clean up release notes for ocata

Change-Id: I9f4d47518f1a1ab184d6cefb2b251aaad38e113a
This commit is contained in:
Steve Martinelli 2017-01-27 01:23:47 -05:00 committed by Samuel de Medeiros Queiroz
parent 169e66ab88
commit 5e2cc88ce7
49 changed files with 274 additions and 234 deletions

View File

@ -0,0 +1,13 @@
---
features:
- >
[`blueprint password-expires-validation <https://blueprints.launchpad.net/keystone/+spec/password-expires-validation>`_]
Token responses will now have a ``password_expires_at`` field in the
``user`` object, this can be expressed briefly as::
{"token": {"user": {"password_expires_at": null}}}
If PCI support is enabled, via the ``[security_compliance]`` configuration
options, then the ``password_expires_at`` field will be populated with a
timestamp. Otherwise, it will default to ``null``, indicating the password
does not expire.

View File

@ -1,8 +0,0 @@
---
features:
- >
Token responses will now have a ``password_expires_at``
field under the ``user`` dictionary.
If PCI support is enabled, the ``password_expires_at``
field will be populated. Otherwise, it will default
to ``null``.

View File

@ -18,5 +18,5 @@ features:
* If a user attempts to change their password too often. See
``[security_compliance] minimum_password_age``.
See http://docs.openstack.org/developer/keystone/event_notifications.html for
additional details.
For additional details see:
`event notifications <See http://docs.openstack.org/developer/keystone/event_notifications.html>`_

View File

@ -0,0 +1,9 @@
---
features:
- >
[`blueprint pci-dss-password-requirements-api <https://blueprints.launchpad.net/keystone/+spec/pci-dss-password-requirements-api>`_]
Added a new API (``/v3/domains/{domain_id}/config/security_compliance``) to
retrieve regular expression requirements for passwords. Specifically,
``[security_compliance] password_regex`` and ``[security_compliance] password_regex_description``
will be returned. Note that these options are only meaningful if PCI support
is enabled, via various ``[security_compliance]`` configuration options.

View File

@ -0,0 +1,12 @@
---
features:
- >
[`blueprint manage-migration <https://blueprints.launchpad.net/keystone/+spec/manage-migration>`_]
The federated identity mapping engine now supports the ability to
automatically provision ``projects`` for ``federated users``. A role assignment
will automatically be created for the user on the specificed proejct. If the
project specified within the mapping does not exist, it will be automatically
created in the ``domain`` associated with the ``identity provider``.
This behavior can be triggered using a specific syntax within the ``local``
rules section of a mapping. For more information see:
`mapping combinations <http://docs.openstack.org/developer/keystone/federation/federated_identity.html#mapping-combinations>`_

View File

@ -0,0 +1,7 @@
---
features:
- >
[`blueprint support-federated-attr <https://blueprints.launchpad.net/keystone/+spec/support-federated-attr>`_]
Added new filters to the `list user` API (``GET /v3/users``) to support
querying federted identity atttributes: ``idp_id``, ``protocol_id``, and
``unique_id``.

View File

@ -0,0 +1,19 @@
---
other:
- >
[`bug 1017606 <https://bugs.launchpad.net/keystone/+bug/1017606>`_]
The signature on the ``get_catalog`` and ``get_v3_catalog`` methods of
``keystone.catalog.backends.base.CatalogDriverBase`` have been updated.
Third-party extensions that extend the abstract class (``CatalogDriverBase``)
should be updated according to the new parameter names.
The method signatures have changed from::
get_catalog(self, user_id, tenant_id)
get_v3_catalog(self, user_id, tenant_id)
to::
get_catalog(self, user_id, project_id)
get_v3_catalog(self, user_id, project_id)

View File

@ -2,11 +2,22 @@
fixes:
- >
[`bug 1524030 <https://bugs.launchpad.net/keystone/+bug/1524030>`_]
During token validation we've reduced the number of revocation events
During token validation we have reduced the number of revocation events
returned, only returning a subset of events relevant to the token. Thus,
improving overall token validation performance.
other:
- >
The revoke backend driver interface has changed. We've added a token
parameter to the ``list_events`` method in order to improve performance by
reducing the number of revocation events returned during token validation.
[`bug 1524030 <https://bugs.launchpad.net/keystone/+bug/1524030>`_]
The signature on the ``list_events`` method of ``keystone.revoke.backends.base.RevokeDriverBase``
has been updated.
Third-party extensions that extend the abstract class (``RevokeDriverBase``)
should update their code according to the new parameter names.
The method signature has changed from::
list_events(self, last_fetch=None)
to::
list_events(self, last_fetch=None, token=None)

