clean up release notes for ocata

Change-Id: I9f4d47518f1a1ab184d6cefb2b251aaad38e113a

releasenotes/notes/bp-password-expires-validation-4b32fe7032595932.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - >
+    [`blueprint password-expires-validation <https://blueprints.launchpad.net/keystone/+spec/password-expires-validation>`_]
+    Token responses will now have a ``password_expires_at`` field in the
+    ``user`` object, this can be expressed briefly as::
+
+      {"token": {"user": {"password_expires_at": null}}}
+
+    If PCI support is enabled, via the ``[security_compliance]`` configuration
+    options, then the ``password_expires_at`` field will be populated with a
+    timestamp. Otherwise, it will default to ``null``, indicating the password
+    does not expire.

releasenotes/notes/bp-password_expired_at-4b32fe7032595932.yaml

@@ -1,8 +0,0 @@
----
-features:
-  - >
-    Token responses will now have a ``password_expires_at``
-    field under the ``user`` dictionary.
-    If PCI support is enabled, the ``password_expires_at``
-    field will be populated. Otherwise, it will default
-    to ``null``.

releasenotes/notes/bp-pci-dss-notifications-808a205a637bac25.yaml

@@ -18,5 +18,5 @@ features:
      * If a user attempts to change their password too often. See
        ``[security_compliance] minimum_password_age``.
 
-   See http://docs.openstack.org/developer/keystone/event_notifications.html for
+   For additional details see:
-   additional details.
+   `event notifications <See http://docs.openstack.org/developer/keystone/event_notifications.html>`_

releasenotes/notes/bp-pci-dss-password-requirements-api-87bc724b2aa554f7.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - >
+    [`blueprint pci-dss-password-requirements-api <https://blueprints.launchpad.net/keystone/+spec/pci-dss-password-requirements-api>`_]
+    Added a new API (``/v3/domains/{domain_id}/config/security_compliance``) to
+    retrieve regular expression requirements for passwords. Specifically,
+    ``[security_compliance] password_regex`` and ``[security_compliance] password_regex_description``
+    will be returned. Note that these options are only meaningful if PCI support
+    is enabled, via various ``[security_compliance]`` configuration options.

releasenotes/notes/bp-shadow-mapping-06fc7c71a401d707.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - >
+    [`blueprint manage-migration <https://blueprints.launchpad.net/keystone/+spec/manage-migration>`_]
+    The federated identity mapping engine now supports the ability to
+    automatically provision ``projects`` for ``federated users``. A role assignment
+    will automatically be created for the user on the specificed proejct. If the
+    project specified within the mapping does not exist, it will be automatically
+    created in the ``domain`` associated with the ``identity provider``.
+    This behavior can be triggered using a specific syntax within the ``local``
+    rules section of a mapping. For more information see:
+    `mapping combinations <http://docs.openstack.org/developer/keystone/federation/federated_identity.html#mapping-combinations>`_

releasenotes/notes/bp-support-federated-attr-94084d4073f50280.yaml

@@ -0,0 +1,7 @@
+---
+features:
+ - >
+   [`blueprint support-federated-attr <https://blueprints.launchpad.net/keystone/+spec/support-federated-attr>`_]
+   Added new filters to the `list user` API (``GET /v3/users``) to support
+   querying federted identity atttributes: ``idp_id``, ``protocol_id``, and
+   ``unique_id``.

releasenotes/notes/bug-1017606-98313bb4c1edf250.yaml

@@ -0,0 +1,19 @@
+---
+other:
+  - >
+    [`bug 1017606 <https://bugs.launchpad.net/keystone/+bug/1017606>`_]
+    The signature on the ``get_catalog`` and ``get_v3_catalog`` methods of
+    ``keystone.catalog.backends.base.CatalogDriverBase`` have been updated.
+
+    Third-party extensions that extend the abstract class (``CatalogDriverBase``)
+    should be updated according to the new parameter names.
+
+    The method signatures have changed from::
+
+      get_catalog(self, user_id, tenant_id)
+      get_v3_catalog(self, user_id, tenant_id)
+
+    to::
+
+      get_catalog(self, user_id, project_id)
+      get_v3_catalog(self, user_id, project_id)

