Diffstat (limited to 'keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml')
-rw-r--r-- keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml 11
1 files changed, 11 insertions, 0 deletions
diff --git a/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml b/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml
new file mode 100644
index 00000000..98306f3e
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - >
+ [`blueprint domain-specific-roles <https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles>`_]
+ Roles can now be optionally defined as domain specific. Domain specific
+ roles are not referenced in policy files, rather they can be used to allow
+ a domain to build their own private inference rules with implied roles. A
+ domain specific role can be assigned to a domain or project within its
+ domain, and any subset of global roles it implies will appear in a token
+ scoped to the respective domain or project. The domain specific role
+ itself, however, will not appear in the token.
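Review bot: The phrase "any subset of global roles it implies will appear in a token" in the second-to-last sentence is ambiguous about which implied roles end up in the token. Because the domain specific role itself is left out of the token, anyone auditing a token has only the implied global roles to go on, so the rule should be exact. If every implied global role is expanded, say "the global roles it implies will appear"; if only some are, name the condition that selects them. Two smaller points: "allow a domain to build their own private inference rules" should read "its own", and the note says roles "can now be optionally defined as domain specific" without saying how a role is marked that way, which an operator reading release notes would want in one sentence.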