Release note cleanup
Removed info that's internal to keystone and therefore not relevant to deployers. Consistent references to config option names. `` should be used for literal string values, not references. Change-Id: Ia7e11683ed3ae7f19fe6680848bdcbaed954f424
This commit is contained in:
Brant Knudson
Steve Martinelli
parent
918bfa9747
commit
ee2724a2a2
@ -1,16 +1,13 @@
|
||||
---
|
||||
features:
|
||||
deprecations:
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
The V8 Assignment driver interface is deprecated. Support for the V8
|
||||
Assignment driver interface is planned to be removed in the 'O' release of
|
||||
OpenStack.
|
||||
other:
|
||||
- The list_project_ids_for_user(), list_domain_ids_for_user(),
|
||||
list_user_ids_for_project(), list_project_ids_for_groups(),
|
||||
list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and
|
||||
list_role_ids_for_groups_on_domain() methods have been removed from the
|
||||
V9 version of the Assignment driver.
|
||||
upgrade:
|
||||
- The V8 Assignment driver interface is deprecated, but still supported in
|
||||
this release, so any custom drivers based on the V8 interface should still
|
||||
work.
|
||||
deprecations:
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
Support for the V8 Assignment driver interface is planned to be removed in
|
||||
the 'O' release of OpenStack.
|
||||
|
||||
@ -3,8 +3,8 @@ features:
|
||||
- >
|
||||
[`blueprint domain-specific-roles <https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles>`_]
|
||||
Roles can now be optionally defined as domain specific. Domain specific
|
||||
roles are not references in policy files, rather they can be used to allow
|
||||
a domain to build their own private inference rules with implies roles. A
|
||||
roles are not referenced in policy files, rather they can be used to allow
|
||||
a domain to build their own private inference rules with implied roles. A
|
||||
domain specific role can be assigned to a domain or project within its
|
||||
domain, and any subset of global roles it implies will appear in a token
|
||||
scoped to the respective domain or project. The domain specific role
|
||||
|
||||
@ -1,10 +1,6 @@
|
||||
---
|
||||
upgrade:
|
||||
- The V8 Role driver interface is deprecated, but still supported in
|
||||
this release, so any custom drivers based on the V8 interface should still
|
||||
work.
|
||||
deprecations:
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
Support for the V8 Role driver interface is planned to be removed in
|
||||
the 'O' release of OpenStack.
|
||||
The V8 Role driver interface is deprecated. Support for the V8 Role driver
|
||||
interface is planned to be removed in the 'O' release of OpenStack.
|
||||
|
||||
@ -1,8 +1,5 @@
|
||||
---
|
||||
upgrade:
|
||||
- The V8 Resource driver interface is deprecated, but still supported in
|
||||
this release, so any custom drivers based on the V8 interface should still
|
||||
work.
|
||||
other:
|
||||
- Support for the V8 Resource driver interface is planned to be removed in
|
||||
the 'O' release of OpenStack.
|
||||
deprecations:
|
||||
- The V8 Resource driver interface is deprecated. Support for the V8
|
||||
Resource driver interface is planned to be removed in the 'O' release of
|
||||
OpenStack.
|
||||
|
||||
@ -1,6 +1,8 @@
|
||||
---
|
||||
features:
|
||||
- keystone-manage now supports the bootstrap command
|
||||
- >
|
||||
[`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_]
|
||||
keystone-manage now supports the bootstrap command
|
||||
on the CLI so that a keystone install can be
|
||||
initialized without the need of the admin_token
|
||||
filter in the paste-ini.
|
||||
@ -9,7 +11,7 @@ security:
|
||||
to the use of a proper username/password. Historically
|
||||
the admin_token filter has been left enabled in
|
||||
Keystone after initialization due to the way CMS
|
||||
systems work. Moving to an out-of-band initialization
|
||||
will eliminate the security concerns around a static
|
||||
shared string that conveys admin access to Keystone
|
||||
systems work. Moving to an out-of-band initialization using
|
||||
``keystone-manage bootstrap`` will eliminate the security concerns around
|
||||
a static shared string that conveys admin access to keystone
|
||||
and therefore to the entire installation.
