2ca4836a95
This change makes the policy definitions for admin role operations consistent with other role policies. Subsequent patches will incorporate: - domain user test coverage - project user test coverage Change-Id: I35a2af10d47e000ee6257ce16c52c7e49a62b033 Related-Bug: 1806713 Closes-Bug: 1805402
33 lines
1.4 KiB
YAML
33 lines
1.4 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
|
|
The role API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles.
|
|
upgrade:
|
|
- |
|
|
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
|
|
The role API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides role
|
|
policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
|
|
The role policies have been deprecated. The ``identity:get_role`` and
|
|
``identity:list_roles`` policies now use ``role:reader and
|
|
system_scope:all`` instead of ``rule:admin_required``. The
|
|
``identity:create_role``, ``identity:update_role``, and
|
|
``identity:delete_role`` policies now use ``role:admin and
|
|
system_scope:all`` instead of ``rule:admin_required``. These new
|
|
defaults automatically account for system-scope and support a read-only
|
|
role, making it easier for system administrators to delegate subsets of
|
|
responsibility without compromising security. Please consider these new
|
|
defaults if your deployment overrides the role policies.
|
|
security:
|
|
- |
|
|
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
|
|
The role API now uses system-scope and default roles to provide
|
|
better accessibility to users in a secure way.
|
|
|