37 lines
1.7 KiB
YAML
37 lines
1.7 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
|
|
The group API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles.
|
|
upgrade:
|
|
- |
|
|
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
|
|
The group API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides
|
|
group policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
|
|
The group policies have been deprecated. The ``identity:get_group``,
|
|
``identity:list_groups``, ``identity:list_users_in_group``, and
|
|
``identity:check_user_in_group`` policies now use ``role:reader and
|
|
system_scope:all`` instead of ``rule:admin_required``. The
|
|
``identity:list_groups_for_user`` policy now uses ``(role:reader and
|
|
system_scope:all) or user_id:%(user_id)s`` instead of
|
|
``rule:admin_or_owner``. The ``identity:create_group``,
|
|
``identity:update_group``, ``identity:delete_group``,
|
|
``identity:remove_user_from_group``, and
|
|
``identity:add_user_to_group`` policies now use ``role:admin and
|
|
system_scope:all`` instead of ``rule:admin_required``. These new defaults
|
|
automatically account for system-scope and support a read-only role, making
|
|
it easier for system administrators to delegate subsets of responsibility
|
|
without compromising security. Please consider these new defaults if your
|
|
deployment overrides group policies.
|
|
security:
|
|
- |
|
|
[`bug 1805369 <https://bugs.launchpad.net/keystone/+bug/1805369>`_]
|
|
The group API now uses system-scope and default roles to
|
|
provide better accessibility to users in a secure way.
|