1700 lines
77 KiB
Plaintext
1700 lines
77 KiB
Plaintext
# Andi Chandler <andi@gowling.com>, 2017. #zanata
|
|
# Andi Chandler <andi@gowling.com>, 2018. #zanata
|
|
msgid ""
|
|
msgstr ""
|
|
"Project-Id-Version: keystone\n"
|
|
"Report-Msgid-Bugs-To: \n"
|
|
"POT-Creation-Date: 2018-08-08 22:56+0000\n"
|
|
"MIME-Version: 1.0\n"
|
|
"Content-Type: text/plain; charset=UTF-8\n"
|
|
"Content-Transfer-Encoding: 8bit\n"
|
|
"PO-Revision-Date: 2018-08-08 09:01+0000\n"
|
|
"Last-Translator: Andi Chandler <andi@gowling.com>\n"
|
|
"Language-Team: English (United Kingdom)\n"
|
|
"Language: en_GB\n"
|
|
"X-Generator: Zanata 4.3.3\n"
|
|
"Plural-Forms: nplurals=2; plural=(n != 1)\n"
|
|
|
|
msgid "'/' and ',' are not allowed to be in a tag"
|
|
msgstr "'/' and ',' are not allowed to be in a tag"
|
|
|
|
msgid ""
|
|
"**Experimental** - Domain specific configuration options can be stored in "
|
|
"SQL instead of configuration files, using the new REST APIs."
|
|
msgstr ""
|
|
"**Experimental** - Domain specific configuration options can be stored in "
|
|
"SQL instead of configuration files, using the new REST APIs."
|
|
|
|
msgid ""
|
|
"**Experimental** - Keystone now supports tokenless authorization with X.509 "
|
|
"SSL client certificate."
|
|
msgstr ""
|
|
"**Experimental** - Keystone now supports tokenless authorisation with X.509 "
|
|
"SSL client certificate."
|
|
|
|
msgid "10.0.0"
|
|
msgstr "10.0.0"
|
|
|
|
msgid "10.0.1"
|
|
msgstr "10.0.1"
|
|
|
|
msgid "10.0.3"
|
|
msgstr "10.0.3"
|
|
|
|
msgid "11.0.0"
|
|
msgstr "11.0.0"
|
|
|
|
msgid "11.0.1"
|
|
msgstr "11.0.1"
|
|
|
|
msgid "11.0.3"
|
|
msgstr "11.0.3"
|
|
|
|
msgid "11.0.4"
|
|
msgstr "11.0.4"
|
|
|
|
msgid "12.0.0"
|
|
msgstr "12.0.0"
|
|
|
|
msgid "12.0.1"
|
|
msgstr "12.0.1"
|
|
|
|
msgid "13.0.0"
|
|
msgstr "13.0.0"
|
|
|
|
msgid "13.0.1"
|
|
msgstr "13.0.1"
|
|
|
|
msgid "14.0.0.0b1"
|
|
msgstr "14.0.0.0b1"
|
|
|
|
msgid "14.0.0.0b2"
|
|
msgstr "14.0.0.0b2"
|
|
|
|
msgid "14.0.0.0b3"
|
|
msgstr "14.0.0.0b3"
|
|
|
|
msgid "8.0.1"
|
|
msgstr "8.0.1"
|
|
|
|
msgid "8.1.0"
|
|
msgstr "8.1.0"
|
|
|
|
msgid "9.0.0"
|
|
msgstr "9.0.0"
|
|
|
|
msgid "9.2.0"
|
|
msgstr "9.2.0"
|
|
|
|
msgid ""
|
|
"A new ``secure_proxy_ssl_header`` configuration option is available when "
|
|
"running keystone behind a proxy."
|
|
msgstr ""
|
|
"A new ``secure_proxy_ssl_header`` configuration option is available when "
|
|
"running keystone behind a proxy."
|
|
|
|
msgid ""
|
|
"A new config option, `insecure_debug`, is added to control whether debug "
|
|
"information is returned to clients. This used to be controlled by the "
|
|
"`debug` option. If you'd like to return extra information to clients set the "
|
|
"value to ``true``. This extra information may help an attacker."
|
|
msgstr ""
|
|
"A new config option, `insecure_debug`, is added to control whether debug "
|
|
"information is returned to clients. This used to be controlled by the "
|
|
"`debug` option. If you'd like to return extra information to clients set the "
|
|
"value to ``true``. This extra information may help an attacker."
|
|
|
|
msgid ""
|
|
"A new interface called `list_federated_users_info` is added to shadow "
|
|
"backend. It's used to get the shadow user information internally. If you are "
|
|
"maintaining any out-tree shadow backends, please implement this function for "
|
|
"them as well."
|
|
msgstr ""
|
|
"A new interface called `list_federated_users_info` is added to shadow "
|
|
"backend. It's used to get the shadow user information internally. If you are "
|
|
"maintaining any out-tree shadow backends, please implement this function for "
|
|
"them as well."
|
|
|
|
msgid ""
|
|
"Add ``cache_on_issue`` flag to ``[token]`` section that enables placing "
|
|
"issued tokens to validation cache thus reducing the first validation time as "
|
|
"if token is already validated and token data cached."
|
|
msgstr ""
|
|
"Add ``cache_on_issue`` flag to ``[token]`` section that enables placing "
|
|
"issued tokens to validation cache thus reducing the first validation time as "
|
|
"if token is already validated and token data cached."
|
|
|
|
msgid ""
|
|
"Add ``keystone-manage mapping_populate`` command, which should be used when "
|
|
"domain-specific LDAP backend is used."
|
|
msgstr ""
|
|
"Add ``keystone-manage mapping_populate`` command, which should be used when "
|
|
"domain-specific LDAP backend is used."
|
|
|
|
msgid ""
|
|
"Add ``keystone-manage mapping_populate`` command. This command will pre-"
|
|
"populate a mapping table with all users from LDAP, in order to improve "
|
|
"future query performance. It should be used when an LDAP is first "
|
|
"configured, or after calling ``keystone-manage mapping_purge``, before any "
|
|
"queries related to the domain are made. For more information see ``keystone-"
|
|
"manage mapping_populate --help``"
|
|
msgstr ""
|
|
"Add ``keystone-manage mapping_populate`` command. This command will pre-"
|
|
"populate a mapping table with all users from LDAP, in order to improve "
|
|
"future query performance. It should be used when an LDAP is first "
|
|
"configured, or after calling ``keystone-manage mapping_purge``, before any "
|
|
"queries related to the domain are made. For more information see ``keystone-"
|
|
"manage mapping_populate --help``"
|
|
|
|
msgid ""
|
|
"Added an option ``--check`` to ``keystone-manage db_sync``, the option will "
|
|
"allow a user to check the status of rolling upgrades in the database."
|
|
msgstr ""
|
|
"Added an option ``--check`` to ``keystone-manage db_sync``, the option will "
|
|
"allow a user to check the status of rolling upgrades in the database."
|
|
|
|
msgid ""
|
|
"Adjust configuration tools as necessary, see the ``fixes`` section for more "
|
|
"details on this change."
|
|
msgstr ""
|
|
"Adjust configuration tools as necessary, see the ``fixes`` section for more "
|
|
"details on this change."
|
|
|
|
msgid ""
|
|
"Any auth methods that are not defined in ``keystone.conf`` in the ``[auth] "
|
|
"methods`` option are ignored when the rules are processed. Empty rules are "
|
|
"not allowed. If a rule is empty due to no-valid auth methods existing within "
|
|
"it, the rule is discarded at authentication time. If there are no rules or "
|
|
"no valid rules for the user, authentication occurs in the default manner: "
|
|
"any single configured auth method is sufficient to receive a token."
|
|
msgstr ""
|
|
"Any auth methods that are not defined in ``keystone.conf`` in the ``[auth] "
|
|
"methods`` option are ignored when the rules are processed. Empty rules are "
|
|
"not allowed. If a rule is empty due to no-valid auth methods existing within "
|
|
"it, the rule is discarded at authentication time. If there are no rules or "
|
|
"no valid rules for the user, authentication occurs in the default manner: "
|
|
"any single configured auth method is sufficient to receive a token."
|
|
|
|
msgid ""
|
|
"As a performance improvement, the base mapping driver's method "
|
|
"``get_domain_mapping_list`` now accepts an optional named argument "
|
|
"``entity_type`` that can be used to get the mappings for a given entity type "
|
|
"only. As this new call signature is already used in the ``identity.core`` "
|
|
"module, authors/maintainers of out-of-tree custom mapping drivers are "
|
|
"expected to update their implementations of ``get_domain_mapping_list`` "
|
|
"method accordingly."
|
|
msgstr ""
|
|
"As a performance improvement, the base mapping driver's method "
|
|
"``get_domain_mapping_list`` now accepts an optional named argument "
|
|
"``entity_type`` that can be used to get the mappings for a given entity type "
|
|
"only. As this new call signature is already used in the ``identity.core`` "
|
|
"module, authors/maintainers of out-of-tree custom mapping drivers are "
|
|
"expected to update their implementations of ``get_domain_mapping_list`` "
|
|
"method accordingly."
|
|
|
|
msgid "Bug Fixes"
|
|
msgstr "Bug Fixes"
|
|
|
|
msgid ""
|
|
"Certain deprecated methods from the assignment manager were removed in favor "
|
|
"of the same methods in the [resource] and [role] manager."
|
|
msgstr ""
|
|
"Certain deprecated methods from the assignment manager were removed in "
|
|
"favour of the same methods in the [resource] and [role] manager."
|
|
|
|
msgid ""
|
|
"Certain variables in ``keystone.conf`` now have options, which determine if "
|
|
"the user's setting is valid."
|
|
msgstr ""
|
|
"Certain variables in ``keystone.conf`` now have options, which determine if "
|
|
"the user's setting is valid."
|
|
|
|
msgid "Configuring per-Identity Provider WebSSO is now supported."
|
|
msgstr "Configuring per-Identity Provider WebSSO is now supported."
|
|
|
|
msgid "Critical Issues"
|
|
msgstr "Critical Issues"
|
|
|
|
msgid "Current Series Release Notes"
|
|
msgstr "Current Series Release Notes"
|
|
|
|
msgid "Deprecation Notes"
|
|
msgstr "Deprecation Notes"
|
|
|
|
msgid ""
|
|
"Domain name information can now be used in policy rules with the attribute "
|
|
"``domain_name``."
|
|
msgstr ""
|
|
"Domain name information can now be used in policy rules with the attribute "
|
|
"``domain_name``."
|
|
|
|
msgid ""
|
|
"Domains are now represented as top level projects with the attribute "
|
|
"`is_domain` set to true. Such projects will appear as parents for any "
|
|
"previous top level projects. Projects acting as domains can be created, "
|
|
"read, updated, and deleted via either the project API or the domain API (V3 "
|
|
"only)."
|
|
msgstr ""
|
|
"Domains are now represented as top level projects with the attribute "
|
|
"`is_domain` set to true. Such projects will appear as parents for any "
|
|
"previous top level projects. Projects acting as domains can be created, "
|
|
"read, updated, and deleted via either the project API or the domain API (V3 "
|
|
"only)."
