40 lines
2.1 KiB
YAML
40 lines
2.1 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
|
|
The project API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles across system-scope, domain-scope, and
|
|
project-scope.
|
|
upgrade:
|
|
- |
|
|
[`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
|
|
The project API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides
|
|
project policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
|
|
The project policies have been deprecated. The ``identity:get_project`` policy
|
|
now uses ``(role:reader and system_scope:all) or (role:reader and
|
|
domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s``
|
|
instead of ``rule:admin_required or project_id:%(target.project.id)s``.
|
|
The ``identity:list_projects`` policy now uses ``(role:reader and
|
|
system_scope:all) or (role:reader and domain_id:%(target.domain_id)s``
|
|
instead of ``rule:admin_required``. The ``identity:list_user_projects``
|
|
policy now uses ``(role:reader and system_scope:all) or (role:reader and
|
|
domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s``
|
|
instead of ``rule:admin_or_owner``. The ``identity:create_project``
|
|
now uses ``(role:admin and system_scope:all) or (role:admin and
|
|
domain_id:%(target.project.domain_id)s)`` instead of
|
|
``rule:admin_required``. These new defaults automatically include
|
|
support for a read-only role and allow for more granular access
|
|
to project APIs, making it easier for system and domain administrators
|
|
to delegate authorization, safely. Please consider these new defaults
|
|
if your deployment overrides the project policies.
|
|
security:
|
|
- |
|
|
[`bug 1750660 <https://bugs.launchpad.net/keystone/+bug/1750660>`_]
|
|
The project API now uses system-scope, domain-scope, project-scope and default
|
|
roles to provide better accessibility to users in a secure way.
|