Diffstat (limited to 'keystone-moon/releasenotes/notes')
-rw-r--r--keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml13
-rw-r--r--keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml11
-rw-r--r--keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml5
-rw-r--r--keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml17
-rw-r--r--keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml14
-rw-r--r--keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml11
-rw-r--r--keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml13
-rw-r--r--keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml8
-rw-r--r--keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml21
-rw-r--r--keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml9
-rw-r--r--keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml8
-rw-r--r--keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml26
-rw-r--r--keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml10
-rw-r--r--keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml10
-rw-r--r--keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml25
-rw-r--r--keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml9
-rw-r--r--keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml12
-rw-r--r--keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml14
-rw-r--r--keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml8
-rw-r--r--keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml8
-rw-r--r--keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml5
-rw-r--r--keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml17
-rw-r--r--keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml4
-rw-r--r--keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml44
-rw-r--r--keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml7
-rw-r--r--keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml12
-rw-r--r--keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml9
-rw-r--r--keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml6
-rw-r--r--keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml5
-rw-r--r--keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml6
48 files changed, 486 insertions, 0 deletions
diff --git a/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml b/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml
new file mode 100644
index 00000000..89ef1082
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml
@@ -0,0 +1,13 @@
+---
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ The V8 Assignment driver interface is deprecated. Support for the V8
+ Assignment driver interface is planned to be removed in the 'O' release of
+ OpenStack.
+other:
+ - The list_project_ids_for_user(), list_domain_ids_for_user(),
+ list_user_ids_for_project(), list_project_ids_for_groups(),
+ list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and
+ list_role_ids_for_groups_on_domain() methods have been removed from the
+ V9 version of the Assignment driver.
diff --git a/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml b/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml
new file mode 100644
index 00000000..98306f3e
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - >
+ [`blueprint domain-specific-roles <https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles>`_]
+ Roles can now be optionally defined as domain specific. Domain specific
+ roles are not referenced in policy files, rather they can be used to allow
+ a domain to build their own private inference rules with implied roles. A
+ domain specific role can be assigned to a domain or project within its
+ domain, and any subset of global roles it implies will appear in a token
+ scoped to the respective domain or project. The domain specific role
+ itself, however, will not appear in the token.
diff --git a/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml b/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml
new file mode 100644
index 00000000..08bda86f
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ The V8 Role driver interface is deprecated. Support for the V8 Role driver
+ interface is planned to be removed in the 'O' release of OpenStack.
diff --git a/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml b/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml
new file mode 100644
index 00000000..8003b702
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml
@@ -0,0 +1,5 @@
+---
+deprecations:
+ - The V8 Resource driver interface is deprecated. Support for the V8
+ Resource driver interface is planned to be removed in the 'O' release of
+ OpenStack.
diff --git a/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml
new file mode 100644
index 00000000..997ee64a
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - >
+ [`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_]
+ keystone-manage now supports the bootstrap command
+ on the CLI so that a keystone install can be
+ initialized without the need of the admin_token
+ filter in the paste-ini.
+security:
+ - The use of admin_token filter is insecure compared
+ to the use of a proper username/password. Historically
+ the admin_token filter has been left enabled in
+ Keystone after initialization due to the way CMS
+ systems work. Moving to an out-of-band initialization using
+ ``keystone-manage bootstrap`` will eliminate the security concerns around
+ a static shared string that conveys admin access to keystone
+ and therefore to the entire installation.
diff --git a/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml b/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml
new file mode 100644
index 00000000..8547c6d3
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml
@@ -0,0 +1,14 @@
+---
+upgrade:
+ - >
+ [`bug 1473553 <https://bugs.launchpad.net/keystone/+bug/1473553>`_]
+ The `keystone-paste.ini` must be updated to put the ``admin_token_auth``
+ middleware before ``build_auth_context``. See the sample
+ `keystone-paste.ini` for the correct `pipeline` value. Having
+ ``admin_token_auth`` after ``build_auth_context`` is deprecated and will
+ not be supported in a future release.