View File

@ -4,8 +4,8 @@ fixes:
[`bug 1651989 <https://bugs.launchpad.net/keystone/+bug/1651989>`_]
Due to ``bug 1547684``, when using the ``policy.v3cloudsample.json``
sample file, a domain admin token was being treated as a cloud admin.
Since the ``is_admin_project`` functionality only supports project-
scoped tokens, we automatically set any domain scoped token to have
Since the ``is_admin_project`` functionality only supports
project-scoped tokens, we automatically set any domain scoped token to have
the property ``is_admin_project`` to ``False``.
[`bug 1547684 <https://bugs.launchpad.net/keystone/+bug/1547684>`_]

View File

@ -0,0 +1,23 @@
---
prelude: >
- The default token provider is now Fernet.
upgrade:
- >
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
The default token provider has switched from UUID to Fernet. Please note that
Fernet requires a key repository to be in place prior to running Ocata,
this can be done running ``keystone-manage fernet_setup``.
Additionally, for multi-node deployments, it is imperative that a key
distribution process be in use before upgrading. Once a key repository has
been created it should be distributed to all keystone nodes in the deployment.
This ensures that each keystone node will be able to validate tokens issued
across the deployment. If you do not wish to switch token formats, you will
need to explicitly set the token provider for each node in the deployment
by setting ``[token] provider`` to ``uuid`` in ``keystone.conf``.
Documentation can be found at `fernet-tokens <http://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet-tokens>`_.
critical:
- >
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
If upgrading to Fernet tokens, you must have a key repository and key distribution
mechanism in place, otherwise token validation may not work. Please see the
upgrade section for more details.

View File

@ -1,7 +1,7 @@
---
other:
- >
[`bug 1563101 <https://bugs.launchpad.net/keystone/+bug/1563101>`_]
The token provider driver interface has moved from
``keystone.token.provider.Provider`` to ``keystone.token.providers.base.Provider``.
This is consistent with other backend drivers. If you have implemented a
custom token provider, you will want to subclass from the new location.
If implementing a custom token provider, subclass from the new location.

View File

@ -0,0 +1,15 @@
---
other:
- >
[`bug 1582585 <https://bugs.launchpad.net/keystone/+bug/1582585>`_]
A new method ``get_domain_mapping_list`` was added to
``keystone.identity.mapping_backends.base.MappingDriverBase``.
Third-party extensions that extend the abstract class (``MappingDriverBase``)
should implement this new method.
The method has the following signature::
get_domain_mapping_list(self, domain_id)
and will return a list of mappings for a given domain ID.

View File

@ -0,0 +1,8 @@
---
other:
- >
[`bug 1611102 <https://bugs.launchpad.net/keystone/+bug/1611102>`_]
The methods ``list_endpoints_for_policy()`` and ``get_policy_for_endpoint()``
have been removed from the ``keystone.endpoint_policy.backends.base.EndpointPolicyDriverBase``
abstract class, they were unused.

View File

@ -2,7 +2,6 @@
fixes:
- >
[`bug 1616424 <https://bugs.launchpad.net/keystone/+bug/1616424>`_]
Python build-in exception was raised if create request token or access token
request from client with invalid request parameters, invalid signature for example.
The implementation is hardened by showing proper exception and displaying the
failure reasons if existent.
Provide better exception messages when creating OAuth request tokens and
OAuth access tokens via the ``/v3/OS-OAUTH1/request_token`` and
``/v3/OS-OAUTH1/access_token`` APIs, respectively.

