Release note cleanup

Removed info that's internal to keystone and therefore not relevant
to deployers.

Consistent references to config option names. `` should be used for
literal string values, not references.

Change-Id: Ia7e11683ed3ae7f19fe6680848bdcbaed954f424
Brant Knudson 2016-03-14 10:16:49 -05:00 committed by Steve Martinelli
parent 918bfa9747
commit ee2724a2a2
25 changed files with 77 additions and 90 deletions

@ -1,16 +1,13 @@
---
features:
deprecations:
- >
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
The V8 Assignment driver interface is deprecated. Support for the V8
Assignment driver interface is planned to be removed in the 'O' release of
OpenStack.
other:
- The list_project_ids_for_user(), list_domain_ids_for_user(),
list_user_ids_for_project(), list_project_ids_for_groups(),
list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and
list_role_ids_for_groups_on_domain() methods have been removed from the
V9 version of the Assignment driver.
upgrade:
- The V8 Assignment driver interface is deprecated, but still supported in
this release, so any custom drivers based on the V8 interface should still
work.
deprecations:
- >
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
Support for the V8 Assignment driver interface is planned to be removed in
the 'O' release of OpenStack.
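
Review bot: the new `deprecations` text at the top of this hunk no longer says that the V8 Assignment driver interface is still supported in this release. That statement lived only in the `upgrade` entry ("any custom drivers based on the V8 interface should still work"), which is dropped here. Deployers running a custom V8 driver need exactly that assurance, so suggest keeping one clause of it in the deprecation entry, for example "The V8 Assignment driver interface is deprecated but still supported in this release."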

@ -3,8 +3,8 @@ features:
- >
[`blueprint domain-specific-roles <https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles>`_]
Roles can now be optionally defined as domain specific. Domain specific
roles are not references in policy files, rather they can be used to allow
a domain to build their own private inference rules with implies roles. A
roles are not referenced in policy files, rather they can be used to allow
a domain to build their own private inference rules with implied roles. A
domain specific role can be assigned to a domain or project within its
domain, and any subset of global roles it implies will appear in a token
scoped to the respective domain or project. The domain specific role

@ -1,10 +1,6 @@
---
upgrade:
- The V8 Role driver interface is deprecated, but still supported in
this release, so any custom drivers based on the V8 interface should still
work.
deprecations:
- >
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
Support for the V8 Role driver interface is planned to be removed in
the 'O' release of OpenStack.
The V8 Role driver interface is deprecated. Support for the V8 Role driver
interface is planned to be removed in the 'O' release of OpenStack.

@ -1,8 +1,5 @@
---
upgrade:
- The V8 Resource driver interface is deprecated, but still supported in
this release, so any custom drivers based on the V8 interface should still
work.
other:
- Support for the V8 Resource driver interface is planned to be removed in
the 'O' release of OpenStack.
deprecations:
- The V8 Resource driver interface is deprecated. Support for the V8
Resource driver interface is planned to be removed in the 'O' release of
OpenStack.
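
Review bot: the new `deprecations` entry for the Resource driver is a plain list item without the `blueprint deprecated-as-of-mitaka` link that the Assignment and Role deprecation entries in this same change carry. Suggest using the same `- >` block with the blueprint reference so the three driver deprecations render consistently.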

@ -1,6 +1,8 @@
---
features:
- keystone-manage now supports the bootstrap command
- >
[`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_]
keystone-manage now supports the bootstrap command
on the CLI so that a keystone install can be
initialized without the need of the admin_token
filter in the paste-ini.
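
Review bot: the feature text that now follows the blueprint link still leaves the command, "admin_token" and "paste-ini" unmarked and loosely named, while the next hunk of this file writes ``keystone-manage bootstrap`` and other notes in this change write ``admin_token_auth`` and `keystone-paste.ini`. Since the commit is about consistent references, suggest the same markup and the real filter and file names here.
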
@ -9,7 +11,7 @@ security:
to the use of a proper username/password. Historically
the admin_token filter has been left enabled in
Keystone after initialization due to the way CMS
systems work. Moving to an out-of-band initialization
will eliminate the security concerns around a static
shared string that conveys admin access to Keystone
systems work. Moving to an out-of-band initialization using
``keystone-manage bootstrap`` will eliminate the security concerns around
a static shared string that conveys admin access to keystone
and therefore to the entire installation.
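
Review bot: "CMS systems" in the context line just above the reworded sentence is redundant and ambiguous, because in keystone CMS is also the Cryptographic Message Syntax used by PKI tokens. If configuration management systems is what is meant, spell it out while this paragraph is being touched. The paragraph also now mixes "Keystone after initialization" with "admin access to keystone"; pick one capitalization.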

@ -2,13 +2,13 @@
upgrade:
- >
[`bug 1473553 <https://bugs.launchpad.net/keystone/+bug/1473553>`_]
The ``keystone-paste.ini`` must be updated to put the ``admin_token_auth``
The `keystone-paste.ini` must be updated to put the ``admin_token_auth``
middleware before ``build_auth_context``. See the sample
``keystone-paste.ini`` for the correct ``pipeline`` value. Having
`keystone-paste.ini` for the correct `pipeline` value. Having
``admin_token_auth`` after ``build_auth_context`` is deprecated and will
not be supported in a future release.
deprecations:
- >
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
The ``admin_token_auth`` filter must now be placed before the
``build_auth_context`` filter in ``keystone-paste.ini``.
``build_auth_context`` filter in `keystone-paste.ini`.
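
Review bot: the `deprecations` entry at the end of this hunk states a requirement ("must now be placed before") rather than naming what is deprecated, and it repeats the `upgrade` entry above it. Suggest wording it as the deprecation the upgrade entry already describes: having ``admin_token_auth`` after ``build_auth_context`` is deprecated and will not be supported in a future release.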

@ -3,5 +3,5 @@ features:
- >
[`bug 1519210 <https://bugs.launchpad.net/keystone/+bug/1519210>`_]
A user may now opt-out of notifications by specifying a list of
`event_types` using the ``notification_opt_out`` option in `keystone.conf`.
event types using the `notification_opt_out` option in `keystone.conf`.
These events are never sent to a messaging service.
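
Review bot: "A user may now opt-out" reads as if an end user controls this, but the setting is `notification_opt_out` in `keystone.conf`, so the actor is the deployer. Suggest "Deployers may now opt out of notifications" ("opt out" is two words as a verb).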

@ -2,20 +2,20 @@
features:
- >
[`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_]
Added support for a "user_description_attribute" mapping
Added support for a `user_description_attribute` mapping
to the LDAP driver configuration.
upgrade:
- >
The LDAP driver now also maps the user "description" attribute after
The LDAP driver now also maps the user description attribute after
user retrieval from LDAP.
If this is undesired behavior for your setup, please add "description"
to the "user_attribute_ignore" LDAP driver config setting.
If this is undesired behavior for your setup, please add `description`
to the `user_attribute_ignore` LDAP driver config setting.
The default mapping of the description attribute is set to "description".
Please adjust the LDAP driver config setting "user_description_attribute"
if your LDAP uses a different attribute name (for instance to "displayName"
The default mapping of the description attribute is set to `description`.
Please adjust the LDAP driver config setting `user_description_attribute`
if your LDAP uses a different attribute name (for instance to `displayName`
in case of an AD backed LDAP).
If your "user_additional_attribute_mapping" setting contains
"description:description" you can remove this mapping, since this is
now default behavior of the driver.
If your `user_additional_attribute_mapping` setting contains
`description:description` you can remove this mapping, since this is
now the default behavior.
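
Review bot: the replacement lines put literal values in single backticks (`description`, `displayName`, `description:description`), but the commit message reserves double backticks for literal string values. Suggest ``description``, ``displayName`` and ``description:description``, keeping single backticks for the option names `user_attribute_ignore`, `user_description_attribute` and `user_additional_attribute_mapping`.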

@ -1,6 +1,6 @@
---
fixes:
features:
- >
[`bug 1526462 <https://bugs.launchpad.net/keystone/+bug/1526462>`_]
Support for posixGroups with OpenDirectory and UNIX when using
the LDAP identity driver.
the LDAP identity driver.
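
Review bot: the entry is now filed under `features` but is still a noun phrase ("Support for posixGroups with OpenDirectory and UNIX ..."), so it does not say what changed. Suggest the wording this same change applies to the x509 note: "Keystone now supports posixGroups with OpenDirectory and UNIX when using the LDAP identity driver."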

@ -4,7 +4,7 @@ deprecations:
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
As of the Mitaka release, the PKI and PKIz token formats have been
deprecated. They will be removed in the 'O' release. Due to this change,
the ``hash_algorithm`` option in the ``[token]`` section of the
the `hash_algorithm` option in the `[token]` section of the
configuration file has also been deprecated. Also due to this change, the
``keystone-manage pki_setup`` command has been deprecated as well.
- >
@ -16,8 +16,8 @@ deprecations:
removed in the 'O' release.
- >
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
As of the Mitaka release, the auth plugin ``keystone.auth.plugins.saml2.Saml2``
has been deprecated. It is recommended to use ``keystone.auth.plugins.mapped.Mapped``
As of the Mitaka release, the auth plugin `keystone.auth.plugins.saml2.Saml2`
has been deprecated. It is recommended to use `keystone.auth.plugins.mapped.Mapped`
instead. The ``saml2`` plugin will be removed in the 'O' release.
- >
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]

@ -2,5 +2,5 @@
features:
- >
[`bug 1525317 <https://bugs.launchpad.net/keystone/+bug/1525317>`_]
Enable filtering of identity providers based on ``id``, and ``enabled``
Enable filtering of identity providers based on `id`, and `enabled`
attributes.

@ -1,9 +1,10 @@
---
upgrade:
- >
The default setting for the os_inherit configuration option is
The default setting for the `os_inherit` configuration option is
changed to True. If it is required to continue with this portion
of the API disabled, then override the default setting by explicitly
specifying the os_inherit option as False. Now this option is marked
as deprecated. In the future, this option will be removed and this
portion of the API will be always enabled.
specifying the os_inherit option as False.
deprecations:
- The `os_inherit` configuration option is disabled. In the future, this
option will be removed and this portion of the API will be always enabled.
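
Review bot: the new `deprecations` entry says the `os_inherit` configuration option "is disabled", which contradicts the `upgrade` entry in the same file (default changed to True) and the sentence it replaces ("this option is marked as deprecated"). It should read "is deprecated". The second mention in the upgrade entry, "specifying the os_inherit option as False", is also left without backticks while the first one gains them.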

@ -3,5 +3,5 @@ fixes:
- >
[`bug 1516469 <https://bugs.launchpad.net/keystone/+bug/1516469>`_]
Endpoints filtered by endpoint_group project association will be
included in catalog when issue a project scoped token and using
``endpoint_filter.sql`` as catalog's backend driver.
included in the service catalog when a project scoped token is issued and
``endpoint_filter.sql`` is used for the catalog driver.

@ -1,7 +1,7 @@
---
upgrade:
- >
The ``keystone-paste.ini`` file must be updated to remove extension
The `keystone-paste.ini` file must be updated to remove extension
filters, and their use in ``[pipeline:api_v3]``.
Remove the following filters: ``[filter:oauth1_extension]``,
``[filter:federation_extension]``, ``[filter:endpoint_filter_extension]``,
@ -9,7 +9,7 @@ upgrade:
<https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_
file for guidance.
- >
The ``keystone-paste.ini`` file must be updated to remove extension filters,
The `keystone-paste.ini` file must be updated to remove extension filters,
and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` pipelines.
Remove the following filters: ``[filter:user_crud_extension]``,
``[filter:crud_extension]``. See the sample `keystone-paste.ini

@ -4,9 +4,9 @@ features:
[`blueprint implied-roles <https://blueprints.launchpad.net/keystone/+spec/implied-roles>`_]
Keystone now supports creating implied roles. Role inference rules can now
be added to indicate when the assignment of one role implies the assignment
of another. The rules are of the form ``prior_role`` implies
``implied_role``. At token generation time, user/group assignments of roles
of another. The rules are of the form `prior_role` implies
`implied_role`. At token generation time, user/group assignments of roles
that have implied roles will be expanded to also include such roles in the
token. The expansion of implied roles is controlled by the
``prohibited_implied_role`` option in the ``[assignment]``
`prohibited_implied_role` option in the `[assignment]`
section of `keystone.conf`.
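
Review bot: "The expansion of implied roles is controlled by the `prohibited_implied_role` option" does not say what the option does, and the name suggests a deny list rather than an on/off switch. Because this setting bounds which roles can end up in a token through inference, suggest stating its meaning and its default in this entry.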

@ -1,7 +1,7 @@
---
upgrade:
- A new config option, ``insecure_debug``, is added to control whether debug
- A new config option, `insecure_debug`, is added to control whether debug
information is returned to clients. This used to be controlled by the
``debug`` option. If you'd like to return extra information to clients
`debug` option. If you'd like to return extra information to clients
set the value to ``true``. This extra information may help an attacker.
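
Review bot: the entry gives neither the default of `insecure_debug` nor the section it belongs to, so a deployer who ran with `debug` enabled cannot tell from this text whether responses to clients change on upgrade. Suggest stating the default and the section, and adding the missing comma in "If you'd like to return extra information to clients, set the value to ``true``".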

@ -2,7 +2,7 @@
features:
- >
[`bug 1515302 <https://bugs.launchpad.net/keystone/+bug/1515302>`_]
Two new configuration options have been added to the ``[ldap]`` section.
``user_enabled_emulation_use_group_config`` and
``project_enabled_emulation_use_group_config``, which allow deployers to
Two new configuration options have been added to the `[ldap]` section.
`user_enabled_emulation_use_group_config` and
`project_enabled_emulation_use_group_config`, which allow deployers to
choose if they want to override the default group LDAP schema option.

@ -2,5 +2,4 @@
upgrade:
- >
[`bug 1541092 <https://bugs.launchpad.net/keystone/+bug/1541092>`_]
Database schema migrations have been squashed. Only database upgrades from
Kilo and newer are supported.
Only database upgrades from Kilo and newer are supported.

@ -3,4 +3,5 @@ other:
- >
``keystone-manage db_sync`` will no longer create the Default domain. This
domain is used as the domain for any users created using the legacy v2.0
API. A default domain is created by ``keystone-manage bootstrap``.
API. A default domain is created by ``keystone-manage bootstrap`` and when
a user or project is created using the legacy v2.0 API.

@ -1,9 +1,9 @@
---
upgrade:
- >
Keystone now uses oslo.cache. Update the ``[cache]`` section of
``keystone.conf`` to point to oslo.cache backends:
``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``, refer to the
Keystone now uses oslo.cache. Update the `[cache]` section of
`keystone.conf` to point to oslo.cache backends:
``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``. Refer to the
sample configuration file for examples. See `oslo.cache
<http://docs.openstack.org/developer/oslo.cache>`_ for additional
documentation.

@ -1,11 +1,7 @@
---
features:
- Domains are now represented as top level projects with the attribute
``is_domain`` set to true. Such projects will appears as parents for any
`is_domain` set to true. Such projects will appear as parents for any
previous top level projects. Projects acting as domains can be created,
read, update and deleted via either the project API or the domain API.
upgrade:
- The contents of the sql domain table are migrated to the sql project
table. Although the domain table (and its contents) are not removed in this
upgrade, they are no longer referenced. They will be removed in a future
upgrade.
read, updated, and deleted via either the project API or the domain API
(V3 only).

@ -4,4 +4,4 @@ features:
[`bug 1500222 <https://bugs.launchpad.net/keystone/+bug/1500222>`_]
Added information such as: user ID, project ID, and domain ID to log
entries. As a side effect of this change, both the user's domain ID and
project's domain ID are now included in ``auth_context``.
project's domain ID are now included in the auth context.

@ -3,7 +3,7 @@ features:
- >
[`blueprint totp-auth <https://blueprints.launchpad.net/keystone/+spec/totp-auth>`_]
Keystone now supports authenticating via Time-based One-time Password (TOTP).
To enable this feature, add the ``totp`` auth plugin to the ``methods``
option in the ``[auth]`` section of ``keystone.conf``. More information
about using TOTP can be found in `keystone's documentation
To enable this feature, add the ``totp`` auth plugin to the `methods`
option in the `[auth]` section of `keystone.conf`. More information
about using TOTP can be found in `keystone's developer documentation
<http://docs.openstack.org/developer/keystone/auth-totp.html>`_.

@ -1,7 +1,5 @@
---
upgrade:
- The V8 Federation driver interface is deprecated, but still supported in
Mitaka, so any custom drivers based on the V8 interface should still work.
other:
- Support for the V8 Federation driver interface is planned to be removed in
the 'O' release of OpenStack.
deprecations:
- The V8 Federation driver interface is deprecated in favor of the V9
Federation driver interface. Support for the V8 Federation driver
interface is planned to be removed in the 'O' release of OpenStack.
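
Review bot: this is the only one of the four driver deprecation entries in the change that names the replacement ("in favor of the V9 Federation driver interface"); the Assignment, Role and Resource entries say only that V8 is deprecated. Suggest using one wording for all four, preferably this one, since it tells authors of custom drivers what to port to.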

@ -2,5 +2,5 @@
features:
- >
[`blueprint x509-ssl-client-cert-authn <https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-cert-authn>`_]
Support tokenless client SSL x.509 certificate authentication and
authorization.
Keystone now supports tokenless client SSL x.509 certificate authentication
and authorization.