releasenotes/notes/bug-1524030-ccff6b0ec9d1cbf2.yaml

@@ -2,11 +2,22 @@
 fixes:
   - >
     [`bug 1524030 <https://bugs.launchpad.net/keystone/+bug/1524030>`_]
-    During token validation we've reduced the number of revocation events
+    During token validation we have reduced the number of revocation events
     returned, only returning a subset of events relevant to the token. Thus,
     improving overall token validation performance.
 other:
   - >
-    The revoke backend driver interface has changed. We've added a token
+    [`bug 1524030 <https://bugs.launchpad.net/keystone/+bug/1524030>`_]
-    parameter to the ``list_events`` method in order to improve performance by
+    The signature on the ``list_events`` method of ``keystone.revoke.backends.base.RevokeDriverBase``
-    reducing the number of revocation events returned during token validation.
+    has been updated.
+
+    Third-party extensions that extend the abstract class (``RevokeDriverBase``)
+    should update their code according to the new parameter names.
+
+    The method signature has changed from::
+
+      list_events(self, last_fetch=None)
+
+    to::
+
+      list_events(self, last_fetch=None, token=None)

releasenotes/notes/bug-1547684-911aed68a0d3df17.yaml

@@ -4,8 +4,8 @@ fixes:
     [`bug 1651989 <https://bugs.launchpad.net/keystone/+bug/1651989>`_]
     Due to ``bug 1547684``, when using the ``policy.v3cloudsample.json``
     sample file, a domain admin token was being treated as a cloud admin.
-    Since the ``is_admin_project`` functionality only supports project-
+    Since the ``is_admin_project`` functionality only supports
-    scoped tokens, we automatically set any domain scoped token to have
+    project-scoped tokens, we automatically set any domain scoped token to have
     the property ``is_admin_project`` to ``False``.
 
     [`bug 1547684 <https://bugs.launchpad.net/keystone/+bug/1547684>`_]

releasenotes/notes/bug-1561054-dbe88b552a936a05.yaml

@@ -0,0 +1,23 @@
+---
+prelude: >
+  - The default token provider is now Fernet.
+upgrade:
+  - >
+    [`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
+    The default token provider has switched from UUID to Fernet. Please note that
+    Fernet requires a key repository to be in place prior to running Ocata,
+    this can be done running ``keystone-manage fernet_setup``.
+    Additionally, for multi-node deployments, it is imperative that a key
+    distribution process be in use before upgrading. Once a key repository has
+    been created it should be distributed to all keystone nodes in the deployment.
+    This ensures that each keystone node will be able to validate tokens issued
+    across the deployment. If you do not wish to switch token formats, you will
+    need to explicitly set the token provider for each node in the deployment
+    by setting ``[token] provider`` to ``uuid`` in ``keystone.conf``.
+    Documentation can be found at `fernet-tokens <http://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet-tokens>`_.
+critical:
+  - >
+    [`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
+    If upgrading to Fernet tokens, you must have a key repository and key distribution
+    mechanism in place, otherwise token validation may not work. Please see the
+    upgrade section for more details.

releasenotes/notes/bug-1563101-134df5b99ea48f00.yaml

@@ -1,7 +1,7 @@
 ---
 other:
   - >
+    [`bug 1563101 <https://bugs.launchpad.net/keystone/+bug/1563101>`_]
     The token provider driver interface has moved from
     ``keystone.token.provider.Provider`` to ``keystone.token.providers.base.Provider``.
-    This is consistent with other backend drivers. If you have implemented a
+    If implementing a custom token provider, subclass from the new location.
-    custom token provider, you will want to subclass from the new location.

