ironic/releasenotes/notes/keystone-auth-3155762c524e44df.yaml
Jim Rollenhagen 0fe585ac7c Clean up release notes for 6.1.0
This corrects some typos, some grammar, and makes formatting of notes
generally more consistent.

Change-Id: Ic6b48a1877a9b142a4dd1df2ae22342eef99bc76
2016-08-10 14:02:42 -04:00

52 lines
2.4 KiB
YAML

---
upgrade:
- |
Changes the way to configure access credentials for OpenStack services
clients. For each service, both Keystone session options
(timeout, SSL-related ones) and Keystone auth_plugin options
(auth_url, auth_type and corresponding auth_plugin options)
should be specified in the configuration section for this service.
Configuration sections affected are:
* ``[neutron]`` for Neutron service user
* ``[glance]`` for Glance service user
* ``[swift]`` for Swift service user
* ``[inspector]`` for Ironic Inspector service user
* ``[service_catalog]`` *new section* for Ironic service user,
used to discover Ironic endpoint from Keystone Catalog
This enables fine tuning of authentication for each service.
Backward-compatible options handling is provided
using values from ``[keystone_authtoken]`` config section,
but operators are advised to switch to the new config options as the
old options are deprecated. The old options will be removed during the
Ocata cycle.
For more information on sessions, auth plugins and their settings,
please refer to http://docs.openstack.org/developer/keystoneauth/.
- |
Small change in semantics of default for ``[neutron]/url`` option
* default is changed to None.
* For the case when ``[neutron]/auth_strategy`` is ``noauth``,
default means use ``http://$my_ip:9696``.
* For the case when ``[neutron]/auth_strategy`` is ``keystone``,
default means to resolve the endpoint from Keystone Catalog.
- New config section ``[service_catalog]`` for access credentials used
to discover Ironic API URL from Keystone Catalog.
Previously credentials from ``[keystone_authtoken]`` section were used,
which is now deprecated for such purpose.
deprecations:
- The ``[keystone_authtoken]`` configuration section is deprecated for
configuring clients for other services (but is still used for configuring
API token authentication), in favor of the ``[service_catalog]`` section.
The ability to configure clients for other services via the
``[keystone_authtoken]`` section will be removed during the Ocata cycle.
fixes:
- Do not rely on keystonemiddleware config options for instantiating
clients for other OpenStack services.
This allows changing keystonemiddleware options from legacy ones
and thus support Keystone V3 for token validation.