Merge pull request ceph#60848 from cbodley/wip-rgw-deprecate-iam-tenant

cbodley · web-flow · commit 093e0de0b870 · 2025-01-08T13:02:17.000-05:00
docs/rgw: deprecate tenant-based IAM in favor of accounts

Reviewed-by: Anthony D'Atri &lt;anthony.datri@gmail.com&gt;
diff --git a/PendingReleaseNotes b/PendingReleaseNotes
@@ -1,5 +1,16 @@
 >=20.0.0
 
+* RGW: The User Account feature introduced in Squid provides first-class support for
+  IAM APIs and policy. Our preliminary STS support was instead based on tenants, and
+  exposed some IAM APIs to admins only. This tenant-level IAM functionality is now
+  deprecated in favor of accounts. While we'll continue to support the tenant feature
+  itself for namespace isolation, the following features will be removed no sooner
+  than the V release:
+    * tenant-level IAM APIs like CreateRole, PutRolePolicy and PutUserPolicy,
+    * use of tenant names instead of accounts in IAM policy documents,
+    * interpretation of IAM policy without cross-account policy evaluation,
+    * S3 API support for cross-tenant names such as `Bucket='tenant:bucketname'`
+
 * RBD: All Python APIs that produce timestamps now return "aware" `datetime`
   objects instead of "naive" ones (i.e. those including time zone information
   instead of those not including it).  All timestamps remain to be in UTC but