|
||||
|
||||
@ -2,13 +2,13 @@
|
||||
upgrade:
|
||||
- >
|
||||
[`bug 1473553 <https://bugs.launchpad.net/keystone/+bug/1473553>`_]
|
||||
The ``keystone-paste.ini`` must be updated to put the ``admin_token_auth``
|
||||
The `keystone-paste.ini` must be updated to put the ``admin_token_auth``
|
||||
middleware before ``build_auth_context``. See the sample
|
||||
``keystone-paste.ini`` for the correct ``pipeline`` value. Having
|
||||
`keystone-paste.ini` for the correct `pipeline` value. Having
|
||||
``admin_token_auth`` after ``build_auth_context`` is deprecated and will
|
||||
not be supported in a future release.
|
||||
deprecations:
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
The ``admin_token_auth`` filter must now be placed before the
|
||||
``build_auth_context`` filter in ``keystone-paste.ini``.
|
||||
``build_auth_context`` filter in `keystone-paste.ini`.
|
||||
|
||||
@ -3,5 +3,5 @@ features:
|
||||
- >
|
||||
[`bug 1519210 <https://bugs.launchpad.net/keystone/+bug/1519210>`_]
|
||||
A user may now opt-out of notifications by specifying a list of
|
||||
`event_types` using the ``notification_opt_out`` option in `keystone.conf`.
|
||||
event types using the `notification_opt_out` option in `keystone.conf`.
|
||||
These events are never sent to a messaging service.
|
||||
|
||||
@ -2,20 +2,20 @@
|
||||
features:
|
||||
- >
|
||||
[`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_]
|
||||
Added support for a "user_description_attribute" mapping
|
||||
Added support for a `user_description_attribute` mapping
|
||||
to the LDAP driver configuration.
|
||||
upgrade:
|
||||
- >
|
||||
The LDAP driver now also maps the user "description" attribute after
|
||||
The LDAP driver now also maps the user description attribute after
|
||||
user retrieval from LDAP.
|
||||
If this is undesired behavior for your setup, please add "description"
|
||||
to the "user_attribute_ignore" LDAP driver config setting.
|
||||
If this is undesired behavior for your setup, please add `description`
|
||||
to the `user_attribute_ignore` LDAP driver config setting.
|
||||
|
||||
The default mapping of the description attribute is set to "description".
|
||||
Please adjust the LDAP driver config setting "user_description_attribute"
|
||||
if your LDAP uses a different attribute name (for instance to "displayName"
|
||||
The default mapping of the description attribute is set to `description`.
|
||||
Please adjust the LDAP driver config setting `user_description_attribute`
|
||||
if your LDAP uses a different attribute name (for instance to `displayName`
|
||||
in case of an AD backed LDAP).
|
||||
|
||||
If your "user_additional_attribute_mapping" setting contains
|
||||
"description:description" you can remove this mapping, since this is
|
||||
now default behavior of the driver.
|
||||
If your `user_additional_attribute_mapping` setting contains
|
||||
`description:description` you can remove this mapping, since this is
|
||||
now the default behavior.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
fixes:
|
||||
features:
|
||||
- >
|
||||
[`bug 1526462 <https://bugs.launchpad.net/keystone/+bug/1526462>`_]
|
||||
Support for posixGroups with OpenDirectory and UNIX when using
|
||||
the LDAP identity driver.
|
||||
the LDAP identity driver.
|
||||
|
||||
@ -4,7 +4,7 @@ deprecations:
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
As of the Mitaka release, the PKI and PKIz token formats have been
|
||||
deprecated. They will be removed in the 'O' release. Due to this change,
|
||||
the ``hash_algorithm`` option in the ``[token]`` section of the
|
||||
the `hash_algorithm` option in the `[token]` section of the
|
||||
configuration file has also been deprecated. Also due to this change, the
|
||||
``keystone-manage pki_setup`` command has been deprecated as well.
|
||||
- >
|
||||
@ -16,8 +16,8 @@ deprecations:
|
||||
removed in the 'O' release.
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
As of the Mitaka release, the auth plugin ``keystone.auth.plugins.saml2.Saml2``
|
||||
has been deprecated. It is recommended to use ``keystone.auth.plugins.mapped.Mapped``
|
||||
As of the Mitaka release, the auth plugin `keystone.auth.plugins.saml2.Saml2`
|
||||
has been deprecated. It is recommended to use `keystone.auth.plugins.mapped.Mapped`
|
||||
instead. The ``saml2`` plugin will be removed in the 'O' release.