|
|
|
|
msgid ""
|
|
"Each list of methods specifies a rule. If the auth methods provided by a "
|
|
"user match (or exceed) the auth methods in the list, that rule is used. The "
|
|
"first rule found (rules will not be processed in a specific order) that "
|
|
"matches will be used. If a user has the ruleset defined as ``[[\"password\", "
|
|
"\"totp\"]]`` the user must provide both password and totp auth methods (and "
|
|
"both methods must succeed) to receive a token. However, if a user has a "
|
|
"ruleset defined as ``[[\"password\"], [\"password\", \"totp\"]]`` the user "
|
|
"may use the ``password`` method on it's own but would be required to use "
|
|
"both ``password`` and ``totp`` if ``totp`` is specified at all."
|
|
msgstr ""
|
|
"Each list of methods specifies a rule. If the auth methods provided by a "
|
|
"user match (or exceed) the auth methods in the list, that rule is used. The "
|
|
"first rule found (rules will not be processed in a specific order) that "
|
|
"matches will be used. If a user has the ruleset defined as ``[[\"password\", "
|
|
"\"totp\"]]`` the user must provide both password and totp auth methods (and "
|
|
"both methods must succeed) to receive a token. However, if a user has a "
|
|
"ruleset defined as ``[[\"password\"], [\"password\", \"totp\"]]`` the user "
|
|
"may use the ``password`` method on it's own but would be required to use "
|
|
"both ``password`` and ``totp`` if ``totp`` is specified at all."
|
|
|
|
msgid "Each project can have up to 100 tags"
|
|
msgstr "Each project can have up to 100 tags"
|
|
|
|
msgid "Each tag can be up to 255 characters"
|
|
msgstr "Each tag can be up to 255 characters"
|
|
|
|
msgid ""
|
|
"Features that were \"extensions\" in previous releases (OAuth delegation, "
|
|
"Federated Identity support, Endpoint Policy, etc) are now enabled by default."
|
|
msgstr ""
|
|
"Features that were \"extensions\" in previous releases (OAuth delegation, "
|
|
"Federated Identity support, Endpoint Policy, etc) are now enabled by default."
|
|
|
|
msgid ""
|
|
"Fixes a bug related to the password create date. If you deployed master "
|
|
"during Newton development, the password create date may be reset. This would "
|
|
"only be apparent if you have security compliance features enabled."
|
|
msgstr ""
|
|
"Fixes a bug related to the password create date. If you deployed master "
|
|
"during Newton development, the password create date may be reset. This would "
|
|
"only be apparent if you have security compliance features enabled."
|
|
|
|
msgid ""
|
|
"For additional details see: `event notifications <See https://docs.openstack."
|
|
"org/developer/keystone/event_notifications.html>`_"
|
|
msgstr ""
|
|
"For additional details see: `event notifications <See https://docs.openstack."
|
|
"org/developer/keystone/event_notifications.html>`_"
|
|
|
|
msgid ""
|
|
"If PCI support is enabled, via the ``[security_compliance]`` configuration "
|
|
"options, then the ``password_expires_at`` field will be populated with a "
|
|
"timestamp. Otherwise, it will default to ``null``, indicating the password "
|
|
"does not expire."
|
|
msgstr ""
|
|
"If PCI support is enabled, via the ``[security_compliance]`` configuration "
|
|
"options, then the ``password_expires_at`` field will be populated with a "
|
|
"timestamp. Otherwise, it will default to ``null``, indicating the password "
|
|
"does not expire."
|
|
|
|
msgid ""
|
|
"If a password does not meet the specified criteria. See "
|
|
"``[security_compliance] password_regex``."
|
|
msgstr ""
|
|
"If a password does not meet the specified criteria. See "
|
|
"``[security_compliance] password_regex``."
|
|
|
|
msgid ""
|
|
"If a user attempts to change their password too often. See "
|
|
"``[security_compliance] minimum_password_age``."
|
|
msgstr ""
|
|
"If a user attempts to change their password too often. See "
|
|
"``[security_compliance] minimum_password_age``."
|
|
|
|
msgid ""
|
|
"If a user does not change their passwords at least once every X days. See "
|
|
"``[security_compliance] password_expires_days``."
|
|
msgstr ""
|
|
"If a user does not change their passwords at least once every X days. See "
|
|
"``[security_compliance] password_expires_days``."
|
|
|
|
msgid ""
|
|
"If a user is locked out after many failed authentication attempts. See "
|
|
"``[security_compliance] lockout_failure_attempts``."
|
|
msgstr ""
|
|
"If a user is locked out after many failed authentication attempts. See "
|
|
"``[security_compliance] lockout_failure_attempts``."
|
|
|
|
msgid ""
|
|
"If a user submits a new password that was recently used. See "
|
|
"``[security_compliance] unique_last_password_count``."
|
|
msgstr ""
|
|
"If a user submits a new password that was recently used. See "
|
|
"``[security_compliance] unique_last_password_count``."
|
|
|
|
msgid ""
|
|
"If performing rolling upgrades, set `[identity] "
|
|
"rolling_upgrade_password_hash_compat` to `True`. This will instruct keystone "
|
|
"to continue to hash passwords in a manner that older (pre Pike release) "
|
|
"keystones can still verify passwords. Once all upgrades are complete, ensure "
|
|
"this option is set back to `False`."
|
|
msgstr ""
|
|
"If performing rolling upgrades, set `[identity] "
|
|
"rolling_upgrade_password_hash_compat` to `True`. This will instruct keystone "
|
|
"to continue to hash passwords in a manner that older (pre Pike release) "
|
|
"keystones can still verify passwords. Once all upgrades are complete, ensure "
|
|
"this option is set back to `False`."
|
|
|
|
msgid ""
|
|
"In ``keystone-paste.ini``, using ``paste.filter_factory`` is deprecated in "
|
|
"favor of the \"use\" directive, specifying an entrypoint."
|
|
msgstr ""
|
|
"In ``keystone-paste.ini``, using ``paste.filter_factory`` is deprecated in "
|
|
"favour of the \"use\" directive, specifying an entrypoint."
|
|
|
|
msgid ""
|
|
"In the [resource] and [role] sections of the ``keystone.conf`` file, not "
|
|
"specifying the driver and using the assignment driver is deprecated. In the "
|
|
"Mitaka release, the resource and role drivers will default to the SQL driver."
|
|
msgstr ""
|
|
"In the [resource] and [role] sections of the ``keystone.conf`` file, not "
|
|
"specifying the driver and using the assignment driver is deprecated. In the "
|
|
"Mitaka release, the resource and role drivers will default to the SQL driver."
|
|
|
|
msgid ""
|
|
"In the case a user should be exempt from MFA Rules, regardless if they are "
|
|
"set, the User-Option ``multi_factor_auth_enabled`` may be set to ``False`` "
|
|
"for that user via the user create and update API (``POST/PATCH /v3/users``) "
|
|
"call. If this option is set to ``False`` the MFA rules will be ignored for "
|
|
"the user. Any other value except ``False`` will result in the MFA Rules "
|
|
"being processed; the option can only be a boolean (``True`` or ``False``) or "
|
|
"\"None\" (which will result in the default behavior (same as ``True``) but "
|
|
"the option will no longer be shown in the ``user[\"options\"]`` dictionary."
|
|
msgstr ""
|
|
"In the case a user should be exempt from MFA Rules, regardless if they are "
|
|
"set, the User-Option ``multi_factor_auth_enabled`` may be set to ``False`` "
|
|
"for that user via the user create and update API (``POST/PATCH /v3/users``) "
|
|
"call. If this option is set to ``False`` the MFA rules will be ignored for "
|
|
"the user. Any other value except ``False`` will result in the MFA Rules "
|
|
"being processed; the option can only be a boolean (``True`` or ``False``) or "
|
|
"\"None\" (which will result in the default behaviour (same as ``True``) but "
|
|
"the option will no longer be shown in the ``user[\"options\"]`` dictionary."
|
|
|
|
msgid ""
|
|
"In the policy.json file, we changed `identity:list_projects_for_groups` to "
|
|
"`identity:list_projects_for_user`. Likewise, we changed `identity:"
|
|
"list_domains_for_groups` to `identity:list_domains_for_user`. If you have "
|
|
"customized the policy.json file, you will need to make these changes. This "
|
|
"was done to better support new features around federation."
|
|
msgstr ""
|
|
"In the policy.json file, we changed `identity:list_projects_for_groups` to "
|
|
"`identity:list_projects_for_user`. Likewise, we changed `identity:"
|
|
"list_domains_for_groups` to `identity:list_domains_for_user`. If you have "
|
|
"customized the policy.json file, you will need to make these changes. This "
|
|
"was done to better support new features around federation."
|
|
|
|
msgid ""
|
|
"It is no longer possible to, via the ``paste.ini`` file to inject middleware "
|
|
"into the running keystone application. This reduces the attack surface area. "
|
|
"While this is not a huge reduction in surface area, it is one less potential "
|
|
"place that malicious code could be loaded. Malicious middleware historically "
|
|
"could collect information and/or modify the requests and responses from "
|
|
"Keystone."
|
|
msgstr ""
|
|
"It is no longer possible to, via the ``paste.ini`` file to inject middleware "
|
|
"into the running Keystone application. This reduces the attack surface area. "
|
|
"While this is not a huge reduction in surface area, it is one less potential "
|
|
"place that malicious code could be loaded. Malicious middleware historically "
|
|
"could collect information and/or modify the requests and responses from "
|
|
"Keystone."
|
|
|
|
msgid ""
|
|
"It is recommended to have the ``healthcheck`` middleware first in the "
|
|
"pipeline::"
|
|
msgstr ""
|
|
"It is recommended to have the ``healthcheck`` middleware first in the "
|
|
"pipeline::"
|
|
|
|
msgid "Keystone Release Notes"
|
|
msgstr "Keystone Release Notes"
|
|
|
|
msgid ""
|
|
"Keystone cache backends have been removed in favor of their `oslo.cache` "
|
|
"counter-part. This affects:"
|
|
msgstr ""
|
|
"Keystone cache backends have been removed in favour of their `oslo.cache` "
|
|
"counter-part. This affects:"
|
|
|
|
msgid ""
|
|
"Keystone now relies on pyldap instead of python-ldap. The pyldap library is "
|
|
"a fork of python-ldap and is a drop-in replacement with modifications to be "
|
|
"py3 compatible."
|
|
msgstr ""
|
|
"Keystone now relies on pyldap instead of python-ldap. The pyldap library is "
|
|
"a fork of python-ldap and is a drop-in replacement with modifications to be "
|
|
"py3 compatible."
|
|
|
|
msgid ""
|
|
"Keystone now supports authorizing a request token by providing a role name. "
|
|
"A `role` in the `roles` parameter can include either a role name or role id, "
|
|
"but not both."
|
|
msgstr ""
|
|
"Keystone now supports authorising a request token by providing a role name. "
|
|
"A `role` in the `roles` parameter can include either a role name or role id, "
|
|
"but not both."