releasenotes/notes/bug-1582585-a368ac5a252ec84f.yaml

@@ -0,0 +1,15 @@
+---
+other:
+  - >
+    [`bug 1582585 <https://bugs.launchpad.net/keystone/+bug/1582585>`_]
+    A new method ``get_domain_mapping_list`` was added to
+    ``keystone.identity.mapping_backends.base.MappingDriverBase``.
+
+    Third-party extensions that extend the abstract class (``MappingDriverBase``)
+    should implement this new method.
+
+    The method has the following signature::
+
+      get_domain_mapping_list(self, domain_id)
+
+    and will return a list of mappings for a given domain ID.

releasenotes/notes/bug-1611102-e1348cbec9b1110a.yaml

@@ -0,0 +1,8 @@
+
+---
+other:
+  - >
+    [`bug 1611102 <https://bugs.launchpad.net/keystone/+bug/1611102>`_]
+    The methods ``list_endpoints_for_policy()`` and ``get_policy_for_endpoint()``
+    have been removed from the ``keystone.endpoint_policy.backends.base.EndpointPolicyDriverBase``
+    abstract class, they were unused.

releasenotes/notes/bug-1616424-c46ba773f7ac40ae.yaml

@@ -2,7 +2,6 @@
 fixes:
   - >
     [`bug 1616424 <https://bugs.launchpad.net/keystone/+bug/1616424>`_]
-    Python build-in exception was raised if create request token or access token
+    Provide better exception messages when creating OAuth request tokens and
-    request from client with invalid request parameters, invalid signature for example.
+    OAuth access tokens via the ``/v3/OS-OAUTH1/request_token`` and
-    The implementation is hardened by showing proper exception and displaying the
+    ``/v3/OS-OAUTH1/access_token`` APIs, respectively.
-    failure reasons if existent.

releasenotes/notes/bug-1622310-c501cf77437fdfa6.yaml

@@ -2,9 +2,17 @@
 fixes:
   - >
     [`bug 1622310 <https://bugs.launchpad.net/keystone/+bug/1622310>`_]
-    Keystone trust will be invalidated if the project to which the trust
+    Trusts will now be invalidated if: the project to which the trust
     is scoped, or the user (trustor or trustee) for which the delegation
-    is assigned, have been deleted.
+    is assigned, has been deleted.
 other:
-  - Abstract method ``delete_trusts_for_project`` should be implemented by
+  - >
-    custom drivers.
+    [`bug 1622310 <https://bugs.launchpad.net/keystone/+bug/1622310>`_]
+    A new method ``delete_trusts_for_project`` has been added to ``keystone.trust.backends.base.TrustDriverBase``.
+
+    Third-party extensions that extend the abstract class (``TrustDriverBase``)
+    should be updated according to the new parameter names.
+
+    The signature for the new method is::
+
+      delete_trusts_for_project(self, project_id)

releasenotes/notes/bug-1638603-354ee4167e6e.yaml

@@ -2,7 +2,7 @@
 features:
   - >
     [`bug 1638603 <https://bugs.launchpad.net/keystone/+bug/1638603>`_]
-    Support nested groups in Active Directory. A new boolean option
+    Add support for nested groups in Active Directory. A new boolean option
     ``[ldap] group_ad_nesting`` has been added, it defaults to ``False``.
     Enable the option is using Active Directory with nested groups. This
     option will impact the ``list_users_in_group``, ``list_groups_for_user``,

releasenotes/notes/bug-1641645-516709f9da3de26f.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    [`bug 1641645 <https://bugs.launchpad.net/keystone/+bug/1641645>`_]
+    RBAC protection was removed from the `Self-service change user password` API
+    (``/v3/user/$user_id/password``), meaning, a user can now change their password
+    without a token specified in the ``X-Auth-Token`` header. This change will
+    allow a user, with an expired password, to update their password without the
+    need of an administrator.