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ The ``admin_token_auth`` filter must now be placed before the
+ ``build_auth_context`` filter in `keystone-paste.ini`.
diff --git a/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml b/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml
new file mode 100644
index 00000000..69b70dbb
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml
@@ -0,0 +1,11 @@
+---
+security:
+ - The admin_token method of authentication was never intended to be
+ used for any purpose other than bootstrapping an install. However
+ many deployments had to leave the admin_token method enabled due
+ to restrictions on editing the paste file used to configure the
+ web pipelines. To minimize the risk from this mechanism, the
+ `admin_token` configuration value now defaults to a python `None`
+ value. In addition, if the value is set to `None`, either explicitly or
+ implicitly, the `admin_token` will not be enabled, and an attempt to
+ use it will lead to a failed authentication.
diff --git a/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml b/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml
new file mode 100644
index 00000000..a78f831f
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - >
+ [`blueprint domain-config-default <https://blueprints.launchpad.net/keystone/+spec/domain-config-default>`_]
+ The Identity API now supports retrieving the default values for the
+ configuration options that can be overriden via the domain specific
+ configuration API.
diff --git a/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml b/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml
new file mode 100644
index 00000000..1c81d866
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - >
+ [`blueprint url-safe-naming <https://blueprints.launchpad.net/keystone/+spec/url-safe-naming>`_]
+ The names of projects and domains can optionally be ensured to be url safe,
+ to support the future ability to specify projects using hierarchical
+ naming.
diff --git a/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml b/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml
new file mode 100644
index 00000000..0d5c2034
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - >
+ [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_]
+ Audit IDs are included in the token revocation list.
+security:
+ - >
+ [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_]
+ [`CVE-2015-7546 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546>`_]
+ A bug is fixed where an attacker could avoid token revocation when the PKI
+ or PKIZ token provider is used. The complete remediation for this
+ vulnerability requires the corresponding fix in the keystonemiddleware
+ project.
diff --git a/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml b/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml
new file mode 100644
index 00000000..0b7192b1
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - >
+ [`bug 1519210 <https://bugs.launchpad.net/keystone/+bug/1519210>`_]
+ A user may now opt-out of notifications by specifying a list of
+ event types using the `notification_opt_out` option in `keystone.conf`.
+ These events are never sent to a messaging service.
diff --git a/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml b/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml
new file mode 100644
index 00000000..68cb7e1d
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - >
+ [`bug 1535878 <https://bugs.launchpad.net/keystone/+bug/1535878>`_]
+ Originally, to perform GET /projects/{project_id}, the provided policy
+ files required a user to have at least project admin level of permission.
+ They have been updated to allow it to be performed by any user who has a
+ role on the project.
diff --git a/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml b/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml
new file mode 100644
index 00000000..bc6ec728
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml
@@ -0,0 +1,21 @@
+---
+features:
+ - >
+ [`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_]
+ Added support for a `user_description_attribute` mapping
+ to the LDAP driver configuration.
+upgrade:
+ - >
+ The LDAP driver now also maps the user description attribute after
+ user retrieval from LDAP.
+ If this is undesired behavior for your setup, please add `description`
+ to the `user_attribute_ignore` LDAP driver config setting.
+
+ The default mapping of the description attribute is set to `description`.
+ Please adjust the LDAP driver config setting `user_description_attribute`
+ if your LDAP uses a different attribute name (for instance to `displayName`
+ in case of an AD backed LDAP).
+
+ If your `user_additional_attribute_mapping` setting contains
+ `description:description` you can remove this mapping, since this is
+ now the default behavior.
diff --git a/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml b/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml
new file mode 100644
index 00000000..0befecd3
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - >
+ [`bug 1526462 <https://bugs.launchpad.net/keystone/+bug/1526462>`_]
+ Support for posixGroups with OpenDirectory and UNIX when using
+ the LDAP identity driver.
diff --git a/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml b/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml
new file mode 100644
index 00000000..785fb3cf
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - >
+ [`bug 1489061 <https://bugs.launchpad.net/keystone/+bug/1489061>`_]
+ Caching has been added to catalog retrieval on a per user ID and project
+ ID basis. This affects both the v2 and v3 APIs. As a result this should
+ provide a performance benefit to fernet-based deployments.
diff --git a/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml b/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml
new file mode 100644
index 00000000..e0c381d9
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml
@@ -0,0 +1,9 @@
+---
+deprecations:
+ - Use of ``$(tenant_id)s`` in the catalog endpoints is deprecated in favor
+ of ``$(project_id)s``.