|
|
|
|
msgid ""
|
|
"Keystone now supports being run under Python 3. The Python 3 and Python 3.4 "
|
|
"classifiers have been added."
|
|
msgstr ""
|
|
"Keystone now supports being run under Python 3. The Python 3 and Python 3.4 "
|
|
"classifiers have been added."
|
|
|
|
msgid ""
|
|
"Keystone now supports encrypted credentials at rest. In order to upgrade "
|
|
"successfully to Newton, deployers must encrypt all credentials currently "
|
|
"stored before contracting the database. Deployers must run `keystone-manage "
|
|
"credential_setup` in order to use the credential API within Newton, or "
|
|
"finish the upgrade from Mitaka to Newton. This will result in a service "
|
|
"outage for the credential API where credentials will be read-only for the "
|
|
"duration of the upgrade process. Once the database is contracted credentials "
|
|
"will be writeable again. Database contraction phases only apply to rolling "
|
|
"upgrades."
|
|
msgstr ""
|
|
"Keystone now supports encrypted credentials at rest. In order to upgrade "
|
|
"successfully to Newton, deployers must encrypt all credentials currently "
|
|
"stored before contracting the database. Deployers must run `keystone-manage "
|
|
"credential_setup` in order to use the credential API within Newton, or "
|
|
"finish the upgrade from Mitaka to Newton. This will result in a service "
|
|
"outage for the credential API where credentials will be read-only for the "
|
|
"duration of the upgrade process. Once the database is contracted credentials "
|
|
"will be writeable again. Database contraction phases only apply to rolling "
|
|
"upgrades."
|
|
|
|
msgid ""
|
|
"Keystone now uses oslo.cache. Update the `[cache]` section of `keystone."
|
|
"conf` to point to oslo.cache backends: ``oslo_cache.memcache_pool`` or "
|
|
"``oslo_cache.mongo``. Refer to the sample configuration file for examples. "
|
|
"See `oslo.cache <http://docs.openstack.org/developer/oslo.cache>`_ for "
|
|
"additional documentation."
|
|
msgstr ""
|
|
"Keystone now uses oslo.cache. Update the `[cache]` section of `keystone."
|
|
"conf` to point to oslo.cache backends: ``oslo_cache.memcache_pool`` or "
|
|
"``oslo_cache.mongo``. Refer to the sample configuration file for examples. "
|
|
"See `oslo.cache <http://docs.openstack.org/developer/oslo.cache>`_ for "
|
|
"additional documentation."
|
|
|
|
msgid ""
|
|
"Keystone supports ``$(project_id)s`` in the catalog. It works the same as ``"
|
|
"$(tenant_id)s``. Use of ``$(tenant_id)s`` is deprecated and catalog "
|
|
"endpoints should be updated to use ``$(project_id)s``."
|
|
msgstr ""
|
|
"Keystone supports ``$(project_id)s`` in the catalogue. It works the same as "
|
|
"``$(tenant_id)s``. Use of ``$(tenant_id)s`` is deprecated and catalogue "
|
|
"endpoints should be updated to use ``$(project_id)s``."
|
|
|
|
msgid "Liberty Series Release Notes"
|
|
msgstr "Liberty Series Release Notes"
|
|
|
|
msgid "Mitaka Series Release Notes"
|
|
msgstr "Mitaka Series Release Notes"
|
|
|
|
msgid "New Features"
|
|
msgstr "New Features"
|
|
|
|
msgid "Newton Series Release Notes"
|
|
msgstr "Newton Series Release Notes"
|
|
|
|
msgid ""
|
|
"Not specifying a domain during a create user, group or project call, which "
|
|
"relied on falling back to the default domain, is now deprecated and will be "
|
|
"removed in the N release."
|
|
msgstr ""
|
|
"Not specifying a domain during a create user, group or project call, which "
|
|
"relied on falling back to the default domain, is now deprecated and will be "
|
|
"removed in the N release."
|
|
|
|
msgid ""
|
|
"OSprofiler support was added. This cross-project profiling library allows to "
|
|
"trace various requests through all OpenStack services that support it. To "
|
|
"initiate OpenStack request tracing `--profile <HMAC_KEY>` option needs to be "
|
|
"added to the CLI command. Configuration and usage details can be foung in "
|
|
"[`OSProfiler documentation <http://docs.openstack.org/developer/osprofiler/"
|
|
"api.html>`_]"
|
|
msgstr ""
|
|
"OSprofiler support was added. This cross-project profiling library allows to "
|
|
"trace various requests through all OpenStack services that support it. To "
|
|
"initiate OpenStack request tracing `--profile <HMAC_KEY>` option needs to be "
|
|
"added to the CLI command. Configuration and usage details can be foung in "
|
|
"[`OSProfiler documentation <http://docs.openstack.org/developer/osprofiler/"
|
|
"api.html>`_]"
|
|
|
|
msgid ""
|
|
"OSprofiler support was introduced. To allow its usage the keystone-paste.ini "
|
|
"file needs to be modified to contain osprofiler middleware."
|
|
msgstr ""
|
|
"OSprofiler support was introduced. To allow its usage the keystone-paste.ini "
|
|
"file needs to be modified to contain osprofiler middleware."
|
|
|
|
msgid "Ocata Series Release Notes"
|
|
msgstr "Ocata Series Release Notes"
|
|
|
|
msgid "Other Notes"
|
|
msgstr "Other Notes"
|
|
|
|
msgid "PKI and PKIz token formats have been removed in favor of Fernet tokens."
|
|
msgstr ""
|
|
"PKI and PKIz token formats have been removed in favour of Fernet tokens."
|
|
|
|
msgid "Pike Series Release Notes"
|
|
msgstr "Pike Series Release Notes"
|
|
|
|
msgid "Prelude"
|
|
msgstr "Prelude"
|
|
|
|
msgid ""
|
|
"Project tags are implemented following the guidelines set by the `API "
|
|
"Working Group <https://specs.openstack.org/openstack/api-wg/guidelines/tags."
|
|
"html>`_"
|
|
msgstr ""
|
|
"Project tags are implemented following the guidelines set by the `API "
|
|
"Working Group <https://specs.openstack.org/openstack/api-wg/guidelines/tags."
|
|
"html>`_"
|
|
|
|
msgid "Queens Series Release Notes"
|
|
msgstr "Queens Series Release Notes"
|
|
|
|
msgid ""
|
|
"Routes and SQL backends for the contrib extensions have been removed, they "
|
|
"have been incorporated into keystone and are no longer optional. This "
|
|
"affects:"
|
|
msgstr ""
|
|
"Routes and SQL backends for the contrib extensions have been removed, they "
|
|
"have been incorporated into Keystone and are no longer optional. This "
|
|
"affects:"
|
|
|
|
msgid ""
|
|
"Running keystone in eventlet remains deprecated and will be removed in the "
|
|
"Mitaka release."
|
|
msgstr ""
|
|
"Running Keystone in eventlet remains deprecated and will be removed in the "
|
|
"Mitaka release."
|
|
|
|
msgid ""
|
|
"SECURITY INFO: The MFA rules are only processed when authentication happens "
|
|
"through the V3 authentication APIs. If V2 Auth is enabled it is possible to "
|
|
"circumvent the MFA rules if the user can authenticate via V2 Auth API. It is "
|
|
"recommended to disable V2 authentication for full enforcement of the MFA "
|
|
"rules."
|
|
msgstr ""
|
|
"SECURITY INFO: The MFA rules are only processed when authentication happens "
|
|
"through the V3 authentication APIs. If V2 Auth is enabled it is possible to "
|
|
"circumvent the MFA rules if the user can authenticate via V2 Auth API. It is "
|
|
"recommended to disable V2 authentication for full enforcement of the MFA "
|
|
"rules."
|
|
|
|
msgid ""
|
|
"Schema downgrades via ``keystone-manage db_sync`` are no longer supported. "
|
|
"Only upgrades are supported."
|
|
msgstr ""
|
|
"Schema downgrades via ``keystone-manage db_sync`` are no longer supported. "
|
|
"Only upgrades are supported."
|
|
|
|
msgid "Security Issues"
|
|
msgstr "Security Issues"
|
|
|
|
msgid ""
|
|
"See `Project Tags <https://developer.openstack.org/api-ref/identity/v3/"
|
|
"#project-tags>`_"
|
|
msgstr ""
|
|
"See `Project Tags <https://developer.openstack.org/api-ref/identity/v3/"
|
|
"#project-tags>`_"
|
|
|
|
msgid ""
|
|
"Set the following user attributes to ``True`` or ``False`` in an API "
|
|
"request. To mark a user as exempt from the PCI password lockout policy::"
|
|
msgstr ""
|
|
"Set the following user attributes to ``True`` or ``False`` in an API "
|
|
"request. To mark a user as exempt from the PCI password lockout policy::"
|
|
|
|
msgid ""
|
|
"Several configuration options have been deprecated, renamed, or moved to new "
|
|
"sections in the ``keystone.conf`` file."
|
|
msgstr ""
|
|
"Several configuration options have been deprecated, renamed, or moved to new "
|
|
"sections in the ``keystone.conf`` file."
|
|
|
|
msgid ""
|
|
"Several features were hardened, including Fernet tokens, federation, domain "
|
|
"specific configurations from database and role assignments."
|
|
msgstr ""
|
|
"Several features were hardened, including Fernet tokens, federation, domain "
|
|
"specific configurations from database and role assignments."
|
|
|
|
msgid ""
|
|
"Several token issuance methods from the abstract class ``keystone.token."
|
|
"providers.base.Provider`` were removed (see below) in favor of a single "
|
|
"method to issue tokens (``issue_token``). If using a custom token provider, "
|
|
"updated the custom provider accordingly."
|
|
msgstr ""
|
|
"Several token issuance methods from the abstract class ``keystone.token."
|
|
"providers.base.Provider`` were removed (see below) in favour of a single "
|
|
"method to issue tokens (``issue_token``). If using a custom token provider, "
|
|
"updated the custom provider accordingly."
|
|
|
|
msgid ""
|
|
"Several token validation methods from the abstract class ``keystone.token."
|
|
"providers.base.Provider`` were removed (see below) in favor of a single "
|
|
"method to validate tokens (``validate_token``), that has the signature "
|
|
"``validate_token(self, token_ref)``. If using a custom token provider, "
|
|
"update the custom provider accordingly."
|
|
msgstr ""
|
|
"Several token validation methods from the abstract class ``keystone.token."
|
|
"providers.base.Provider`` were removed (see below) in favour of a single "
|
|
"method to validate tokens (``validate_token``), that has the signature "
|
|
"``validate_token(self, token_ref)``. If using a custom token provider, "
|
|
"update the custom provider accordingly."
|
|
|
|
msgid ""
|
|
"Support for writing to LDAP has been removed. See ``Other Notes`` for more "
|
|
"details."
|
|
msgstr ""
|
|
"Support for writing to LDAP has been removed. See ``Other Notes`` for more "
|
|
"details."
|
|
|
|
msgid ""
|
|
"Support has now been added to send notification events on user/group "
|
|
"membership. When a user is added or removed from a group a notification will "
|
|
"be sent including the identifiers of both the user and the group."