View File

@ -2,9 +2,17 @@
fixes:
- >
[`bug 1622310 <https://bugs.launchpad.net/keystone/+bug/1622310>`_]
Keystone trust will be invalidated if the project to which the trust
Trusts will now be invalidated if: the project to which the trust
is scoped, or the user (trustor or trustee) for which the delegation
is assigned, have been deleted.
is assigned, has been deleted.
other:
- Abstract method ``delete_trusts_for_project`` should be implemented by
custom drivers.
- >
[`bug 1622310 <https://bugs.launchpad.net/keystone/+bug/1622310>`_]
A new method ``delete_trusts_for_project`` has been added to ``keystone.trust.backends.base.TrustDriverBase``.
Third-party extensions that extend the abstract class (``TrustDriverBase``)
should be updated according to the new parameter names.
The signature for the new method is::
delete_trusts_for_project(self, project_id)

View File

@ -2,7 +2,7 @@
features:
- >
[`bug 1638603 <https://bugs.launchpad.net/keystone/+bug/1638603>`_]
Support nested groups in Active Directory. A new boolean option
Add support for nested groups in Active Directory. A new boolean option
``[ldap] group_ad_nesting`` has been added, it defaults to ``False``.
Enable the option is using Active Directory with nested groups. This
option will impact the ``list_users_in_group``, ``list_groups_for_user``,

View File

@ -0,0 +1,9 @@
---
features:
- |
[`bug 1641645 <https://bugs.launchpad.net/keystone/+bug/1641645>`_]
RBAC protection was removed from the `Self-service change user password` API
(``/v3/user/$user_id/password``), meaning, a user can now change their password
without a token specified in the ``X-Auth-Token`` header. This change will
allow a user, with an expired password, to update their password without the
need of an administrator.

View File

@ -0,0 +1,21 @@
---
features:
- >
[`bug 1641654 <https://bugs.launchpad.net/keystone/+bug/1641654>`_]
The ``healthcheck`` middleware from `oslo.middleware` has been added to the
keystone application pipelines by default. This middleware provides a common
method to check the health of keystone. Refer to the example paste provided
in ``keystone-paste.ini`` to see how to include the ``healthcheck`` middleware.
upgrade:
- |
[`bug 1641654 <https://bugs.launchpad.net/keystone/+bug/1641654>`_]
The ``healthcheck`` middleware from `oslo.middleware` has been added to the
keystone application pipelines by default. The following section has been
added to ``keystone-paste.ini``::
[filter:healthcheck]
use = egg:oslo.middleware#healthcheck
It is recommended to have the ``healthcheck`` middleware first in the pipeline::
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler ...

View File

@ -0,0 +1,13 @@
---
upgrade:
- >
[`bug 1641660 <https://bugs.launchpad.net/keystone/+bug/1641660>`_]
The default value for ``[DEFAULT] notification_format`` has been changed
from ``basic`` to ``cadf``. The CADF notifications have more information
about the user that initiated the request.
- >
[`bug 1641660 <https://bugs.launchpad.net/keystone/+bug/1641660>`_]
The default value for ``[DEFAULT] notification_opt_out`` has been changed
to include: ``identity.authenticate.success``, ``identity.authenticate.pending``
and ``identity.authenticate.failed``. If a deployment relies on these
notifications, then override the default setting.

View File

@ -0,0 +1,6 @@
---
features:
- >
[`bug 1641816 <https://bugs.launchpad.net/keystone/+bug/1641816>`_]
The ``[token] cache_on_issue`` option is now enabled by default. This option
has no effect unless global caching and token caching are enabled.

View File

@ -0,0 +1,6 @@
---
features:
- >
[`bug 1642348 <https://bugs.launchpad.net/keystone/+bug/1642348>`_]
Added new option ``[security_compliance] lockout_ignored_user_ids`` to allow
deployers to specify users that are exempt from PCI lockout rules.

View File

@ -0,0 +1,18 @@
---
fixes:
- >
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
When registering an ``identity provider`` via the OS-FEDERATION API, it is
now recommended to include a ``domain_id`` to associate with the
``identity provider`` in the request. Federated users that authenticate with
the ``identity provider`` will now be associated with the ``domain_id``
specified. If no ``domain_id`` is specified, then a domain will be automatically
created.
upgrade:
- >
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
Upon a successful upgrade, all existing ``identity providers`` will now
be associated with a automatically created domain. Each ``identity provider``
that existed prior to the `Ocata` release will now have a ``domain_id`` field.
The new domain will have an ``id`` (random UUID), a ``name`` (that will match
the ``identity provider`` ID , and be ``enabled`` by default.

