09663a01a4
This commit adds explicit testing to show how users with the admin role on a domain can manage projects within their domain. It also modifies the default policies to account for this functionality. A subsequent patch will do the same for project users. Change-Id: I3e1cc44c4ed09ea0a4123ea13974b963c7335676 Closes-Bug: 1750660 Related-Bug: 1806762
40 lines
2.1 KiB
YAML
---
features:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The project API now supports the ``admin``, ``member``, and
    ``reader`` default roles across system-scope, domain-scope, and
    project-scope.
upgrade:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The project API uses new default policies that make it more
    accessible to end users and administrators in a secure way. Please
    consider these new defaults if your deployment overrides
    project policies.
deprecations:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The previous default project policies have been deprecated. The
    ``identity:get_project`` policy now uses ``(role:reader and
    system_scope:all) or (role:reader and
    domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s``
    instead of ``rule:admin_required or project_id:%(target.project.id)s``.
    The ``identity:list_projects`` policy now uses ``(role:reader and
    system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)``
    instead of ``rule:admin_required``. The ``identity:list_user_projects``
    policy now uses ``(role:reader and system_scope:all) or (role:reader and
    domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s``
    instead of ``rule:admin_or_owner``. The ``identity:create_project``
    policy now uses ``(role:admin and system_scope:all) or (role:admin and
    domain_id:%(target.project.domain_id)s)`` instead of
    ``rule:admin_required``. These new defaults automatically include
    support for a read-only role and allow for more granular access
    to project APIs, making it easier for system and domain administrators
    to delegate authorization safely. Please consider these new defaults
    if your deployment overrides the project policies.
security:
  - |
    [`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
    The project API now uses system-scope, domain-scope, project-scope and default
    roles to provide better accessibility to users in a secure way.
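To make the four rule strings in the deprecations note concrete, the following is an added example (not keystone or oslo.policy code) that evaluates them against sample tokens. It implements only the subset of the oslo.policy rule language those rules use: `role:X`, generic checks that compare a token attribute with a `%(...)s` value taken from the target, `and`/`or` with `and` binding tighter, and parentheses. It assumes a credentials dict shaped like the one keystone derives from a token, with implied roles already expanded (admin implies member implies reader), and a target already flattened to the dotted keys the rules reference; the rule strings are written with balanced parentheses. The sample tokens, projects and users are constructed for the example.

```python
"""Evaluate the new project-API defaults from the deprecations note.

Toy evaluator for the oslo.policy rule subset those four rules use.
Added illustration, not keystone or oslo.policy code.
"""
import re

RULES = {  # the new defaults quoted in the release note, by policy name
    "identity:get_project": "(role:reader and system_scope:all) or "
    "(role:reader and domain_id:%(target.project.domain_id)s) or "
    "project_id:%(target.project.id)s",
    "identity:list_projects": "(role:reader and system_scope:all) or "
    "(role:reader and domain_id:%(target.domain_id)s)",
    "identity:list_user_projects": "(role:reader and system_scope:all) or "
    "(role:reader and domain_id:%(target.user.domain_id)s) or "
    "user_id:%(target.user.id)s",
    "identity:create_project": "(role:admin and system_scope:all) or "
    "(role:admin and domain_id:%(target.project.domain_id)s)",
}

# Tokens: parentheses, the and/or keywords, or a kind:match check whose match
# may embed %(dotted.target.key)s substitutions.
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\([^)]*\)s|[^\s()])+")


def parse(rule):
    """Parse a rule into a nested tuple tree; ValueError on bad syntax."""
    toks = _TOKEN.findall(rule)[::-1]  # reversed so pop() yields the next token

    def parse_or():  # lowest precedence
        node = parse_and()
        while toks and toks[-1] == "or":
            toks.pop()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while toks and toks[-1] == "and":
            toks.pop()
            node = ("and", node, parse_atom())
        return node

    def parse_atom():
        tok = toks.pop() if toks else None
        if tok == "(":
            node = parse_or()
            if not toks or toks.pop() != ")":
                raise ValueError("unbalanced parenthesis in rule %r" % rule)
            return node
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("unexpected %r in rule %r" % (tok, rule))
        kind, match = tok.split(":", 1)
        return ("check", kind, match)

    tree = parse_or()
    if toks:
        raise ValueError("trailing tokens in rule %r" % rule)
    return tree


def evaluate(node, creds, target):
    """Evaluate a parsed rule against token credentials and a flattened target."""
    op = node[0]
    if op == "or":
        return evaluate(node[1], creds, target) or evaluate(node[2], creds, target)
    if op == "and":
        return evaluate(node[1], creds, target) and evaluate(node[2], creds, target)
    _, kind, match = node
    if kind == "role":  # RoleCheck: case-insensitive membership in token roles
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # GenericCheck: expand %(key)s from the target, compare with the credential
    # attribute of the same name. A missing key on either side fails closed.
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def enforce(policy, creds, target):
    """True if the token described by creds may call policy on target."""
    return evaluate(parse(RULES[policy]), creds, target)


def is_valid_rule(rule):
    """True if the rule parses; catches typos such as an unbalanced paren."""
    try:
        parse(rule)
        return True
    except ValueError:
        return False


# Constructed sample creds, shaped like what keystone derives from a token
# (assumed: implied roles already expanded, admin -> member -> reader).
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all", "user_id": "u0"}
DOMAIN_A_ADMIN = {"roles": ["admin", "member", "reader"], "domain_id": "domA",
                  "user_id": "ua"}
PROJECT_P1_MEMBER = {"roles": ["member", "reader"], "project_id": "p1",
                     "user_id": "u1"}
# Constructed targets, flattened to the dotted keys the rules reference.
PROJECT_P1 = {"target.project.id": "p1", "target.project.domain_id": "domA"}
PROJECT_P2 = {"target.project.id": "p2", "target.project.domain_id": "domB"}
USER_U1 = {"target.user.id": "u1", "target.user.domain_id": "domA"}
```

Running `enforce` over these fixtures shows the boundary the note describes: a domain admin can read and create projects in its own domain but is refused for a project in another domain, a system reader can read any project but cannot create one, and a project member only reaches its own project. `is_valid_rule` is the check to run over any overridden policy file, since an unbalanced parenthesis in a rule string is a syntax error rather than a silently narrower rule.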