releasenotes/notes/bug-1641654-8630ce7bcde43a7e.yaml

@@ -0,0 +1,21 @@
+---
+features:
+  - >
+    [`bug 1641654 <https://bugs.launchpad.net/keystone/+bug/1641654>`_]
+    The ``healthcheck`` middleware from `oslo.middleware` has been added to the
+    keystone application pipelines by default. This middleware provides a common
+    method to check the health of keystone. Refer to the example paste provided
+    in ``keystone-paste.ini`` to see how to include the ``healthcheck`` middleware.
+upgrade:
+  - |
+    [`bug 1641654 <https://bugs.launchpad.net/keystone/+bug/1641654>`_]
+    The ``healthcheck`` middleware from `oslo.middleware` has been added to the
+    keystone application pipelines by default. The following section has been
+    added to ``keystone-paste.ini``::
+
+      [filter:healthcheck]
+      use = egg:oslo.middleware#healthcheck
+
+    It is recommended to have the ``healthcheck`` middleware first in the pipeline::
+
+      pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler ...

releasenotes/notes/bug-1641660-f938267e1ec54071.yaml

@@ -0,0 +1,13 @@
+---
+upgrade:
+  - >
+    [`bug 1641660 <https://bugs.launchpad.net/keystone/+bug/1641660>`_]
+    The default value for ``[DEFAULT] notification_format`` has been changed
+    from ``basic`` to ``cadf``. The CADF notifications have more information
+    about the user that initiated the request.
+  - >
+    [`bug 1641660 <https://bugs.launchpad.net/keystone/+bug/1641660>`_]
+    The default value for ``[DEFAULT] notification_opt_out`` has been changed
+    to include: ``identity.authenticate.success``, ``identity.authenticate.pending``
+    and ``identity.authenticate.failed``. If a deployment relies on these
+    notifications, then override the default setting.

releasenotes/notes/bug-1641816-8b39f3f73359c778.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - >
+    [`bug 1641816 <https://bugs.launchpad.net/keystone/+bug/1641816>`_]
+    The ``[token] cache_on_issue`` option is now enabled by default. This option
+    has no effect unless global caching and token caching are enabled.

releasenotes/notes/bug-1642348-83d4c86ad3984d75.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - >
+    [`bug 1642348 <https://bugs.launchpad.net/keystone/+bug/1642348>`_]
+    Added new option ``[security_compliance] lockout_ignored_user_ids`` to allow
+    deployers to specify users that are exempt from PCI lockout rules.

releasenotes/notes/bug-1642687-5497fb56fe86806d.yaml

@@ -0,0 +1,18 @@
+---
+fixes:
+ - >
+    [`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
+    When registering an ``identity provider`` via the OS-FEDERATION API, it is
+    now recommended to include a ``domain_id`` to associate with the
+    ``identity provider`` in the request. Federated users that authenticate with
+    the ``identity provider`` will now be associated with the ``domain_id``
+    specified. If no ``domain_id`` is specified, then a domain will be automatically
+    created.
+upgrade:
+  - >
+    [`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
+    Upon a successful upgrade, all existing ``identity providers`` will now
+    be associated with a automatically created domain. Each ``identity provider``
+    that existed prior to the `Ocata` release will now have a ``domain_id`` field.
+    The new domain will have an ``id`` (random UUID), a ``name`` (that will match
+    the ``identity provider`` ID , and be ``enabled`` by default.

releasenotes/notes/bug-1642687-c7ab1c9be152db20.yaml

@@ -0,0 +1,23 @@
+---
+other:
+  - |
+    [`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
+    The signature on the ``create_federated_user`` method of
+    ``keystone.identity.shadow_backends.base.ShadowUsersDriverBase`` has been
+    updated.
+
+    Third-party extensions that extend the abstract class (``ShadowUsersDriverBase``)
+    should be updated according to the new parameter names.
+
+    The method signature has changed from::
+
+      create_federated_user(self, federated_dict)
+
+    to::
+
+      create_federated_user(self, domain_id, federated_dict)
+fixes:
+  - |
+    [`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
+    Users that authenticate with an ``identity provider`` will now have a
+    ``domain_id`` attribute, that is associated with the ``identity provider``.

