ef838a3a3f
This commit adjusts the create and revoke grant policies to be consistent with other system admin policy check strings by not using the rule:admin_required check string and by including system_scope:all in the rule itself.

Subsequent patches will:

- implement domain reader and member support
- implement domain admin support
- introduce test coverage for project users and the grants API
- remove redundant policies from policy.v3cloudsample.json

Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
Change-Id: Idcbe16f643332d80af716074cf3ea22525d465a9
53 lines
2.7 KiB
YAML
---
features:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API now supports the ``admin``, ``member``,
    and ``reader`` default roles across system-scope, domain-scope, and
    project-scope. The grant API now supports the ``admin``,
    ``member``, and ``reader`` default roles for system-scope.
upgrade:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment and grant APIs use new default policies that
    make them more accessible to end users and administrators in a secure
    way. Please consider these new defaults if your deployment
    overrides system assignment policies.
deprecations:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment and grant policies have been deprecated. The
    ``identity:list_system_grants_for_user``,
    ``identity:check_system_grant_for_user``,
    ``identity:list_system_grants_for_group``, and
    ``identity:check_system_grant_for_group`` policies now use
    ``role:reader and system_scope:all`` instead of
    ``rule:admin_required``. The
    ``identity:create_system_grant_for_user``,
    ``identity:revoke_system_grant_for_user``,
    ``identity:create_system_grant_for_group``, and
    ``identity:revoke_system_grant_for_group`` policies now use
    ``role:admin and system_scope:all`` instead of
    ``rule:admin_required``. The ``identity:check_grant`` and
    ``identity:list_grants`` policies now use ``role:reader and
    system_scope:all`` instead of ``rule:admin_required``. The
    ``identity:create_grant`` and ``identity:revoke_grant`` policies
    now use ``role:admin and system_scope:all`` instead of
    ``rule:admin_required``. These new defaults automatically include
    support for a read-only role and allow for more granular access to
    the system assignment and grant APIs, making it easier for
    administrators to delegate authorization safely. Please consider
    these new defaults if your deployment overrides the system
    assignment APIs.
security:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API now uses system-scope, domain-scope,
    project-scope, and default roles to provide better accessibility to
    users in a secure way. The grant API now uses system-scope and
    default roles to provide better accessibility to operators.
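To make the effect of the deprecation concrete, the following added example (not keystone's or oslo.policy's own code) models the small subset of check-string semantics the note relies on and evaluates the old ``rule:admin_required`` default beside the new ``role:admin and system_scope:all`` / ``role:reader and system_scope:all`` defaults for ``identity:create_grant`` and ``identity:check_grant``. The credential dictionaries, the ``POLICY`` table and the assumption that a token's role list already contains implied roles are constructed for the example.

```python
"""Minimal evaluator for oslo.policy-style check strings.

Added example, not keystone's code: it models only the subset of check-string
semantics this note relies on (role:, system_scope:, rule:, 'and'/'or' without
parentheses) so the effect of the new defaults can be tested offline.
"""

# Constructed policy table: the deprecated default beside the new one.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    # deprecated defaults
    "old:identity:create_grant": "rule:admin_required",
    "old:identity:check_grant": "rule:admin_required",
    # new defaults from this change
    "new:identity:create_grant": "role:admin and system_scope:all",
    "new:identity:check_grant": "role:reader and system_scope:all",
}


def _check(token: str, creds: dict) -> bool:
    """Evaluate one 'kind:match' atom against token credentials."""
    kind, _, match = token.strip().partition(":")
    if kind == "rule":  # reference to another named policy
        return enforce(match, creds)
    if kind == "role":  # role present on the token (case-insensitive)
        return match.lower() in {r.lower() for r in creds.get("roles", [])}
    # generic check: literal on the right compared with the credential attribute
    return str(creds.get(kind)) == match


def _evaluate(expr: str, creds: dict) -> bool:
    """'or' binds loosest, 'and' tighter; parentheses are not modelled."""
    return any(all(_check(t, creds) for t in conj.split(" and "))
               for conj in expr.split(" or "))


def enforce(policy_name: str, creds: dict) -> bool:
    """Return True if the credentials satisfy the named policy."""
    return _evaluate(POLICY[policy_name], creds)


# Constructed credentials as keystone would present them from a token; the
# role lists assume implied-role expansion (admin -> member -> reader).
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "p1"}
SYSTEM_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": "all"}
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}

if __name__ == "__main__":
    for name in POLICY:
        if name != "admin_required":
            print(name, [enforce(name, c) for c in (PROJECT_ADMIN, SYSTEM_ADMIN, SYSTEM_READER)])
```

Under the old default a project-scoped admin passes ``identity:create_grant``; under the new default only a system-scoped admin does, and a system-scoped reader gains read access to ``identity:check_grant`` that the old rule never granted.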