docs/rgw: deprecate tenant-based IAM in favor of accounts

the user account feature was intended to cover all of the use cases of
the previous tenant-based IAM/STS integration. announce deprecation of
tenant-based IAM for the T release and removal for T+2

Signed-off-by: Casey Bodley <cbodley@redhat.com>

diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 146cab64d6fb744f1990331b33411c867781a94d..00555adaac801b8c0ff2b0cfcbfffc57bc4c3173 100644 (file)
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -1,5 +1,16 @@
 >=20.0.0
 
+* RGW: The User Account feature introduced in Squid provides first-class support for
+  IAM APIs and policy. Our preliminary STS support was instead based on tenants, and
+  exposed some IAM APIs to admins only. This tenant-level IAM functionality is now
+  deprecated in favor of accounts. While we'll continue to support the tenant feature
+  itself for namespace isolation, the following features will be removed no sooner
+  than the V release:
+    * tenant-level IAM APIs like CreateRole, PutRolePolicy and PutUserPolicy,
+    * use of tenant names instead of accounts in IAM policy documents,
+    * interpretation of IAM policy without cross-account policy evaluation,
+    * S3 API support for cross-tenant names such as `Bucket='tenant:bucketname'`
+
 * RBD: All Python APIs that produce timestamps now return "aware" `datetime`
   objects instead of "naive" ones (i.e. those including time zone information
   instead of those not including it).  All timestamps remain to be in UTC but