openstack/keystone
Code Issues Proposed changes
ee54ba0ce4
keystone/releasenotes/notes/bug-1805406-252b45d443af20b3.yaml
Lance Bragstad cf1ce4eb36 Implement domain admin functionality for user API 
This commit add explicit testing to show how users with the admin role
on a domain can manage users within thier domain. It also modifies the
default policies to account for this functionality. A subsequent patch
will do the same for project users.

Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
Partial-Bug: 1748027
Partial-Bug: 968696
2019-03-19 22:34:15 +00:00

42 lines
2.0 KiB
YAML
Raw Blame History

---
features:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The ``GET /v3/users/{user_id`` API now properly returns an ``HTTP
403 Forbidden`` as opposed to ``HTTP 404 Not Found`` if the calling
user doesn't have authorization to call the API. This applies consistent
authorititive policy checks to the API.
The user API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides
user policies.
deprecations:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user policies have been deprecated. The ``identity:get_user`` now uses
``(role:reader and system_scope:all) or (role:reader and
token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s``
instead of ``rule:admin_or_owner``. The ``identity:list_users`` policy now
uses ``(role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain_id)s)`` instead of
``rule:admin_required``. The ``identity:create_user``,
``identity:update_user``, and ``identity:delete_user`` policies now use
``(role:admin and system_scope:all) or (role:admin and
token.domain.id:%(target.user.domain_id)s)`` instead of ``rule:admin_required``.
These new defaults automatically account for system-scope, domain-scope,
and support a read-only role, making it easier for system and domain
administrators to delegate subsets of responsibility without compromising
security. Please consider these new defaults if your deployment overrides
the user policies.
security:
- |
[`bug 1805406 <https://bugs.launchpad.net/keystone/+bug/1805406>`_]
The user API now uses system-scope and default roles to
provide better accessibility to users in a secure way.
View Git Blame Copy Permalink