5e2cc88ce7
Change-Id: I9f4d47518f1a1ab184d6cefb2b251aaad38e113a
104 lines
4.4 KiB
YAML
---
prelude: >
    - The PKI and PKIz token formats have been removed. See ``Other Notes`` for
      more details.

    - Support for writing to LDAP has been removed. See ``Other Notes`` for more
      details.
other:
  - >
    PKI and PKIz token formats have been removed in favor of Fernet tokens.
  - >
    Write support for LDAP has been removed in favor of read-only support.
    The following operations are no longer supported for LDAP:

    * ``create user``
    * ``create group``
    * ``delete user``
    * ``delete group``
    * ``update user``
    * ``update group``
    * ``add user to group``
    * ``remove user from group``
  - >
    Routes and SQL backends for the contrib extensions have been removed; they
    have been incorporated into keystone and are no longer optional. This
    affects:

    * ``keystone/contrib/admin_crud``
    * ``keystone/contrib/endpoint_filter``
    * ``keystone/contrib/federation``
    * ``keystone/contrib/oauth1``
    * ``keystone/contrib/revoke``
    * ``keystone/contrib/simple_cert``
    * ``keystone/contrib/user_crud``
  - >
    Keystone cache backends have been removed in favor of their `oslo.cache`
    counterparts. This affects:

    * ``keystone/common/cache/backends/mongo``
    * ``keystone/common/cache/backends/memcache_pool``
    * ``keystone/common/cache/backends/noop``
  - >
    Several token validation methods from the abstract class ``keystone.token.providers.base.Provider``
    were removed (see below) in favor of a single method to validate tokens (``validate_token``),
    which has the signature ``validate_token(self, token_ref)``. If using a custom token
    provider, update the custom provider accordingly.

    * ``validate_v2_token``
    * ``validate_v3_token``
    * ``validate_non_persistent_token``
  - >
    Several token issuance methods from the abstract class ``keystone.token.providers.base.Provider``
    were removed (see below) in favor of a single method to issue tokens (``issue_token``).
    If using a custom token provider, update the custom provider accordingly.

    * ``issue_v2_token``
    * ``issue_v3_token``
  - >
    The ``[DEFAULT] domain_id_immutable`` configuration option has been removed
    in favor of strictly immutable domain IDs.
  - >
    The ``[endpoint_policy] enabled`` configuration option has been removed in
    favor of always enabling the endpoint policy extension.
  - >
    The auth plugin ``keystone.auth.plugins.saml2.Saml2`` has been removed in
    favor of the auth plugin ``keystone.auth.plugins.mapped.Mapped``.
  - >
    The ``memcache`` and ``memcache_pool`` token persistence backends have been
    removed in favor of using Fernet tokens (which require no persistence).
  - >
    The ``httpd/keystone.py`` file has been removed in favor of the
    ``keystone-wsgi-admin`` and ``keystone-wsgi-public`` scripts.
  - >
    The ``keystone/service.py`` file has been removed; its logic has been
    moved to ``keystone/version/service.py``.
  - >
    The check for admin token from ``build_auth_context`` middleware has been
    removed. If your deployment requires the use of `admin token`, update
    ``keystone-paste.ini`` so that ``admin_token_auth`` is before
    ``build_auth_context`` in the paste pipelines, otherwise remove the
    ``admin_token_auth`` middleware from ``keystone-paste.ini`` entirely.
  - >
    The ``[assignment] driver`` now defaults to ``sql``. Logic to
    determine the default assignment driver if one wasn't supplied through
    configuration has been removed. Keystone only supports one assignment
    driver and it shouldn't be changed unless you're deploying a custom
    assignment driver.
  - >
    The ``[resource] driver`` now defaults to ``sql``. Logic to
    determine the default resource driver if one wasn't supplied through
    configuration has been removed. Keystone only supports one resource
    driver and it shouldn't be changed unless you're deploying a custom
    resource driver.
  - >
    The ``[os_inherit] enabled`` config option has been removed; the `OS-INHERIT`
    extension is now always enabled.
  - >
    The ``[DEFAULT] domain_id_immutable`` option has been removed.
    This removes the ability to change the ``domain_id`` attribute of
    users, groups, and projects. The behavior was introduced to allow
    deployers to migrate entities from one domain to another by updating
    the ``domain_id`` attribute of an entity. This functionality was
    deprecated in the Mitaka release and is now removed.
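
The ordering requirement in the ``admin_token_auth`` note above can be checked mechanically. The following Python audit is an added example, not part of keystone or of this release note; the sample ``keystone-paste.ini`` text, its pipeline and filter names other than ``admin_token_auth`` and ``build_auth_context``, and the function name ``audit_pipelines`` are constructed for illustration.

```python
import configparser

ADMIN = "admin_token_auth"
CONTEXT = "build_auth_context"

# Constructed sample: only the two filter names above come from the release note.
SAMPLE_PASTE_INI = """
[pipeline:public_api]
pipeline = request_id admin_token_auth build_auth_context json_body public_service

[pipeline:admin_api]
pipeline = request_id build_auth_context admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = request_id build_auth_context
    json_body service_v3
"""


def audit_pipelines(ini_text):
    """Classify every [pipeline:*] section by where admin_token_auth sits."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue
        # Paste pipelines are whitespace-separated and may span continuation lines.
        filters = parser.get(section, "pipeline", fallback="").split()
        name = section.split(":", 1)[1]
        if ADMIN not in filters:
            findings[name] = "absent"        # middleware removed entirely
        elif CONTEXT not in filters:
            findings[name] = "no_context"    # nothing to order against; review by hand
        elif filters.index(ADMIN) < filters.index(CONTEXT):
            findings[name] = "enabled"       # required order; admin token is in use
        else:
            findings[name] = "misordered"    # admin_token_auth after build_auth_context
    return findings


if __name__ == "__main__":
    for name, status in sorted(audit_pipelines(SAMPLE_PASTE_INI).items()):
        print(f"{name}: {status}")
```

A pipeline reported as ``misordered`` needs ``admin_token_auth`` moved ahead of ``build_auth_context`` or removed, as the note directs.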