releasenotes/notes/bug-1642692-d669c8fcf9e171d9.yaml

@@ -2,5 +2,5 @@
 fixes:
   - |
     [`bug 1642692 <https://bugs.launchpad.net/keystone/+bug/1642692>`_]
-    All federated_user entries will be deleted if the ``protocol`` it used
+    When a `federation protocol` is deleted, all users that authenticated with
-    to first authenticate is deleted.
+    the `federation protocol` will also be deleted.

releasenotes/notes/bug-1656076-c4422270f73b43b.yaml

@@ -1,16 +1,15 @@
 ---
-features:
+fixes:
   - >
     [`bug 1656076 <https://bugs.launchpad.net/keystone/+bug/1656076>`_]
-    ``AuthContext`` Object now required in ``keystone.controllers.Auth.authenticate``
+    The various plugins under ``keystone.controllers.Auth.authenticate`` now
+    require ``AuthContext`` objects to be returned.
 security:
   - >
     [`bug 1650676 <https://bugs.launchpad.net/keystone/+bug/1656076>`_]
-    A bug is fixed that could allow an authenticate call to not use the
+    Authentication plugins now required ``AuthContext`` objects to be used. This
-    ``AuthContext`` object which has added security features to ensure things
+    has added security features to ensure information such as the ``user_id``
-    such as the ``user_id`` does not change between auth methods being processed
+    does not change between authentication methods being processed
-    in the Keystone server. The ``keystone.controllers.Auth.authenticate``
+    by the server. The ``keystone.controllers.Auth.authenticate``
     method now requires the argument ``auth_context`` to be an actual
-    ``AuthContext`` object. The scope of the fix is only tests, and this
+    ``AuthContext`` object.
-    will prevent security regressions in the future. This is a
-    hardening patch and not an exploitable security flaw.

releasenotes/notes/bug-1659730-17834ba2dde668ae.yaml

@@ -1,8 +1,9 @@
 ---
 other:
   - >
-    The signature on the ``authenticate`` method of
+    [`bug 1659730 <https://bugs.launchpad.net/keystone/+bug/1659730>`_]
-    ``keystone.auth.plugins.base.AuthMethodHandler`` has been updated.
+    The signature on the ``authenticate`` method of ``keystone.auth.plugins.base.AuthMethodHandler``
+    has been updated.
 
     Third-party extensions that extend the abstract class
     (``AuthMethodHandler``) should update their code according to the new

releasenotes/notes/cache_on_issue_default_on-8b39f3f73359c778.yaml

@@ -1,6 +0,0 @@
----
-features:
-  - The ``[token] cache_on_issue`` option is now enabled
-    by default. This option has no effect unless global
-    caching and token caching are enabled. This matches
-    the other cache settings (such as token, catalog etc)

releasenotes/notes/catalog-interface-tenant-to-project-98313bb4c1edf250.yaml

@@ -1,5 +0,0 @@
----
-other:
-  - The signature of keystone catalog driver interfaces ``get_catalog``
-    and ``get_v3_catalog`` have been changed in favour of using ``project_id``
-    instead of ``tenant_id``.

releasenotes/notes/deprecated-as-of-ocata-a5b2f1e3e39f818e.yaml

@@ -2,8 +2,8 @@
 deprecations:
   - >
     [`blueprint deprecated-as-of-ocata <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-ocata>`_]
-    The catalog backend ``endpoint_filter.sql``has been deprecated in the
+    The catalog backend ``endpoint_filter.sql`` has been deprecated in the
     `Ocata` release, it has been consolidated with the ``sql`` backend.
-    It's recommended to replace the ``endpoint_filter.sql`` catalog backend
+    It is recommended to replace the ``endpoint_filter.sql`` catalog backend
     with the ``sql`` backend. The ``endpoint_filter.sql`` backend will be
     removed in the `Pike` release.