View File

@ -0,0 +1,23 @@
---
other:
- |
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
The signature on the ``create_federated_user`` method of
``keystone.identity.shadow_backends.base.ShadowUsersDriverBase`` has been
updated.
Third-party extensions that extend the abstract class (``ShadowUsersDriverBase``)
should be updated according to the new parameter names.
The method signature has changed from::
create_federated_user(self, federated_dict)
to::
create_federated_user(self, domain_id, federated_dict)
fixes:
- |
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
Users that authenticate with an ``identity provider`` will now have a
``domain_id`` attribute, that is associated with the ``identity provider``.

View File

@ -2,5 +2,5 @@
fixes:
- |
[`bug 1642692 <https://bugs.launchpad.net/keystone/+bug/1642692>`_]
All federated_user entries will be deleted if the ``protocol`` it used
to first authenticate is deleted.
When a `federation protocol` is deleted, all users that authenticated with
the `federation protocol` will also be deleted.

View File

@ -1,16 +1,15 @@
---
features:
fixes:
- >
[`bug 1656076 <https://bugs.launchpad.net/keystone/+bug/1656076>`_]
``AuthContext`` Object now required in ``keystone.controllers.Auth.authenticate``
The various plugins under ``keystone.controllers.Auth.authenticate`` now
require ``AuthContext`` objects to be returned.
security:
- >
[`bug 1650676 <https://bugs.launchpad.net/keystone/+bug/1656076>`_]
A bug is fixed that could allow an authenticate call to not use the
``AuthContext`` object which has added security features to ensure things
such as the ``user_id`` does not change between auth methods being processed
in the Keystone server. The ``keystone.controllers.Auth.authenticate``
Authentication plugins now required ``AuthContext`` objects to be used. This
has added security features to ensure information such as the ``user_id``
does not change between authentication methods being processed
by the server. The ``keystone.controllers.Auth.authenticate``
method now requires the argument ``auth_context`` to be an actual
``AuthContext`` object. The scope of the fix is only tests, and this
will prevent security regressions in the future. This is a
hardening patch and not an exploitable security flaw.
``AuthContext`` object.

View File

@ -1,8 +1,9 @@
---
other:
- >
The signature on the ``authenticate`` method of
``keystone.auth.plugins.base.AuthMethodHandler`` has been updated.
[`bug 1659730 <https://bugs.launchpad.net/keystone/+bug/1659730>`_]
The signature on the ``authenticate`` method of ``keystone.auth.plugins.base.AuthMethodHandler``
has been updated.
Third-party extensions that extend the abstract class
(``AuthMethodHandler``) should update their code according to the new

View File

@ -1,6 +0,0 @@
---
features:
- The ``[token] cache_on_issue`` option is now enabled
by default. This option has no effect unless global
caching and token caching are enabled. This matches
the other cache settings (such as token, catalog etc)

View File

@ -1,5 +0,0 @@
---
other:
- The signature of keystone catalog driver interfaces ``get_catalog``
and ``get_v3_catalog`` have been changed in favour of using ``project_id``
instead of ``tenant_id``.

View File

@ -2,8 +2,8 @@
deprecations:
- >
[`blueprint deprecated-as-of-ocata <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-ocata>`_]
The catalog backend ``endpoint_filter.sql``has been deprecated in the
The catalog backend ``endpoint_filter.sql`` has been deprecated in the
`Ocata` release, it has been consolidated with the ``sql`` backend.
It's recommended to replace the ``endpoint_filter.sql`` catalog backend
It is recommended to replace the ``endpoint_filter.sql`` catalog backend
with the ``sql`` backend. The ``endpoint_filter.sql`` backend will be
removed in the `Pike` release.

View File

@ -1,6 +0,0 @@
---
upgrade:
- ID Mapping driver interface has changed. A new method
``get_domain_mapping_list`` was added for fetching mapping list
for a domain. If you have a custom implementation for the identity
driver, you will need to implement this new method.

View File

@ -1,12 +0,0 @@
---
fixes:
- Changed the default notification from ``basic`` to ``cadf``.
- Added ``identity.authenticate.success``, ``identity.authenticate.pending``
and ``identity.authenticate.failed`` as default for
``notification_opt_out``.
upgrade:
- The default setting for ``notification_opt_out`` is changed to include
``identity.authenticate.success``, ``identity.authenticate.pending`` and
``identity.authenticate.failed``. If a deployment relies on these
notifications, then override the default ``notification_opt_out`` setting
by explicitly specifying the notifications to suppress.