|
|
msgstr ""
|
|
"Support has now been added to send notification events on user/group "
|
|
"membership. When a user is added or removed from a group a notification will "
|
|
"be sent including the identifiers of both the user and the group."
|
|
|
|
msgid ""
|
|
"Support was improved for out-of-tree drivers by defining stable driver "
|
|
"interfaces."
|
|
msgstr ""
|
|
"Support was improved for out-of-tree drivers by defining stable driver "
|
|
"interfaces."
|
|
|
|
msgid "Tags are case sensitive"
|
|
msgstr "Tags are case sensitive"
|
|
|
|
msgid ""
|
|
"The EC2 token middleware, deprecated in Juno, is no longer available in "
|
|
"keystone. It has been moved to the keystonemiddleware package."
|
|
msgstr ""
|
|
"The EC2 token middleware, deprecated in Juno, is no longer available in "
|
|
"Keystone. It has been moved to the keystonemiddleware package."
|
|
|
|
msgid ""
|
|
"The LDAP driver now also maps the user description attribute after user "
|
|
"retrieval from LDAP. If this is undesired behavior for your setup, please "
|
|
"add `description` to the `user_attribute_ignore` LDAP driver config setting. "
|
|
"The default mapping of the description attribute is set to `description`. "
|
|
"Please adjust the LDAP driver config setting `user_description_attribute` if "
|
|
"your LDAP uses a different attribute name (for instance to `displayName` in "
|
|
"case of an AD backed LDAP). If your `user_additional_attribute_mapping` "
|
|
"setting contains `description:description` you can remove this mapping, "
|
|
"since this is now the default behavior."
|
|
msgstr ""
|
|
"The LDAP driver now also maps the user description attribute after user "
|
|
"retrieval from LDAP. If this is undesired behaviour for your setup, please "
|
|
"add `description` to the `user_attribute_ignore` LDAP driver config setting. "
|
|
"The default mapping of the description attribute is set to `description`. "
|
|
"Please adjust the LDAP driver config setting `user_description_attribute` if "
|
|
"your LDAP uses a different attribute name (for instance to `displayName` in "
|
|
"case of an AD backed LDAP). If your `user_additional_attribute_mapping` "
|
|
"setting contains `description:description` you can remove this mapping, "
|
|
"since this is now the default behaviour."
|
|
|
|
msgid ""
|
|
"The MFA rules are set via the user create and update API (``POST/PATCH /v3/"
|
|
"users``) call; the options allow an admin to force a user to use specific "
|
|
"forms of authentication or combinations of forms of authentication to get a "
|
|
"token. The rules are specified as follows::"
|
|
msgstr ""
|
|
"The MFA rules are set via the user create and update API (``POST/PATCH /v3/"
|
|
"users``) call; the options allow an admin to force a user to use specific "
|
|
"forms of authentication or combinations of forms of authentication to get a "
|
|
"token. The rules are specified as follows::"
|
|
|
|
msgid ""
|
|
"The PKI and PKIz token format has been removed. See ``Other Notes`` for more "
|
|
"details."
|
|
msgstr ""
|
|
"The PKI and PKIz token format has been removed. See ``Other Notes`` for more "
|
|
"details."
|
|
|
|
msgid ""
|
|
"The V8 Federation driver interface is deprecated in favor of the V9 "
|
|
"Federation driver interface. Support for the V8 Federation driver interface "
|
|
"is planned to be removed in the 'O' release of OpenStack."
|
|
msgstr ""
|
|
"The V8 Federation driver interface is deprecated in favour of the V9 "
|
|
"Federation driver interface. Support for the V8 Federation driver interface "
|
|
"is planned to be removed in the 'O' release of OpenStack."
|
|
|
|
msgid ""
|
|
"The V8 Resource driver interface is deprecated. Support for the V8 Resource "
|
|
"driver interface is planned to be removed in the 'O' release of OpenStack."
|
|
msgstr ""
|
|
"The V8 Resource driver interface is deprecated. Support for the V8 Resource "
|
|
"driver interface is planned to be removed in the 'O' release of OpenStack."
|
|
|
|
msgid ""
|
|
"The XML middleware stub has been removed, so references to it must be "
|
|
"removed from the ``keystone-paste.ini`` configuration file."
|
|
msgstr ""
|
|
"The XML middleware stub has been removed, so references to it must be "
|
|
"removed from the ``keystone-paste.ini`` configuration file."
|
|
|
|
msgid ""
|
|
"The ``/OS-FEDERATION/projects`` and ``/OS-FEDERATION/domains`` APIs are "
|
|
"deprecated in favor of the ``/v3/auth/projects`` and ``/v3/auth/domains`` "
|
|
"APIs. These APIs were originally marked as deprecated during the Juno "
|
|
"release cycle, but we never deprecated using ``versionutils`` from oslo. "
|
|
"More information regarding this deprecation can be found in the `patch "
|
|
"<https://review.openstack.org/#/c/115423/>`_ that proposed the deprecation."
|
|
msgstr ""
|
|
"The ``/OS-FEDERATION/projects`` and ``/OS-FEDERATION/domains`` APIs are "
|
|
"deprecated in favour of the ``/v3/auth/projects`` and ``/v3/auth/domains`` "
|
|
"APIs. These APIs were originally marked as deprecated during the Juno "
|
|
"release cycle, but we never deprecated using ``versionutils`` from oslo. "
|
|
"More information regarding this deprecation can be found in the `patch "
|
|
"<https://review.openstack.org/#/c/115423/>`_ that proposed the deprecation."
|
|
|
|
msgid ""
|
|
"The ``[DEFAULT] domain_id_immutable`` configuration option has been removed "
|
|
"in favor of strictly immutable domain IDs."
|
|
msgstr ""
|
|
"The ``[DEFAULT] domain_id_immutable`` configuration option has been removed "
|
|
"in favour of strictly immutable domain IDs."
|
|
|
|
msgid ""
|
|
"The ``[DEFAULT] domain_id_immutable`` option has been removed. This removes "
|
|
"the ability to change the ``domain_id`` attribute of users, groups, and "
|
|
"projects. The behavior was introduced to allow deployers to migrate entities "
|
|
"from one domain to another by updating the ``domain_id`` attribute of an "
|
|
"entity. This functionality was deprecated in the Mitaka release is now "
|
|
"removed."
|
|
msgstr ""
|
|
"The ``[DEFAULT] domain_id_immutable`` option has been removed. This removes "
|
|
"the ability to change the ``domain_id`` attribute of users, groups, and "
|
|
"projects. The behaviour was introduced to allow deployers to migrate "
|
|
"entities from one domain to another by updating the ``domain_id`` attribute "
|
|
"of an entity. This functionality was deprecated in the Mitaka release is now "
|
|
"removed."
|
|
|
|
msgid ""
|
|
"The ``[assignment] driver`` now defaults to ``sql``. Logic to determine the "
|
|
"default assignment driver if one wasn't supplied through configuration has "
|
|
"been removed. Keystone only supports one assignment driver and it shouldn't "
|
|
"be changed unless you're deploying a custom assignment driver."
|
|
msgstr ""
|
|
"The ``[assignment] driver`` now defaults to ``sql``. Logic to determine the "
|
|
"default assignment driver if one wasn't supplied through configuration has "
|
|
"been removed. Keystone only supports one assignment driver and it shouldn't "
|
|
"be changed unless you're deploying a custom assignment driver."
|
|
|
|
msgid ""
|
|
"The ``[endpoint_policy] enabled`` configuration option has been removed in "
|
|
"favor of always enabling the endpoint policy extension."
|
|
msgstr ""
|
|
"The ``[endpoint_policy] enabled`` configuration option has been removed in "
|
|
"favour of always enabling the endpoint policy extension."
|
|
|
|
msgid ""
|
|
"The ``[os_inherit] enabled`` config option has been removed, the `OS-"
|
|
"INHERIT` extension is now always enabled."
|
|
msgstr ""
|
|
"The ``[os_inherit] enabled`` config option has been removed, the `OS-"
|
|
"INHERIT` extension is now always enabled."
|
|
|
|
msgid ""
|
|
"The ``[resource] driver`` now defaults to ``sql``. Logic to determine the "
|
|
"default resource driver if one wasn't supplied through configuration has "
|
|
"been removed. Keystone only supports one resource driver and it shouldn't be "
|
|
"changed unless you're deploying a custom resource driver."
|
|
msgstr ""
|
|
"The ``[resource] driver`` now defaults to ``sql``. Logic to determine the "
|
|
"default resource driver if one wasn't supplied through configuration has "
|
|
"been removed. Keystone only supports one resource driver and it shouldn't be "
|
|
"changed unless you're deploying a custom resource driver."
|
|
|
|
msgid ""
|
|
"The ``[security_compliance] password_expires_ignore_user_ids`` option has "
|
|
"been removed. Each user that should ignore password expiry should have the "
|
|
"value set to \"true\" in the user's ``options`` attribute (e.g. "
|
|
"``user['options']['ignore_password_expiry'] = True``) with a user update "
|
|
"call."
|
|
msgstr ""
|
|
"The ``[security_compliance] password_expires_ignore_user_ids`` option has "
|
|
"been removed. Each user that should ignore password expiry should have the "
|
|
"value set to \"true\" in the user's ``options`` attribute (e.g. "
|
|
"``user['options']['ignore_password_expiry'] = True``) with a user update "
|
|
"call."
|
|
|
|
msgid ""
|
|
"The ``compute_port`` configuration option, deprecated in Juno, is no longer "
|
|
"available."
|
|
msgstr ""
|
|
"The ``compute_port`` configuration option, deprecated in Juno, is no longer "
|
|
"available."
|
|
|
|
msgid ""
|
|
"The ``enabled`` config option of the ``trust`` feature is deprecated and "
|
|
"will be removed in the next release. Trusts will then always be enabled."
|
|
msgstr ""
|
|
"The ``enabled`` config option of the ``trust`` feature is deprecated and "
|
|
"will be removed in the next release. Trusts will then always be enabled."
|
|
|
|
msgid ""
|
|
"The ``httpd/keystone.py`` file has been removed in favor of the ``keystone-"
|
|
"wsgi-admin`` and ``keystone-wsgi-public`` scripts."
|
|
msgstr ""
|
|
"The ``httpd/keystone.py`` file has been removed in favour of the ``keystone-"
|
|
"wsgi-admin`` and ``keystone-wsgi-public`` scripts."
|
|
|
|
msgid ""
|
|
"The ``keystone.conf`` file now references entrypoint names for drivers. For "
|
|
"example, the drivers are now specified as \"sql\", \"ldap\", \"uuid\", "
|
|
"rather than the full module path. See the sample configuration file for "
|
|
"other examples."
|
|
msgstr ""
|
|
"The ``keystone.conf`` file now references entrypoint names for drivers. For "
|
|
"example, the drivers are now specified as \"sql\", \"ldap\", \"uuid\", "
|
|
"rather than the full module path. See the sample configuration file for "
|
|
"other examples."
|
|
|
|
msgid ""
|
|
"The ``keystone/service.py`` file has been removed, the logic has been moved "
|
|
"to the ``keystone/version/service.py``."
