diff options
Diffstat (limited to 'keystone-moon/releasenotes')
48 files changed, 486 insertions, 0 deletions
diff --git a/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml b/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml new file mode 100644 index 00000000..89ef1082 --- /dev/null +++ b/keystone-moon/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml @@ -0,0 +1,13 @@ +--- +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + The V8 Assignment driver interface is deprecated. Support for the V8 + Assignment driver interface is planned to be removed in the 'O' release of + OpenStack. +other: + - The list_project_ids_for_user(), list_domain_ids_for_user(), + list_user_ids_for_project(), list_project_ids_for_groups(), + list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and + list_role_ids_for_groups_on_domain() methods have been removed from the + V9 version of the Assignment driver. diff --git a/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml b/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml new file mode 100644 index 00000000..98306f3e --- /dev/null +++ b/keystone-moon/releasenotes/notes/DomainSpecificRoles-fc5dd2ef74a1442c.yaml @@ -0,0 +1,11 @@ +--- +features: + - > + [`blueprint domain-specific-roles <https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles>`_] + Roles can now be optionally defined as domain specific. Domain specific + roles are not referenced in policy files, rather they can be used to allow + a domain to build their own private inference rules with implied roles. A + domain specific role can be assigned to a domain or project within its + domain, and any subset of global roles it implies will appear in a token + scoped to the respective domain or project. The domain specific role + itself, however, will not appear in the token. diff --git a/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml b/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml new file mode 100644 index 00000000..08bda86f --- /dev/null +++ b/keystone-moon/releasenotes/notes/Role_V9_driver-971c3aae14d9963d.yaml @@ -0,0 +1,6 @@ +--- +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + The V8 Role driver interface is deprecated. Support for the V8 Role driver + interface is planned to be removed in the 'O' release of OpenStack. diff --git a/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml b/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml new file mode 100644 index 00000000..8003b702 --- /dev/null +++ b/keystone-moon/releasenotes/notes/V9ResourceDriver-26716f97c0cc1a80.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - The V8 Resource driver interface is deprecated. Support for the V8 + Resource driver interface is planned to be removed in the 'O' release of + OpenStack. diff --git a/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml new file mode 100644 index 00000000..997ee64a --- /dev/null +++ b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml @@ -0,0 +1,17 @@ +--- +features: + - > + [`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_] + keystone-manage now supports the bootstrap command + on the CLI so that a keystone install can be + initialized without the need of the admin_token + filter in the paste-ini. +security: + - The use of admin_token filter is insecure compared + to the use of a proper username/password. Historically + the admin_token filter has been left enabled in + Keystone after initialization due to the way CMS + systems work. Moving to an out-of-band initialization using + ``keystone-manage bootstrap`` will eliminate the security concerns around + a static shared string that conveys admin access to keystone + and therefore to the entire installation. diff --git a/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml b/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml new file mode 100644 index 00000000..8547c6d3 --- /dev/null +++ b/keystone-moon/releasenotes/notes/admin_token-a5678d712783c145.yaml @@ -0,0 +1,14 @@ +--- +upgrade: + - > + [`bug 1473553 <https://bugs.launchpad.net/keystone/+bug/1473553>`_] + The `keystone-paste.ini` must be updated to put the ``admin_token_auth`` + middleware before ``build_auth_context``. See the sample + `keystone-paste.ini` for the correct `pipeline` value. Having + ``admin_token_auth`` after ``build_auth_context`` is deprecated and will + not be supported in a future release. +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + The ``admin_token_auth`` filter must now be placed before the + ``build_auth_context`` filter in `keystone-paste.ini`. diff --git a/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml b/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml new file mode 100644 index 00000000..69b70dbb --- /dev/null +++ b/keystone-moon/releasenotes/notes/admin_token-c634ec12fc714255.yaml @@ -0,0 +1,11 @@ +--- +security: + - The admin_token method of authentication was never intended to be + used for any purpose other than bootstrapping an install. However + many deployments had to leave the admin_token method enabled due + to restrictions on editing the paste file used to configure the + web pipelines. To minimize the risk from this mechanism, the + `admin_token` configuration value now defaults to a python `None` + value. In addition, if the value is set to `None`, either explicitly or + implicitly, the `admin_token` will not be enabled, and an attempt to + use it will lead to a failed authentication. diff --git a/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml b/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml new file mode 100644 index 00000000..a78f831f --- /dev/null +++ b/keystone-moon/releasenotes/notes/bp-domain-config-default-82e42d946ee7cb43.yaml @@ -0,0 +1,7 @@ +--- +features: + - > + [`blueprint domain-config-default <https://blueprints.launchpad.net/keystone/+spec/domain-config-default>`_] + The Identity API now supports retrieving the default values for the + configuration options that can be overriden via the domain specific + configuration API. diff --git a/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml b/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml new file mode 100644 index 00000000..1c81d866 --- /dev/null +++ b/keystone-moon/releasenotes/notes/bp-url-safe-naming-ad90d6a659f5bf3c.yaml @@ -0,0 +1,7 @@ +--- +features: + - > + [`blueprint url-safe-naming <https://blueprints.launchpad.net/keystone/+spec/url-safe-naming>`_] + The names of projects and domains can optionally be ensured to be url safe, + to support the future ability to specify projects using hierarchical + naming. diff --git a/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml b/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml new file mode 100644 index 00000000..0d5c2034 --- /dev/null +++ b/keystone-moon/releasenotes/notes/bug-1490804-de58a9606edb31eb.yaml @@ -0,0 +1,13 @@ +--- +features: + - > + [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] + Audit IDs are included in the token revocation list. +security: + - > + [`bug 1490804 <https://bugs.launchpad.net/keystone/+bug/1490804>`_] + [`CVE-2015-7546 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546>`_] + A bug is fixed where an attacker could avoid token revocation when the PKI + or PKIZ token provider is used. The complete remediation for this + vulnerability requires the corresponding fix in the keystonemiddleware + project. diff --git a/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml b/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml new file mode 100644 index 00000000..0b7192b1 --- /dev/null +++ b/keystone-moon/releasenotes/notes/bug-1519210-de76097c974f9c93.yaml @@ -0,0 +1,7 @@ +--- +features: + - > + [`bug 1519210 <https://bugs.launchpad.net/keystone/+bug/1519210>`_] + A user may now opt-out of notifications by specifying a list of + event types using the `notification_opt_out` option in `keystone.conf`. + These events are never sent to a messaging service. diff --git a/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml b/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml new file mode 100644 index 00000000..68cb7e1d --- /dev/null +++ b/keystone-moon/releasenotes/notes/bug-1535878-change-get_project-permission-e460af1256a2c056.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - > + [`bug 1535878 <https://bugs.launchpad.net/keystone/+bug/1535878>`_] + Originally, to perform GET /projects/{project_id}, the provided policy + files required a user to have at least project admin level of permission. + They have been updated to allow it to be performed by any user who has a + role on the project. diff --git a/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml b/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml new file mode 100644 index 00000000..bc6ec728 --- /dev/null +++ b/keystone-moon/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml @@ -0,0 +1,21 @@ +--- +features: + - > + [`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_] + Added support for a `user_description_attribute` mapping + to the LDAP driver configuration. +upgrade: + - > + The LDAP driver now also maps the user description attribute after + user retrieval from LDAP. + If this is undesired behavior for your setup, please add `description` + to the `user_attribute_ignore` LDAP driver config setting. + + The default mapping of the description attribute is set to `description`. + Please adjust the LDAP driver config setting `user_description_attribute` + if your LDAP uses a different attribute name (for instance to `displayName` + in case of an AD backed LDAP). + + If your `user_additional_attribute_mapping` setting contains + `description:description` you can remove this mapping, since this is + now the default behavior. diff --git a/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml b/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml new file mode 100644 index 00000000..0befecd3 --- /dev/null +++ b/keystone-moon/releasenotes/notes/bug_1526462-df9a3f3974d9040f.yaml @@ -0,0 +1,6 @@ +--- +features: + - > + [`bug 1526462 <https://bugs.launchpad.net/keystone/+bug/1526462>`_] + Support for posixGroups with OpenDirectory and UNIX when using + the LDAP identity driver. diff --git a/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml b/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml new file mode 100644 index 00000000..785fb3cf --- /dev/null +++ b/keystone-moon/releasenotes/notes/catalog-caching-12f2532cfb71325a.yaml @@ -0,0 +1,7 @@ +--- +features: + - > + [`bug 1489061 <https://bugs.launchpad.net/keystone/+bug/1489061>`_] + Caching has been added to catalog retrieval on a per user ID and project + ID basis. This affects both the v2 and v3 APIs. As a result this should + provide a performance benefit to fernet-based deployments. diff --git a/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml b/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml new file mode 100644 index 00000000..e0c381d9 --- /dev/null +++ b/keystone-moon/releasenotes/notes/catalog_project_id-519f5a70f9f7c4c6.yaml @@ -0,0 +1,9 @@ +--- +deprecations: + - Use of ``$(tenant_id)s`` in the catalog endpoints is deprecated in favor + of ``$(project_id)s``. +features: + - Keystone supports ``$(project_id)s`` in the catalog. It works the same as + ``$(tenant_id)s``. Use of ``$(tenant_id)s`` is deprecated and catalog + endpoints should be updated to use ``$(project_id)s``. + diff --git a/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml b/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml new file mode 100644 index 00000000..ce372ede --- /dev/null +++ b/keystone-moon/releasenotes/notes/deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml @@ -0,0 +1,6 @@ +--- +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + Deprecate the ``enabled`` option from ``[endpoint_policy]``, it will be + removed in the 'O' release, and the extension will always be enabled. diff --git a/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml b/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml new file mode 100644 index 00000000..7b9c8e08 --- /dev/null +++ b/keystone-moon/releasenotes/notes/deprecate-memcache-token-persistence-eac88c80147ea241.yaml @@ -0,0 +1,7 @@ +--- +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + The token memcache and memcache_pool persistence + backends have been deprecated in favor of using + Fernet tokens (which require no persistence). diff --git a/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml b/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml new file mode 100644 index 