releasenotes/notes/domain_mapping_list-a368ac5a252ec84f.yaml

@@ -1,6 +0,0 @@
----
-upgrade:
-  - ID Mapping driver interface has changed. A new method
-    ``get_domain_mapping_list`` was added for fetching mapping list
-    for a domain. If you have a custom implementation for the identity
-    driver, you will need to implement this new method.

releasenotes/notes/enable-cadf-notification-format-by-default-f938267e1ec54071.yaml

@@ -1,12 +0,0 @@
----
-fixes:
-  - Changed the default notification from ``basic`` to ``cadf``.
-  - Added ``identity.authenticate.success``, ``identity.authenticate.pending``
-    and ``identity.authenticate.failed`` as default for
-    ``notification_opt_out``.
-upgrade:
-  - The default setting for ``notification_opt_out`` is changed to include
-    ``identity.authenticate.success``, ``identity.authenticate.pending`` and
-    ``identity.authenticate.failed``. If a deployment relies on these
-    notifications, then override the default ``notification_opt_out`` setting
-    by explicitly specifying the notifications to suppress.

releasenotes/notes/endpoint_policy_driver_unused_methods_removed-e1348cbec9b1110a.yaml

@@ -1,5 +0,0 @@
----
-upgrade:
-  - The  methods ``list_endpoints_for_policy()`` and 
-    ``get_policy_for_endpoint()`` have been removed from the EndpointPolicy
-    driver interface.

releasenotes/notes/extending_federated_attributes_to_list_users.yaml

@@ -1,4 +0,0 @@
----
-upgrade:
- - Added new filters (``idp_id``, ``protocol_id``, and ``unique_id``) for the
-   list user API (``GET /v3/users``).

releasenotes/notes/healthcheck-middleware-8630ce7bcde43a7e.yaml

@@ -1,7 +0,0 @@
----
-features:
-  - >
-    The healthcheck middleware from Oslo has been added to the keystone
-    application pipelines in the example ``keystone-paste.ini`` file. This
-    middleware provides a common method to check the health of a particular
-    application provided by keystone.

releasenotes/notes/idp_requires_domain_id-5497fb56fe86806d.yaml

@@ -1,16 +0,0 @@
----
-fixes:
- - >
-    [`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
-    When registering an Identity Provider (IdP) via the OS-FEDERATION API, it's
-    now recommended to include a domain ID to associate with the IdP in the
-    request. Federated users that authenticate with the IdP will now be
-    associated with the domain ID specified. If no domain ID is specified, then
-    a domain will be automatically created.
-upgrade:
-  - The ``domain_id`` is now recommended to be included when registering an
-    Identity Provider (IdP) via the OS-FEDERATION API. For existing Identity
-    Providers (IdPs), new domains will automatically be created and associated
-    to the IdPs. Each IdP will now have a ``domain_id`` field. The new domain's
-    ``id`` will be a random UUID, its ``name`` will match its ``id``. All
-    automatically generated domains will be ``enabled`` by default.

releasenotes/notes/implement-shadow-mapping-06fc7c71a401d707.yaml

@@ -1,9 +0,0 @@
----
-features:
-  - The federated mapping engine now supports the ability
-    to automatically provision federated users into projects
-    specified in the mapping rules at federated login time. If the
-    project within the mapping does not exist, it will be
-    automatically created in the domain of the Identity Provider.
-    This behavior can be done using a specific syntax within
-    the ``local`` rules section of a mapping.

releasenotes/notes/make-fernet-the-default-token-provider-dbe88b552a936a05.yaml

@@ -1,21 +0,0 @@
----
-upgrade:
-  - The default token provider has switched from UUID
-    to Fernet. Please note that Fernet requires a
-    key repository to be in place prior to running Ocata.
-    This can be done using ``keystone-manage fernet_setup``.
-    Documentation can be found `here <http://docs.openstack.org/developer/keystone/man/keystone-manage.html>`_.
-    In addition, for multi-node deployments, it is imperative that
-    a key distribution process be in use before upgrading. Once
-    a key repository has been created it should be distributed
-    to all keystone nodes in the deployment. This ensures that
-    each keystone node will be able to validate tokens issued
-    across the deployment. If you do not wish to switch token
-    formats, you will need to explicitly set UUID as the token
-    provider for each node in the deployment using
-    ``[token] provider = uuid`` in your ``keystone.conf``.
-critical:
-  - If upgrading to Fernet tokens, you must have a key
-    repository and key distribution mechanism in place.
-    Otherwise token validation may not work. Please see
-    the upgrade section for more details.

