4f0c7394ed
This change deprecates the rule:admin_required policies for the create/update/delete actions of the OAUTH consumer API and replaces it with the system-specific check strings for the admin role. Change-Id: Id6742ff295ce206d0a4965465b0e9ec2ceab7cd5 Closes-bug: #1805363
33 lines
1.5 KiB
YAML
33 lines
1.5 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
|
|
The oauth1 consumer API now supports the ``admin``,
|
|
``member``, and ``reader`` default roles.
|
|
|
|
upgrade:
|
|
- |
|
|
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
|
|
The oauth1 consumer API uses new default policies to
|
|
make it more accessible to end users and administrators in a secure way.
|
|
Please consider these new defaults if your deployment overrides oauth1
|
|
consumer policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
|
|
The oauth1 consumer policies have been deprecated. The
|
|
``identity:get_consumer`` and ``identity:list_consumers`` policies now use
|
|
``role:reader and system_scope:all`` instead of
|
|
``rule:admin_required``. The ``identity:create_consumer``,
|
|
``identity:update_consumer``, and ``identity:delete_consumer`` policies now
|
|
use ``role:admin and system_scope:all`` instead of ``rule:admin_required``.
|
|
These new defaults automatically account for system-scope and support
|
|
a read-only role, making it easier for system administrators to delegate
|
|
subsets of responsibility without compromising security. Please consider
|
|
these new defaults if your deployment overrides the oauth1 consumer policies.
|
|
security:
|
|
- |
|
|
[`bug 1805363 <https://bugs.launchpad.net/keystone/+bug/1805363>`_]
|
|
The oauth1 consumer API now uses system-scope and default
|
|
roles to provide better accessibility to users in a secure manner.
|