Merge "Remove system EC2 credentials from policy.v3cloudsample.json"
This commit is contained in:
commit
778a8c17ce
|
@ -16,9 +16,6 @@
|
|||
"identity:get_project_tag": "rule:admin_required",
|
||||
"identity:list_project_tags": "rule:admin_required",
|
||||
|
||||
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
||||
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
||||
|
||||
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
|
||||
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
|
||||
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
|
||||
|
|
|
@ -250,8 +250,10 @@ class PolicyJsonTestCase(unit.TestCase):
|
|||
'identity:delete_service_provider',
|
||||
'identity:delete_trust',
|
||||
'identity:delete_user',
|
||||
'identity:ec2_create_credential',
|
||||
'identity:ec2_delete_credential',
|
||||
'identity:ec2_get_credential',
|
||||
'identity:ec2_list_credentials',
|
||||
'identity:get_access_rule',
|
||||
'identity:get_access_token',
|
||||
'identity:get_access_token_role',
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
|
||||
The EC2 credentials API now supports the ``admin``,
|
||||
``member``, and ``reader`` default roles.
|
||||
|
||||
upgrade:
|
||||
- |
|
||||
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
|
||||
The EC2 credentials API uses new default policies to
|
||||
make it more accessible to end users and administrators in a secure way.
|
||||
Please consider these new defaults if your deployment overrides EC2
|
||||
credentials consumer policies.
|
||||
deprecations:
|
||||
- |
|
||||
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
|
||||
The EC2 credentials policies have been deprecated. The
|
||||
``identity:ec2_get_credentials`` now use ``(role:reader and system_scope:all)
|
||||
or user_id:%(target.credential.user_id)s`` instead of
|
||||
``rule:admin_required``and ``identity:ec2_list_credentials`` policies now use
|
||||
``role:reader and system_scope:all or rule:owner`` instead of
|
||||
``rule:admin_required``. The ``identity:ec2_delete_credentials`` now use
|
||||
``(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s``
|
||||
instead of ``rule:admin_required``and ``identity:ec2_create_credentials``
|
||||
policies now use ``role:admin and system_scope:all or rule:owner`` instead of
|
||||
``rule:admin_required``.
|
||||
These new defaults automatically account for system-scope and support
|
||||
a read-only role, making it easier for system administrators to delegate
|
||||
subsets of responsibility without compromising security. Please consider
|
||||
these new defaults if your deployment overrides the EC2 credentials policies.
|
||||
security:
|
||||
- |
|
||||
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
|
||||
The EC2 credentials API now uses system-scope and default
|
||||
roles to provide better accessibility to users in a secure manner.
|
Loading…
Reference in New Issue