afb312529b
By incorporating system scope and default roles into keystone's default policies for implied roles, we've effectively made these policies obsolete. Change-Id: I75515d3491517ea6e6fa17473a7890ce4653b481 Partial-bug: #1806762 Closes-bug: #1805371
34 lines
1.6 KiB
YAML
34 lines
1.6 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
|
|
The implied roles API now supports the ``admin``, ``member``, and
|
|
``reader`` default roles.
|
|
|
|
upgrade:
|
|
- |
|
|
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
|
|
The implied roles API uses new default policies to
|
|
make it more accessible to end users and administrators in a secure way.
|
|
Please consider these new defaults if your deployment overrides implied
|
|
roles policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
|
|
The implied roles policies have been deprecated. The
|
|
``identity:get_implied_role``, ``identity:list_implied_roles``,
|
|
``identity:list_role_inference_rules``, and ``identity:check_implied_role``
|
|
policies now use ``role:reader and system_scope:all`` instead of
|
|
``rule:admin_required``. The ``identity:create_implied_role`` and
|
|
``identity:delete_implied_role`` policies now use ``role:admin and
|
|
system_scope:all`` instead of ``rule:admin_required``.
|
|
These new defaults automatically account for system-scope and support
|
|
a read-only role, making it easier for system administrators to delegate
|
|
subsets of responsibility without compromising security. Please consider
|
|
these new defaults if your deployment overrides the implied roles policies.
|
|
security:
|
|
- |
|
|
[`bug 1805371 <https://bugs.launchpad.net/keystone/+bug/1805371>`_]
|
|
The implied role API now uses system-scope and default
|
|
roles to provide better accessibility to users in a secure manner.
|