e94dff934a
This change makes the policy definitions for admin mapping operations consistent with the other mapping policies. Subsequent patches will incorporate: - testing for domain users - testing for project users Change-Id: Iad665112c73de41e2c1727a557fe5255e89b3fb6 Related-Bug: 1804519 Closes-Bug: 1804521
32 lines
1.5 KiB
YAML
32 lines
1.5 KiB
YAML
features:
|
|
- |
|
|
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
|
|
The federated mapping API now supports the ``admin``, ``member``,
|
|
and ``reader`` default roles.
|
|
upgrade:
|
|
- |
|
|
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
|
|
The federated mapping API uses new default policies that
|
|
make it more accessible to end users and administrators in a
|
|
secure way. Please consider these new defaults if your deployment
|
|
overrides federated mapping policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
|
|
The federated mapping policies have been deprecated. The
|
|
``identity:list_mappings`` and ``identity:get_mapping`` policies now
|
|
use ``role:reader and system_scope:all`` instead of ``rule:admin_required``.
|
|
The ``identity:create_mapping``, ``identity:update_mapping``, and
|
|
``identity:delete_mapping`` policies now use ``role:admin and
|
|
system_scope:all`` instead of ``rule:admin_required``.
|
|
These new defaults automatically account for system-scope and support
|
|
a read-only role, making it easier for system administrators to
|
|
delegate subsets of responsibility without compromising security.
|
|
Please consider these new defaults if your deployment overrides the
|
|
federated mapping policies.
|
|
security:
|
|
- |
|
|
[`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
|
|
The federated mapping API now uses system-scope and default roles
|
|
to provide better accessibility to users in a secure way.
|