diff --git a/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml b/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml index e6f09af47b..89ef108203 100644 --- a/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml +++ b/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml @@ -1,16 +1,13 @@ --- -features: +deprecations: + - > + [`blueprint deprecated-as-of-mitaka `_] + The V8 Assignment driver interface is deprecated. Support for the V8 + Assignment driver interface is planned to be removed in the 'O' release of + OpenStack. +other: - The list_project_ids_for_user(), list_domain_ids_for_user(), list_user_ids_for_project(), list_project_ids_for_groups(), list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and list_role_ids_for_groups_on_domain() methods have been removed from the V9 version of the Assignment driver. -upgrade: - - The V8 Assignment driver interface is deprecated, but still supported in - this release, so any custom drivers based on the V8 interface should still - work. -deprecations: - - > - [`blueprint deprecated-as-of-mitaka `_] - Support for the V8 Assignment driver interface is planned to be removed in - the 'O' release of OpenStack. diff --git a/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml b/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml index d724c60b4c..98306f3e29 100644 --- a/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml +++ b/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml 
@@ -3,8 +3,8 @@ features: - > [`blueprint domain-specific-roles `_] Roles can now be optionally defined as domain specific. Domain specific - roles are not references in policy files, rather they can be used to allow - a domain to build their own private inference rules with implies roles. A + roles are not referenced in policy files, rather they can be used to allow + a domain to build their own private inference rules with implied roles. A domain specific role can be assigned to a domain or project within its domain, and any subset of global roles it implies will appear in a token scoped to the respective domain or project. The domain specific role diff --git a/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml b/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml index f490acc4f7..08bda86f5e 100644 --- a/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml +++ b/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml @@ -1,10 +1,6 @@ --- -upgrade: - - The V8 Role driver interface is deprecated, but still supported in - this release, so any custom drivers based on the V8 interface should still - work. deprecations: - > [`blueprint deprecated-as-of-mitaka `_] - Support for the V8 Role driver interface is planned to be removed in - the 'O' release of OpenStack. + The V8 Role driver interface is deprecated. Support for the V8 Role driver + interface is planned to be removed in the 'O' release of OpenStack. diff --git a/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml b/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml index 00bffafaa8..8003b702a3 100644 --- a/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml +++ b/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml 
@@ -1,8 +1,5 @@ --- -upgrade: - - The V8 Resource driver interface is deprecated, but still supported in - this release, so any custom drivers based on the V8 interface should still - work. -other: - - Support for the V8 Resource driver interface is planned to be removed in - the 'O' release of OpenStack. +deprecations: + - The V8 Resource driver interface is deprecated. Support for the V8 + Resource driver interface is planned to be removed in the 'O' release of + OpenStack. diff --git a/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml b/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml index 7469243b64..997ee64a86 100644 --- a/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml +++ b/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml @@ -1,6 +1,8 @@ --- features: - - keystone-manage now supports the bootstrap command + - > + [`blueprint bootstrap `_] + keystone-manage now supports the bootstrap command on the CLI so that a keystone install can be initialized without the need of the admin_token filter in the paste-ini. @@ -9,7 +11,7 @@ security: to the use of a proper username/password. Historically the admin_token filter has been left enabled in Keystone after initialization due to the way CMS - systems work. Moving to an out-of-band initialization - will eliminate the security concerns around a static - shared string that conveys admin access to Keystone + systems work. Moving to an out-of-band initialization using + ``keystone-manage bootstrap`` will eliminate the security concerns around + a static shared string that conveys admin access to keystone and therefore to the entire installation. diff --git a/releasenotes/notes/admin_token-a5678d712783c145.yaml b/releasenotes/notes/admin_token-a5678d712783c145.yaml index 5fb2ef7f35..8547c6d309 100644 --- a/releasenotes/notes/admin_token-a5678d712783c145.yaml +++ b/releasenotes/notes/admin_token-a5678d712783c145.yaml 
@@ -2,13 +2,13 @@ upgrade: - > [`bug 1473553 `_] - The ``keystone-paste.ini`` must be updated to put the ``admin_token_auth`` + The `keystone-paste.ini` must be updated to put the ``admin_token_auth`` middleware before ``build_auth_context``. See the sample - ``keystone-paste.ini`` for the correct ``pipeline`` value. Having + `keystone-paste.ini` for the correct `pipeline` value. Having ``admin_token_auth`` after ``build_auth_context`` is deprecated and will not be supported in a future release. deprecations: - > [`blueprint deprecated-as-of-mitaka `_] The ``admin_token_auth`` filter must now be placed before the - ``build_auth_context`` filter in ``keystone-paste.ini``. + ``build_auth_context`` filter in `keystone-paste.ini`. diff --git a/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml b/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml index d6c415e470..0b7192b1a4 100644 --- a/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml +++ b/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml @@ -3,5 +3,5 @@ features: - > [`bug 1519210 `_] A user may now opt-out of notifications by specifying a list of - `event_types` using the ``notification_opt_out`` option in `keystone.conf`. + event types using the `notification_opt_out` option in `keystone.conf`. These events are never sent to a messaging service. diff --git a/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml b/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml index e6a6f5f84f..bc6ec7286f 100644 --- a/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml +++ b/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml 
@@ -2,20 +2,20 @@ features: - > [`bug 1542417 `_] - Added support for a "user_description_attribute" mapping + Added support for a `user_description_attribute` mapping to the LDAP driver configuration. upgrade: - > - The LDAP driver now also maps the user "description" attribute after + The LDAP driver now also maps the user description attribute after user retrieval from LDAP. - If this is undesired behavior for your setup, please add "description" - to the "user_attribute_ignore" LDAP driver config setting. + If this is undesired behavior for your setup, please add `description` + to the `user_attribute_ignore` LDAP driver config setting. - The default mapping of the description attribute is set to "description". - Please adjust the LDAP driver config setting "user_description_attribute" - if your LDAP uses a different attribute name (for instance to "displayName" + The default mapping of the description attribute is set to `description`. + Please adjust the LDAP driver config setting `user_description_attribute` + if your LDAP uses a different attribute name (for instance to `displayName` in case of an AD backed LDAP). - If your "user_additional_attribute_mapping" setting contains - "description:description" you can remove this mapping, since this is - now default behavior of the driver. + If your `user_additional_attribute_mapping` setting contains + `description:description` you can remove this mapping, since this is + now the default behavior. diff --git a/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml b/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml index 3c573d4873..0befecd3d5 100644 --- a/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml +++ b/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml @@ -1,6 +1,6 @@ --- -fixes: +features: - > [`bug 1526462 `_] Support for posixGroups with OpenDirectory and UNIX when using - the LDAP identity driver. \ No newline at end of file + the LDAP identity driver. 
diff --git a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml index 3b7e481ae9..31c7ff851f 100644 --- a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml +++ b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml @@ -4,7 +4,7 @@ deprecations: [`blueprint deprecated-as-of-mitaka `_] As of the Mitaka release, the PKI and PKIz token formats have been deprecated. They will be removed in the 'O' release. Due to this change, - the ``hash_algorithm`` option in the ``[token]`` section of the + the `hash_algorithm` option in the `[token]` section of the configuration file has also been deprecated. Also due to this change, the ``keystone-manage pki_setup`` command has been deprecated as well. - > @@ -16,8 +16,8 @@ deprecations: removed in the 'O' release. - > [`blueprint deprecated-as-of-mitaka `_] - As of the Mitaka release, the auth plugin ``keystone.auth.plugins.saml2.Saml2`` - has been deprecated. It is recommended to use ``keystone.auth.plugins.mapped.Mapped`` + As of the Mitaka release, the auth plugin `keystone.auth.plugins.saml2.Saml2` + has been deprecated. It is recommended to use `keystone.auth.plugins.mapped.Mapped` instead. The ``saml2`` plugin will be removed in the 'O' release. - > [`blueprint deprecated-as-of-mitaka `_] diff --git a/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml b/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml index 6f6c222d49..ea99014bdd 100644 --- a/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml +++ b/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml @@ -2,5 +2,5 @@ features: - > [`bug 1525317 `_] - Enable filtering of identity providers based on ``id``, and ``enabled`` + Enable filtering of identity providers based on `id`, and `enabled` attributes. 
diff --git a/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml b/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml index 63a0a0192d..8346285aab 100644 --- a/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml +++ b/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml @@ -1,9 +1,10 @@ --- upgrade: - > - The default setting for the os_inherit configuration option is + The default setting for the `os_inherit` configuration option is changed to True. If it is required to continue with this portion of the API disabled, then override the default setting by explicitly - specifying the os_inherit option as False. Now this option is marked - as deprecated. In the future, this option will be removed and this - portion of the API will be always enabled. + specifying the os_inherit option as False. +deprecations: + - The `os_inherit` configuration option is disabled. In the future, this + option will be removed and this portion of the API will be always enabled. diff --git a/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml b/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml index ce820a165c..d94db3baff 100644 --- a/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml +++ b/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml @@ -3,5 +3,5 @@ fixes: - > [`bug 1516469 `_] Endpoints filtered by endpoint_group project association will be - included in catalog when issue a project scoped token and using - ``endpoint_filter.sql`` as catalog's backend driver. + included in the service catalog when a project scoped token is issued and + ``endpoint_filter.sql`` is used for the catalog driver. diff --git a/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml b/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml index 8bfd4c1bed..ced7d5a73f 100644 
--- a/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml +++ b/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml @@ -1,7 +1,7 @@ --- upgrade: - > - The ``keystone-paste.ini`` file must be updated to remove extension + The `keystone-paste.ini` file must be updated to remove extension filters, and their use in ``[pipeline:api_v3]``. Remove the following filters: ``[filter:oauth1_extension]``, ``[filter:federation_extension]``, ``[filter:endpoint_filter_extension]``, @@ -9,7 +9,7 @@ upgrade: `_ file for guidance. - > - The ``keystone-paste.ini`` file must be updated to remove extension filters, + The `keystone-paste.ini` file must be updated to remove extension filters, and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` pipelines. Remove the following filters: ``[filter:user_crud_extension]``, ``[filter:crud_extension]``. See the sample `keystone-paste.ini diff --git a/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml b/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml index f0dae6da14..065fd54132 100644 --- a/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml +++ b/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml @@ -4,9 +4,9 @@ features: [`blueprint implied-roles `_] Keystone now supports creating implied roles. Role inference rules can now be added to indicate when the assignment of one role implies the assignment - of another. The rules are of the form ``prior_role`` implies - ``implied_role``. At token generation time, user/group assignments of roles + of another. The rules are of the form `prior_role` implies + `implied_role`. At token generation time, user/group assignments of roles that have implied roles will be expanded to also include such roles in the token. The expansion of implied roles is controlled by the - ``prohibited_implied_role`` option in the ``[assignment]`` + `prohibited_implied_role` option in the `[assignment]` section of `keystone.conf`. 
diff --git a/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml b/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml index 00f3b4a4cf..ba11ab2a52 100644 --- a/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml +++ b/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml @@ -1,7 +1,7 @@ --- upgrade: - - A new config option, ``insecure_debug``, is added to control whether debug + - A new config option, `insecure_debug`, is added to control whether debug information is returned to clients. This used to be controlled by the - ``debug`` option. If you'd like to return extra information to clients + `debug` option. If you'd like to return extra information to clients set the value to ``true``. This extra information may help an attacker. diff --git a/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml b/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml index 28911b9c14..1d097ae360 100644 --- a/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml +++ b/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml @@ -2,7 +2,7 @@ features: - > [`bug 1515302 `_] - Two new configuration options have been added to the ``[ldap]`` section. - ``user_enabled_emulation_use_group_config`` and - ``project_enabled_emulation_use_group_config``, which allow deployers to + Two new configuration options have been added to the `[ldap]` section. + `user_enabled_emulation_use_group_config` and + `project_enabled_emulation_use_group_config`, which allow deployers to choose if they want to override the default group LDAP schema option. diff --git a/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml b/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml index 95210c2bbe..c7d9d4127a 100644 --- a/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml +++ b/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml 
@@ -2,5 +2,4 @@ upgrade: - > [`bug 1541092 `_] - Database schema migrations have been squashed. Only database upgrades from - Kilo and newer are supported. \ No newline at end of file + Only database upgrades from Kilo and newer are supported. diff --git a/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml b/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml index 654be4f68e..a449ad670d 100644 --- a/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml +++ b/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml @@ -3,4 +3,5 @@ other: - > ``keystone-manage db_sync`` will no longer create the Default domain. This domain is used as the domain for any users created using the legacy v2.0 - API. A default domain is created by ``keystone-manage bootstrap``. + API. A default domain is created by ``keystone-manage bootstrap`` and when + a user or project is created using the legacy v2.0 API. diff --git a/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml b/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml index 6d5a93113d..dc98915451 100644 --- a/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml +++ b/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml @@ -1,9 +1,9 @@ --- upgrade: - > - Keystone now uses oslo.cache. Update the ``[cache]`` section of - ``keystone.conf`` to point to oslo.cache backends: - ``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``, refer to the + Keystone now uses oslo.cache. Update the `[cache]` section of + `keystone.conf` to point to oslo.cache backends: + ``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``. Refer to the sample configuration file for examples. See `oslo.cache `_ for additional documentation. diff --git a/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml b/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml index cb859ebd65..7845df9aff 100644 --- a/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml +++ b/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml 
@@ -1,11 +1,7 @@ --- features: - Domains are now represented as top level projects with the attribute - ``is_domain`` set to true. Such projects will appears as parents for any + `is_domain` set to true. Such projects will appear as parents for any previous top level projects. Projects acting as domains can be created, - read, update and deleted via either the project API or the domain API. -upgrade: - - The contents of the sql domain table are migrated to the sql project - table. Although the domain table (and its contents) are not removed in this - upgrade, they are no longer referenced. They will be removed in a future - upgrade. + read, updated, and deleted via either the project API or the domain API + (V3 only). diff --git a/releasenotes/notes/request_context-e143ba9c446a5952.yaml b/releasenotes/notes/request_context-e143ba9c446a5952.yaml index 9c27ba9694..b00153db09 100644 --- a/releasenotes/notes/request_context-e143ba9c446a5952.yaml +++ b/releasenotes/notes/request_context-e143ba9c446a5952.yaml @@ -4,4 +4,4 @@ features: [`bug 1500222 `_] Added information such as: user ID, project ID, and domain ID to log entries. As a side effect of this change, both the user's domain ID and - project's domain ID are now included in ``auth_context``. + project's domain ID are now included in the auth context. diff --git a/releasenotes/notes/totp-40d93231714c6a20.yaml b/releasenotes/notes/totp-40d93231714c6a20.yaml index 47a7bbb793..fcfdb04910 100644 --- a/releasenotes/notes/totp-40d93231714c6a20.yaml +++ b/releasenotes/notes/totp-40d93231714c6a20.yaml 
@@ -3,7 +3,7 @@ features: - > [`blueprint totp-auth `_] Keystone now supports authenticating via Time-based One-time Password (TOTP). - To enable this feature, add the ``totp`` auth plugin to the ``methods`` - option in the ``[auth]`` section of ``keystone.conf``. More information - about using TOTP can be found in `keystone's documentation + To enable this feature, add the ``totp`` auth plugin to the `methods` + option in the `[auth]` section of `keystone.conf`. More information + about using TOTP can be found in `keystone's developer documentation `_. diff --git a/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml b/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml index 24a91178d0..7db04c8175 100644 --- a/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml +++ b/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml @@ -1,7 +1,5 @@ --- -upgrade: - - The V8 Federation driver interface is deprecated, but still supported in - Mitaka, so any custom drivers based on the V8 interface should still work. -other: - - Support for the V8 Federation driver interface is planned to be removed in - the 'O' release of OpenStack. +deprecations: + - The V8 Federation driver interface is deprecated in favor of the V9 + Federation driver interface. Support for the V8 Federation driver + interface is planned to be removed in the 'O' release of OpenStack. diff --git a/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml b/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml index c533630758..421acd6dc4 100644 --- a/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml +++ b/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml @@ -2,5 +2,5 @@ features: - > [`blueprint x509-ssl-client-cert-authn `_] - Support tokenless client SSL x.509 certificate authentication and - authorization. + Keystone now supports tokenless client SSL x.509 certificate authentication + and authorization.
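Review bot: In Assignment_V9_driver-c22be069f7baccb0.yaml the upgrade entry is deleted and the item listing the methods removed from the V9 Assignment driver moves from features to other, so nothing under upgrade now tells authors of custom drivers that V8-based drivers "should still work" in this release or that these methods are absent in V9. Suggest keeping the removed-methods item under upgrade, since it is a change a custom driver author has to act on before moving to the V9 interface.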
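Review bot: The new deprecations item in V9ResourceDriver-26716f97c0cc1a80.yaml has no "[`blueprint deprecated-as-of-mitaka `_]" prefix, while the deprecations items in the Assignment and Role driver notes in this same patch carry it. Add the blueprint reference here (the Federation driver note has the same gap) so all four V8 driver deprecations are traceable to the same blueprint and render consistently.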
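Review bot: In the security hunk of add-bootstrap-cli-192500228cc6e574.yaml, the rewritten sentence says that initializing with ``keystone-manage bootstrap`` "will eliminate the security concerns around a static shared string", but the note never tells the operator to take the admin_token filter out of the paste pipeline afterwards, and the context line above states the filter "has been left enabled in Keystone after initialization". Suggest adding one sentence saying the filter should be removed once bootstrap has been used, otherwise the shared string still conveys admin access. Also, the new line writes "keystone" in lowercase while the unchanged context still has "Keystone"; pick one within the note.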
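Review bot: In bug_1526462-df9a3f3974d9040f.yaml the item is re-filed from fixes to features but the text is left as a verbless fragment, "Support for posixGroups with OpenDirectory and UNIX when using the LDAP identity driver.", which under a features heading does not say whether support was added or changed. Suggest "Added support for posixGroups ..." to match the wording of the bug-1542417 note in this patch ("Added support for a `user_description_attribute` mapping").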
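Review bot: In enable-inherit-on-default-54ac435230261a6a.yaml the new deprecations item reads "The `os_inherit` configuration option is disabled", which contradicts the upgrade item directly above it (the default "is changed to True") and the removed sentence it replaces ("Now this option is marked as deprecated"). This should say "deprecated", not "disabled". In the same hunk, "specifying the os_inherit option as False" is left without the backticks that the first mention of `os_inherit` gained.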
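Review bot: In insecure_reponse-2a168230709bc8e7.yaml the hunk only changes the quoting around `insecure_debug` and `debug`, and the item still leaves the operator with "If you'd like to return extra information to clients set the value to ``true``. This extra information may help an attacker." without saying what the option defaults to or which section of the configuration file it lives in. Since the item is being reworded anyway, suggest stating the default and the section so a deployer can confirm that debug detail is not being returned to clients after the upgrade.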
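Review bot: In migration_squash-f655329ddad7fc2a.yaml the sentence "Database schema migrations have been squashed." is dropped, leaving only "Only database upgrades from Kilo and newer are supported." with no reason given. The removed sentence is what explains why older upgrade paths stopped working; suggest keeping it, or folding the reason into the remaining sentence, so an operator on a pre-Kilo schema understands they must step through Kilo first.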
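Review bot: In projects_as_domains-3ea8a58b4c2965e1.yaml the whole upgrade section is deleted, and with it the only statement that "The contents of the sql domain table are migrated to the sql project table" and that the domain table is kept but "no longer referenced". Nothing in the visible patch replaces it. This is a data migration operators need to know about before upgrading (for backups and for any tooling that reads the domain table directly); suggest restoring the upgrade item, or pointing to the note that now carries it if it was moved elsewhere.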