Diffstat (limited to 'keystone-moon/releasenotes/notes')
52 files changed, 0 insertions, 557 deletions
diff --git a/keystone-moon/releasenotes/notes/.placeholder b/keystone-moon/releasenotes/notes/.placeholder deleted file mode 100644 index e69de29b..00000000 --- a/keystone-moon/releasenotes/notes/.placeholder +++ /dev/null diff --git a/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml b/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml deleted file mode 100644 index 89ef1082..00000000 --- a/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - The V8 Assignment driver interface is deprecated. Support for the V8 - Assignment driver interface is planned to be removed in the 'O' release of - OpenStack. -other: - - The list_project_ids_for_user(), list_domain_ids_for_user(), - list_user_ids_for_project(), list_project_ids_for_groups(), - list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and - list_role_ids_for_groups_on_domain() methods have been removed from the - V9 version of the Assignment driver. diff --git a/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml b/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml deleted file mode 100644 index 98306f3e..00000000 --- a/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -features: - - > - [`blueprint domain-specific-roles <https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles>`_] - Roles can now be optionally defined as domain specific. Domain specific - roles are not referenced in policy files, rather they can be used to allow - a domain to build their own private inference rules with implied roles. A - domain specific role can be assigned to a domain or project within its - domain, and any subset of global roles it implies will appear in a token - scoped to the respective domain or project. The domain specific role - itself, however, will not appear in the token. diff --git a/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml b/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml deleted file mode 100644 index 08bda86f..00000000 --- a/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - The V8 Role driver interface is deprecated. Support for the V8 Role driver - interface is planned to be removed in the 'O' release of OpenStack. diff --git a/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml b/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml deleted file mode 100644 index 8003b702..00000000 --- a/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -deprecations: - - The V8 Resource driver interface is deprecated. Support for the V8 - Resource driver interface is planned to be removed in the 'O' release of - OpenStack. diff --git a/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml deleted file mode 100644 index 997ee64a..00000000 
--- a/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -features: - - > - [`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_] - keystone-manage now supports the bootstrap command - on the CLI so that a keystone install can be - initialized without the need of the admin_token - filter in the paste-ini. -security: - - The use of admin_token filter is insecure compared - to the use of a proper username/password. Historically - the admin_token filter has been left enabled in - Keystone after initialization due to the way CMS - systems work. Moving to an out-of-band initialization using - ``keystone-manage bootstrap`` will eliminate the security concerns around - a static shared string that conveys admin access to keystone - and therefore to the entire installation. diff --git a/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml b/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml deleted file mode 100644 index 8547c6d3..00000000 --- a/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -upgrade: - - > - [`bug 1473553 <https://bugs.launchpad.net/keystone/+bug/1473553>`_] - The `keystone-paste.ini` must be updated to put the ``admin_token_auth`` - middleware before ``build_auth_context``. See the sample - `keystone-paste.ini` for the correct `pipeline` value. Having - ``admin_token_auth`` after ``build_auth_context`` is deprecated and will - not be supported in a future release. -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - The ``admin_token_auth`` filter must now be placed before the - ``build_auth_context`` filter in `keystone-paste.ini`. 
diff --git a/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml b/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml deleted file mode 100644 index 69b70dbb..00000000 --- a/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -security: - - The admin_token method of authentication was never intended to be - used for any purpose other than bootstrapping an install. However - many deployments had to leave the admin_token method enabled due - to restrictions on editing the paste file used to configure the - web pipelines. To minimize the risk from this mechanism, the - `admin_token` configuration value now defaults to a python `None` - value. In addition, if the value is set to `None`, either explicitly or - implicitly, the `admin_token` will not be enabled, and an attempt to - use it will lead to a failed authentication. diff --git a/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml b/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml deleted file mode 100644 index a78f831f..00000000 --- a/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -features: - - > - [`blueprint domain-config-default <https://blueprints.launchpad.net/keystone/+spec/domain-config-default>`_] - The Identity API now supports retrieving the default values for the - configuration options that can be overriden via the domain specific - configuration API. diff --git a/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml b/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml deleted file mode 100644 index 1c81d866..00000000 --- a/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -features: - - > - [`blueprint url-safe-naming <https://blueprints.launchpad.net/keystone/+spec/url-safe-naming>`_] - The names of projects and domains can optionally be ensured to be url safe, - to support the future ability to specify projects using hierarchical - naming. diff --git a/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml b/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml deleted file mode 100644 index 0d5c2034..00000000 --- a/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -features: - - > - [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] - Audit IDs are included in the token revocation list. -security: - - > - [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] - [`CVE-2015-7546 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546>`_] - A bug is fixed where an attacker could avoid token revocation when the PKI - or PKIZ token provider is used. The complete remediation for this - vulnerability requires the corresponding fix in the keystonemiddleware - project. diff --git a/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml b/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml deleted file mode 100644 index 0b7192b1..00000000 --- a/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -features: - - > - [`bug 1519210 <https://bugs.launchpad.net/keystone/+bug/1519210>`_] - A user may now opt-out of notifications by specifying a list of - event types using the `notification_opt_out` option in `keystone.conf`. - These events are never sent to a messaging service. diff --git a/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml b/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml deleted file mode 100644 index 68cb7e1d..00000000 
--- a/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -fixes: - - > - [`bug 1535878 <https://bugs.launchpad.net/keystone/+bug/1535878>`_] - Originally, to perform GET /projects/{project_id}, the provided policy - files required a user to have at least project admin level of permission. - They have been updated to allow it to be performed by any user who has a - role on the project. diff --git a/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml b/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml deleted file mode 100644 index bc6ec728..00000000 --- a/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -features: - - > - [`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_] - Added support for a `user_description_attribute` mapping - to the LDAP driver configuration. -upgrade: - - > - The LDAP driver now also maps the user description attribute after - user retrieval from LDAP. - If this is undesired behavior for your setup, please add `description` - to the `user_attribute_ignore` LDAP driver config setting. - - The default mapping of the description attribute is set to `description`. - Please adjust the LDAP driver config setting `user_description_attribute` - if your LDAP uses a different attribute name (for instance to `displayName` - in case of an AD backed LDAP). - - If your `user_additional_attribute_mapping` setting contains - `description:description` you can remove this mapping, since this is - now the default behavior. diff --git a/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml b/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml deleted file mode 100644 index 0befecd3..00000000 --- a/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -features: - - > - [`bug 1526462 <https://bugs.launchpad.net/keystone/+bug/1526462>`_] - Support for posixGroups with OpenDirectory and UNIX when using - the LDAP identity driver. diff --git a/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml b/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml deleted file mode 100644 index 785fb3cf..00000000 --- a/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -features: - - > - [`bug 1489061 <https://bugs.launchpad.net/keystone/+bug/1489061>`_] - Caching has been added to catalog retrieval on a per user ID and project - ID basis. This affects both the v2 and v3 APIs. As a result this should - provide a performance benefit to fernet-based deployments. diff --git a/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml b/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml deleted file mode 100644 index e0c381d9..00000000 --- a/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -deprecations: - - Use of ``$(tenant_id)s`` in the catalog endpoints is deprecated in favor - of ``$(project_id)s``. -features: - - Keystone supports ``$(project_id)s`` in the catalog. It works the same as - ``$(tenant_id)s``. Use of ``$(tenant_id)s`` is deprecated and catalog - endpoints should be updated to use ``$(project_id)s``. - diff --git a/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml b/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml deleted file mode 100644 index ce372ede..00000000 --- a/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - Deprecate the ``enabled`` option from ``[endpoint_policy]``, it will be - removed in the 'O' release, and the extension will always be enabled. diff --git a/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml b/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml deleted file mode 100644 index 7b9c8e08..00000000 --- a/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - The token memcache and memcache_pool persistence - backends have been deprecated in favor of using - Fernet tokens (which require no persistence). diff --git a/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml b/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml deleted file mode 100644 index 59680274..00000000 --- a/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - Deprecated all v2.0 APIs. The keystone team recommends using v3 APIs instead. - Most v2.0 APIs will be removed in the 'Q' release. However, the authentication - APIs and EC2 APIs are indefinitely deprecated and will not be removed in - the 'Q' release. diff --git a/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml b/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml deleted file mode 100644 index 31c7ff85..00000000 
--- a/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - As of the Mitaka release, the PKI and PKIz token formats have been - deprecated. They will be removed in the 'O' release. Due to this change, - the `hash_algorithm` option in the `[token]` section of the - configuration file has also been deprecated. Also due to this change, the - ``keystone-manage pki_setup`` command has been deprecated as well. - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - As of the Mitaka release, write support for the LDAP driver of the Identity - backend has been deprecated. This includes the following operations: create user, - create group, delete user, delete group, update user, update group, - add user to group, and remove user from group. These operations will be - removed in the 'O' release. - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - As of the Mitaka release, the auth plugin `keystone.auth.plugins.saml2.Saml2` - has been deprecated. It is recommended to use `keystone.auth.plugins.mapped.Mapped` - instead. The ``saml2`` plugin will be removed in the 'O' release. - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - As of the Mitaka release, the simple_cert_extension is deprecated since it - is only used in support of the PKI and PKIz token formats. It will be - removed in the 'O' release. diff --git a/keystone-moon/releasenotes/notes/deprecations-c4afc19dc5324b9c.yaml b/keystone-moon/releasenotes/notes/deprecations-c4afc19dc5324b9c.yaml deleted file mode 100644 index 0c1c4f11..00000000 
--- a/keystone-moon/releasenotes/notes/deprecations-c4afc19dc5324b9c.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -other: - - Running keystone in eventlet remains deprecated and will be removed in the - Mitaka release. - - Using LDAP as the resource backend, i.e for projects and domains, is now - deprecated and will be removed in the Mitaka release. - - Using the full path to the driver class is deprecated in favor of using - the entrypoint. In the Mitaka release, the entrypoint must be used. - - In the [resource] and [role] sections of the ``keystone.conf`` file, not - specifying the driver and using the assignment driver is deprecated. In - the Mitaka release, the resource and role drivers will default to the SQL - driver. - - In ``keystone-paste.ini``, using ``paste.filter_factory`` is deprecated in - favor of the "use" directive, specifying an entrypoint. - - Not specifying a domain during a create user, group or project call, which - relied on falling back to the default domain, is now deprecated and will - be removed in the N release. - - Certain deprecated methods from the assignment manager were removed in - favor of the same methods in the [resource] and [role] manager. diff --git a/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml b/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml deleted file mode 100644 index f4c1bbe7..00000000 --- a/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -features: - - > - [`bug 1525317 <https://bugs.launchpad.net/keystone/+bug/1525317>`_] - Enable filtering of identity providers based on `id`, and `enabled` - attributes. - - > - [`bug 1555830 <https://bugs.launchpad.net/keystone/+bug/1555830>`_] - Enable filtering of service providers based on `id`, and `enabled` - attributes.
\ No newline at end of file diff --git a/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml b/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml deleted file mode 100644 index 8346285a..00000000 --- a/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -upgrade: - - > - The default setting for the `os_inherit` configuration option is - changed to True. If it is required to continue with this portion - of the API disabled, then override the default setting by explicitly - specifying the os_inherit option as False. -deprecations: - - The `os_inherit` configuration option is disabled. In the future, this - option will be removed and this portion of the API will be always enabled. diff --git a/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml b/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml deleted file mode 100644 index d94db3ba..00000000 --- a/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -fixes: - - > - [`bug 1516469 <https://bugs.launchpad.net/keystone/+bug/1516469>`_] - Endpoints filtered by endpoint_group project association will be - included in the service catalog when a project scoped token is issued and - ``endpoint_filter.sql`` is used for the catalog driver. diff --git a/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml b/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml deleted file mode 100644 index ced7d5a7..00000000 --- a/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -upgrade: - - > - The `keystone-paste.ini` file must be updated to remove extension - filters, and their use in ``[pipeline:api_v3]``. - Remove the following filters: ``[filter:oauth1_extension]``, - ``[filter:federation_extension]``, ``[filter:endpoint_filter_extension]``, - and ``[filter:revoke_extension]``. See the sample `keystone-paste.ini - <https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_ - file for guidance. - - > - The `keystone-paste.ini` file must be updated to remove extension filters, - and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` pipelines. - Remove the following filters: ``[filter:user_crud_extension]``, - ``[filter:crud_extension]``. See the sample `keystone-paste.ini - <https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_ - file for guidance. -other: - - > - [`blueprint move-extensions <https://blueprints.launchpad.net/keystone/+spec/move-extensions>`_] - If any extension migrations are run, for example: ``keystone-manage db_sync - --extension endpoint_policy`` an error will be returned. This is working as - designed. To run these migrations simply run: ``keystone-manage db_sync``. - The complete list of affected extensions are: ``oauth1``, ``federation``, - ``endpoint_filter``, ``endpoint_policy``, and ``revoke``. diff --git a/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml b/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml deleted file mode 100644 index 04d45dae..00000000 --- a/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -features: - - > - [`blueprint federation-group-ids-mapped-without-domain-reference <https://blueprints.launchpad.net/keystone/+spec/federation-group-ids-mapped-without-domain-reference>`_] - Enhanced the federation mapping engine to allow for group IDs to be - referenced without a domain ID. diff --git a/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml b/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml deleted file mode 100644 index 86bb378e..00000000 --- a/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - The file ``httpd/keystone.py`` has been deprecated in favor of - ``keystone-wsgi-admin`` and ``keystone-wsgi-public`` and may be - removed in the 'O' release. diff --git a/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml b/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml deleted file mode 100644 index 3afd9159..00000000 --- a/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -other: - - > - [`bug 1367113 <https://bugs.launchpad.net/keystone/+bug/1367113>`_] - The "get entity" and "list entities" functionality for the KVS catalog - backend has been reimplemented to use the data from the catalog template. - Previously this would only act on temporary data that was created at - runtime. The create, update and delete entity functionality now raises - an exception. diff --git a/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml b/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml deleted file mode 100644 index 065fd541..00000000 --- a/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -features: - - > - [`blueprint implied-roles <https://blueprints.launchpad.net/keystone/+spec/implied-roles>`_] - Keystone now supports creating implied roles. Role inference rules can now - be added to indicate when the assignment of one role implies the assignment - of another. The rules are of the form `prior_role` implies - `implied_role`. At token generation time, user/group assignments of roles - that have implied roles will be expanded to also include such roles in the - token. The expansion of implied roles is controlled by the - `prohibited_implied_role` option in the `[assignment]` - section of `keystone.conf`. diff --git a/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml b/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml deleted file mode 100644 index ba11ab2a..00000000 --- a/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -upgrade: - - A new config option, `insecure_debug`, is added to control whether debug - information is returned to clients. This used to be controlled by the - `debug` option. If you'd like to return extra information to clients - set the value to ``true``. This extra information may help an attacker. - diff --git a/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml b/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml deleted file mode 100644 index a0c2b3bb..00000000 --- a/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -features: - - > - [`bug 96869 <https://bugs.launchpad.net/keystone/+bug/968696>`_] - A pair of configuration options have been added to the ``[resource]`` - section to specify a special ``admin`` project: - ``admin_project_domain_name`` and ``admin_project_name``. If these are - defined, any scoped token issued for that project will have an additional - identifier ``is_admin_project`` added to the token. This identifier can then - be checked by the policy rules in the policy files of the services when - evaluating access control policy for an API. Keystone does not yet - support the ability for a project acting as a domain to be the - admin project. That will be added once the rest of the code for - projects acting as domains is merged. diff --git a/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml b/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml deleted file mode 100644 index c26eeb3f..00000000 --- a/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -upgrade: - - > - The configuration options for LDAP connection pooling, `[ldap] use_pool` - and `[ldap] use_auth_pool`, are now both enabled by default. Only - deployments using LDAP drivers are affected. Additional configuration - options are available in the `[ldap]` section to tune connection pool size, - etc. diff --git a/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml b/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml deleted file mode 100644 index 1d097ae3..00000000 --- a/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -features: - - > - [`bug 1515302 <https://bugs.launchpad.net/keystone/+bug/1515302>`_] - Two new configuration options have been added to the `[ldap]` section. - `user_enabled_emulation_use_group_config` and - `project_enabled_emulation_use_group_config`, which allow deployers to - choose if they want to override the default group LDAP schema option. diff --git a/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml b/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml deleted file mode 100644 index 4e5f5458..00000000 --- a/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -features: - - > - [`bug 1501698 <https://bugs.launchpad.net/keystone/+bug/1501698>`_] - Support parameter `list_limit` when LDAP is used as - identity backend. diff --git a/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml b/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml deleted file mode 100644 index 267ece71..00000000 --- a/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -features: - - > - [`bug 1479569 <https://bugs.launchpad.net/keystone/+bug/1479569>`_] - Names have been added to list role assignments - (GET /role_assignments?include_names=True), rather than returning - just the internal IDs of the objects the names are also returned. diff --git a/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml b/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml deleted file mode 100644 index c7d9d412..00000000 --- a/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -upgrade: - - > - [`bug 1541092 <https://bugs.launchpad.net/keystone/+bug/1541092>`_] - Only database upgrades from Kilo and newer are supported. 
diff --git a/keystone-moon/releasenotes/notes/new_features-e33d793d8a5ca76a.yaml b/keystone-moon/releasenotes/notes/new_features-e33d793d8a5ca76a.yaml deleted file mode 100644 index 06e1db2c..00000000 --- a/keystone-moon/releasenotes/notes/new_features-e33d793d8a5ca76a.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -features: - - > - **Experimental** - Domain specific configuration options can be stored in - SQL instead of configuration files, using the new REST APIs. - - > - **Experimental** - Keystone now supports tokenless authorization with - X.509 SSL client certificate. - - Configuring per-Identity Provider WebSSO is now supported. - - > - ``openstack_user_domain`` and ``openstack_project_domain`` attributes were - added to SAML assertion in order to map user and project domains, - respectively. - - The credentials list call can now have its results filtered by credential - type. - - Support was improved for out-of-tree drivers by defining stable driver - interfaces. - - Several features were hardened, including Fernet tokens, federation, - domain specific configurations from database and role assignments. - - Certain variables in ``keystone.conf`` now have options, which determine - if the user's setting is valid. diff --git a/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml b/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml deleted file mode 100644 index a449ad67..00000000 --- a/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -other: - - > - ``keystone-manage db_sync`` will no longer create the Default domain. This - domain is used as the domain for any users created using the legacy v2.0 - API. A default domain is created by ``keystone-manage bootstrap`` and when - a user or project is created using the legacy v2.0 API. 
diff --git a/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml b/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml deleted file mode 100644 index d80ab826..00000000 --- a/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -fixes: - - Support has now been added to send notification events - on user/group membership. When a user is added or removed - from a group a notification will be sent including the - identifiers of both the user and the group. diff --git a/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml b/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml deleted file mode 100644 index dc989154..00000000 --- a/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -upgrade: - - > - Keystone now uses oslo.cache. Update the `[cache]` section of - `keystone.conf` to point to oslo.cache backends: - ``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``. Refer to the - sample configuration file for examples. See `oslo.cache - <http://docs.openstack.org/developer/oslo.cache>`_ for additional - documentation. -deprecations: - - > - [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] - ``keystone.common.cache.backends.memcache_pool``, - ``keystone.common.cache.backends.mongo``, and - ``keystone.common.cache.backends.noop`` are deprecated in favor of - oslo.cache backends. The keystone backends will be removed in the 'O' - release. diff --git a/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml b/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml deleted file mode 100644 index 7845df9a..00000000 --- a/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -features: - - Domains are now represented as top level projects with the attribute - `is_domain` set to true. Such projects will appear as parents for any - previous top level projects. Projects acting as domains can be created, - read, updated, and deleted via either the project API or the domain API - (V3 only). diff --git a/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml b/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml deleted file mode 100644 index 0c591dcc..00000000 --- a/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -other: - - The ability to validate a trust-scoped token against the v2.0 API has been - removed, in favor of using the version 3 of the API. diff --git a/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml b/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml deleted file mode 100644 index b0964c95..00000000 --- a/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -other: - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - Removed ``extras`` from token responses. These fields should not be - necessary and a well-defined API makes this field redundant. This was - deprecated in the Kilo release. - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - Removed ``RequestBodySizeLimiter`` from keystone middleware. The keystone - team suggests using ``oslo_middleware.sizelimit.RequestBodySizeLimiter`` - instead. This was deprecated in the Kilo release. - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - Notifications with event_type ``identity.created.role_assignment`` and - ``identity.deleted.role_assignment`` have been removed. The keystone team - suggests listening for ``identity.role_assignment.created`` and - ``identity.role_assignment.deleted`` instead. This was deprecated in the - Kilo release. - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - Removed ``check_role_for_trust`` from the trust controller, ensure policy - files do not refer to this target. This was deprecated in the Kilo - release. - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - Removed Catalog KVS backend (``keystone.catalog.backends.sql.Catalog``). - This was deprecated in the Icehouse release. - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - The LDAP backend for Assignment has been removed. This was deprecated in - the Kilo release. - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - The LDAP backend for Resource has been removed. This was deprecated in - the Kilo release. 
- - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - The LDAP backend for Role has been removed. This was deprecated in the - Kilo release. - - > - [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] - Removed Revoke KVS backend (``keystone.revoke.backends.kvs.Revoke``). - This was deprecated in the Juno release. diff --git a/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml b/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml deleted file mode 100644 index b00153db..00000000 --- a/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -features: - - > - [`bug 1500222 <https://bugs.launchpad.net/keystone/+bug/1500222>`_] - Added information such as: user ID, project ID, and domain ID to log - entries. As a side effect of this change, both the user's domain ID and - project's domain ID are now included in the auth context. diff --git a/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml b/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml deleted file mode 100644 index cc28c7f3..00000000 --- a/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml +++ /dev/null @@ -1,12 +0,0 @@ -fixes: - - > - [`bug 1527759 <https://bugs.launchpad.net/keystone/+bug/1527759>`_] - Reverted the change that eliminates the ability to get - a V2 token with a user or project that is not in the - default domain. This change broke real-world deployments - that utilized the ability to authenticate via V2 API - with a user not in the default domain or with a - project not in the default domain. The deployer - is being convinced to update code to properly handle - V3 auth but the fix broke expected and tested - behavior. 
diff --git a/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml b/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml deleted file mode 100644 index 85fcd6d8..00000000 --- a/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -features: - - > - [`bug 1473042 <https://bugs.launchpad.net/keystone/+bug/1473042>`_] - Keystone's S3 compatibility support can now authenticate using AWS - Signature Version 4. diff --git a/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml b/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml deleted file mode 100644 index fcfdb049..00000000 --- a/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -features: - - > - [`blueprint totp-auth <https://blueprints.launchpad.net/keystone/+spec/totp-auth>`_] - Keystone now supports authenticating via Time-based One-time Password (TOTP). - To enable this feature, add the ``totp`` auth plugin to the `methods` - option in the `[auth]` section of `keystone.conf`. More information - about using TOTP can be found in `keystone's developer documentation - <http://docs.openstack.org/developer/keystone/auth-totp.html>`_. diff --git a/keystone-moon/releasenotes/notes/upgrade_notes-ca81f5d531ab3522.yaml b/keystone-moon/releasenotes/notes/upgrade_notes-ca81f5d531ab3522.yaml deleted file mode 100644 index be8282ce..00000000 --- a/keystone-moon/releasenotes/notes/upgrade_notes-ca81f5d531ab3522.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -upgrade: - - The EC2 token middleware, deprecated in Juno, is no longer available in - keystone. It has been moved to the keystonemiddleware package. - - The ``compute_port`` configuration option, deprecated in Juno, is no longer - available. - - The XML middleware stub has been removed, so references to it must be - removed from the ``keystone-paste.ini`` configuration file. - - stats_monitoring and stats_reporting paste filters have been removed, so - references to it must be removed from the ``keystone-paste.ini`` - configuration file. - - The external authentication plugins ExternalDefault, ExternalDomain, - LegacyDefaultDomain, and LegacyDomain, deprecated in Icehouse, are no - longer available. - - The ``keystone.conf`` file now references entrypoint names for drivers. - For example, the drivers are now specified as "sql", "ldap", "uuid", - rather than the full module path. See the sample configuration file for - other examples. - - We now expose entrypoints for the ``keystone-manage`` command instead of a - file. - - Schema downgrades via ``keystone-manage db_sync`` are no longer supported. - Only upgrades are supported. - - Features that were "extensions" in previous releases (OAuth delegation, - Federated Identity support, Endpoint Policy, etc) are now enabled by - default. - - A new ``secure_proxy_ssl_header`` configuration option is available when - running keystone behind a proxy. - - Several configuration options have been deprecated, renamed, or moved to - new sections in the ``keystone.conf`` file. - - Domain name information can now be used in policy rules with the attribute - ``domain_name``. diff --git a/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml b/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml deleted file mode 100644 index ae184605..00000000 --- a/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -fixes: - - > - [`bug 1480270 <https://bugs.launchpad.net/keystone/+bug/1480270>`_] - Endpoints created when using v3 of the keystone REST API will now be - included when listing endpoints via the v2.0 API. diff --git a/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml b/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml deleted file mode 100644 index 7db04c81..00000000 --- a/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -deprecations: - - The V8 Federation driver interface is deprecated in favor of the V9 - Federation driver interface. Support for the V8 Federation driver - interface is planned to be removed in the 'O' release of OpenStack. diff --git a/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml b/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml deleted file mode 100644 index 421acd6d..00000000 --- a/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -features: - - > - [`blueprint x509-ssl-client-cert-authn <https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-cert-authn>`_] - Keystone now supports tokenless client SSL x.509 certificate authentication - and authorization. |
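Review bot: In the notify-on-user-group-membership-8c0136ee0484e255.yaml hunk, the deleted entry sits under `fixes:` although its text announces new behaviour ("Support has now been added to send notification events on user/group membership"). If this note is re-homed anywhere rather than dropped, file it under `features:` so that anyone relying on these events for auditing group changes can find it.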
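Review bot: In the removed-as-of-mitaka-9ff14f87d0b98e7e.yaml hunk, the entry "Removed Catalog KVS backend (``keystone.catalog.backends.sql.Catalog``)" pairs a KVS backend with a `sql` module path, while the Revoke entry in the same file uses `keystone.revoke.backends.kvs.Revoke`. One of the two is mislabelled, so check the path before this text is reused anywhere. The same hunk also deletes the instruction to ensure policy files do not refer to `check_role_for_trust`; confirm that guidance survives elsewhere if this keystone tree is still deployed.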
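Review bot: The upgrade_notes-ca81f5d531ab3522.yaml hunk deletes operator-facing guidance with security impact, namely the `secure_proxy_ssl_header` option for running keystone behind a proxy and the requirement to remove the XML middleware stub and the stats_monitoring and stats_reporting filters from `keystone-paste.ini`. The visible diff is deletions only, so the commit message should say whether the whole keystone-moon tree is being retired or only its release notes; in the latter case these entries need a new home. Minor wording point in the stats filters entry: "references to it must be removed" should read "references to them".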