From b875c783ef70b8305bc8d22bd14ec72b7f119b4e Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Tue, 26 Nov 2024 12:51:21 -0500 Subject: [PATCH] docs/rgw: deprecate tenant-based IAM in favor of accounts the user account feature was intended to cover all of the use cases of the previous tenant-based IAM/STS integration. announce deprecation of tenant-based IAM for the T release and removal for T+2 Signed-off-by: Casey Bodley --- PendingReleaseNotes | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 146cab64d6f..00555adaac8 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -1,5 +1,16 @@ >=20.0.0 +* RGW: The User Account feature introduced in Squid provides first-class support for + IAM APIs and policy. Our preliminary STS support was instead based on tenants, and + exposed some IAM APIs to admins only. This tenant-level IAM functionality is now + deprecated in favor of accounts. While we'll continue to support the tenant feature + itself for namespace isolation, the following features will be removed no sooner + than the V release: + * tenant-level IAM APIs like CreateRole, PutRolePolicy and PutUserPolicy, + * use of tenant names instead of accounts in IAM policy documents, + * interpretation of IAM policy without cross-account policy evaluation, + * S3 API support for cross-tenant names such as `Bucket='tenant:bucketname'` + * RBD: All Python APIs that produce timestamps now return "aware" `datetime` objects instead of "naive" ones (i.e. those including time zone information instead of those not including it). All timestamps remain to be in UTC but -- 2.39.5
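Review bot: the new RGW entry lists what will be removed but gives operators no pointer for moving existing tenant-level roles and user policies over to accounts; consider adding a sentence after the bullet list that refers readers to the account documentation or to migration steps. The third bullet, "interpretation of IAM policy without cross-account policy evaluation", is worded from the implementation's side, and it would help to say what behaviour an admin with existing cross-tenant policies should expect to change. Minor style point: the first three bullets end in commas while the last one, ending in `Bucket='tenant:bucketname'`, has no terminating punctuation, so either close it with a period or drop the trailing commas.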