keystone/releasenotes/notes/bug-1750660-e2a360ddd6790fc4.yaml
Lance Bragstad 09663a01a4 Implement domain admin functionality for projects
This commit adds explicit testing to show how users with the admin role
on a domain can manage projects within their domain. It also modifies
the default policies to account for this functionality. A subsequent
patch will do the same for project users.

Change-Id: I3e1cc44c4ed09ea0a4123ea13974b963c7335676
Closes-Bug: 1750660
Related-Bug: 1806762
2019-03-20 20:21:33 +00:00

---
features:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The project API now supports the ``admin``, ``member``, and
    ``reader`` default roles across system-scope, domain-scope, and
    project-scope.
upgrade:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The project API uses new default policies that make it more
    accessible to end users and administrators in a secure way. Please
    consider these new defaults if your deployment overrides
    project policies.
deprecations:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The previous default project policies have been deprecated. The
    ``identity:get_project`` policy now uses ``(role:reader and
    system_scope:all) or (role:reader and
    domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s``
    instead of ``rule:admin_required or project_id:%(target.project.id)s``.
    The ``identity:list_projects`` policy now uses ``(role:reader and
    system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)``
    instead of ``rule:admin_required``. The ``identity:list_user_projects``
    policy now uses ``(role:reader and system_scope:all) or (role:reader and
    domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s``
    instead of ``rule:admin_or_owner``. The ``identity:create_project``
    policy now uses ``(role:admin and system_scope:all) or (role:admin and
    domain_id:%(target.project.domain_id)s)`` instead of
    ``rule:admin_required``. These new defaults automatically include
    support for a read-only role and allow for more granular access
    to project APIs, making it easier for system and domain administrators
    to safely delegate authorization. Please consider these new defaults
    if your deployment overrides the project policies.
security:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The project API now uses system-scope, domain-scope, project-scope and default
    roles to provide better accessibility to users in a secure way.
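As an added example (not keystone's or oslo.policy's own code), the following Python evaluates the new ``identity:get_project`` and ``identity:create_project`` rule strings quoted in the deprecations entry against constructed token credentials, implementing only the subset of the oslo.policy rule grammar those strings use (``role:``, ``system_scope:`` and ``*_id:`` checks, ``%(target...)s`` references, ``and``, ``or`` and parentheses). The credential keys it assumes (``roles``, ``system_scope``, ``domain_id``, ``project_id``) are those keystone places in the policy context for a token; real deployments should rely on oslo.policy itself.

```python
import re

# Tokens: "(", ")", or one check such as domain_id:%(target.project.domain_id)s
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)s)?")

# Policy strings quoted in this release note (from the deprecations entry).
GET_PROJECT = ("(role:reader and system_scope:all) or "
               "(role:reader and domain_id:%(target.project.domain_id)s) or "
               "project_id:%(target.project.id)s")
CREATE_PROJECT = ("(role:admin and system_scope:all) or "
                  "(role:admin and domain_id:%(target.project.domain_id)s)")

def _check(token, creds, target):
    """Evaluate one kind:value check against the token credentials."""
    kind, _, value = token.partition(":")
    ref = re.fullmatch(r"%\(target\.(.+)\)s", value)
    if ref:  # resolve %(target.a.b)s against the request's target dict
        value = target
        for key in ref.group(1).split("."):
            value = value.get(key) if isinstance(value, dict) else None
    if kind == "role":
        return value in creds.get("roles", ())
    return kind in creds and value is not None and str(creds[kind]) == str(value)

def _expr(tokens, creds, target):  # or-expression; "and" binds tighter
    result = _term(tokens, creds, target)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        result = _term(tokens, creds, target) or result
    return result

def _term(tokens, creds, target):  # and-expression
    result = _factor(tokens, creds, target)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        result = _factor(tokens, creds, target) and result
    return result

def _factor(tokens, creds, target):  # parenthesised group or a single check
    tok = tokens.pop(0)
    if tok != "(":
        return _check(tok, creds, target)
    result = _expr(tokens, creds, target)
    if not tokens or tokens.pop(0) != ")":
        raise ValueError("unbalanced parentheses in policy string")
    return result

def enforce(rule, creds, target):
    """True if creds (as keystone builds them from a token) satisfy rule for target."""
    return _expr(TOKEN_RE.findall(rule), creds, target)
```

With these rules a domain-scoped ``reader`` token for domain ``dA`` passes ``enforce(GET_PROJECT, ...)`` for a project whose ``domain_id`` is ``dA`` but fails for one in another domain, and a project-scoped ``admin`` token never satisfies ``CREATE_PROJECT`` because neither a system scope nor a domain_id is present in its credentials.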