View File

@ -1,5 +0,0 @@
---
upgrade:
- The methods ``list_endpoints_for_policy()`` and
``get_policy_for_endpoint()`` have been removed from the EndpointPolicy
driver interface.

View File

@ -1,4 +0,0 @@
---
upgrade:
- Added new filters (``idp_id``, ``protocol_id``, and ``unique_id``) for the
list user API (``GET /v3/users``).

View File

@ -1,7 +0,0 @@
---
features:
- >
The healthcheck middleware from Oslo has been added to the keystone
application pipelines in the example ``keystone-paste.ini`` file. This
middleware provides a common method to check the health of a particular
application provided by keystone.

View File

@ -1,16 +0,0 @@
---
fixes:
- >
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
When registering an Identity Provider (IdP) via the OS-FEDERATION API, it's
now recommended to include a domain ID to associate with the IdP in the
request. Federated users that authenticate with the IdP will now be
associated with the domain ID specified. If no domain ID is specified, then
a domain will be automatically created.
upgrade:
- The ``domain_id`` is now recommended to be included when registering an
Identity Provider (IdP) via the OS-FEDERATION API. For existing Identity
Providers (IdPs), new domains will automatically be created and associated
to the IdPs. Each IdP will now have a ``domain_id`` field. The new domain's
``id`` will be a random UUID, its ``name`` will match its ``id``. All
automatically generated domains will be ``enabled`` by default.

View File

@ -1,9 +0,0 @@
---
features:
- The federated mapping engine now supports the ability
to automatically provision federated users into projects
specified in the mapping rules at federated login time. If the
project within the mapping does not exist, it will be
automatically created in the domain of the Identity Provider.
This behavior can be done using a specific syntax within
the ``local`` rules section of a mapping.

View File

@ -1,21 +0,0 @@
---
upgrade:
- The default token provider has switched from UUID
to Fernet. Please note that Fernet requires a
key repository to be in place prior to running Ocata.
This can be done using ``keystone-manage fernet_setup``.
Documentation can be found `here <http://docs.openstack.org/developer/keystone/man/keystone-manage.html>`_.
In addition, for multi-node deployments, it is imperative that
a key distribution process be in use before upgrading. Once
a key repository has been created it should be distributed
to all keystone nodes in the deployment. This ensures that
each keystone node will be able to validate tokens issued
across the deployment. If you do not wish to switch token
formats, you will need to explicitly set UUID as the token
provider for each node in the deployment using
``[token] provider = uuid`` in your ``keystone.conf``.
critical:
- If upgrading to Fernet tokens, you must have a key
repository and key distribution mechanism in place.
Otherwise token validation may not work. Please see
the upgrade section for more details.

View File

@ -1,7 +0,0 @@
---
features:
- User interfaces and clients now have the ability
to retrieve password requirement information via the
Domain Config API. Specifically, the ``password_regex``
and ``password_regex_description`` options of the
``[security_compliance]`` section.

View File

@ -1,7 +0,0 @@
---
features:
- >
[`bug 1642348 <https://bugs.launchpad.net/keystone/+bug/1642348>`_]
Added a way to ignore the lockout validation for specific users, such as
service users, by setting the `lockout_ignored_user_ids` option in the
`[security_compliance]` section of `keystone.conf`.

View File

@ -1,15 +0,0 @@
---
upgrade:
- The ``validate_v3_token()`` and
``validate_non_persistent_token()`` methods have been
removed from the token provider interface. The token
provider API now uses a single validation method
called ``validate_token()``. Having any validation method
defined except ``validate_token()`` will fail since the
interface no longer includes legacy methods. Please take
this into consideration and plan accordingly if you're
maintaining a custom token provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``validate_v3_token()``
and ``validate_non_persistent()`` token methods.

View File

@ -1,14 +0,0 @@
---
upgrade:
- The ``issue_v2_token()`` method has been removed
from the token provider interface. The token provider
API now uses a single create token method and translates
v3 token responses to v2 format when needed. Having
``issue_v2_token()`` defined with the Ocata codebase
will fail since the interface no longer includes that
method. Please take this into consideration and plan
accordingly if you're maintaining a custom token provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``issue_v2_token()``
method.

