954b976669
This commit adds some scaffolding for testing how user with project role assignments should behave with the role assignment API. Co-Authored-By: Vishakha Agarwal <agarwalvishakha18@gmail.com> Closes-Bug: 1750673 Change-Id: Iec99b5d6b3aa3015d4410ce94fedc646bc4d6f74
31 lines
1.3 KiB
YAML
31 lines
1.3 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
|
|
The role assignment API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles across system-scope, domain-scope, and
|
|
project-scope.
|
|
upgrade:
|
|
- |
|
|
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
|
|
The role assignment API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new policies if your deployment overrides role
|
|
assignment policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
|
|
The role assignment ``identity:list_role_assignments`` policy now
|
|
uses ``(role:reader and system_scope:all) or (role:reader and
|
|
domain_id:%(target.domain.id)s)`` instead of ``rule:admin_required``.
|
|
This new default automatically includes support for a read-only role
|
|
and allows for more granular access to the role assignment API. Please
|
|
consider this new default if your deployment overrides the role
|
|
assignment policies.
|
|
security:
|
|
- |
|
|
[`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
|
|
The role assignment API now uses system-scope, domain-scope,
|
|
project-scope, and default roles to provide better accessbility to
|
|
users in a secure way.
|