releasenotes/notes/password-requirements-api-87bc724b2aa554f7.yaml

@@ -1,7 +0,0 @@
----
-features:
-  - User interfaces and clients now have the ability
-    to retrieve password requirement information via the
-    Domain Config API.  Specifically, the ``password_regex``
-    and ``password_regex_description`` options of the
-    ``[security_compliance]`` section.

releasenotes/notes/pci_lockout_ignore_list-83d4c86ad3984d75.yaml

@@ -1,7 +0,0 @@
----
-features:
-  - >
-    [`bug 1642348 <https://bugs.launchpad.net/keystone/+bug/1642348>`_]
-    Added a way to ignore the lockout validation for specific users, such as
-    service users, by setting the `lockout_ignored_user_ids` option in the
-    `[security_compliance]` section of `keystone.conf`.

releasenotes/notes/remove-all-but-one-validate-token-method-7fd7377e62a1bc62.yaml

@@ -1,15 +0,0 @@
----
-upgrade:
-  - The ``validate_v3_token()`` and
-    ``validate_non_persistent_token()`` methods have been
-    removed from the token provider interface. The token
-    provider API now uses a single validation method
-    called ``validate_token()``. Having any validation method
-    defined except ``validate_token()`` will fail since the
-    interface no longer includes legacy methods. Please take
-    this into consideration and plan accordingly if you're
-    maintaining a custom token provider.
-critical:
-  - If writing a custom token provider, see the upgrade
-    section about the removal of the ``validate_v3_token()``
-    and ``validate_non_persistent()`` token methods.

releasenotes/notes/remove-issue-v2-token-82117ac04a932251.yaml

@@ -1,14 +0,0 @@
----
-upgrade:
-  - The ``issue_v2_token()`` method has been removed
-    from the token provider interface. The token provider
-    API now uses a single create token method and translates
-    v3 token responses to v2 format when needed. Having
-    ``issue_v2_token()`` defined with the Ocata codebase
-    will fail since the interface no longer includes that
-    method. Please take this into consideration and plan
-    accordingly if you're maintaining a custom token provider.
-critical:
-  - If writing a custom token provider, see the upgrade
-    section about the removal of the ``issue_v2_token()``
-    method.

releasenotes/notes/remove-issue-v3-token-method-98f58e9e494885cb.yaml

@@ -1,15 +0,0 @@
----
-upgrade:
-  - The ``issue_v3_token()`` method has been removed
-    from the token provider interface. The token provider
-    API now uses a single create token method, ``issue_token``
-    and translates v3 token responses to v2 format when
-    needed. Having ``issue_v3_token()`` defined with the
-    Ocata codebase will fail since the interface no longer
-    includes that method. Please take this into consideration
-    and plan accordingly if you're maintaining a custom token
-    provider.
-critical:
-  - If writing a custom token provider, see the upgrade
-    section about the removal of the ``issue_v3_token()``
-    method.

releasenotes/notes/remove-validate-v2-token-method-ea89f0f5107270ee.yaml

@@ -1,14 +0,0 @@
----
-upgrade:
-  - The ``validate_v2_token()`` method has been removed
-    from the token provider interface. The token provider
-    API now uses other validation methods and translates
-    v3 token responses to v2 format when needed. Having
-    ``validate_v2_token()`` defined with the Ocata codebase
-    will fail since the interface no longer includes that
-    method. Please take this into consideration and plan
-    accordingly if you're maintaining a custom token provider.
-critical:
-  - If writing a custom token provider, see the upgrade
-    section about the removal of the ``validate_v2_token()``
-    method.