|
|
msgstr ""
|
|
"The ``keystone/service.py`` file has been removed, the logic has been moved "
|
|
"to the ``keystone/version/service.py``."
|
|
|
|
msgid ""
|
|
"The ``memcache`` and ``memcache_pool`` token persistence backends have been "
|
|
"removed in favor of using Fernet tokens (which require no persistence)."
|
|
msgstr ""
|
|
"The ``memcache`` and ``memcache_pool`` token persistence backends have been "
|
|
"removed in favour of using Fernet tokens (which require no persistence)."
|
|
|
|
msgid ""
|
|
"The ``policies`` API is deprecated. Keystone is not a policy management "
|
|
"service."
|
|
msgstr ""
|
|
"The ``policies`` API is deprecated. Keystone is not a policy management "
|
|
"service."
|
|
|
|
msgid ""
|
|
"The ``token`` auth method typically should not be specified in any MFA "
|
|
"Rules. The ``token`` auth method will include all previous auth methods for "
|
|
"the original auth request and will match the appropriate ruleset. This is "
|
|
"intentional, as the ``token`` method is used for rescoping/changing active "
|
|
"projects."
|
|
msgstr ""
|
|
"The ``token`` auth method typically should not be specified in any MFA "
|
|
"Rules. The ``token`` auth method will include all previous auth methods for "
|
|
"the original auth request and will match the appropriate ruleset. This is "
|
|
"intentional, as the ``token`` method is used for rescoping/changing active "
|
|
"projects."
|
|
|
|
msgid ""
|
|
"The `keystone-paste.ini` file must be updated to remove extension filters, "
|
|
"and their use in ``[pipeline:api_v3]``. Remove the following filters: "
|
|
"``[filter:oauth1_extension]``, ``[filter:federation_extension]``, ``[filter:"
|
|
"endpoint_filter_extension]``, and ``[filter:revoke_extension]``. See the "
|
|
"sample `keystone-paste.ini <https://git.openstack.org/cgit/openstack/"
|
|
"keystone/tree/etc/keystone-paste.ini>`_ file for guidance."
|
|
msgstr ""
|
|
"The `keystone-paste.ini` file must be updated to remove extension filters, "
|
|
"and their use in ``[pipeline:api_v3]``. Remove the following filters: "
|
|
"``[filter:oauth1_extension]``, ``[filter:federation_extension]``, ``[filter:"
|
|
"endpoint_filter_extension]``, and ``[filter:revoke_extension]``. See the "
|
|
"sample `keystone-paste.ini <https://git.openstack.org/cgit/openstack/"
|
|
"keystone/tree/etc/keystone-paste.ini>`_ file for guidance."
|
|
|
|
msgid ""
|
|
"The `keystone-paste.ini` file must be updated to remove extension filters, "
|
|
"and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` "
|
|
"pipelines. Remove the following filters: ``[filter:user_crud_extension]``, "
|
|
"``[filter:crud_extension]``. See the sample `keystone-paste.ini <https://git."
|
|
"openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_ file "
|
|
"for guidance."
|
|
msgstr ""
|
|
"The `keystone-paste.ini` file must be updated to remove extension filters, "
|
|
"and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` "
|
|
"pipelines. Remove the following filters: ``[filter:user_crud_extension]``, "
|
|
"``[filter:crud_extension]``. See the sample `keystone-paste.ini <https://git."
|
|
"openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_ file "
|
|
"for guidance."
|
|
|
|
msgid ""
|
|
"The `os_inherit` configuration option is disabled. In the future, this "
|
|
"option will be removed and this portion of the API will be always enabled."
|
|
msgstr ""
|
|
"The `os_inherit` configuration option is disabled. In the future, this "
|
|
"option will be removed and this portion of the API will be always enabled."
|
|
|
|
msgid ""
|
|
"The ability to validate a trust-scoped token against the v2.0 API has been "
|
|
"removed, in favor of using the version 3 of the API."
|
|
msgstr ""
|
|
"The ability to validate a trust-scoped token against the v2.0 API has been "
|
|
"removed, in favour of using the version 3 of the API."
|
|
|
|
msgid ""
|
|
"The admin_token method of authentication was never intended to be used for "
|
|
"any purpose other than bootstrapping an install. However many deployments "
|
|
"had to leave the admin_token method enabled due to restrictions on editing "
|
|
"the paste file used to configure the web pipelines. To minimize the risk "
|
|
"from this mechanism, the `admin_token` configuration value now defaults to a "
|
|
"python `None` value. In addition, if the value is set to `None`, either "
|
|
"explicitly or implicitly, the `admin_token` will not be enabled, and an "
|
|
"attempt to use it will lead to a failed authentication."
|
|
msgstr ""
|
|
"The admin_token method of authentication was never intended to be used for "
|
|
"any purpose other than bootstrapping an install. However many deployments "
|
|
"had to leave the admin_token method enabled due to restrictions on editing "
|
|
"the paste file used to configure the web pipelines. To minimize the risk "
|
|
"from this mechanism, the `admin_token` configuration value now defaults to a "
|
|
"python `None` value. In addition, if the value is set to `None`, either "
|
|
"explicitly or implicitly, the `admin_token` will not be enabled, and an "
|
|
"attempt to use it will lead to a failed authentication."
|
|
|
|
msgid ""
|
|
"The auth plugin ``keystone.auth.plugins.saml2.Saml2`` has been removed in "
|
|
"favor of the auth plugin ``keystone.auth.plugins.mapped.Mapped``."
|
|
msgstr ""
|
|
"The auth plugin ``keystone.auth.plugins.saml2.Saml2`` has been removed in "
|
|
"favour of the auth plugin ``keystone.auth.plugins.mapped.Mapped``."
|
|
|
|
msgid ""
|
|
"The catalog backend ``endpoint_filter.sql`` has been removed. It has been "
|
|
"consolidated with the ``sql`` backend, therefore replace the "
|
|
"``endpoint_filter.sql`` catalog backend with the ``sql`` backend."
|
|
msgstr ""
|
|
"The catalogue backend ``endpoint_filter.sql`` has been removed. It has been "
|
|
"consolidated with the ``sql`` backend, therefore replace the "
|
|
"``endpoint_filter.sql`` catalogue backend with the ``sql`` backend."
|
|
|
|
msgid ""
|
|
"The check for admin token from ``build_auth_context`` middleware has been "
|
|
"removed. If your deployment requires the use of `admin token`, update "
|
|
"``keystone-paste.ini`` so that ``admin_token_auth`` is before "
|
|
"``build_auth_context`` in the paste pipelines, otherwise remove the "
|
|
"``admin_token_auth`` middleware from ``keystone-paste.ini`` entirely."
|
|
msgstr ""
|
|
"The check for admin token from ``build_auth_context`` middleware has been "
|
|
"removed. If your deployment requires the use of `admin token`, update "
|
|
"``keystone-paste.ini`` so that ``admin_token_auth`` is before "
|
|
"``build_auth_context`` in the paste pipelines, otherwise remove the "
|
|
"``admin_token_auth`` middleware from ``keystone-paste.ini`` entirely."
|
|
|
|
msgid ""
|
|
"The config option ``rolling_upgrade_password_hash_compat`` is removed. It is "
|
|
"only used for rolling-upgrade from Ocata release to Pike release."
|
|
msgstr ""
|
|
"The config option ``rolling_upgrade_password_hash_compat`` is removed. It is "
|
|
"only used for rolling-upgrade from Ocata release to Pike release."
|
|
|
|
msgid ""
|
|
"The configuration options for LDAP connection pooling, `[ldap] use_pool` and "
|
|
"`[ldap] use_auth_pool`, are now both enabled by default. Only deployments "
|
|
"using LDAP drivers are affected. Additional configuration options are "
|
|
"available in the `[ldap]` section to tune connection pool size, etc."
|
|
msgstr ""
|
|
"The configuration options for LDAP connection pooling, `[ldap] use_pool` and "
|
|
"`[ldap] use_auth_pool`, are now both enabled by default. Only deployments "
|
|
"using LDAP drivers are affected. Additional configuration options are "
|
|
"available in the `[ldap]` section to tune connection pool size, etc."
|
|
|
|
msgid ""
|
|
"The credentials list call can now have its results filtered by credential "
|
|
"type."
|
|
msgstr ""
|
|
"The credentials list call can now have its results filtered by credential "
|
|
"type."
|
|
|
|
msgid ""
|
|
"The default setting for the `os_inherit` configuration option is changed to "
|
|
"True. If it is required to continue with this portion of the API disabled, "
|
|
"then override the default setting by explicitly specifying the os_inherit "
|
|
"option as False."
|
|
msgstr ""
|
|
"The default setting for the `os_inherit` configuration option is changed to "
|
|
"True. If it is required to continue with this portion of the API disabled, "
|
|
"then override the default setting by explicitly specifying the os_inherit "
|
|
"option as False."
|
|
|
|
msgid "The default token provider is now Fernet."
|
|
msgstr "The default token provider is now Fernet."
|
|
|
|
msgid ""
|
|
"The external authentication plugins ExternalDefault, ExternalDomain, "
|
|
"LegacyDefaultDomain, and LegacyDomain, deprecated in Icehouse, are no longer "
|
|
"available."
|
|
msgstr ""
|
|
"The external authentication plugins ExternalDefault, ExternalDomain, "
|
|
"LegacyDefaultDomain, and LegacyDomain, deprecated in Icehouse, are no longer "
|
|
"available."
|
|
|
|
msgid ""
|
|
"The functionality of the ``ADMIN_TOKEN`` remains, but has been incorporated "
|
|
"into the main auth middleware (``keystone.middleware.auth."
|
|
"AuthContextMiddleware``)."
|
|
msgstr ""
|
|
"The functionality of the ``ADMIN_TOKEN`` remains, but has been incorporated "
|
|
"into the main auth middleware (``keystone.middleware.auth."
|
|
"AuthContextMiddleware``)."
|
|
|
|
msgid ""
|
|
"The identity backend driver interface has changed. A new method, "
|
|
"`unset_default_project_id(project_id)`, was added to unset a user's default "
|
|
"project ID for a given project ID. Custom backend implementations must "
|
|
"implement this method."
|
|
msgstr ""
|
|
"The identity backend driver interface has changed. A new method, "
|
|
"`unset_default_project_id(project_id)`, was added to unset a user's default "
|
|
"project ID for a given project ID. Custom backend implementations must "
|
|
"implement this method."
|
|
|
|
msgid ""
|
|
"The identity backend driver interface has changed. We've added a new "
|
|
"``change_password()`` method for self service password changes. If you have "
|
|
"a custom implementation for the identity driver, you will need to implement "
|
|
"this new method."
|
|
msgstr ""
|
|
"The identity backend driver interface has changed. We've added a new "
|
|
"``change_password()`` method for self service password changes. If you have "
|
|
"a custom implementation for the identity driver, you will need to implement "
|
|
"this new method."
|
|
|
|
msgid ""
|
|
"The implementation for checking database state during an upgrade with the "
|
|
"use of `keystone-manage db_sync --check` has been corrected. This allows "
|
|
"users and automation to determine what step is next in a rolling upgrade "
|
|
"based on logging and command status codes."
