keystone/releasenotes/notes/bug-1818846-d1a8c77d20659ad6.yaml
Colleen Murphy 9be1caff97 Implement system admin for trusts API
This change enables a system admin to delete trusts. Previously, only
the trustor or the is_admin admin could delete a trust. This changes
makes the trusts API more useful to system administrators who need to
clean up trusts and makes the API consistent with others.

This does not enable system admins to create trusts. A trust can only be
scoped to a project, so creating one is inherently a project-scoped
action. If trusts later gain the ability to be scoped to the system or
domains, we can add those scopes to the create_trust scope_types.

Change-Id: Idf13b862f345388bb2372609787947eb43d7ba75
Closes-bug: #1818846
Closes-bug: #1818850
Related-Bug: #968696
2019-08-16 15:20:15 -07:00

42 lines
2.1 KiB
YAML

---
features:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
The trusts API now supports the ``admin``, ``member``, and ``reader``
default roles. System users can now audit and clean up trusts using the
default policies.
upgrade:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
The trusts API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
trust policies.
deprecations:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
The trust policies have been deprecated. The ``identity:list_trusts``
policy now uses ``(role:reader and system_scope:all)`` instead of
``rule_admin_required``. The ``identity:list_roles_for_trust``,
``identity:get_role_for_trust``, and ``identity:get_trust`` policies now
use ``(role:reader and system_scope:all) or
user_id:%(target.trust.trustor_user_id)s or
user_id:%(target.trust.trustee_user_id)s`` instead
of``user_id:%(target.trust.trustor_user_id)s or
user_id:%(target.trust.trustee_user_id)s``. The ``identity:delete_trust``
policy now uses ``(role:admin and system_scope:all) or
user_id:%(target.trust.trustor_user_id)s`` instead of
``user_id:%(target.trust.trustor_user_id)s``. These new defaults
automatically account for system-scope and support a read-only role, making
it easier for system administrators to delegate subsets of responsibility
without compromising security. Please consider these new defaults if your
deployment overrides trust policies.
security:
- |
[`bug 1818846 <https://bugs.launchpad.net/keystone/+bug/1818846>`_]
[`bug 1818850 <https://bugs.launchpad.net/keystone/+bug/1818850>`_]
The trusts API now uses system-scope and default roles to
provide better accessibility to users in a secure way.