---
upgrade:
  - |
    Changes the way to configure access credentials for OpenStack services
    clients. For each service, both Keystone session options
    (timeout, SSL-related ones) and Keystone auth_plugin options
    (auth_url, auth_type and corresponding auth_plugin options)
    should be specified in the configuration section for this service.
    Configuration sections affected are:

    * ``[neutron]`` for Neutron service user
    * ``[glance]`` for Glance service user
    * ``[swift]`` for Swift service user
    * ``[inspector]`` for Ironic Inspector service user
    * ``[service_catalog]`` *new section* for Ironic service user,
      used to discover Ironic endpoint from Keystone Catalog

    This enables fine tuning of authentication for each service.

    Backward-compatible options handling is provided
    using values from ``[keystone_authtoken]`` config section,
    but operators are advised to switch to the new config options as the
    old options are deprecated. The old options will be removed during the
    Ocata cycle.
    For more information on sessions, auth plugins and their settings,
    please refer to http://docs.openstack.org/developer/keystoneauth/.

  - |
    Small change in semantics of default for ``[neutron]/url`` option

    * default is changed to None.
    * For the case when ``[neutron]/auth_strategy`` is ``noauth``,
      default means use ``http://$my_ip:9696``.
    * For the case when ``[neutron]/auth_strategy`` is ``keystone``,
      default means to resolve the endpoint from Keystone Catalog.

  - New config section ``[service_catalog]`` for access credentials used
    to discover Ironic API URL from Keystone Catalog.
    Previously credentials from ``[keystone_authtoken]`` section were used,
    which is now deprecated for such purpose.
deprecations:
  - The ``[keystone_authtoken]`` configuration section is deprecated for
    configuring clients for other services (but is still used for configuring
    API token authentication), in favor of the ``[service_catalog]`` section.
    The ability to configure clients for other services via the
    ``[keystone_authtoken]`` section will be removed during the Ocata cycle.
fixes:
  - Do not rely on keystonemiddleware config options for instantiating
    clients for other OpenStack services.
    This allows changing keystonemiddleware options from legacy ones
    and thus support Keystone V3 for token validation.