aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml')
-rw-r--r--keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml14
1 files changed, 14 insertions, 0 deletions
diff --git a/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml b/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml
new file mode 100644
index 00000000..a0c2b3bb
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - >
+ [`bug 96869 <https://bugs.launchpad.net/keystone/+bug/968696>`_]
+ A pair of configuration options have been added to the ``[resource]``
+ section to specify a special ``admin`` project:
+ ``admin_project_domain_name`` and ``admin_project_name``. If these are
+ defined, any scoped token issued for that project will have an additional
+ identifier ``is_admin_project`` added to the token. This identifier can then
+ be checked by the policy rules in the policy files of the services when
+ evaluating access control policy for an API. Keystone does not yet
+ support the ability for a project acting as a domain to be the
+ admin project. That will be added once the rest of the code for
+ projects acting as domains is merged.