keystone/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml

---
features:
  - |
    [`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
    The registered limit and limit API now support the ``admin``,
    ``member``, and ``reader`` default roles.    
upgrade:
  - |
    [`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
    Several of the registered limit and limit policies have been
    deprecated. The following policies now use ``role:admin and
    system_scope:all`` instead of ``rule:admin_required``:

    * ``identity:create_registered_limits``
    * ``identity:update_registered_limit``
    * ``identity:delete_registered_limit``
    * ``identity:create_limits``
    * ``identity:update_limit``
    * ``identity:delete_limit``

    These policies are not being formally deprecated because the
    unified limits API is still considered experimental. These
    new default automatically account for system-scope. Please
    consider these new defaults if your deployment overrides the
    registered limit or limit policies.    
security:
  - |
    [`bug 1805372 <https://bugs.launchpad.net/keystone/+bug/1805372>`_]
    The registered limit and limit APIs now uses system-scope and default roles
    to provide better accessibility to users in a secure way.