-rw-r--r-- | keystone/conf/token.py | 8 | ||||
-rw-r--r-- | releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml | 11 |
2 files changed, 19 insertions, 0 deletions
diff --git a/keystone/conf/token.py b/keystone/conf/token.py
index b93db4d04..6834b0721 100644
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@@ -114,6 +114,14 @@ request for a scoped token to avoid re-scoping altogether.
 infer_roles = cfg.BoolOpt(
 'infer_roles',
 default=True,
+ deprecated_since=versionutils.deprecated.ROCKY,
+ deprecated_reason=utils.fmt("""
+Default roles depend on a chain of implied role assignments. Ex: an admin user
+will also have the reader and member role. By ensuring that all these roles
+will always appear on the token validation response, we can improve the
+simplicity and readability of policy files.
+"""),
+ deprecated_for_removal=True,
 help=utils.fmt("""
 This controls whether roles should be included with tokens that are not
 directly assigned to the token's scope, but are instead linked implicitly to
diff --git a/releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml b/releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml
new file mode 100644
index 000000000..ad01e535b
--- /dev/null
+++ b/releasenotes/notes/deprecated-as-of-rocky-60b2fa05d07d3a28.yaml
@@ -0,0 +1,11 @@
+---
+deprecations:
+ - >
+ The option ``[token] infer_roles=False`` is being deprecated in favor of
+ always expanding role implications during token validation.
+
+ `Default roles <https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html>`_
+ depend on a chain of implied role assignments, ex: an admin user will also
+ have the reader and member role. Therefore by ensuring that all these roles will
+ always appear on the token validation response, we can improve the
+ simplicity and readability of policy files. |
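Review bot: The `deprecated_reason` added to `infer_roles` in keystone/conf/token.py explains why implied roles should always be expanded, but it does not tell an operator who runs with `infer_roles = False` what changes for them. Going by the release note in this same commit, role implications will always be expanded during token validation, so once the option is removed the role set that policy enforcement sees on a token gets wider for those deployments. I would append a sentence to the reason such as `Deployments that set this option to False should review their implied role rules and policy files before it is removed, because tokens will then always include implied roles.` The new `deprecated_since=versionutils.deprecated.ROCKY` line also needs `versionutils` in scope; the module's import block is outside the hunk, so confirm the import is there. The `cfg.BoolOpt(` call and its `help` text continue past the end of the hunk.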