keystone/releasenotes/notes/bug-1805368-ea32c2db2ae57225.yaml
Lance Bragstad bbd77d0bf9 Implement domain admin support for grants
This commit goes through and updates grant policies to allow domain
administrators to manage grants for their domains and projects within
their domain.

Co-Authored-By: Colleen Murphy <colleen@gazlene.net>

Change-Id: I5f1839a3f8d23d17e449aa9f8710d70233ee8fcc
Closes-Bug: 1805368
Closes-Bug: 1750669
2019-09-11 08:24:21 -07:00


---
features:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The grant API now supports the ``admin``, ``member``, and ``reader``
    default roles for domain users (e.g., domain-scoped tokens).
upgrade:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The grant APIs use new default policies that make them more accessible
    to domain users in a safe and secure way. Please consider these new
    defaults if your deployment overrides the grant API policies.
deprecations:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The grant policies have been deprecated and replaced with new policies
    that expose the grant APIs to domain users. This allows deployments to
    delegate more functionality to domain owners by default. The
    ``identity:check_grant`` and ``identity:list_grants`` policies now use
    ``(role:reader and system_scope:all) or (role:reader and
    domain_id:%(target.user.domain_id)s) or (role:reader and
    domain_id:%(target.group.domain_id)s)`` instead of ``role:reader and
    system_scope:all``. The ``identity:create_grant`` and
    ``identity:revoke_grant`` policies now use ``(role:admin and
    system_scope:all) or (role:admin and domain_id:%(target.user.domain_id)s)
    or (role:admin and domain_id:%(target.group.domain_id)s)`` instead of
    ``role:admin and system_scope:all``. These new defaults automatically
    include support for domain reader and domain administrator roles, making
    it easier for system administrators to delegate functionality down to
    domain users to manage grants within their domains. Please consider
    these new defaults if your deployment overrides the grant API policies.
security:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The grant API now supports domain-scoped default roles to provide better
    accessibility to grants for domain users.
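To make the effect of the new defaults concrete, here is an added example (not keystone or oslo.policy code) that evaluates the old and new ``identity:check_grant`` rule strings from this note against a few credential/target combinations. It assumes a simplified model of the oslo.policy rule language: ``role:X`` is a role-membership check on an already-expanded role list, other ``key:value`` atoms compare a credential attribute with a literal or a ``%(target...)s`` lookup in a flat target dict, and an unresolvable target attribute never matches.

```python
import re
# Policy strings copied from the release note (identity:check_grant).
OLD_CHECK_GRANT = "role:reader and system_scope:all"
NEW_CHECK_GRANT = (
    "(role:reader and system_scope:all) or "
    "(role:reader and domain_id:%(target.user.domain_id)s) or "
    "(role:reader and domain_id:%(target.group.domain_id)s)"
)
# create_grant/revoke_grant use the same shape with role:admin.
NEW_CREATE_GRANT = NEW_CHECK_GRANT.replace("role:reader", "role:admin")

def _atom(token, creds, target):
    # "role:X" checks role membership; other "key:value" atoms compare a
    # credential attribute with a literal or a %(target.x.y)s lookup in the
    # flat target dict. An unresolvable target attribute never matches.
    key, _, value = token.partition(":")
    if key == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:
        value = target.get(m.group(1))
        if value is None:
            return False
    return creds.get(key) == value

def enforce(rule, creds, target):
    # Tiny recursive-descent evaluator: "and" binds tighter than "or" and
    # parentheses group, mirroring oslo.policy's rule language.
    tokens = re.findall(r"[()]|[^\s()]+(?:\([^)]*\)s)?", rule)
    def primary():
        token = tokens.pop(0)
        if token != "(":
            return _atom(token, creds, target)
        value = disjunction()
        tokens.pop(0)  # drop the closing ")"
        return value
    def conjunction():
        value = primary()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            value = primary() and value
        return value
    def disjunction():
        value = conjunction()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            value = conjunction() or value
        return value
    return disjunction()
```

A domain reader in domain ``d1`` is denied by the old rule but allowed by the new one for users and groups in ``d1``, and is still denied for a user in another domain; a project-scoped token with no ``domain_id`` never matches either rule.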