36 lines
1.8 KiB
YAML
---
features:
  - |
    [`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
    [`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
    The token API now supports the ``admin``, ``member``, and ``reader``
    default roles.
upgrade:
  - |
    [`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
    [`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
    The token API uses new default policies that make it easier for system
    users to delegate functionality in a secure way. Please consider the new
    policies if your deployment overrides the token policies.
deprecations:
  - |
    [`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
    [`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
    The ``identity:check_token`` policy now uses ``(role:reader and
    system_scope:all) or rule:token_subject`` instead of ``rule:admin_required
    or rule:token_subject``. The ``identity:validate_token`` policy now uses
    ``(role:reader and system_scope:all) or rule:service_role or
    rule:token_subject`` instead of ``rule:service_or_admin or
    rule:token_subject``. The ``identity:revoke_token`` policy now uses
    ``(role:admin and system_scope:all) or rule:token_subject`` instead of
    ``rule:admin_or_token_subject``. These new defaults automatically account
    for a read-only role by default and allow more granular access to the API.
    Please consider these new defaults if your deployment overrides the token
    policies.
security:
  - |
    [`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
    [`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
    The token API now uses system-scope and default roles properly to provide
    more granular access to the token API.
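
The release note asks operators who override the token policies to review them against the new defaults. The following Python check is an added example, not part of the release note or of keystone: it scans an override file for the three token policies and reports whether each still pins the deprecated check string. It assumes a flat file with one `"policy": "check string"` entry per line and no `#` inside check strings; `audit_overrides` and the sample file are constructed for illustration.

```python
import re

# Deprecated -> new default check strings, copied from the release note above.
TOKEN_POLICIES = {
    "identity:check_token": (
        "rule:admin_required or rule:token_subject",
        "(role:reader and system_scope:all) or rule:token_subject"),
    "identity:validate_token": (
        "rule:service_or_admin or rule:token_subject",
        "(role:reader and system_scope:all) or rule:service_role or "
        "rule:token_subject"),
    "identity:revoke_token": (
        "rule:admin_or_token_subject",
        "(role:admin and system_scope:all) or rule:token_subject"),
}

# One flat `"policy_name": "check string"` entry per line; quotes optional.
ENTRY = re.compile(r"""^\s*["']?([\w:]+)["']?\s*:\s*["']?(.*?)["']?\s*$""")

# Constructed sample override file (not taken from any real deployment).
SAMPLE_POLICY_YAML = """
# operator overrides
"identity:check_token": "rule:admin_required or rule:token_subject"
"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject"
"identity:revoke_token": "role:admin"
"identity:get_user": "rule:admin_required"
"""

def audit_overrides(policy_text):
    """Return {policy: (status, new_default)} for each overridden token policy."""
    findings = {}
    for line in policy_text.splitlines():
        match = ENTRY.match(line.split("#", 1)[0])  # drop YAML comments
        if not match or match.group(1) not in TOKEN_POLICIES:
            continue  # not an entry, or not one of the three token policies
        name, check = match.group(1), " ".join(match.group(2).split())
        old, new = TOKEN_POLICIES[name]
        if check == new:
            status = "matches-new-default"
        elif check == old:
            status = "deprecated-default"  # override pins the pre-change rule
        else:
            status = "custom-override"  # needs manual review against `new`
        findings[name] = (status, new)
    return findings

if __name__ == "__main__":
    for name, (status, new) in audit_overrides(SAMPLE_POLICY_YAML).items():
        print(f"{name}: {status}; new default is: {new}")
```

The comparison is textual, so a rule that is logically equivalent to a default but written differently is reported as `custom-override` and still needs a manual read.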