keystone/releasenotes/notes/bp-application-credentials-c699f1f17c7d4e2f.yaml
Colleen Murphy 9da1929757 Add a release note for application credentials
bp application-credentials

Change-Id: Id3846c65d6ae805d70e0cc911faf0f25e3d28cf0
2018-01-27 12:00:23 +01:00

25 lines
1.5 KiB
YAML

---
prelude: >
This release adds support for Application Credentials, a new way to allow
applications and automated tooling to authenticate with keystone. Rather
than storing a username and password in an application's config file, which
can pose security risks, you can now create an application credential to
allow an application to authenticate and acquire a preset scope and role
assignments. This is especially useful for LDAP and federated users, who
can now delegate their cloud management tasks to a keystone-specific
resource, rather than share their externally managed credentials with
keystone and risk a compromise of those external systems. Users can
delegate a subset of their role assignments to an application credential,
allowing them to strategically limit their application's access to the
minimum needed. Unlike passwords, a user can have more than one active
application credential, which means they can be rotated without causing
downtime for the applications using them.
features:
- |
[`blueprint application-credentials <https://blueprints.launchpad.net/keystone/+spec/application-credentials>`_]
Users can now create Application Credentials, a new keystone resource that
can provide an application with the means to get a token from keystone with
a preset scope and role assignments. To authenticate with an application
credential, an application can use the normal token API with the
'application_credential' auth method.