keystone/releasenotes/notes/bug-1844194-48ae60db49f91bd4.yaml
Lance Bragstad 8e67249d5b Add default roles and scope checking to project tags
This commit makes it so that project tags adhere to system-scope and
also incorporates default roles into the policy checks by default.

Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
Closes-Bug: 1844194
Closes-Bug: 1844193
Related-Bug: 1806762
2019-09-19 02:48:39 +00:00

44 lines
2.1 KiB
YAML

---
features:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API now supports the ``admin``, ``member``, and ``reader``
default roles.
upgrade:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API now uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides the project
tags policies.
deprecations:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API policies have been deprecated. The
``identity:get_project_tag`` and ``identity:list_project_tags``
policies now use ``(role:reader and system_scope:all) or
(role:reader and domain_id:%(target.project.domain_id)s) or
project_id:%(target.project.id)s`` instead of
``rule:admin_required or project_id:%(target.project.id)s``. The
``identity:update_project_tags``, ``identity:delete_project_tags``,
``identity:delete_project_tag``, and ``identity:create_project_tag``
policies now use ``(role:admin and system_scope:all) or (role:admin
and domain_id:%(target.project.domain_id)s) or (role:admin and
project_id:%(target.project.id)s)`` instead of
``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to
delegate subsets of responsibility with compromising security. Please
consider these new defaults if your deployment overrides the project
tag policies.
security:
- |
[`bug 1844194 <https://bugs.launchpad.net/keystone/+bug/1844194>`_]
[`bug 1844193 <https://bugs.launchpad.net/keystone/+bug/1844193>`_]
The project tags API now uses system-scope and default roles to
provide better accessibility to users in a secure way.