41 lines
1.9 KiB
YAML
41 lines
1.9 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
|
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
|
The system assignment API now supports the ``admin``, ``member``,
|
|
and ``reader`` default roles across system-scope, domain-scope,
|
|
and project-scope.
|
|
upgrade:
|
|
- |
|
|
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
|
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
|
The system assignment API uses new default policies that make it more
|
|
accessible to end users and administrators in a secure way. Please
|
|
consider these new defaults if your deployment overrides system
|
|
assignment policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
|
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
|
The system assignment policies have been deprecated. The
|
|
``identity:list_system_grants_for_user`` and
|
|
``identity:check_system_grant_for_user`` policies now use
|
|
``role:reader and system_scope:all`` instead of
|
|
``rule:admin_required``. The
|
|
``identity:create_system_grant_for_user`` and
|
|
``identity:revoke_system_grant_for_user`` policies now use
|
|
``role:admin and system_scope:all`` instead of
|
|
``rule:admin_required``. These new defaults automatically include
|
|
support for a read-only role and allow for more granular access to
|
|
the system assignment API, making it easier for administrators to
|
|
delegate authorization, safely. Please consider these new defaults
|
|
if your deployment overrides the system assignment APIs.
|
|
security:
|
|
- |
|
|
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
|
|
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
|
|
The system assignment API now uses system-scope, domain-scope,
|
|
project-scope, and default roles to provide better accessibility
|
|
to users in a secure way.
|