+features:
+ - Keystone supports ``$(project_id)s`` in the catalog. It works the same as
+ ``$(tenant_id)s``. Use of ``$(tenant_id)s`` is deprecated and catalog
+ endpoints should be updated to use ``$(project_id)s``.
+
diff --git a/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml b/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml
new file mode 100644
index 00000000..ce372ede
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ Deprecate the ``enabled`` option from ``[endpoint_policy]``, it will be
+ removed in the 'O' release, and the extension will always be enabled.
diff --git a/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml b/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml
new file mode 100644
index 00000000..7b9c8e08
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml
@@ -0,0 +1,7 @@
+---
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ The token memcache and memcache_pool persistence
+ backends have been deprecated in favor of using
+ Fernet tokens (which require no persistence).
diff --git a/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml b/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml
new file mode 100644
index 00000000..59680274
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml
@@ -0,0 +1,8 @@
+---
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ Deprecated all v2.0 APIs. The keystone team recommends using v3 APIs instead.
+ Most v2.0 APIs will be removed in the 'Q' release. However, the authentication
+ APIs and EC2 APIs are indefinitely deprecated and will not be removed in
+ the 'Q' release.
diff --git a/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml b/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
new file mode 100644
index 00000000..31c7ff85
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
@@ -0,0 +1,26 @@
+---
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ As of the Mitaka release, the PKI and PKIz token formats have been
+ deprecated. They will be removed in the 'O' release. Due to this change,
+ the `hash_algorithm` option in the `[token]` section of the
+ configuration file has also been deprecated. Also due to this change, the
+ ``keystone-manage pki_setup`` command has been deprecated as well.
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ As of the Mitaka release, write support for the LDAP driver of the Identity
+ backend has been deprecated. This includes the following operations: create user,
+ create group, delete user, delete group, update user, update group,
+ add user to group, and remove user from group. These operations will be
+ removed in the 'O' release.
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ As of the Mitaka release, the auth plugin `keystone.auth.plugins.saml2.Saml2`
+ has been deprecated. It is recommended to use `keystone.auth.plugins.mapped.Mapped`
+ instead. The ``saml2`` plugin will be removed in the 'O' release.
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ As of the Mitaka release, the simple_cert_extension is deprecated since it
+ is only used in support of the PKI and PKIz token formats. It will be
+ removed in the 'O' release.
diff --git a/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml b/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml
new file mode 100644
index 00000000..f4c1bbe7
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - >
+ [`bug 1525317 <https://bugs.launchpad.net/keystone/+bug/1525317>`_]
+ Enable filtering of identity providers based on `id`, and `enabled`
+ attributes.
+ - >
+ [`bug 1555830 <https://bugs.launchpad.net/keystone/+bug/1555830>`_]
+ Enable filtering of service providers based on `id`, and `enabled`
+ attributes.
\ No newline at end of file
diff --git a/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml b/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml
new file mode 100644
index 00000000..8346285a
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml
@@ -0,0 +1,10 @@
+---
+upgrade:
+ - >
+ The default setting for the `os_inherit` configuration option is
+ changed to True. If it is required to continue with this portion
+ of the API disabled, then override the default setting by explicitly
+ specifying the os_inherit option as False.
+deprecations:
+ - The `os_inherit` configuration option is disabled. In the future, this
+ option will be removed and this portion of the API will be always enabled.
diff --git a/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml b/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml
new file mode 100644
index 00000000..d94db3ba
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - >
+ [`bug 1516469 <https://bugs.launchpad.net/keystone/+bug/1516469>`_]
+ Endpoints filtered by endpoint_group project association will be
+ included in the service catalog when a project scoped token is issued and
+ ``endpoint_filter.sql`` is used for the catalog driver.
diff --git a/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml b/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml
new file mode 100644
index 00000000..ced7d5a7
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml
@@ -0,0 +1,25 @@
+---
+upgrade:
+ - >
+ The `keystone-paste.ini` file must be updated to remove extension
+ filters, and their use in ``[pipeline:api_v3]``.
