keystone/releasenotes/notes/bug-1804523-d1768909b13b167e.yaml
Lance Bragstad 87d93db909 Implement system admin role in protocol API
This commit introduces the system admin role to the protocol API,
making it consistent with other system-admin policy definitions.

Subsequent patches will build on this work to expose more
functionality to domain and project users:

 - domain user test coverage
 - project user test coverage

Change-Id: I9384e0fdd95545f1afef65a5e97e8513b709f150
Closes-Bug: 1804523
Related-Bug: 1806762
2019-01-08 20:39:34 +00:00

33 lines
1.5 KiB
YAML

---
features:
- |
[`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
The federated protocol API now supports the ``admin``, ``member``,
and ``reader`` default roles.
upgrade:
- |
[`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
The federated protocol API uses new default policies that
make it more accessible to end users and administrators. Please consider
these new defaults if your deployment overrides federated protocol
policies.
deprecations:
- |
[`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
The federated protocol policies have been deprecated. The
``identity:get_protocol`` and ``identity:list_protocols`` now use
``role:reader and system_scope:all`` instead of
``rule:admin_required``. The ``identity:create_protocol``,
``identity:update_protocol``, and ``identity:delete_protocol``
policies now use ``role:admin and system_scope:all`` instead of
``rule:admin_required``. These new defaults automatically account
for system-scope and support a read-only role, making it easier
for system administrators to delegate subsets of responsibility
without compromising security. Please consider these new defaults
if your deployment overrides the federated protocol policies.
security:
- |
[`bug 1804523 <https://bugs.launchpad.net/keystone/+bug/1804523>`_]
The federated protocol API now uses system-scope and default
roles to provide better accessibility to users in a secure way.