|
|
msgstr ""
|
|
"The implementation for checking database state during an upgrade with the "
|
|
"use of `keystone-manage db_sync --check` has been corrected. This allows "
|
|
"users and automation to determine what step is next in a rolling upgrade "
|
|
"based on logging and command status codes."
|
|
|
|
msgid ""
|
|
"The list_project_ids_for_user(), list_domain_ids_for_user(), "
|
|
"list_user_ids_for_project(), list_project_ids_for_groups(), "
|
|
"list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and "
|
|
"list_role_ids_for_groups_on_domain() methods have been removed from the V9 "
|
|
"version of the Assignment driver."
|
|
msgstr ""
|
|
"The list_project_ids_for_user(), list_domain_ids_for_user(), "
|
|
"list_user_ids_for_project(), list_project_ids_for_groups(), "
|
|
"list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and "
|
|
"list_role_ids_for_groups_on_domain() methods have been removed from the V9 "
|
|
"version of the Assignment driver."
|
|
|
|
msgid "The method signature has changed from::"
|
|
msgstr "The method signature has changed from::"
|
|
|
|
msgid ""
|
|
"The resource backend cannot be configured to anything but SQL if the SQL "
|
|
"Identity backend is being used. The resource backend must now be SQL which "
|
|
"allows for the use of Foreign Keys to domains/projects wherever desired. "
|
|
"This makes managing project relationships and such much more straight "
|
|
"forward. The inability to configure non-SQL resource backends has been in "
|
|
"Keystone since at least Ocata. This is eliminating some complexity and "
|
|
"preventing the need for some really ugly back-port SQL migrations in favor "
|
|
"of a better model. Resource is highly relational and should be SQL based."
|
|
msgstr ""
|
|
"The resource backend cannot be configured to anything but SQL if the SQL "
|
|
"Identity backend is being used. The resource backend must now be SQL which "
|
|
"allows for the use of Foreign Keys to domains/projects wherever desired. "
|
|
"This makes managing project relationships and such much more straight "
|
|
"forward. The inability to configure non-SQL resource backends has been in "
|
|
"Keystone since at least Ocata. This is eliminating some complexity and "
|
|
"preventing the need for some really ugly back-port SQL migrations in favour "
|
|
"of a better model. Resource is highly relational and should be SQL based."
|
|
|
|
msgid ""
|
|
"The response's content type for creating request token or access token is "
|
|
"changed to `application/x-www-form-urlencoded`, the old value `application/x-"
|
|
"www-urlformencoded` is invalid and will no longer be used."
|
|
msgstr ""
|
|
"The response's content type for creating request token or access token is "
|
|
"changed to `application/x-www-form-urlencoded`, the old value `application/x-"
|
|
"www-urlformencoded` is invalid and will no longer be used."
|
|
|
|
msgid ""
|
|
"The rules are specified as a list of lists. The elements of the sub-lists "
|
|
"must be strings and are intended to mirror the required authentication "
|
|
"method names (e.g. ``password``, ``totp``, etc) as defined in the ``keystone."
|
|
"conf`` file in the ``[auth] methods`` option."
|
|
msgstr ""
|
|
"The rules are specified as a list of lists. The elements of the sub-lists "
|
|
"must be strings and are intended to mirror the required authentication "
|
|
"method names (e.g. ``password``, ``totp``, etc) as defined in the ``keystone."
|
|
"conf`` file in the ``[auth] methods`` option."
|
|
|
|
msgid ""
|
|
"The token provider API has removed the ``needs_persistence`` property from "
|
|
"the abstract interface. Token providers are expected to handle persistence "
|
|
"requirement if needed. This will require out-of-tree token providers to "
|
|
"remove the unused property and handle token storage."
|
|
msgstr ""
|
|
"The token provider API has removed the ``needs_persistence`` property from "
|
|
"the abstract interface. Token providers are expected to handle persistence "
|
|
"requirement if needed. This will require out-of-tree token providers to "
|
|
"remove the unused property and handle token storage."
|
|
|
|
msgid ""
|
|
"The token_formatter utility class has been moved from under fernet to the "
|
|
"default token directory. This is to allow for the reuse of functionality "
|
|
"with other token providers. Any deployments that are specifically using the "
|
|
"fernet utils may be affected and will need to adjust accordingly."
|
|
msgstr ""
|
|
"The token_formatter utility class has been moved from under fernet to the "
|
|
"default token directory. This is to allow for the reuse of functionality "
|
|
"with other token providers. Any deployments that are specifically using the "
|
|
"fernet utils may be affected and will need to adjust accordingly."
|
|
|
|
msgid ""
|
|
"The trusts table now has an expires_at_int column that represents the "
|
|
"expiration time as an integer instead of a datetime object. This will "
|
|
"prevent rounding errors related to the way date objects are stored in some "
|
|
"versions of MySQL. The expires_at column remains, but will be dropped in "
|
|
"Rocky."
|
|
msgstr ""
|
|
"The trusts table now has an expires_at_int column that represents the "
|
|
"expiration time as an integer instead of a datetime object. This will "
|
|
"prevent rounding errors related to the way date objects are stored in some "
|
|
"versions of MySQL. The expires_at column remains, but will be dropped in "
|
|
"Rocky."
|
|
|
|
msgid ""
|
|
"The use of `sha512_crypt` is considered inadequate for password hashing in "
|
|
"an application like Keystone. The use of bcrypt or scrypt is recommended to "
|
|
"ensure protection against password cracking utilities if the hashes are "
|
|
"exposed. This is due to Time-Complexity requirements for computing the "
|
|
"hashes in light of modern hardware (CPU, GPU, ASIC, FPGA, etc). Keystone has "
|
|
"moved to bcrypt as a default and no longer hashes new passwords (and "
|
|
"password changes) with sha512_crypt. It is recommended passwords be changed "
|
|
"after upgrade to Pike. The risk of password hash exposure is limited, but "
|
|
"for the best possible protection against cracking the hash it is recommended "
|
|
"passwords be changed after upgrade. The password change will then result in "
|
|
"a more secure hash (bcrypt by default) being used to store the password in "
|
|
"the DB."
|
|
msgstr ""
|
|
"The use of `sha512_crypt` is considered inadequate for password hashing in "
|
|
"an application like Keystone. The use of bcrypt or scrypt is recommended to "
|
|
"ensure protection against password cracking utilities if the hashes are "
|
|
"exposed. This is due to Time-Complexity requirements for computing the "
|
|
"hashes in light of modern hardware (CPU, GPU, ASIC, FPGA, etc). Keystone has "
|
|
"moved to bcrypt as a default and no longer hashes new passwords (and "
|
|
"password changes) with sha512_crypt. It is recommended passwords be changed "
|
|
"after upgrade to Pike. The risk of password hash exposure is limited, but "
|
|
"for the best possible protection against cracking the hash it is recommended "
|
|
"passwords be changed after upgrade. The password change will then result in "
|
|
"a more secure hash (bcrypt by default) being used to store the password in "
|
|
"the DB."
|
|
|
|
msgid ""
|
|
"The use of admin_token filter is insecure compared to the use of a proper "
|
|
"username/password. Historically the admin_token filter has been left enabled "
|
|
"in Keystone after initialization due to the way CMS systems work. Moving to "
|
|
"an out-of-band initialization using ``keystone-manage bootstrap`` will "
|
|
"eliminate the security concerns around a static shared string that conveys "
|
|
"admin access to keystone and therefore to the entire installation."
|
|
msgstr ""
|
|
"The use of admin_token filter is insecure compared to the use of a proper "
|
|
"username/password. Historically the admin_token filter has been left enabled "
|
|
"in Keystone after initialisation due to the way CMS systems work. Moving to "
|
|
"an out-of-band initialisation using ``keystone-manage bootstrap`` will "
|
|
"eliminate the security concerns around a static shared string that conveys "
|
|
"admin access to Keystone and therefore to the entire installation."
|
|
|
|
msgid ""
|
|
"Third-party extensions that extend the abstract class "
|
|
"(``ShadowUsersDriverBase``) should be updated according to the new parameter "
|
|
"names."
|
|
msgstr ""
|
|
"Third-party extensions that extend the abstract class "
|
|
"(``ShadowUsersDriverBase``) should be updated according to the new parameter "
|
|
"names."
|
|
|
|
msgid ""
|
|
"This release adds support for Application Credentials, a new way to allow "
|
|
"applications and automated tooling to authenticate with keystone. Rather "
|
|
"than storing a username and password in an application's config file, which "
|
|
"can pose security risks, you can now create an application credential to "
|
|
"allow an application to authenticate and acquire a preset scope and role "
|
|
"assignments. This is especially useful for LDAP and federated users, who can "
|
|
"now delegate their cloud management tasks to a keystone-specific resource, "
|
|
"rather than share their externally managed credentials with keystone and "
|
|
"risk a compromise of those external systems. Users can delegate a subset of "
|
|
"their role assignments to an application credential, allowing them to "
|
|
"strategically limit their application's access to the minimum needed. Unlike "
|
|
"passwords, a user can have more than one active application credential, "
|
|
"which means they can be rotated without causing downtime for the "
|
|
"applications using them."
|
|
msgstr ""
|
|
"This release adds support for Application Credentials, a new way to allow "
|
|
"applications and automated tooling to authenticate with keystone. Rather "
|
|
"than storing a username and password in an application's config file, which "
|
|
"can pose security risks, you can now create an application credential to "
|
|
"allow an application to authenticate and acquire a preset scope and role "
|
|
"assignments. This is especially useful for LDAP and federated users, who can "
|
|
"now delegate their cloud management tasks to a keystone-specific resource, "
|
|
"rather than share their externally managed credentials with keystone and "
|
|
"risk a compromise of those external systems. Users can delegate a subset of "
|
|
"their role assignments to an application credential, allowing them to "
|
|
"strategically limit their application's access to the minimum needed. Unlike "
|
|
"passwords, a user can have more than one active application credential, "
|
|
"which means they can be rotated without causing downtime for the "
|
|
"applications using them."
|
|
|
|
msgid "To mark a user as exempt from the PCI password expiry policy::"
|
|
msgstr "To mark a user as exempt from the PCI password expiry policy::"
|
|
|
|
msgid "To mark a user as exempt from the PCI reset policy::"
|
|
msgstr "To mark a user as exempt from the PCI reset policy::"
|
|
|
|
msgid "To mark a user exempt from the MFA Rules::"
|
|
msgstr "To mark a user exempt from the MFA Rules::"
|
|
|
|
msgid "To the properly written::"
|
|
msgstr "To the properly written::"
|
|
|
|
msgid "To::"
|
|
msgstr "To::"
|
|
|
|
msgid ""
|
|
"Token persistence driver/code (SQL) is deprecated with this patch since it "
|
|
"is only used by the UUID token provider.."
|
|
msgstr ""
|
|
"Token persistence driver/code (SQL) is deprecated with this patch since it "
|
|
"is only used by the UUID token provider.."
|
|
|
|
msgid "Tokens can now be cached when issued."
