openstack/keystone
Code Issues Proposed changes
7ee35794e9
keystone/releasenotes/notes/bug-1805369-ed98d3fcfafb5c43.yaml
Colleen Murphy be452fee80 Add domain scope support for group policies 
This commit adds support for the domain scope type for the group API
policies. It defines appropriate policies for the reader, member, and
admin role and adds tests for each case.

Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6
Closes-bug: #1808859
Partial-Bug: #968696
2019-03-27 17:15:00 +01:00

48 lines
2.4 KiB
YAML
Raw Blame History

---
features:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group API now supports the ``admin``, ``member``, and
``reader`` default roles.
- |
[`bug 1808859 <https://bugs.launchpad.net/keystone/+bug/1808859>`_]
The group API now supports using the ``domain`` scope type for performing
domain-specific actions on groups and group membership.
upgrade:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
group policies.
deprecations:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group policies have been deprecated. The ``identity:get_group``,
``identity:list_groups``, ``identity:list_users_in_group``, and
``identity:check_user_in_group`` policies now use ``role:reader and
system_scope:all or (role:reader and
domain_id:%(target.group.domain_id)s)`` instead of ``rule:admin_required``.
The ``identity:list_groups_for_user`` policy now uses ``(role:reader and
system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)
or or user_id:%(user_id)s`` instead of ``rule:admin_or_owner``. The
``identity:create_group``, ``identity:update_group``,
``identity:delete_group``, ``identity:remove_user_from_group``, and
``identity:add_user_to_group`` policies now use ``role:admin and
system_scope:all or (role:admin and domain_id:%(target.group.domain_id)s)``
instead of ``rule:admin_required``. These new defaults automatically
account for system-scope and domain-scope and support a read-only role,
making it easier for system administrators to delegate subsets of
responsibility without compromising security. Please consider these new
defaults if your deployment overrides group policies.
security:
- |
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
The group API now uses system-scope and default roles to
provide better accessibility to users in a secure way.
- |
[`bug 1808859 <https://bugs.launchpad.net/keystone/+bug/1808859>`_]
The group API now supports using the ``domain`` scope for the reader,
member, and admin role to provide better accessibility to users in a
secure way.
View Git Blame Copy Permalink