clean up release notes for ocata
Change-Id: I9f4d47518f1a1ab184d6cefb2b251aaad38e113a
This commit is contained in:
parent
169e66ab88
commit
5e2cc88ce7
@ -0,0 +1,13 @@
---
features:
- >
[`blueprint password-expires-validation <https://blueprints.launchpad.net/keystone/+spec/password-expires-validation>`_]
Token responses will now have a ``password_expires_at`` field in the
``user`` object, this can be expressed briefly as::

{"token": {"user": {"password_expires_at": null}}}

If PCI support is enabled, via the ``[security_compliance]`` configuration
options, then the ``password_expires_at`` field will be populated with a
timestamp. Otherwise, it will default to ``null``, indicating the password
does not expire.
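Review bot: comma splice in the new note, "field in the ``user`` object, this can be expressed briefly as::"; make it two sentences or use a semicolon ("``user`` object; briefly::"). Otherwise the added text reads well.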
@ -1,8 +0,0 @@
---
features:
- >
Token responses will now have a ``password_expires_at``
field under the ``user`` dictionary.
If PCI support is enabled, the ``password_expires_at``
field will be populated. Otherwise, it will default
to ``null``.
@ -18,5 +18,5 @@ features:
* If a user attempts to change their password too often. See
``[security_compliance] minimum_password_age``.

See http://docs.openstack.org/developer/keystone/event_notifications.html for
additional details.
For additional details see:
`event notifications <See http://docs.openstack.org/developer/keystone/event_notifications.html>`_
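Review bot: the new link target contains a stray "See ", so the rendered hyperlink points at "See http://docs.openstack.org/..." and is broken; it should read `event notifications <http://docs.openstack.org/developer/keystone/event_notifications.html>`_.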
@ -0,0 +1,9 @@
---
features:
- >
[`blueprint pci-dss-password-requirements-api <https://blueprints.launchpad.net/keystone/+spec/pci-dss-password-requirements-api>`_]
Added a new API (``/v3/domains/{domain_id}/config/security_compliance``) to
retrieve regular expression requirements for passwords. Specifically,
``[security_compliance] password_regex`` and ``[security_compliance] password_regex_description``
will be returned. Note that these options are only meaningful if PCI support
is enabled, via various ``[security_compliance]`` configuration options.
12
releasenotes/notes/bp-shadow-mapping-06fc7c71a401d707.yaml
Normal file
@ -0,0 +1,12 @@
---
features:
- >
[`blueprint manage-migration <https://blueprints.launchpad.net/keystone/+spec/manage-migration>`_]
The federated identity mapping engine now supports the ability to
automatically provision ``projects`` for ``federated users``. A role assignment
will automatically be created for the user on the specificed proejct. If the
project specified within the mapping does not exist, it will be automatically
created in the ``domain`` associated with the ``identity provider``.
This behavior can be triggered using a specific syntax within the ``local``
rules section of a mapping. For more information see:
`mapping combinations <http://docs.openstack.org/developer/keystone/federation/federated_identity.html#mapping-combinations>`_
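Review bot: two typos in the new note, "specificed proejct" should be "specified project". Also, this file is named bp-shadow-mapping-*.yaml but the link at the top references blueprint manage-migration; please confirm that is the intended blueprint for the mapping-engine provisioning feature, since the two names do not match.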
@ -0,0 +1,7 @@
---
features:
- >
[`blueprint support-federated-attr <https://blueprints.launchpad.net/keystone/+spec/support-federated-attr>`_]
Added new filters to the `list user` API (``GET /v3/users``) to support
querying federted identity atttributes: ``idp_id``, ``protocol_id``, and
``unique_id``.
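Review bot: typos in the new text, "federted identity atttributes" should be "federated identity attributes".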
19
releasenotes/notes/bug-1017606-98313bb4c1edf250.yaml
Normal file
@ -0,0 +1,19 @@
---
other:
- >
[`bug 1017606 <https://bugs.launchpad.net/keystone/+bug/1017606>`_]
The signature on the ``get_catalog`` and ``get_v3_catalog`` methods of
``keystone.catalog.backends.base.CatalogDriverBase`` have been updated.

Third-party extensions that extend the abstract class (``CatalogDriverBase``)
should be updated according to the new parameter names.

The method signatures have changed from::

get_catalog(self, user_id, tenant_id)
get_v3_catalog(self, user_id, tenant_id)

to::

get_catalog(self, user_id, project_id)
get_v3_catalog(self, user_id, project_id)
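Review bot: subject/verb agreement in the opening sentence, "The signature on the ... methods ... have been updated" should be "The signatures on the ... methods ... have been updated" (or "The signature ... has been"). The before/after signature blocks make this the clearest of the driver-interface notes in the patch; the same layout could be used for the other signature changes.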
@ -2,11 +2,22 @@
fixes:
- >
[`bug 1524030 <https://bugs.launchpad.net/keystone/+bug/1524030>`_]
During token validation we've reduced the number of revocation events
During token validation we have reduced the number of revocation events
returned, only returning a subset of events relevant to the token. Thus,
improving overall token validation performance.
other:
- >
The revoke backend driver interface has changed. We've added a token
parameter to the ``list_events`` method in order to improve performance by
reducing the number of revocation events returned during token validation.
[`bug 1524030 <https://bugs.launchpad.net/keystone/+bug/1524030>`_]
The signature on the ``list_events`` method of ``keystone.revoke.backends.base.RevokeDriverBase``
has been updated.

Third-party extensions that extend the abstract class (``RevokeDriverBase``)
should update their code according to the new parameter names.

The method signature has changed from::

list_events(self, last_fetch=None)

to::

list_events(self, last_fetch=None, token=None)
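Review bot: "Thus, improving overall token validation performance." in the fixes entry is a sentence fragment; join it to the previous sentence as ", thus improving overall token validation performance." Since the new ``token`` parameter defaults to ``None``, it would also help third-party driver authors to say what ``list_events`` returns when no token is passed (presumably the full event list, as before).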
@ -4,8 +4,8 @@ fixes:
[`bug 1651989 <https://bugs.launchpad.net/keystone/+bug/1651989>`_]
Due to ``bug 1547684``, when using the ``policy.v3cloudsample.json``
sample file, a domain admin token was being treated as a cloud admin.
Since the ``is_admin_project`` functionality only supports project-
scoped tokens, we automatically set any domain scoped token to have
Since the ``is_admin_project`` functionality only supports
project-scoped tokens, we automatically set any domain scoped token to have
the property ``is_admin_project`` to ``False``.

[`bug 1547684 <https://bugs.launchpad.net/keystone/+bug/1547684>`_]
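Review bot: "Due to ``bug 1547684``" is rendered as literal text while the same bug is linked a few lines below; either link it inline or drop the literal markup so the reference is consistent. Also, the re-wrapped line mixes "project-scoped" and "domain scoped"; hyphenate both. This entry describes a privilege-escalation fix (a domain admin token treated as cloud admin), so it is worth keeping its wording precise.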
23
releasenotes/notes/bug-1561054-dbe88b552a936a05.yaml
Normal file
@ -0,0 +1,23 @@
---
prelude: >
- The default token provider is now Fernet.
upgrade:
- >
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
The default token provider has switched from UUID to Fernet. Please note that
Fernet requires a key repository to be in place prior to running Ocata,
this can be done running ``keystone-manage fernet_setup``.
Additionally, for multi-node deployments, it is imperative that a key
distribution process be in use before upgrading. Once a key repository has
been created it should be distributed to all keystone nodes in the deployment.
This ensures that each keystone node will be able to validate tokens issued
across the deployment. If you do not wish to switch token formats, you will
need to explicitly set the token provider for each node in the deployment
by setting ``[token] provider`` to ``uuid`` in ``keystone.conf``.
Documentation can be found at `fernet-tokens <http://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet-tokens>`_.
critical:
- >
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
If upgrading to Fernet tokens, you must have a key repository and key distribution
mechanism in place, otherwise token validation may not work. Please see the
upgrade section for more details.
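Review bot: ``prelude`` is a single folded string in reno, not a list, so the leading "- " on "- The default token provider is now Fernet." will be rendered verbatim as a dash at the start of the prelude text; drop the "- ". Also a comma splice in the upgrade entry, "prior to running Ocata, this can be done running ``keystone-manage fernet_setup``"; split it into two sentences. The critical entry correctly stresses the key repository and distribution requirement, since nodes without the keys cannot validate Fernet tokens.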
@ -1,7 +1,7 @@
---
other:
- >
[`bug 1563101 <https://bugs.launchpad.net/keystone/+bug/1563101>`_]
The token provider driver interface has moved from
``keystone.token.provider.Provider`` to ``keystone.token.providers.base.Provider``.
This is consistent with other backend drivers. If you have implemented a
custom token provider, you will want to subclass from the new location.
If implementing a custom token provider, subclass from the new location.
15
releasenotes/notes/bug-1582585-a368ac5a252ec84f.yaml
Normal file
@ -0,0 +1,15 @@
---
other:
- >
[`bug 1582585 <https://bugs.launchpad.net/keystone/+bug/1582585>`_]
A new method ``get_domain_mapping_list`` was added to
``keystone.identity.mapping_backends.base.MappingDriverBase``.

Third-party extensions that extend the abstract class (``MappingDriverBase``)
should implement this new method.

The method has the following signature::

get_domain_mapping_list(self, domain_id)

and will return a list of mappings for a given domain ID.
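Review bot: the sentence that continues after the literal block ("and will return a list of mappings for a given domain ID.") reads as a dangling fragment once the signature is rendered as a separate block; make it a full sentence, for example "It returns a list of mappings for the given domain ID."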
8
releasenotes/notes/bug-1611102-e1348cbec9b1110a.yaml
Normal file
@ -0,0 +1,8 @@

---
other:
- >
[`bug 1611102 <https://bugs.launchpad.net/keystone/+bug/1611102>`_]
The methods ``list_endpoints_for_policy()`` and ``get_policy_for_endpoint()``
have been removed from the ``keystone.endpoint_policy.backends.base.EndpointPolicyDriverBase``
abstract class, they were unused.
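Review bot: this new file starts with an empty line before the ``---`` document marker, unlike every other note in the patch; drop it for consistency. Also a comma splice at the end, "abstract class, they were unused"; "abstract class, as they were unused." reads better.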
@ -2,7 +2,6 @@
fixes:
- >
[`bug 1616424 <https://bugs.launchpad.net/keystone/+bug/1616424>`_]
Python build-in exception was raised if create request token or access token
request from client with invalid request parameters, invalid signature for example.
The implementation is hardened by showing proper exception and displaying the
failure reasons if existent.
Provide better exception messages when creating OAuth request tokens and
OAuth access tokens via the ``/v3/OS-OAUTH1/request_token`` and
``/v3/OS-OAUTH1/access_token`` APIs, respectively.
@ -2,9 +2,17 @@
fixes:
- >
[`bug 1622310 <https://bugs.launchpad.net/keystone/+bug/1622310>`_]
Keystone trust will be invalidated if the project to which the trust
Trusts will now be invalidated if: the project to which the trust
is scoped, or the user (trustor or trustee) for which the delegation
is assigned, have been deleted.
is assigned, has been deleted.
other:
- Abstract method ``delete_trusts_for_project`` should be implemented by
custom drivers.
- >
[`bug 1622310 <https://bugs.launchpad.net/keystone/+bug/1622310>`_]
A new method ``delete_trusts_for_project`` has been added to ``keystone.trust.backends.base.TrustDriverBase``.

Third-party extensions that extend the abstract class (``TrustDriverBase``)
should be updated according to the new parameter names.

The signature for the new method is::

delete_trusts_for_project(self, project_id)
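Review bot: "should be updated according to the new parameter names" in the ``other`` entry is copied from the signature-change notes, but this entry introduces a new abstract method, so it should read "should implement this new method" (as the ``get_domain_mapping_list`` note does); a custom driver that does not implement it will fail to instantiate. The colon in "invalidated if: the project" is also out of place; drop it.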
@ -2,7 +2,7 @@
features:
- >
[`bug 1638603 <https://bugs.launchpad.net/keystone/+bug/1638603>`_]
Support nested groups in Active Directory. A new boolean option
Add support for nested groups in Active Directory. A new boolean option
``[ldap] group_ad_nesting`` has been added, it defaults to ``False``.
Enable the option is using Active Directory with nested groups. This
option will impact the ``list_users_in_group``, ``list_groups_for_user``,
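Review bot: "Enable the option is using Active Directory with nested groups." should be "Enable the option if using Active Directory with nested groups." The preceding line is also a comma splice ("has been added, it defaults to ``False``"); use "has been added; it defaults to ``False``." These lines are unchanged context here, so fix them in a follow-up if this patch is meant to be wording-only.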
9
releasenotes/notes/bug-1641645-516709f9da3de26f.yaml
Normal file
@ -0,0 +1,9 @@
---
features:
- |
[`bug 1641645 <https://bugs.launchpad.net/keystone/+bug/1641645>`_]
RBAC protection was removed from the `Self-service change user password` API
(``/v3/user/$user_id/password``), meaning, a user can now change their password
without a token specified in the ``X-Auth-Token`` header. This change will
allow a user, with an expired password, to update their password without the
need of an administrator.
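Review bot: the rewritten note drops the justification that the deleted version (last hunk of this patch) carried, namely that the user is expected to know their own password and is authenticated by it. As written, "without a token specified in the ``X-Auth-Token`` header" can be read as the endpoint being unauthenticated; add a sentence stating that the request is still authenticated with the user's current password. Minor: ", meaning, a user" should be ", meaning a user".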
21
releasenotes/notes/bug-1641654-8630ce7bcde43a7e.yaml
Normal file
@ -0,0 +1,21 @@
---
features:
- >
[`bug 1641654 <https://bugs.launchpad.net/keystone/+bug/1641654>`_]
The ``healthcheck`` middleware from `oslo.middleware` has been added to the
keystone application pipelines by default. This middleware provides a common
method to check the health of keystone. Refer to the example paste provided
in ``keystone-paste.ini`` to see how to include the ``healthcheck`` middleware.
upgrade:
- |
[`bug 1641654 <https://bugs.launchpad.net/keystone/+bug/1641654>`_]
The ``healthcheck`` middleware from `oslo.middleware` has been added to the
keystone application pipelines by default. The following section has been
added to ``keystone-paste.ini``::

[filter:healthcheck]
use = egg:oslo.middleware#healthcheck

It is recommended to have the ``healthcheck`` middleware first in the pipeline::

pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler ...
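Review bot: the ``features`` and ``upgrade`` entries repeat the same two opening sentences; keep the description in ``features`` and leave only the paste configuration in ``upgrade``. The ``upgrade`` entry recommends placing ``healthcheck`` first in the pipeline, which means it answers before any authentication filter runs; say explicitly that the endpoint is unauthenticated by design so deployers can decide whether to restrict it at the proxy. Note also that ``features`` uses a folded scalar (``>``) while ``upgrade`` uses a literal one (``|``); the literal form is required for the indented config block, so the folded entry is fine only because it has no block.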
13
releasenotes/notes/bug-1641660-f938267e1ec54071.yaml
Normal file
@ -0,0 +1,13 @@
---
upgrade:
- >
[`bug 1641660 <https://bugs.launchpad.net/keystone/+bug/1641660>`_]
The default value for ``[DEFAULT] notification_format`` has been changed
from ``basic`` to ``cadf``. The CADF notifications have more information
about the user that initiated the request.
- >
[`bug 1641660 <https://bugs.launchpad.net/keystone/+bug/1641660>`_]
The default value for ``[DEFAULT] notification_opt_out`` has been changed
to include: ``identity.authenticate.success``, ``identity.authenticate.pending``
and ``identity.authenticate.failed``. If a deployment relies on these
notifications, then override the default setting.
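Review bot: "override the default setting" in the second entry is vaguer than the deleted wording later in this patch, which told deployers to override ``notification_opt_out`` by explicitly listing the notifications to suppress; restore that, because a deployer who only sets the option to an empty value may not realise the option is a suppression list. Since ``identity.authenticate.failed`` is the event that failed-login monitoring relies on, the note should also call out that deployments doing such auditing must override the new default.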
6
releasenotes/notes/bug-1641816-8b39f3f73359c778.yaml
Normal file
@ -0,0 +1,6 @@
---
features:
- >
[`bug 1641816 <https://bugs.launchpad.net/keystone/+bug/1641816>`_]
The ``[token] cache_on_issue`` option is now enabled by default. This option
has no effect unless global caching and token caching are enabled.
6
releasenotes/notes/bug-1642348-83d4c86ad3984d75.yaml
Normal file
@ -0,0 +1,6 @@
---
features:
- >
[`bug 1642348 <https://bugs.launchpad.net/keystone/+bug/1642348>`_]
Added new option ``[security_compliance] lockout_ignored_user_ids`` to allow
deployers to specify users that are exempt from PCI lockout rules.
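Review bot: the rewritten note drops the "such as service users" example that the deleted version (later in this patch) gave for ``lockout_ignored_user_ids``. Exempting an account from lockout removes its brute-force protection, so the note should keep the intended scope (service accounts that would otherwise be locked out by automated retries) and state that listed users are never locked out on failed authentication.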
18
releasenotes/notes/bug-1642687-5497fb56fe86806d.yaml
Normal file
@ -0,0 +1,18 @@
---
fixes:
- >
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
When registering an ``identity provider`` via the OS-FEDERATION API, it is
now recommended to include a ``domain_id`` to associate with the
``identity provider`` in the request. Federated users that authenticate with
the ``identity provider`` will now be associated with the ``domain_id``
specified. If no ``domain_id`` is specified, then a domain will be automatically
created.
upgrade:
- >
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
Upon a successful upgrade, all existing ``identity providers`` will now
be associated with a automatically created domain. Each ``identity provider``
that existed prior to the `Ocata` release will now have a ``domain_id`` field.
The new domain will have an ``id`` (random UUID), a ``name`` (that will match
the ``identity provider`` ID , and be ``enabled`` by default.
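Review bot: in the ``upgrade`` entry, "a automatically created domain" should be "an automatically created domain", and the last sentence is missing its closing parenthesis and has a stray space before the comma: "a ``name`` (that will match the ``identity provider`` ID), and be ``enabled`` by default." Also, the deleted version of this note (later in this patch) says the new domain's ``name`` matches its ``id``, whereas this version says it matches the identity provider ID; please confirm which is correct, since operators will look for the domain by name after upgrade.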
23
releasenotes/notes/bug-1642687-c7ab1c9be152db20.yaml
Normal file
@ -0,0 +1,23 @@
---
other:
- |
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
The signature on the ``create_federated_user`` method of
``keystone.identity.shadow_backends.base.ShadowUsersDriverBase`` has been
updated.

Third-party extensions that extend the abstract class (``ShadowUsersDriverBase``)
should be updated according to the new parameter names.

The method signature has changed from::

create_federated_user(self, federated_dict)

to::

create_federated_user(self, domain_id, federated_dict)
fixes:
- |
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
Users that authenticate with an ``identity provider`` will now have a
``domain_id`` attribute, that is associated with the ``identity provider``.
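Review bot: the new ``domain_id`` parameter is inserted before ``federated_dict`` rather than appended, so any third-party caller that passes arguments positionally will break; the note says "according to the new parameter names" but the change is in parameter order and count, and it should say so. Minor: ", that is associated with" should be " which is associated with" (or drop the comma).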
@ -2,5 +2,5 @@
fixes:
- |
[`bug 1642692 <https://bugs.launchpad.net/keystone/+bug/1642692>`_]
All federated_user entries will be deleted if the ``protocol`` it used
to first authenticate is deleted.
When a `federation protocol` is deleted, all users that authenticated with
the `federation protocol` will also be deleted.
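Review bot: this describes a destructive cascade (deleting a federation protocol now deletes every user record that authenticated through it), yet it sits only under ``fixes``; it deserves an ``upgrade`` entry as well so deployers review protocol deletions before upgrading. The rewording is otherwise clearer than the old text.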
@ -1,16 +1,15 @@
---
features:
fixes:
- >
[`bug 1656076 <https://bugs.launchpad.net/keystone/+bug/1656076>`_]
``AuthContext`` Object now required in ``keystone.controllers.Auth.authenticate``
The various plugins under ``keystone.controllers.Auth.authenticate`` now
require ``AuthContext`` objects to be returned.
security:
- >
[`bug 1650676 <https://bugs.launchpad.net/keystone/+bug/1656076>`_]
A bug is fixed that could allow an authenticate call to not use the
``AuthContext`` object which has added security features to ensure things
such as the ``user_id`` does not change between auth methods being processed
in the Keystone server. The ``keystone.controllers.Auth.authenticate``
Authentication plugins now required ``AuthContext`` objects to be used. This
has added security features to ensure information such as the ``user_id``
does not change between authentication methods being processed
by the server. The ``keystone.controllers.Auth.authenticate``
method now requires the argument ``auth_context`` to be an actual
``AuthContext`` object. The scope of the fix is only tests, and this
will prevent security regressions in the future. This is a
hardening patch and not an exploitable security flaw.
``AuthContext`` object.
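Review bot: the ``security`` entry's link text says "bug 1650676" but the URL (and the ``fixes`` entry above) refer to bug 1656076; fix the digits in the link text. "Authentication plugins now required ``AuthContext`` objects" should be "now require". Dropping the old sentence "This is a hardening patch and not an exploitable security flaw" also removes the severity statement that readers of a ``security`` entry look for; consider keeping a short version of it, since the remaining text otherwise reads like a vulnerability fix.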
@ -1,8 +1,9 @@
---
other:
- >
The signature on the ``authenticate`` method of
``keystone.auth.plugins.base.AuthMethodHandler`` has been updated.
[`bug 1659730 <https://bugs.launchpad.net/keystone/+bug/1659730>`_]
The signature on the ``authenticate`` method of ``keystone.auth.plugins.base.AuthMethodHandler``
has been updated.

Third-party extensions that extend the abstract class
(``AuthMethodHandler``) should update their code according to the new
@ -1,6 +0,0 @@
---
features:
- The ``[token] cache_on_issue`` option is now enabled
by default. This option has no effect unless global
caching and token caching are enabled. This matches
the other cache settings (such as token, catalog etc)
@ -1,5 +0,0 @@
---
other:
- The signature of keystone catalog driver interfaces ``get_catalog``
and ``get_v3_catalog`` have been changed in favour of using ``project_id``
instead of ``tenant_id``.
@ -2,8 +2,8 @@
deprecations:
- >
[`blueprint deprecated-as-of-ocata <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-ocata>`_]
The catalog backend ``endpoint_filter.sql``has been deprecated in the
The catalog backend ``endpoint_filter.sql`` has been deprecated in the
`Ocata` release, it has been consolidated with the ``sql`` backend.
It's recommended to replace the ``endpoint_filter.sql`` catalog backend
It is recommended to replace the ``endpoint_filter.sql`` catalog backend
with the ``sql`` backend. The ``endpoint_filter.sql`` backend will be
removed in the `Pike` release.
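Review bot: the missing-space fix and the "It is" expansion are fine, but the unchanged context line "`Ocata` release, it has been consolidated with the ``sql`` backend." is still a comma splice; "release; it has been consolidated" or "release, having been consolidated" would read correctly.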
@ -1,6 +0,0 @@
---
upgrade:
- ID Mapping driver interface has changed. A new method
``get_domain_mapping_list`` was added for fetching mapping list
for a domain. If you have a custom implementation for the identity
driver, you will need to implement this new method.
@ -1,12 +0,0 @@
---
fixes:
- Changed the default notification from ``basic`` to ``cadf``.
- Added ``identity.authenticate.success``, ``identity.authenticate.pending``
and ``identity.authenticate.failed`` as default for
``notification_opt_out``.
upgrade:
- The default setting for ``notification_opt_out`` is changed to include
``identity.authenticate.success``, ``identity.authenticate.pending`` and
``identity.authenticate.failed``. If a deployment relies on these
notifications, then override the default ``notification_opt_out`` setting
by explicitly specifying the notifications to suppress.
@ -1,5 +0,0 @@
---
upgrade:
- The methods ``list_endpoints_for_policy()`` and
``get_policy_for_endpoint()`` have been removed from the EndpointPolicy
driver interface.
@ -1,4 +0,0 @@
---
upgrade:
- Added new filters (``idp_id``, ``protocol_id``, and ``unique_id``) for the
list user API (``GET /v3/users``).
@ -1,7 +0,0 @@
---
features:
- >
The healthcheck middleware from Oslo has been added to the keystone
application pipelines in the example ``keystone-paste.ini`` file. This
middleware provides a common method to check the health of a particular
application provided by keystone.
@ -1,16 +0,0 @@
---
fixes:
- >
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
When registering an Identity Provider (IdP) via the OS-FEDERATION API, it's
now recommended to include a domain ID to associate with the IdP in the
request. Federated users that authenticate with the IdP will now be
associated with the domain ID specified. If no domain ID is specified, then
a domain will be automatically created.
upgrade:
- The ``domain_id`` is now recommended to be included when registering an
Identity Provider (IdP) via the OS-FEDERATION API. For existing Identity
Providers (IdPs), new domains will automatically be created and associated
to the IdPs. Each IdP will now have a ``domain_id`` field. The new domain's
``id`` will be a random UUID, its ``name`` will match its ``id``. All
automatically generated domains will be ``enabled`` by default.
@ -1,9 +0,0 @@
---
features:
- The federated mapping engine now supports the ability
to automatically provision federated users into projects
specified in the mapping rules at federated login time. If the
project within the mapping does not exist, it will be
automatically created in the domain of the Identity Provider.
This behavior can be done using a specific syntax within
the ``local`` rules section of a mapping.
@ -1,21 +0,0 @@
---
upgrade:
- The default token provider has switched from UUID
to Fernet. Please note that Fernet requires a
key repository to be in place prior to running Ocata.
This can be done using ``keystone-manage fernet_setup``.
Documentation can be found `here <http://docs.openstack.org/developer/keystone/man/keystone-manage.html>`_.
In addition, for multi-node deployments, it is imperative that
a key distribution process be in use before upgrading. Once
a key repository has been created it should be distributed
to all keystone nodes in the deployment. This ensures that
each keystone node will be able to validate tokens issued
across the deployment. If you do not wish to switch token
formats, you will need to explicitly set UUID as the token
provider for each node in the deployment using
``[token] provider = uuid`` in your ``keystone.conf``.
critical:
- If upgrading to Fernet tokens, you must have a key
repository and key distribution mechanism in place.
Otherwise token validation may not work. Please see
the upgrade section for more details.
@ -1,7 +0,0 @@
---
features:
- User interfaces and clients now have the ability
to retrieve password requirement information via the
Domain Config API. Specifically, the ``password_regex``
and ``password_regex_description`` options of the
``[security_compliance]`` section.
@ -1,7 +0,0 @@
---
features:
- >
[`bug 1642348 <https://bugs.launchpad.net/keystone/+bug/1642348>`_]
Added a way to ignore the lockout validation for specific users, such as
service users, by setting the `lockout_ignored_user_ids` option in the
`[security_compliance]` section of `keystone.conf`.
@ -1,15 +0,0 @@
---
upgrade:
- The ``validate_v3_token()`` and
``validate_non_persistent_token()`` methods have been
removed from the token provider interface. The token
provider API now uses a single validation method
called ``validate_token()``. Having any validation method
defined except ``validate_token()`` will fail since the
interface no longer includes legacy methods. Please take
this into consideration and plan accordingly if you're
maintaining a custom token provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``validate_v3_token()``
and ``validate_non_persistent()`` token methods.
@ -1,14 +0,0 @@
---
upgrade:
- The ``issue_v2_token()`` method has been removed
from the token provider interface. The token provider
API now uses a single create token method and translates
v3 token responses to v2 format when needed. Having
``issue_v2_token()`` defined with the Ocata codebase
will fail since the interface no longer includes that
method. Please take this into consideration and plan
accordingly if you're maintaining a custom token provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``issue_v2_token()``
method.
@ -1,15 +0,0 @@
---
upgrade:
- The ``issue_v3_token()`` method has been removed
from the token provider interface. The token provider
API now uses a single create token method, ``issue_token``
and translates v3 token responses to v2 format when
needed. Having ``issue_v3_token()`` defined with the
Ocata codebase will fail since the interface no longer
includes that method. Please take this into consideration
and plan accordingly if you're maintaining a custom token
provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``issue_v3_token()``
method.
@ -1,14 +0,0 @@
---
upgrade:
- The ``validate_v2_token()`` method has been removed
from the token provider interface. The token provider
API now uses other validation methods and translates
v3 token responses to v2 format when needed. Having
``validate_v2_token()`` defined with the Ocata codebase
will fail since the interface no longer includes that
method. Please take this into consideration and plan
accordingly if you're maintaining a custom token provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``validate_v2_token()``
method.
@ -39,6 +39,22 @@ other:
* ``keystone/common/cache/backends/mongo``
* ``keystone/common/cache/backends/memcache_pool``
* ``keystone/common/cache/backends/noop``
- >
Several token validation methods from the abstract class ``keystone.token.providers.base.Provider``
were removed (see below) in favor of a single method to validate tokens (``validate_token``),
that has the signature ``validate_token(self, token_ref)``. If using a custom token
provider, update the custom provider accordingly.

* ``validate_v2_token``
* ``validate_v3_token``
* ``validate_non_persistent_token``
- >
Several token issuance methods from the abstract class ``keystone.token.providers.base.Provider``
were removed (see below) in favor of a single method to issue tokens (``issue_token``).
If using a custom token provider, updated the custom provider accordingly.

* ``issue_v2_token``
* ``issue_v3_token``
- >
The ``[DEFAULT] domain_id_immutable`` configuration option has been removed
in favor of strictly immutable domain IDs.
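Review bot: "If using a custom token provider, updated the custom provider accordingly." in the issuance entry should be "update". The consolidated ``validate_token`` and ``issue_token`` entries replace four separate notes deleted earlier in this patch, which is an improvement, but the ``issue_token`` entry omits the signature while the ``validate_token`` entry gives one; add it for symmetry. The trailing ``domain_id_immutable`` entry here duplicates the longer ``domain_id_immutable`` entry in the next hunk of this same file; keep one of them.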
@ -64,22 +80,22 @@ other:
``build_auth_context`` in the paste pipelines, otherwise remove the
``admin_token_auth`` middleware from ``keystone-paste.ini`` entirely.
- >
The ``CONF [assignment] driver`` now defaults to ``sql``. Logic to
The ``[assignment] driver`` now defaults to ``sql``. Logic to
determine the default assignment driver if one wasn't supplied through
configuration has been removed. Keystone only supports one assignment
driver and it shouldn't be changed unless you're deploying a custom
assignment driver.
- >
The ``CONF [resource] driver`` now defaults to ``sql``. Logic to
The ``[resource] driver`` now defaults to ``sql``. Logic to
determine the default resource driver if one wasn't supplied through
configuration has been removed. Keystone only supports one resource
driver and it shouldn't be changed unless you're deploying a custom
resource driver.
- >
Removed the config option ``[os_inherit] enabled`` as the OS-INHERIT
The ``[os_inherit] enabled`` config option has been removed, the `OS-INHERIT`
extension is now always enabled.
- >
The ``CONF [DEFAULT] domain_id_immutable`` option has been removed.
The ``[DEFAULT] domain_id_immutable`` option has been removed.
This removes the ability to change the ``domain_id`` attribute of
users, groups, and projects. The behavior was introduced to allow
deployers to migrate entities from one domain to another by updating
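Review bot: the rewritten OS-INHERIT line is a comma splice, "has been removed, the `OS-INHERIT` extension is now always enabled."; use "has been removed; the `OS-INHERIT` extension is now always enabled." Dropping the ``CONF`` prefix in favour of the ``[section] option`` form matches the rest of the notes.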
@ -1,16 +0,0 @@
---
upgrade:
- |
The abstract base class for the shadow users backend has changed. We've
added a ``domain_id`` parameter to the ``create_federated_user`` method.
This is so that the domain ID of the Identity Provider gets set for the
federated user. If you have a custom implementation for the shadow users
backend, you will need to add the new parameter to your method
implementation.
fixes:
- |
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
Prior to this release federated users did not belong to a real domain. Now
when federated users are created, as part of shadowing users, federated
users will belong to the domain Id of the Identity Provider.

@ -1,9 +0,0 @@
---
features:
- |
Removes RBAC protection from the `Self-service change user
password` API (``/v3/user/$user_id/password``). A user is expected
to know their own password and can be authenticated as such. This
change is related to PCI-DSS features and allows a user with an
expired password to change it without the need of an
administrator.