View File

@ -1,15 +0,0 @@
---
upgrade:
- The ``issue_v3_token()`` method has been removed
from the token provider interface. The token provider
API now uses a single create token method, ``issue_token``
and translates v3 token responses to v2 format when
needed. Having ``issue_v3_token()`` defined with the
Ocata codebase will fail since the interface no longer
includes that method. Please take this into consideration
and plan accordingly if you're maintaining a custom token
provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``issue_v3_token()``
method.

View File

@ -1,14 +0,0 @@
---
upgrade:
- The ``validate_v2_token()`` method has been removed
from the token provider interface. The token provider
API now uses other validation methods and translates
v3 token responses to v2 format when needed. Having
``validate_v2_token()`` defined with the Ocata codebase
will fail since the interface no longer includes that
method. Please take this into consideration and plan
accordingly if you're maintaining a custom token provider.
critical:
- If writing a custom token provider, see the upgrade
section about the removal of the ``validate_v2_token()``
method.

View File

@ -39,6 +39,22 @@ other:
* ``keystone/common/cache/backends/mongo``
* ``keystone/common/cache/backends/memcache_pool``
* ``keystone/common/cache/backends/noop``
- >
Several token validation methods from the abstract class ``keystone.token.providers.base.Provider``
were removed (see below) in favor of a single method to validate tokens (``validate_token``),
that has the signature ``validate_token(self, token_ref)``. If using a custom token
provider, update the custom provider accordingly.
* ``validate_v2_token``
* ``validate_v3_token``
* ``validate_non_persistent_token``
- >
Several token issuance methods from the abstract class ``keystone.token.providers.base.Provider``
were removed (see below) in favor of a single method to issue tokens (``issue_token``).
If using a custom token provider, updated the custom provider accordingly.
* ``issue_v2_token``
* ``issue_v3_token``
- >
The ``[DEFAULT] domain_id_immutable`` configuration option has been removed
in favor of strictly immutable domain IDs.
@ -64,22 +80,22 @@ other:
``build_auth_context`` in the paste pipelines, otherwise remove the
``admin_token_auth`` middleware from ``keystone-paste.ini`` entirely.
- >
The ``CONF [assignment] driver`` now defaults to ``sql``. Logic to
The ``[assignment] driver`` now defaults to ``sql``. Logic to
determine the default assignment driver if one wasn't supplied through
configuration has been removed. Keystone only supports one assignment
driver and it shouldn't be changed unless you're deploying a custom
assignment driver.
- >
The ``CONF [resource] driver`` now defaults to ``sql``. Logic to
The ``[resource] driver`` now defaults to ``sql``. Logic to
determine the default resource driver if one wasn't supplied through
configuration has been removed. Keystone only supports one resource
driver and it shouldn't be changed unless you're deploying a custom
resource driver.
- >
Removed the config option ``[os_inherit] enabled`` as the OS-INHERIT
The ``[os_inherit] enabled`` config option has been removed, the `OS-INHERIT`
extension is now always enabled.
- >
The ``CONF [DEFAULT] domain_id_immutable`` option has been removed.
The ``[DEFAULT] domain_id_immutable`` option has been removed.
This removes the ability to change the ``domain_id`` attribute of
users, groups, and projects. The behavior was introduced to allow
deployers to migrate entities from one domain to another by updating

View File

@ -1,16 +0,0 @@
---
upgrade:
- |
The abstract base class for the shadow users backend has changed. We've
added a ``domain_id`` parameter to the ``create_federated_user`` method.
This is so that the domain ID of the Identity Provider gets set for the
federated user. If you have a custom implementation for the shadow users
backend, you will need to add the new parameter to your method
implementation.
fixes:
- |
[`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
Prior to this release federated users did not belong to a real domain. Now
when federated users are created, as part of shadowing users, federated
users will belong to the domain Id of the Identity Provider.

View File

@ -1,9 +0,0 @@
---
features:
- |
Removes RBAC protection from the `Self-service change user
password` API (``/v3/user/$user_id/password``). A user is expected
to know their own password and can be authenticated as such. This
change is related to PCI-DSS features and allows a user with an
expired password to change it without the need of an
administrator.