Be more explicit about upgrade to native integration

markus-hentsch · gtema · commit 23f353a4f2dd · 2024-11-06T15:56:55.000+01:00
Signed-off-by: Markus Hentsch &lt;markus.hentsch@cloudandheat.com&gt;
diff --git a/Standards/scs-0302-v1-domain-manager-role.md b/Standards/scs-0302-v1-domain-manager-role.md
@@ -118,12 +118,16 @@ enforce_scope = True
 The "`is_domain_managed_role`" policy rule MAY be adjusted using a dedicated `policy.yaml` file for the Identity API in order to adjust the set of roles a Domain Manager is able to assign/revoke.
 When doing so, the `admin` role MUST NOT be added to this set.
 
+#### Note about upgrading from SCS Domain Manager to native integration
+
+In case the Identity API was upgraded from an older version where the policy-based Domain Manager implementation of SCS described in the [implementation notes for this standard](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0302-w1-domain-manager-implementation-notes.md) was still in use, the policies described there MUST be removed (except for the "`is_domain_managed_role`" rule).
+
 ### For OpenStack Keystone 2024.1 or below
 
 For OpenStack Keystone 2024.1 or below, the Domain Manager functionality MUST be implemented using API policies.
 For details, refer to the [implementation notes for this standard](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0302-w1-domain-manager-implementation-notes.md).
 
-For those versions, changing the "`enforce_scope`" and "`enforce_new_defaults`" options for the Identity API is not necessary for the Domain Manager implementation.
+For the release 2024.1 and below, changing the "`enforce_scope`" and "`enforce_new_defaults`" options for the Identity API is not necessary for the Domain Manager implementation.
 
 ## Related Documents
 
diff --git a/Standards/scs-0302-w1-domain-manager-implementation-notes.md b/Standards/scs-0302-w1-domain-manager-implementation-notes.md
@@ -11,12 +11,16 @@ supplements:
 
 :::caution
 
-If a Keystone release of OpenStack 2024.2 or later is used, this document can be disregarded.
+If a Keystone release of OpenStack 2024.2 or later is used, **the policy configuration described in this document MUST be removed again** in case it was applied in the past prior to the upgrade.
+
+:::
+
+:::info
+
 The implementation described in this document only applies to Keystone releases prior to the OpenStack release 2024.2 ("Dalmatian").
 This document describes a transitional solution to offer the Domain Manager functionality for SCS clouds based on an OpenStack release earlier than 2024.2.
 
-Beginning with the 2024.2 release of OpenStack, the Domain Manager persona is integrated natively into Keystone and the implementation described below is unnecessary.
-The implementation described in this document and the native OpenStack integration starting with 2024.2 offer identical behavior for users, ensuring a seamless transition.
+Beginning with the 2024.2 release of OpenStack, the Domain Manager persona is integrated natively into Keystone and the implementation described below is unnecessary and might conflict with the native implementation.
 
 :::
 