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
|
||||
@ -2,5 +2,5 @@
|
||||
features:
|
||||
- >
|
||||
[`bug 1525317 <https://bugs.launchpad.net/keystone/+bug/1525317>`_]
|
||||
Enable filtering of identity providers based on ``id``, and ``enabled``
|
||||
Enable filtering of identity providers based on `id`, and `enabled`
|
||||
attributes.
|
||||
|
||||
@ -1,9 +1,10 @@
|
||||
---
|
||||
upgrade:
|
||||
- >
|
||||
The default setting for the os_inherit configuration option is
|
||||
The default setting for the `os_inherit` configuration option is
|
||||
changed to True. If it is required to continue with this portion
|
||||
of the API disabled, then override the default setting by explicitly
|
||||
specifying the os_inherit option as False. Now this option is marked
|
||||
as deprecated. In the future, this option will be removed and this
|
||||
portion of the API will be always enabled.
|
||||
specifying the os_inherit option as False.
|
||||
deprecations:
|
||||
- The `os_inherit` configuration option is disabled. In the future, this
|
||||
option will be removed and this portion of the API will be always enabled.
|
||||
|
||||
@ -3,5 +3,5 @@ fixes:
|
||||
- >
|
||||
[`bug 1516469 <https://bugs.launchpad.net/keystone/+bug/1516469>`_]
|
||||
Endpoints filtered by endpoint_group project association will be
|
||||
included in catalog when issue a project scoped token and using
|
||||
``endpoint_filter.sql`` as catalog's backend driver.
|
||||
included in the service catalog when a project scoped token is issued and
|
||||
``endpoint_filter.sql`` is used for the catalog driver.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
upgrade:
|
||||
- >
|
||||
The ``keystone-paste.ini`` file must be updated to remove extension
|
||||
The `keystone-paste.ini` file must be updated to remove extension
|
||||
filters, and their use in ``[pipeline:api_v3]``.
|
||||
Remove the following filters: ``[filter:oauth1_extension]``,
|
||||
``[filter:federation_extension]``, ``[filter:endpoint_filter_extension]``,
|
||||
@ -9,7 +9,7 @@ upgrade:
|
||||
<https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_
|
||||
file for guidance.
|
||||
- >
|
||||
The ``keystone-paste.ini`` file must be updated to remove extension filters,
|
||||
The `keystone-paste.ini` file must be updated to remove extension filters,
|
||||
and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` pipelines.
|
||||
Remove the following filters: ``[filter:user_crud_extension]``,
|
||||
``[filter:crud_extension]``. See the sample `keystone-paste.ini
|
||||
|
||||
@ -4,9 +4,9 @@ features:
|
||||
[`blueprint implied-roles <https://blueprints.launchpad.net/keystone/+spec/implied-roles>`_]
|
||||
Keystone now supports creating implied roles. Role inference rules can now
|
||||
be added to indicate when the assignment of one role implies the assignment
|
||||
of another. The rules are of the form ``prior_role`` implies
|
||||
``implied_role``. At token generation time, user/group assignments of roles
|
||||
of another. The rules are of the form `prior_role` implies
|
||||
`implied_role`. At token generation time, user/group assignments of roles
|
||||
that have implied roles will be expanded to also include such roles in the
|
||||
token. The expansion of implied roles is controlled by the
|
||||
``prohibited_implied_role`` option in the ``[assignment]``
|
||||
`prohibited_implied_role` option in the `[assignment]`
|
||||
section of `keystone.conf`.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
upgrade:
|
||||
- A new config option, ``insecure_debug``, is added to control whether debug
|
||||
- A new config option, `insecure_debug`, is added to control whether debug
|
||||
information is returned to clients. This used to be controlled by the
|
||||
``debug`` option. If you'd like to return extra information to clients
|
||||
`debug` option. If you'd like to return extra information to clients
|
||||
set the value to ``true``. This extra information may help an attacker.
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
features:
|
||||
- >
|
||||
[`bug 1515302 <https://bugs.launchpad.net/keystone/+bug/1515302>`_]
|
||||
Two new configuration options have been added to the ``[ldap]`` section.
|
||||
``user_enabled_emulation_use_group_config`` and
|
||||
``project_enabled_emulation_use_group_config``, which allow deployers to
|
||||
Two new configuration options have been added to the `[ldap]` section.
|
||||
`user_enabled_emulation_use_group_config` and
|
||||
`project_enabled_emulation_use_group_config`, which allow deployers to
|
||||
choose if they want to override the default group LDAP schema option.
