cdbdcf85f7
The endpoint policies were not taking the default roles work we did last release into account. This commit changes the default policies to rely on the ``admin`` role to create and delete endpoints. Subsequent patches will incorporate: - domain user test coverage - project user test coverage Change-Id: Ia6dc4526ece07e7fee614ec91b0953db8f180c2e Related-Bug: 1804482 Closes-Bug: 1804483
32 lines
1.5 KiB
YAML
32 lines
1.5 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
|
|
The endpoint API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles.
|
|
upgrade:
|
|
- |
|
|
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
|
|
The endpoint API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides
|
|
endpoint policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
|
|
The endpoint policies have been deprecated. The ``identity:list_endpoints``
|
|
and ``identity:get_endpoint`` policies now use ``role:reader and system_scope:all``
|
|
instead of ``rule:admin_required``. The ``identity:create_endpoint``,
|
|
``identity:update_endpoint``, and ``identity:delete_endpoint`` policies
|
|
now use ``role:admin and system_scope:all`` instead of ``rule:admin_required``.
|
|
These new defaults automatically account
|
|
for system-scope and support a read-only role, making it easier
|
|
for system administrators to delegate subsets of responsibility
|
|
without compromising security. Please consider these new defaults
|
|
if your deployment overrides the endpoint policies.
|
|
security:
|
|
- |
|
|
[`bug 1804483 <https://bugs.launchpad.net/keystone/+bug/1804483>`_]
|
|
The endpoint API now uses system-scope and default roles to
|
|
provide better accessibility to users in a secure way.
|