|
|
msgstr "Tokens can now be cached when issued."
|
|
|
|
msgid ""
|
|
"UUID token provider ``[token] provider=uuid`` has been deprecated in favor "
|
|
"of Fernet tokens ``[token] provider=fernet``. With Fernet tokens becoming "
|
|
"the default UUID tokens can be slated for removal in the R release. This "
|
|
"also deprecates token-bind support as it was never implemented for fernet."
|
|
msgstr ""
|
|
"UUID token provider ``[token] provider=uuid`` has been deprecated in favour "
|
|
"of Fernet tokens ``[token] provider=fernet``. With Fernet tokens becoming "
|
|
"the default UUID tokens can be slated for removal in the R release. This "
|
|
"also deprecates token-bind support as it was never implemented for fernet."
|
|
|
|
msgid "Upgrade Notes"
|
|
msgstr "Upgrade Notes"
|
|
|
|
msgid ""
|
|
"Use of ``$(tenant_id)s`` in the catalog endpoints is deprecated in favor of "
|
|
"``$(project_id)s``."
|
|
msgstr ""
|
|
"Use of ``$(tenant_id)s`` in the catalogue endpoints is deprecated in favour "
|
|
"of ``$(project_id)s``."
|
|
|
|
msgid ""
|
|
"Using LDAP as the resource backend, i.e for projects and domains, is now "
|
|
"deprecated and will be removed in the Mitaka release."
|
|
msgstr ""
|
|
"Using LDAP as the resource backend, i.e for projects and domains, is now "
|
|
"deprecated and will be removed in the Mitaka release."
|
|
|
|
msgid ""
|
|
"Using the full path to the driver class is deprecated in favor of using the "
|
|
"entrypoint. In the Mitaka release, the entrypoint must be used."
|
|
msgstr ""
|
|
"Using the full path to the driver class is deprecated in favour of using the "
|
|
"entrypoint. In the Mitaka release, the entrypoint must be used."
|
|
|
|
msgid ""
|
|
"We have added the ``password_expires_at`` attribute to the user response "
|
|
"object."
|
|
msgstr ""
|
|
"We have added the ``password_expires_at`` attribute to the user response "
|
|
"object."
|
|
|
|
msgid ""
|
|
"We now expose entrypoints for the ``keystone-manage`` command instead of a "
|
|
"file."
|
|
msgstr ""
|
|
"We now expose entrypoints for the ``keystone-manage`` command instead of a "
|
|
"file."
|
|
|
|
msgid ""
|
|
"Write support for the LDAP has been removed in favor of read-only support. "
|
|
"The following operations are no longer supported for LDAP:"
|
|
msgstr ""
|
|
"Write support for the LDAP has been removed in favour of read-only support. "
|
|
"The following operations are no longer supported for LDAP:"
|
|
|
|
msgid ""
|
|
"[`Bug 1645487 <https://bugs.launchpad.net/keystone/+bug/1645487>`_] Added a "
|
|
"new PCI-DSS feature that will require users to immediately change their "
|
|
"password upon first use for new users and after an administrative password "
|
|
"reset. The new feature can be enabled by setting [security_compliance] "
|
|
"``change_password_upon_first_use`` to ``True``."
|
|
msgstr ""
|
|
"[`Bug 1645487 <https://bugs.launchpad.net/keystone/+bug/1645487>`_] Added a "
|
|
"new PCI-DSS feature that will require users to immediately change their "
|
|
"password upon first use for new users and after an administrative password "
|
|
"reset. The new feature can be enabled by setting [security_compliance] "
|
|
"``change_password_upon_first_use`` to ``True``."
|
|
|
|
msgid ""
|
|
"[`Bug 1649446 <https://bugs.launchpad.net/keystone/+bug/1651989>`_] The "
|
|
"default policy for listing revocation events has changed. Previously, any "
|
|
"authenticated user could list revocation events; it is now, by default, an "
|
|
"admin or service user only function. This can be changed by modifying the "
|
|
"policy file being used by keystone."
|
|
msgstr ""
|
|
"[`Bug 1649446 <https://bugs.launchpad.net/keystone/+bug/1651989>`_] The "
|
|
"default policy for listing revocation events has changed. Previously, any "
|
|
"authenticated user could list revocation events; it is now, by default, an "
|
|
"admin or service user only function. This can be changed by modifying the "
|
|
"policy file being used by Keystone."
|
|
|
|
msgid ""
|
|
"[`Related to Bug 1649446 <https://bugs.launchpad.net/keystone/"
|
|
"+bug/1649446>`_] The ``identity:list_revoke_events`` rule has been changed "
|
|
"in both sample policy files, ``policy.json`` and ``policy.v3cloudsample."
|
|
"json``. From::"
|
|
msgstr ""
|
|
"[`Related to Bug 1649446 <https://bugs.launchpad.net/keystone/"
|
|
"+bug/1649446>`_] The ``identity:list_revoke_events`` rule has been changed "
|
|
"in both sample policy files, ``policy.json`` and ``policy.v3cloudsample."
|
|
"json``. From::"
|
|
|
|
msgid ""
|
|
"[`blueprint allow-expired <https://blueprints.launchpad.net/keystone/+spec/"
|
|
"allow-expired>`_] An `allow_expired` flag is added to the token validation "
|
|
"call (``GET/HEAD /v3/auth/tokens``) that allows fetching a token that has "
|
|
"expired. This allows for validating tokens in long running operations."
|
|
msgstr ""
|
|
"[`blueprint allow-expired <https://blueprints.launchpad.net/keystone/+spec/"
|
|
"allow-expired>`_] An `allow_expired` flag is added to the token validation "
|
|
"call (``GET/HEAD /v3/auth/tokens``) that allows fetching a token that has "
|
|
"expired. This allows for validating tokens in long running operations."
|
|
|
|
msgid ""
|
|
"[`blueprint allow-expired <https://blueprints.launchpad.net/keystone/+spec/"
|
|
"allow-expired>`_] To allow long running operations to complete services must "
|
|
"be able to fetch expired tokens via the ``allow_expired`` flag. The length "
|
|
"of time a token is retrievable for beyond its traditional expiry is managed "
|
|
"by the ``[token] allow_expired_window`` option and so the data must be "
|
|
"retrievable for this about of time. When using fernet tokens this means that "
|
|
"the key rotation period must exceed this time so that older tokens are still "
|
|
"decrytable. Ensure that you do not rotate fernet keys faster than ``[token] "
|
|
"expiration`` + ``[token] allow_expired_window`` seconds."
|
|
msgstr ""
|
|
"[`blueprint allow-expired <https://blueprints.launchpad.net/keystone/+spec/"
|
|
"allow-expired>`_] To allow long running operations to complete services must "
|
|
"be able to fetch expired tokens via the ``allow_expired`` flag. The length "
|
|
"of time a token is retrievable for beyond its traditional expiry is managed "
|
|
"by the ``[token] allow_expired_window`` option and so the data must be "
|
|
"retrievable for this about of time. When using fernet tokens this means that "
|
|
"the key rotation period must exceed this time so that older tokens are still "
|
|
"decrytable. Ensure that you do not rotate fernet keys faster than ``[token] "
|
|
"expiration`` + ``[token] allow_expired_window`` seconds."
|
|
|
|
msgid ""
|
|
"[`blueprint application-credentials <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/application-credentials>`_] Users can now create Application "
|
|
"Credentials, a new keystone resource that can provide an application with "
|
|
"the means to get a token from keystone with a preset scope and role "
|
|
"assignments. To authenticate with an application credential, an application "
|
|
"can use the normal token API with the 'application_credential' auth method."
|
|
msgstr ""
|
|
"[`blueprint application-credentials <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/application-credentials>`_] Users can now create Application "
|
|
"Credentials, a new keystone resource that can provide an application with "
|
|
"the means to get a token from keystone with a preset scope and role "
|
|
"assignments. To authenticate with an application credential, an application "
|
|
"can use the normal token API with the 'application_credential' auth method."
|
|
|
|
msgid ""
|
|
"[`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/"
|
|
"bootstrap>`_] keystone-manage now supports the bootstrap command on the CLI "
|
|
"so that a keystone install can be initialized without the need of the "
|
|
"admin_token filter in the paste-ini."
|
|
msgstr ""
|
|
"[`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/"
|
|
"bootstrap>`_] keystone-manage now supports the bootstrap command on the CLI "
|
|
"so that a keystone install can be initialised without the need of the "
|
|
"admin_token filter in the paste-ini."
|
|
|
|
msgid ""
|
|
"[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/deprecated-as-of-mitaka>`_] As of the Mitaka release, the PKI "
|
|
"and PKIz token formats have been deprecated. They will be removed in the 'O' "
|
|
"release. Due to this change, the `hash_algorithm` option in the `[token]` "
|
|
"section of the configuration file has also been deprecated. Also due to this "
|
|
"change, the ``keystone-manage pki_setup`` command has been deprecated as "
|
|
"well."
|
|
msgstr ""
|
|
"[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/deprecated-as-of-mitaka>`_] As of the Mitaka release, the PKI "
|
|
"and PKIz token formats have been deprecated. They will be removed in the 'O' "
|
|
"release. Due to this change, the `hash_algorithm` option in the `[token]` "
|
|
"section of the configuration file has also been deprecated. Also due to this "
|
|
"change, the ``keystone-manage pki_setup`` command has been deprecated as "
|
|
"well."
|
|
|
|
msgid ""
|
|
"[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/deprecated-as-of-mitaka>`_] As of the Mitaka release, the "
|
|
"auth plugin `keystone.auth.plugins.saml2.Saml2` has been deprecated. It is "
|
|
"recommended to use `keystone.auth.plugins.mapped.Mapped` instead. The "
|
|
"``saml2`` plugin will be removed in the 'O' release."
|
|
msgstr ""
|
|
"[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/deprecated-as-of-mitaka>`_] As of the Mitaka release, the "
|
|
"auth plugin `keystone.auth.plugins.saml2.Saml2` has been deprecated. It is "
|
|
"recommended to use `keystone.auth.plugins.mapped.Mapped` instead. The "
|
|
"``saml2`` plugin will be removed in the 'O' release."
|
|
|
|
msgid ""
|
|
"[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/deprecated-as-of-mitaka>`_] As of the Mitaka release, the "
|
|
"simple_cert_extension is deprecated since it is only used in support of the "
|
|
"PKI and PKIz token formats. It will be removed in the 'O' release."
|
|
msgstr ""
|
|
"[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/"
|
|
"keystone/+spec/deprecated-as-of-mitaka>`_] As of the Mitaka release, the "
|
|
"simple_cert_extension is deprecated since it is only used in support of the "
|
|
"PKI and PKIz token formats. It will be removed in the 'O' release."
|
|
|
|
msgid ""
|
|
"[`bug 1748970 <https://bugs.launchpad.net/keystone/+bug/1748970>`_] A bug "
|
|
"was introduced in Queens that resulted in system role assignments being "
|
|
"returned when querying the role assignments API for a specific role. The "
|
|
"issue is fixed and the list of roles returned from ``GET /v3/"
|
|
"role_assignments?role.id={role_id}`` respects system role assignments."