releasenotes/notes/removed-as-of-ocata-436bb4b839e74494.yaml

@@ -39,6 +39,22 @@ other:
       * ``keystone/common/cache/backends/mongo``
       * ``keystone/common/cache/backends/memcache_pool``
       * ``keystone/common/cache/backends/noop``
+  - >
+    Several token validation methods from the abstract class ``keystone.token.providers.base.Provider``
+    were removed (see below) in favor of a single method to validate tokens (``validate_token``),
+    that has the signature ``validate_token(self, token_ref)``. If using a custom token
+    provider, update the custom provider accordingly.
+
+      * ``validate_v2_token``
+      * ``validate_v3_token``
+      * ``validate_non_persistent_token``
+  - >
+    Several token issuance methods from the abstract class ``keystone.token.providers.base.Provider``
+    were removed (see below) in favor of a single method to issue tokens (``issue_token``).
+    If using a custom token provider, updated the custom provider accordingly.
+
+      * ``issue_v2_token``
+      * ``issue_v3_token``
   - >
     The ``[DEFAULT] domain_id_immutable`` configuration option has been removed
     in favor of strictly immutable domain IDs.
@@ -64,22 +80,22 @@ other:
     ``build_auth_context`` in the paste pipelines, otherwise remove the
     ``admin_token_auth`` middleware from ``keystone-paste.ini`` entirely.
   - >
-    The ``CONF [assignment] driver`` now defaults to ``sql``. Logic to
+    The ``[assignment] driver`` now defaults to ``sql``. Logic to
     determine the default assignment driver if one wasn't supplied through
     configuration has been removed. Keystone only supports one assignment
     driver and it shouldn't be changed unless you're deploying a custom
     assignment driver.
   - >
-    The ``CONF [resource] driver`` now defaults to ``sql``. Logic to
+    The ``[resource] driver`` now defaults to ``sql``. Logic to
     determine the default resource driver if one wasn't supplied through
     configuration has been removed. Keystone only supports one resource
     driver and it shouldn't be changed unless you're deploying a custom
     resource driver.
   - >
-    Removed the config option ``[os_inherit] enabled`` as the OS-INHERIT
+    The ``[os_inherit] enabled`` config option has been removed, the `OS-INHERIT`
     extension is now always enabled.
   - >
-    The ``CONF [DEFAULT] domain_id_immutable`` option has been removed.
+    The ``[DEFAULT] domain_id_immutable`` option has been removed.
     This removes the ability to change the ``domain_id`` attribute of
     users, groups, and projects. The behavior was introduced to allow
     deployers to migrate entities from one domain to another by updating

releasenotes/notes/shadow-users-backend-driver-has-changed-c7ab1c9be152db20.yaml

@@ -1,16 +0,0 @@
----
-upgrade:
-  - |
-    The abstract base class for the shadow users backend has changed. We've
-    added a ``domain_id`` parameter to the ``create_federated_user`` method.
-    This is so that the domain ID of the Identity Provider gets set for the
-    federated user. If you have a custom implementation for the shadow users
-    backend, you will need to add the new parameter to your method
-    implementation.
-fixes:
-  - |
-    [`bug 1642687 <https://bugs.launchpad.net/keystone/+bug/1642687>`_]
-    Prior to this release federated users did not belong to a real domain. Now
-    when federated users are created, as part of shadowing users, federated
-    users will belong to the domain Id of the Identity Provider.
-

releasenotes/notes/user-can-change-expired-password-516709f9da3de26f.yaml

@@ -1,9 +0,0 @@
----
-features:
-  - |
-    Removes RBAC protection from the `Self-service change user
-    password` API (``/v3/user/$user_id/password``). A user is expected
-    to know their own password and can be authenticated as such. This
-    change is related to PCI-DSS features and allows a user with an
-    expired password to change it without the need of an
-    administrator.