+ Remove the following filters: ``[filter:oauth1_extension]``,
+ ``[filter:federation_extension]``, ``[filter:endpoint_filter_extension]``,
+ and ``[filter:revoke_extension]``. See the sample `keystone-paste.ini
+ <https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_
+ file for guidance.
+ - >
+ The `keystone-paste.ini` file must be updated to remove extension filters,
+ and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` pipelines.
+ Remove the following filters: ``[filter:user_crud_extension]``,
+ ``[filter:crud_extension]``. See the sample `keystone-paste.ini
+ <https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_
+ file for guidance.
+other:
+ - >
+ [`blueprint move-extensions <https://blueprints.launchpad.net/keystone/+spec/move-extensions>`_]
+ If any extension migrations are run, for example: ``keystone-manage db_sync
+ --extension endpoint_policy`` an error will be returned. This is working as
+ designed. To run these migrations simply run: ``keystone-manage db_sync``.
+ The complete list of affected extensions are: ``oauth1``, ``federation``,
+ ``endpoint_filter``, ``endpoint_policy``, and ``revoke``.
diff --git a/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml b/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml
new file mode 100644
index 00000000..04d45dae
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - >
+ [`blueprint federation-group-ids-mapped-without-domain-reference <https://blueprints.launchpad.net/keystone/+spec/federation-group-ids-mapped-without-domain-reference>`_]
+ Enhanced the federation mapping engine to allow for group IDs to be
+ referenced without a domain ID.
diff --git a/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml b/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml
new file mode 100644
index 00000000..86bb378e
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml
@@ -0,0 +1,7 @@
+---
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ The file ``httpd/keystone.py`` has been deprecated in favor of
+ ``keystone-wsgi-admin`` and ``keystone-wsgi-public`` and may be
+ removed in the 'O' release.
diff --git a/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml b/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml
new file mode 100644
index 00000000..3afd9159
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml
@@ -0,0 +1,9 @@
+---
+other:
+ - >
+ [`bug 1367113 <https://bugs.launchpad.net/keystone/+bug/1367113>`_]
+ The "get entity" and "list entities" functionality for the KVS catalog
+ backend has been reimplemented to use the data from the catalog template.
+ Previously this would only act on temporary data that was created at
+ runtime. The create, update and delete entity functionality now raises
+ an exception.
diff --git a/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml b/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml
new file mode 100644
index 00000000..065fd541
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - >
+ [`blueprint implied-roles <https://blueprints.launchpad.net/keystone/+spec/implied-roles>`_]
+ Keystone now supports creating implied roles. Role inference rules can now
+ be added to indicate when the assignment of one role implies the assignment
+ of another. The rules are of the form `prior_role` implies
+ `implied_role`. At token generation time, user/group assignments of roles
+ that have implied roles will be expanded to also include such roles in the
+ token. The expansion of implied roles is controlled by the
+ `prohibited_implied_role` option in the `[assignment]`
+ section of `keystone.conf`.
diff --git a/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml b/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml
new file mode 100644
index 00000000..ba11ab2a
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - A new config option, `insecure_debug`, is added to control whether debug
+ information is returned to clients. This used to be controlled by the
+ `debug` option. If you'd like to return extra information to clients
+ set the value to ``true``. This extra information may help an attacker.
