5e06ec8163
This implements part 3 of the proposed change for immutable roles[1], as well as adds a release note. Part 4 (changing the default behavior of ``keystone-manage bootstrap``) will have to come in the next cycle.

[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change

Change-Id: Ie9d658deb1fa69e9007f3c50535b5c48a7a292d1
Partial-bug: #1823258
12 lines
614 B
YAML
---
features:
  - |
    [`bug 1823258 <https://bugs.launchpad.net/keystone/+bug/1823258>`_]
    Adds support for an "immutable" resource option for roles, which when
    enabled prevents accidental harmful modification or deletion of roles. Also
    adds a new flag ``--immutable-roles`` to the ``keystone-manage bootstrap``
    command to make the default roles (admin, member, and reader) immutable by
    default, as well as a check in the ``keystone-status upgrade check``
    command to check that these roles have been made immutable. In a future
    release, these three roles will be immutable by default.