f377351ac8
The service policies were not taking the default roles work we did last release into account. This commit changes the default policies to rely on the ``admin`` role to create and delete services. Subsequent patches will incorporate: - domain user test coverage - project user test coverage Change-Id: I58bbe6848c9e8e63656a6c706c84d1747c72a71e Related-Bug: 1804462 Closes-Bug: 1804463
32 lines
1.5 KiB
YAML
32 lines
1.5 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
|
|
The services API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles.
|
|
upgrade:
|
|
- |
|
|
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
|
|
The services API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides
|
|
service policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
|
|
The service policies have been deprecated. The ``identity:get_service`` and
|
|
``identity:list_services`` policies now use ``(role:reader and
|
|
system_scope:all)`` instead of ``rule:admin_required``. The
|
|
``identity:create_service``, ``identity:update_service``, and
|
|
``identity:delete_service`` policies now use ``(role:admin and
|
|
system_scope:all)`` instead of ``rule:admin_required``. These new defaults
|
|
automatically account for system-scope and support a read-only role, making
|
|
it easier for system administrators to delegate subsets of responsibility
|
|
without compromising security. Please consider these new defaults if your
|
|
deployment overrides service policies.
|
|
security:
|
|
- |
|
|
[`bug 1804463 <https://bugs.launchpad.net/keystone/+bug/1804463>`_]
|
|
The services API now uses system-scope and default roles to
|
|
provide better accessibility to users in a secure way.
|