+
diff --git a/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml b/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml
new file mode 100644
index 00000000..a0c2b3bb
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - >
+ [`bug 96869 <https://bugs.launchpad.net/keystone/+bug/968696>`_]
+ A pair of configuration options have been added to the ``[resource]``
+ section to specify a special ``admin`` project:
+ ``admin_project_domain_name`` and ``admin_project_name``. If these are
+ defined, any scoped token issued for that project will have an additional
+ identifier ``is_admin_project`` added to the token. This identifier can then
+ be checked by the policy rules in the policy files of the services when
+ evaluating access control policy for an API. Keystone does not yet
+ support the ability for a project acting as a domain to be the
+ admin project. That will be added once the rest of the code for
+ projects acting as domains is merged.
diff --git a/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml b/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml
new file mode 100644
index 00000000..c26eeb3f
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - >
+ The configuration options for LDAP connection pooling, `[ldap] use_pool`
+ and `[ldap] use_auth_pool`, are now both enabled by default. Only
+ deployments using LDAP drivers are affected. Additional configuration
+ options are available in the `[ldap]` section to tune connection pool size,
+ etc.
diff --git a/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml b/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml
new file mode 100644
index 00000000..1d097ae3
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - >
+ [`bug 1515302 <https://bugs.launchpad.net/keystone/+bug/1515302>`_]
+ Two new configuration options have been added to the `[ldap]` section.
+ `user_enabled_emulation_use_group_config` and
+ `project_enabled_emulation_use_group_config`, which allow deployers to
+ choose if they want to override the default group LDAP schema option.
diff --git a/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml b/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml
new file mode 100644
index 00000000..4e5f5458
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - >
+ [`bug 1501698 <https://bugs.launchpad.net/keystone/+bug/1501698>`_]
+ Support parameter `list_limit` when LDAP is used as
+ identity backend.
diff --git a/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml b/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml
new file mode 100644
index 00000000..267ece71
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - >
+ [`bug 1479569 <https://bugs.launchpad.net/keystone/+bug/1479569>`_]
+ Names have been added to list role assignments
+ (GET /role_assignments?include_names=True), rather than returning
+ just the internal IDs of the objects the names are also returned.
diff --git a/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml b/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml
new file mode 100644
index 00000000..c7d9d412
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - >
+ [`bug 1541092 <https://bugs.launchpad.net/keystone/+bug/1541092>`_]
+ Only database upgrades from Kilo and newer are supported.
diff --git a/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml b/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml
new file mode 100644
index 00000000..a449ad67
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml
@@ -0,0 +1,7 @@
+---
+other:
+ - >
+ ``keystone-manage db_sync`` will no longer create the Default domain. This
+ domain is used as the domain for any users created using the legacy v2.0
+ API. A default domain is created by ``keystone-manage bootstrap`` and when
+ a user or project is created using the legacy v2.0 API.
diff --git a/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml b/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml
new file mode 100644
index 00000000..d80ab826
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - Support has now been added to send notification events
+ on user/group membership. When a user is added or removed
+ from a group a notification will be sent including the
+ identifiers of both the user and the group.
diff --git a/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml b/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml
new file mode 100644
index 00000000..dc989154
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml
@@ -0,0 +1,17 @@
+---
+upgrade:
+ - >
+ Keystone now uses oslo.cache. Update the `[cache]` section of
+ `keystone.conf` to point to oslo.cache backends:
+ ``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``. Refer to the
+ sample configuration file for examples. See `oslo.cache
+ <http://docs.openstack.org/developer/oslo.cache>`_ for additional
+ documentation.
+deprecations:
+ - >
+ [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
+ ``keystone.common.cache.backends.memcache_pool``,
+ ``keystone.common.cache.backends.mongo``, and
+ ``keystone.common.cache.backends.noop`` are deprecated in favor of
+ oslo.cache backends. The keystone backends will be removed in the 'O'
+ release.
diff --git a/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml b/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml
new file mode 100644
index 00000000..7845df9a
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - Domains are now represented as top level projects with the attribute
+ `is_domain` set to true. Such projects will appear as parents for any
+ previous top level projects. Projects acting as domains can be created,
+ read, updated, and deleted via either the project API or the domain API
+ (V3 only).
diff --git a/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml b/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml
new file mode 100644
index 00000000..0c591dcc
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml
@@ -0,0 +1,4 @@
+---
+other:
+ - The ability to validate a trust-scoped token against the v2.0 API has been
+ removed, in favor of using the version 3 of the API.