|
||||
|
||||
@ -2,5 +2,4 @@
|
||||
upgrade:
|
||||
- >
|
||||
[`bug 1541092 <https://bugs.launchpad.net/keystone/+bug/1541092>`_]
|
||||
Database schema migrations have been squashed. Only database upgrades from
|
||||
Kilo and newer are supported.
|
||||
Only database upgrades from Kilo and newer are supported.
|
||||
|
||||
@ -3,4 +3,5 @@ other:
|
||||
- >
|
||||
``keystone-manage db_sync`` will no longer create the Default domain. This
|
||||
domain is used as the domain for any users created using the legacy v2.0
|
||||
API. A default domain is created by ``keystone-manage bootstrap``.
|
||||
API. A default domain is created by ``keystone-manage bootstrap`` and when
|
||||
a user or project is created using the legacy v2.0 API.
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
---
|
||||
upgrade:
|
||||
- >
|
||||
Keystone now uses oslo.cache. Update the ``[cache]`` section of
|
||||
``keystone.conf`` to point to oslo.cache backends:
|
||||
``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``, refer to the
|
||||
Keystone now uses oslo.cache. Update the `[cache]` section of
|
||||
`keystone.conf` to point to oslo.cache backends:
|
||||
``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``. Refer to the
|
||||
sample configuration file for examples. See `oslo.cache
|
||||
<http://docs.openstack.org/developer/oslo.cache>`_ for additional
|
||||
documentation.
|
||||
|
||||
@ -1,11 +1,7 @@
|
||||
---
|
||||
features:
|
||||
- Domains are now represented as top level projects with the attribute
|
||||
``is_domain`` set to true. Such projects will appears as parents for any
|
||||
`is_domain` set to true. Such projects will appear as parents for any
|
||||
previous top level projects. Projects acting as domains can be created,
|
||||
read, update and deleted via either the project API or the domain API.
|
||||
upgrade:
|
||||
- The contents of the sql domain table are migrated to the sql project
|
||||
table. Although the domain table (and its contents) are not removed in this
|
||||
upgrade, they are no longer referenced. They will be removed in a future
|
||||
upgrade.
|
||||
read, updated, and deleted via either the project API or the domain API
|
||||
(V3 only).
|
||||
|
||||
@ -4,4 +4,4 @@ features:
|
||||
[`bug 1500222 <https://bugs.launchpad.net/keystone/+bug/1500222>`_]
|
||||
Added information such as: user ID, project ID, and domain ID to log
|
||||
entries. As a side effect of this change, both the user's domain ID and
|
||||
project's domain ID are now included in ``auth_context``.
|
||||
project's domain ID are now included in the auth context.
|
||||
|
||||
@ -3,7 +3,7 @@ features:
|
||||
- >
|
||||
[`blueprint totp-auth <https://blueprints.launchpad.net/keystone/+spec/totp-auth>`_]
|
||||
Keystone now supports authenticating via Time-based One-time Password (TOTP).
|
||||
To enable this feature, add the ``totp`` auth plugin to the ``methods``
|
||||
option in the ``[auth]`` section of ``keystone.conf``. More information
|
||||
about using TOTP can be found in `keystone's documentation
|
||||
To enable this feature, add the ``totp`` auth plugin to the `methods`
|
||||
option in the `[auth]` section of `keystone.conf`. More information
|
||||
about using TOTP can be found in `keystone's developer documentation
|
||||
<http://docs.openstack.org/developer/keystone/auth-totp.html>`_.
|
||||
|
||||
@ -1,7 +1,5 @@
|
||||
---
|
||||
upgrade:
|
||||
- The V8 Federation driver interface is deprecated, but still supported in
|
||||
Mitaka, so any custom drivers based on the V8 interface should still work.
|
||||
other:
|
||||
- Support for the V8 Federation driver interface is planned to be removed in
|
||||
the 'O' release of OpenStack.
|
||||
deprecations:
|
||||
- The V8 Federation driver interface is deprecated in favor of the V9
|
||||
Federation driver interface. Support for the V8 Federation driver
|
||||
interface is planned to be removed in the 'O' release of OpenStack.
|
||||
|
||||
@ -2,5 +2,5 @@
|
||||
features:
|
||||
- >
|
||||
[`blueprint x509-ssl-client-cert-authn <https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-cert-authn>`_]
|
||||
Support tokenless client SSL x.509 certificate authentication and
|
||||
authorization.
|
||||
Keystone now supports tokenless client SSL x.509 certificate authentication
|
||||
and authorization.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user