87d93db909
This commit introduces the system admin role to the protocol API, making it consistent with other system-admin policy definitions.

Subsequent patches will build on this work to expose more functionality to domain and project users:

- domain user test coverage
- project user test coverage

Change-Id: I9384e0fdd95545f1afef65a5e97e8513b709f150
Closes-Bug: 1804523
Related-Bug: 1806762
33 lines
1.5 KiB
YAML
---
features:
  - |
    [`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
    The federated protocol API now supports the ``admin``, ``member``,
    and ``reader`` default roles.
upgrade:
  - |
    [`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
    The federated protocol API uses new default policies that
    make it more accessible to end users and administrators. Please consider
    these new defaults if your deployment overrides federated protocol
    policies.
deprecations:
  - |
    [`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
    The federated protocol policies have been deprecated. The
    ``identity:get_protocol`` and ``identity:list_protocols`` now use
    ``role:reader and system_scope:all`` instead of
    ``rule:admin_required``. The ``identity:create_protocol``,
    ``identity:update_protocol``, and ``identity:delete_protocol``
    policies now use ``role:admin and system_scope:all`` instead of
    ``rule:admin_required``. These new defaults automatically account
    for system-scope and support a read-only role, making it easier
    for system administrators to delegate subsets of responsibility
    without compromising security. Please consider these new defaults
    if your deployment overrides the federated protocol policies.
security:
  - |
    [`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
    The federated protocol API now uses system-scope and default
    roles to provide better accessibility to users in a secure way.
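
The upgrade and deprecation notes above ask operators to review any overrides of the federated protocol policies. The following is an added example, not part of the keystone commit: it audits an override file against the five new defaults named in the note. The sample overrides, the one-rule-per-line parser, the finding labels, and the function names are assumptions constructed for illustration.

```python
import re

# New defaults, as stated in the release note above.
NEW_DEFAULTS = {
    "identity:get_protocol": "role:reader and system_scope:all",
    "identity:list_protocols": "role:reader and system_scope:all",
    "identity:create_protocol": "role:admin and system_scope:all",
    "identity:update_protocol": "role:admin and system_scope:all",
    "identity:delete_protocol": "role:admin and system_scope:all",
}
OLD_CHECK = "rule:admin_required"

# Constructed sample of an operator's override file (assumed flat mapping).
SAMPLE_OVERRIDES = '''
# local overrides
"identity:get_protocol": "rule:admin_required"
"identity:list_protocols": "role:reader and system_scope:all"
"identity:delete_protocol": "role:admin"
"identity:list_users": "rule:admin_required"
'''

RULE_LINE = re.compile(r'^"?([\w:]+)"?\s*:\s+"?(.*?)"?$')

def parse_flat_policy(text):
    """Parse one 'name: check' rule per line; skip blanks and comments."""
    rules = {}
    for line in (raw.strip() for raw in text.splitlines()):
        match = RULE_LINE.match(line)
        if match and not line.startswith("#"):
            rules[match.group(1)] = match.group(2)
    return rules

def audit(overrides):
    """Classify each overridden federated protocol policy."""
    findings = {}
    for name, default in NEW_DEFAULTS.items():
        check = overrides.get(name)
        if check is None:
            continue  # not overridden, so the new default applies
        if check == default:
            findings[name] = "same-as-default"
        elif OLD_CHECK in check:
            findings[name] = "uses-old-admin-required"
        elif "system_scope:" not in check:
            findings[name] = "no-system-scope"
        else:
            findings[name] = "custom"
    return findings
```

Calling `audit(parse_flat_policy(SAMPLE_OVERRIDES))` reports only the protocol policies that are overridden; a `no-system-scope` finding means the override's check string carries no `system_scope` term and should be compared with the new default.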