diff --git a/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml b/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml
new file mode 100644
index 00000000..b0964c95
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml
@@ -0,0 +1,44 @@
+---
+other:
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ Removed ``extras`` from token responses. These fields should not be
+ necessary and a well-defined API makes this field redundant. This was
+ deprecated in the Kilo release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ Removed ``RequestBodySizeLimiter`` from keystone middleware. The keystone
+ team suggests using ``oslo_middleware.sizelimit.RequestBodySizeLimiter``
+ instead. This was deprecated in the Kilo release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ Notifications with event_type ``identity.created.role_assignment`` and
+ ``identity.deleted.role_assignment`` have been removed. The keystone team
+ suggests listening for ``identity.role_assignment.created`` and
+ ``identity.role_assignment.deleted`` instead. This was deprecated in the
+ Kilo release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ Removed ``check_role_for_trust`` from the trust controller, ensure policy
+ files do not refer to this target. This was deprecated in the Kilo
+ release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ Removed Catalog KVS backend (``keystone.catalog.backends.sql.Catalog``).
+ This was deprecated in the Icehouse release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ The LDAP backend for Assignment has been removed. This was deprecated in
+ the Kilo release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ The LDAP backend for Resource has been removed. This was deprecated in
+ the Kilo release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ The LDAP backend for Role has been removed. This was deprecated in the
+ Kilo release.
+ - >
+ [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+ Removed Revoke KVS backend (``keystone.revoke.backends.kvs.Revoke``).
+ This was deprecated in the Juno release.
diff --git a/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml b/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml
new file mode 100644
index 00000000..b00153db
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - >
+ [`bug 1500222 <https://bugs.launchpad.net/keystone/+bug/1500222>`_]
+ Added information such as: user ID, project ID, and domain ID to log
+ entries. As a side effect of this change, both the user's domain ID and
+ project's domain ID are now included in the auth context.
diff --git a/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml b/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml
new file mode 100644
index 00000000..cc28c7f3
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml
@@ -0,0 +1,12 @@
+fixes:
+ - >
+ [`bug 1527759 <https://bugs.launchpad.net/keystone/+bug/1527759>`_]
+ Reverted the change that eliminates the ability to get
+ a V2 token with a user or project that is not in the
+ default domain. This change broke real-world deployments
+ that utilized the ability to authenticate via V2 API
+ with a user not in the default domain or with a
+ project not in the default domain. The deployer
+ is being convinced to update code to properly handle
+ V3 auth but the fix broke expected and tested
+ behavior.
diff --git a/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml b/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml
new file mode 100644
index 00000000..85fcd6d8
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - >
+ [`bug 1473042 <https://bugs.launchpad.net/keystone/+bug/1473042>`_]
+ Keystone's S3 compatibility support can now authenticate using AWS
+ Signature Version 4.
diff --git a/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml b/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml
new file mode 100644
index 00000000..fcfdb049
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - >
+ [`blueprint totp-auth <https://blueprints.launchpad.net/keystone/+spec/totp-auth>`_]
+ Keystone now supports authenticating via Time-based One-time Password (TOTP).
+ To enable this feature, add the ``totp`` auth plugin to the `methods`
+ option in the `[auth]` section of `keystone.conf`. More information
+ about using TOTP can be found in `keystone's developer documentation
+ <http://docs.openstack.org/developer/keystone/auth-totp.html>`_.
diff --git a/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml b/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml
new file mode 100644
index 00000000..ae184605
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - >
+ [`bug 1480270 <https://bugs.launchpad.net/keystone/+bug/1480270>`_]
+ Endpoints created when using v3 of the keystone REST API will now be
+ included when listing endpoints via the v2.0 API.
diff --git a/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml b/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml
new file mode 100644
index 00000000..7db04c81
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml
@@ -0,0 +1,5 @@
+---
+deprecations:
+ - The V8 Federation driver interface is deprecated in favor of the V9
+ Federation driver interface. Support for the V8 Federation driver
+ interface is planned to be removed in the 'O' release of OpenStack.
diff --git a/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml b/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml
new file mode 100644
index 00000000..421acd6d
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - >
+ [`blueprint x509-ssl-client-cert-authn <https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-cert-authn>`_]
+ Keystone now supports tokenless client SSL x.509 certificate authentication
+ and authorization.