openstack/releases
Code Issues Proposed changes
a9f99dfca9
releases/deliverables/train/keystone.yaml
Elod Illes 0ac8349173 [keystone] Transition Train to End of Life 
With the new resolution '2023-07-24 Unmaintained status replaces
Extended Maintenance' [1] the last 3 EM branches (Xena, Wallaby,
Victoria) will transition to Unmaintained, but older branches (Ussuri,
Train) should move to End of Life unless someone steps up as maintainer
of this branch for this project.

To signal this, please add a -1 for this patch if you or the team want
to keep this branch open for further maintenance.
If there is no response from anyone within a reasonable time frame,
then PTLs/release liaisons will be asked to confirm the EOL transition
with their +1.

[1] https://governance.openstack.org/tc/resolutions/20230724-unmaintained-branches.html

Change-Id: Ic2148137a8cc55bae5876f079dc6bb1c6e8308be
2023-12-08 18:28:03 +01:00

81 lines
3.6 KiB
YAML
Raw Blame History

---
launchpad: keystone
release-model: cycle-with-rc
team: keystone
type: service
repository-settings:
openstack/keystone: {}
cycle-highlights:
- All keystone APIs now use the default reader, member, and admin
roles in their default policies. This means that it is now possible
to create a user with finer-grained access to keystone APIs than
was previously possible with the default policies. For example,
it is possible to create an "auditor" user that can only access
keystone's GET APIs. Please be aware that depending on the default
and overridden policies of other OpenStack services, such a user
may still be able to access creative or destructive APIs for other
services.
- All keystone APIs now support system scope as a policy target, where
applicable. This means that it is now possible to set ``[oslo_policy]/enforce_scope``
to ``true`` in `keystone.conf`, which, with the default policies,
will allow keystone to distinguish between project-specific requests
and requests that operate on an entire deployment. This makes it
safe to grant admin access to a specific keystone project without
giving admin access to all of keystone's APIs, but please be aware
that depending on the default and overridden policies of other OpenStack
services, a project admin may still have admin-level privileges
outside of the project scope for other services.
- Keystone domains can now be created with a user-provided ID, which
allows for all IDs for users created within such a domain to be
predictable. This makes scaling cloud deployments across multiple
sites easier as domain and user IDs no longer need to be explicitly
synced.
- Application credentials now support access rules, a user-provided
list of OpenStack API requests for which an application credential
is permitted to be used. This level of access control is supplemental
to traditional role-based access control managed through policy
rules.
- Keystone roles, projects, and domains may now be made immutable,
so that certain important resources like the default roles or service
projects cannot be accidentally modified or deleted. This is managed
through resource options on roles, projects, and domains. The ``keystone-manage
bootstrap`` command now allows the deployer to opt into creating
the default roles as immutable at deployment time, which will become
the default behavior in the future. Roles that existed prior to
running ``keystone-manage bootstrap`` can be made immutable via
resource update.
releases:
- version: 16.0.0.0rc1
projects:
- repo: openstack/keystone
hash: e860c69831289a800a1d7bb52e8621fc460f260b
- version: 16.0.0.0rc2
projects:
- repo: openstack/keystone
hash: dc9e9e32dfbf9fd9c58f9f8e2b35f0bcfd62328e
- version: 16.0.0
projects:
- repo: openstack/keystone
hash: dc9e9e32dfbf9fd9c58f9f8e2b35f0bcfd62328e
diff-start: 15.0.0.0rc1
- version: 16.0.1
projects:
- repo: openstack/keystone
hash: 40cbb7bebd50276412daa1981ff5a7c7b3b899a5
- version: 16.0.2
projects:
- repo: openstack/keystone
hash: c65455965aec303b55bc76388314a2b96a2bc12c
- version: train-em
projects:
- repo: openstack/keystone
hash: c65455965aec303b55bc76388314a2b96a2bc12c
- version: train-eol
projects:
- repo: openstack/keystone
hash: 9d699a73fda748a6f280cbd61568b847316faa0a
branches:
- name: stable/train
location: 16.0.0.0rc1
release-notes: https://docs.openstack.org/releasenotes/keystone/train.html
View Git Blame Copy Permalink