|
|
msgstr ""
|
|
"[`bug 1748970 <https://bugs.launchpad.net/keystone/+bug/1748970>`_] A bug "
|
|
"was introduced in Queens that resulted in system role assignments being "
|
|
"returned when querying the role assignments API for a specific role. The "
|
|
"issue is fixed and the list of roles returned from ``GET /v3/"
|
|
"role_assignments?role.id={role_id}`` respects system role assignments."
|
|
|
|
msgid ""
|
|
"[`bug 1749264 <https://bugs.launchpad.net/keystone/+bug/1749264>`_] A user's "
|
|
"system role assignment will be removed when the user is deleted."
|
|
msgstr ""
|
|
"[`bug 1749264 <https://bugs.launchpad.net/keystone/+bug/1749264>`_] A user's "
|
|
"system role assignment will be removed when the user is deleted."
|
|
|
|
msgid ""
|
|
"[`bug 1749267 <https://bugs.launchpad.net/keystone/+bug/1749267>`_] A "
|
|
"group's system role assignments are removed when the group is deleted."
|
|
msgstr ""
|
|
"[`bug 1749267 <https://bugs.launchpad.net/keystone/+bug/1749267>`_] A "
|
|
"group's system role assignments are removed when the group is deleted."
|
|
|
|
msgid ""
|
|
"[`bug 1755874 <https://bugs.launchpad.net/keystone/+bug/1755874>`_] Users "
|
|
"now can have the resource option ``lock_password`` set which prevents the "
|
|
"user from utilizing the self-service password change API. Valid values are "
|
|
"``True``, ``False``, or \"None\" (where ``None`` clears the option)."
|
|
msgstr ""
|
|
"[`bug 1755874 <https://bugs.launchpad.net/keystone/+bug/1755874>`_] Users "
|
|
"now can have the resource option ``lock_password`` set which prevents the "
|
|
"user from utilizing the self-service password change API. Valid values are "
|
|
"``True``, ``False``, or \"None\" (where ``None`` clears the option)."
|
|
|
|
msgid ""
|
|
"[`bug 1756190 <https://bugs.launchpad.net/keystone/+bug/1756190>`_] When "
|
|
"filtering projects based on tags, the filtering will now be performed by "
|
|
"matching a subset containing the given tags against projects, rather than "
|
|
"exact matching. Providing more tags when performing a search will yield more "
|
|
"exact results while less will return any projects that match the given tags "
|
|
"but could contain other tags as well."
|
|
msgstr ""
|
|
"[`bug 1756190 <https://bugs.launchpad.net/keystone/+bug/1756190>`_] When "
|
|
"filtering projects based on tags, the filtering will now be performed by "
|
|
"matching a subset containing the given tags against projects, rather than "
|
|
"exact matching. Providing more tags when performing a search will yield more "
|
|
"exact results while less will return any projects that match the given tags "
|
|
"but could contain other tags as well."
|
|
|
|
msgid ""
|
|
"[`bug 1757022 <https://bugs.launchpad.net/keystone/+bug/1757022>`_] In "
|
|
"previous releases, ``keystone-manage mapping_purge --type {user,group}`` "
|
|
"command would purge all mapping incorrectly instead of only purging the "
|
|
"specified type mappings. ``keystone-manage mapping_purge --type {user,group}"
|
|
"`` now purges only specified type mappings as expected."
|
|
msgstr ""
|
|
"[`bug 1757022 <https://bugs.launchpad.net/keystone/+bug/1757022>`_] In "
|
|
"previous releases, ``keystone-manage mapping_purge --type {user,group}`` "
|
|
"command would purge all mapping incorrectly instead of only purging the "
|
|
"specified type mappings. ``keystone-manage mapping_purge --type {user,group}"
|
|
"`` now purges only specified type mappings as expected."
|
|
|
|
msgid ""
|
|
"[`bug 1759289 <https://bugs.launchpad.net/keystone/+bug/1759289>`_] The "
|
|
"``keystone-manage token_flush`` command no longer establishes a connection "
|
|
"to a database, or persistence backend. It's usage should be removed if "
|
|
"you're using a supported non-persistent token format. If you're relying on "
|
|
"external token providers that write tokens to disk and would like to "
|
|
"maintain this functionality, please consider porting it to a separate tool."
|
|
msgstr ""
|
|
"[`bug 1759289 <https://bugs.launchpad.net/keystone/+bug/1759289>`_] The "
|
|
"``keystone-manage token_flush`` command no longer establishes a connection "
|
|
"to a database, or persistence backend. It's usage should be removed if "
|
|
"you're using a supported non-persistent token format. If you're relying on "
|
|
"external token providers that write tokens to disk and would like to "
|
|
"maintain this functionality, please consider porting it to a separate tool."
|
|
|
|
msgid ""
|
|
"[`bug 1760205 <https://bugs.launchpad.net/keystone/+bug/1760205>`_] When "
|
|
"deleting a shadow user, the related cache info is not invalidated so that "
|
|
"Keystone will raise 404 UserNotFound error when authenticating with the "
|
|
"previous federation info. This bug has been fixed now."
|
|
msgstr ""
|
|
"[`bug 1760205 <https://bugs.launchpad.net/keystone/+bug/1760205>`_] When "
|
|
"deleting a shadow user, the related cache info is not invalidated so that "
|
|
"Keystone will raise 404 UserNotFound error when authenticating with the "
|
|
"previous federation info. This bug has been fixed now."
|
|
|
|
msgid "``delete group``"
|
|
msgstr "``delete group``"
|
|
|
|
msgid "``delete user``"
|
|
msgstr "``delete user``"
|
|
|
|
msgid "``issue_v2_token``"
|
|
msgstr "``issue_v2_token``"
|
|
|
|
msgid "``issue_v3_token``"
|
|
msgstr "``issue_v3_token``"
|
|
|
|
msgid ""
|
|
"``keystone-manage db_sync`` will no longer create the Default domain. This "
|
|
"domain is used as the domain for any users created using the legacy v2.0 "
|
|
"API. A default domain is created by ``keystone-manage bootstrap`` and when a "
|
|
"user or project is created using the legacy v2.0 API."
|
|
msgstr ""
|
|
"``keystone-manage db_sync`` will no longer create the Default domain. This "
|
|
"domain is used as the domain for any users created using the legacy v2.0 "
|
|
"API. A default domain is created by ``keystone-manage bootstrap`` and when a "
|
|
"user or project is created using the legacy v2.0 API."
|
|
|
|
msgid "``keystone.common.kvs.backends.inmemdb.MemoryBackend``"
|
|
msgstr "``keystone.common.kvs.backends.inmemdb.MemoryBackend``"
|
|
|
|
msgid "``keystone.common.kvs.backends.memcached.MemcachedBackend``"
|
|
msgstr "``keystone.common.kvs.backends.memcached.MemcachedBackend``"
|
|
|
|
msgid "``keystone.token.persistence.backends.kvs.Token``"
|
|
msgstr "``keystone.token.persistence.backends.kvs.Token``"
|
|
|
|
msgid "``keystone/common/cache/backends/memcache_pool``"
|
|
msgstr "``keystone/common/cache/backends/memcache_pool``"
|
|
|
|
msgid "``keystone/common/cache/backends/mongo``"
|
|
msgstr "``keystone/common/cache/backends/mongo``"
|
|
|
|
msgid "``keystone/common/cache/backends/noop``"
|
|
msgstr "``keystone/common/cache/backends/noop``"
|
|
|
|
msgid "``keystone/contrib/admin_crud``"
|
|
msgstr "``keystone/contrib/admin_crud``"
|
|
|
|
msgid "``keystone/contrib/endpoint_filter``"
|
|
msgstr "``keystone/contrib/endpoint_filter``"
|
|
|
|
msgid "``keystone/contrib/federation``"
|
|
msgstr "``keystone/contrib/federation``"
|
|
|
|
msgid "``keystone/contrib/oauth1``"
|
|
msgstr "``keystone/contrib/oauth1``"
|
|
|
|
msgid "``keystone/contrib/revoke``"
|
|
msgstr "``keystone/contrib/revoke``"
|
|
|
|
msgid "``keystone/contrib/simple_cert``"
|
|
msgstr "``keystone/contrib/simple_cert``"
|
|
|
|
msgid "``keystone/contrib/user_crud``"
|
|
msgstr "``keystone/contrib/user_crud``"
|
|
|
|
msgid ""
|
|
"``openstack_user_domain`` and ``openstack_project_domain`` attributes were "
|
|
"added to SAML assertion in order to map user and project domains, "
|
|
"respectively."
|
|
msgstr ""
|
|
"``openstack_user_domain`` and ``openstack_project_domain`` attributes were "
|
|
"added to SAML assertion in order to map user and project domains, "
|
|
"respectively."
|
|
|
|
msgid "``remove user from group``"
|
|
msgstr "``remove user from group``"
|
|
|
|
msgid "``update group``"
|
|
msgstr "``update group``"
|
|
|
|
msgid "``update user``"
|
|
msgstr "``update user``"
|
|
|
|
msgid "``validate_non_persistent_token``"
|
|
msgstr "``validate_non_persistent_token``"
|
|
|
|
msgid "``validate_v2_token``"
|
|
msgstr "``validate_v2_token``"
|
|
|
|
msgid "``validate_v3_token``"
|
|
msgstr "``validate_v3_token``"
|
|
|
|
msgid "all config options under ``[kvs]`` in `keystone.conf`"
|
|
msgstr "all config options under ``[kvs]`` in `keystone.conf`"
|
|
|
|
msgid "and will return a list of mappings for a given domain ID."
|
|
msgstr "and will return a list of mappings for a given domain ID."
|
|
|
|
msgid "eq - password expires at the timestamp"
|
|
msgstr "eq - password expires at the timestamp"
|
|
|
|
msgid "gt - password expires after the timestamp"
|
|
msgstr "gt - password expires after the timestamp"
|
|
|
|
msgid "gte - password expires at or after the timestamp"
|
|
msgstr "gte - password expires at or after the timestamp"
|
|
|
|
msgid "lt - password expires before the timestamp"
|
|
msgstr "lt - password expires before the timestamp"
|
|
|
|
msgid "lte - password expires at or before timestamp"
|
|
msgstr "lte - password expires at or before timestamp"
|
|
|
|
msgid "neq - password expires not at the timestamp"
|
|
msgstr "neq - password expires not at the timestamp"
|
|
|
|
msgid ""
|
|
"stats_monitoring and stats_reporting paste filters have been removed, so "
|
|
"references to it must be removed from the ``keystone-paste.ini`` "
|
|
"configuration file."
|
|
msgstr ""
|
|
"stats_monitoring and stats_reporting paste filters have been removed, so "
|
|
"references to it must be removed from the ``keystone-paste.ini`` "
|
|
"configuration file."
|
|
|
|
msgid "the config option ``[memcached] servers`` in `keystone.conf`"
|
|
msgstr "the config option ``[memcached] servers`` in `keystone.conf`"
|
|
|
|
msgid "to::"
|
|
msgstr "to::"
|