52da4d0e12
Implement system scopes, namely 'admin', 'reader', and 'member' for the application credential API. Thus, making it consistent with other system-scoped policy definitions. For the application credential API, the follow policies will be enforced: - system admin can fetch, list, lookup, and delete user's application credentials. - system member and reader can only fetch, list, and lookup user's application credentials. Deleting a user's application credential other their own is strictly prohibitted. - domain and project admins can no longer touch user's application credentials other their own. - domain and project readers cannot touch user's application credentials other their own. - domain and project members cannot touch user's application credentials other their own. - create an application credential can only be done by the owner. No one else can create an application credential on behalf of another user. Test cases are added to guard the above policy changes. Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe Closes-Bug: 1818725 Closes-Bug: 1750615
42 lines
2.1 KiB
YAML
42 lines
2.1 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1818725 <https://bugs.launchpad.net/keystone/+bug/1818725>`_]
|
|
[`bug 1750615 <https://bugs.launchpad.net/keystone/+bug/1750615>`_]
|
|
The application credential API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles.
|
|
|
|
upgrade:
|
|
- |
|
|
[`bug 1818725 <https://bugs.launchpad.net/keystone/+bug/1818725>`_]
|
|
[`bug 1750615 <https://bugs.launchpad.net/keystone/+bug/1750615>`_]
|
|
The application credential API uses new default policies to make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides application
|
|
credential policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1818725 <https://bugs.launchpad.net/keystone/+bug/1818725>`_]
|
|
[`bug 1750615 <https://bugs.launchpad.net/keystone/+bug/1750615>`_]
|
|
The application credential policies have been deprecated. The
|
|
``identity:get_application_credential`` policy now uses
|
|
``(role:reader and system_scope:all) or user_id:%(user_id)s`` instead of
|
|
``rule:admin_required or user_id:%(user_id)s``. The
|
|
``identity:list_application_credentials`` policy now uses
|
|
``(role:reader and system_scope:all) or user_id:%(user_id)s`` instead of
|
|
``rule:admin_required or user_id:%(user_id)s``. The
|
|
``identity:delete_application_credential`` policy now use
|
|
``(role:admin and system_scope:all) or user_id:%(user_id)s`` instead of
|
|
``rule:admin_required or user_id:%(user_id)s``.
|
|
These new defaults automatically account for system-scope and support
|
|
a read-only role, making it easier for system administrators to delegate
|
|
subsets of responsibility without compromising security. Please consider
|
|
these new defaults if your deployment overrides the application
|
|
credential policies.
|
|
security:
|
|
- |
|
|
[`bug 1818725 <https://bugs.launchpad.net/keystone/+bug/1818725>`_]
|
|
[`bug 1750615 <https://bugs.launchpad.net/keystone/+bug/1750615>`_]
|
|
The application credential API now uses system-scope and default roles
|
|
to provide better accessibility to users in a secure manner.
|