your deployment overrides the user policies.
security:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user API now uses system-scope and default roles to
provide better accessibility to users in a secure way.
View Git Blame Copy Permalink