This documents important user-visible changes to ACS, in reverse chronological order.
These changes have not been released yet, but are likely to appear in the next release.
A new administration interface has been added to ACS, which will slowly become the single-point-of-contact for all administrators and managers of ACS installations. Currently this interface only exposes the new alerts system, but will be expanded in future releases. It can be accessed from the base URL of your ACS installation.
The 'Global Administrator Account' user account is now created with a
UUID specific to this installation of ACS. Once this has been done the
old account object (d53f476a-29dd-4d79-b614-5b7fe9bc8acf) can be
deleted.
The password for this account has moved from the krb5-passwords K8s
Secret into a dedicated Secret for this purpose, admin-password. This
contains a single key password holding the account password.
Note that this account bypasses all ACLs and should not be used for normal operation.
Previously ACS deployed a Client Role called 'Global Debugger'
(4473fe9c-05b0-42cc-ad8c-8e05f6d0ca86). This was
a Group of permissions within the Auth service which was granted in the
permission slot of access control entries. It was only useful if
granted with a wildcard target.
This has been replaced by a Group of users called 'MQTT global
debuggers' (f76f8445-ce78-41c5-90ec-5964fb0cd431). Accounts and groups
which should have global MQTT access should be added to this group; the
group should not appear in any additional access control entries.
Accounts created by the ACS installation will have been updated to be members of the Group, but ACLs referencing the Client Role and the Role itself will not have been removed. Any local accounts using the Role should be updated to be members of the Group instead, and then any access control entries referencing the Role should be removed.
This is a major release, with fundamental changes to the architecture. Detailed release notes are available here.