00000000..59680274 --- /dev/null +++ b/keystone-moon/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml @@ -0,0 +1,8 @@ +--- +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + Deprecated all v2.0 APIs. The keystone team recommends using v3 APIs instead. + Most v2.0 APIs will be removed in the 'Q' release. However, the authentication + APIs and EC2 APIs are indefinitely deprecated and will not be removed in + the 'Q' release. diff --git a/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml b/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml new file mode 100644 index 00000000..31c7ff85 --- /dev/null +++ b/keystone-moon/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml @@ -0,0 +1,26 @@ +--- +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + As of the Mitaka release, the PKI and PKIz token formats have been + deprecated. They will be removed in the 'O' release. Due to this change, + the `hash_algorithm` option in the `[token]` section of the + configuration file has also been deprecated. Also due to this change, the + ``keystone-manage pki_setup`` command has been deprecated as well. + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + As of the Mitaka release, write support for the LDAP driver of the Identity + backend has been deprecated. This includes the following operations: create user, + create group, delete user, delete group, update user, update group, + add user to group, and remove user from group. These operations will be + removed in the 'O' release. + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + As of the Mitaka release, the auth plugin `keystone.auth.plugins.saml2.Saml2` + has been deprecated. It is recommended to use `keystone.auth.plugins.mapped.Mapped` + instead. The ``saml2`` plugin will be removed in the 'O' release. + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + As of the Mitaka release, the simple_cert_extension is deprecated since it + is only used in support of the PKI and PKIz token formats. It will be + removed in the 'O' release. diff --git a/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml b/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml new file mode 100644 index 00000000..f4c1bbe7 --- /dev/null +++ b/keystone-moon/releasenotes/notes/enable-filter-idp-d0135f4615178cfc.yaml @@ -0,0 +1,10 @@ +--- +features: + - > + [`bug 1525317 <https://bugs.launchpad.net/keystone/+bug/1525317>`_] + Enable filtering of identity providers based on `id`, and `enabled` + attributes. + - > + [`bug 1555830 <https://bugs.launchpad.net/keystone/+bug/1555830>`_] + Enable filtering of service providers based on `id`, and `enabled` + attributes.
\ No newline at end of file diff --git a/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml b/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml new file mode 100644 index 00000000..8346285a --- /dev/null +++ b/keystone-moon/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - > + The default setting for the `os_inherit` configuration option is + changed to True. If it is required to continue with this portion + of the API disabled, then override the default setting by explicitly + specifying the os_inherit option as False. +deprecations: + - The `os_inherit` configuration option is disabled. In the future, this + option will be removed and this portion of the API will be always enabled. diff --git a/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml b/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml new file mode 100644 index 00000000..d94db3ba --- /dev/null +++ b/keystone-moon/releasenotes/notes/endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - > + [`bug 1516469 <https://bugs.launchpad.net/keystone/+bug/1516469>`_] + Endpoints filtered by endpoint_group project association will be + included in the service catalog when a project scoped token is issued and + ``endpoint_filter.sql`` is used for the catalog driver. diff --git a/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml b/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml new file mode 100644 index 00000000..ced7d5a7 --- /dev/null +++ b/keystone-moon/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml @@ -0,0 +1,25 @@ +--- +upgrade: + - > + The `keystone-paste.ini` file must be updated to remove extension + filters, and their use in ``[pipeline:api_v3]``. + Remove the following filters: ``[filter:oauth1_extension]``, + ``[filter:federation_extension]``, ``[filter:endpoint_filter_extension]``, + and ``[filter:revoke_extension]``. See the sample `keystone-paste.ini + <https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_ + file for guidance. + - > + The `keystone-paste.ini` file must be updated to remove extension filters, + and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` pipelines. + Remove the following filters: ``[filter:user_crud_extension]``, + ``[filter:crud_extension]``. See the sample `keystone-paste.ini + <https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_ + file for guidance. +other: + - > + [`blueprint move-extensions <https://blueprints.launchpad.net/keystone/+spec/move-extensions>`_] + If any extension migrations are run, for example: ``keystone-manage db_sync + --extension endpoint_policy`` an error will be returned. This is working as + designed. To run these migrations simply run: ``keystone-manage db_sync``. + The complete list of affected extensions are: ``oauth1``, ``federation``, + ``endpoint_filter``, ``endpoint_policy``, and ``revoke``. diff --git a/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml b/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml new file mode 100644 index 00000000..04d45dae --- /dev/null +++ b/keystone-moon/releasenotes/notes/federation-group-ids-mapping-6c56120d65a5cb22.yaml @@ -0,0 +1,6 @@ +--- +features: + - > + [`blueprint federation-group-ids-mapped-without-domain-reference <https://blueprints.launchpad.net/keystone/+spec/federation-group-ids-mapped-without-domain-reference>`_] + Enhanced the federation mapping engine to allow for group IDs to be + referenced without a domain ID. diff --git a/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml b/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml new file mode 100644 index 00000000..86bb378e --- /dev/null +++ b/keystone-moon/releasenotes/notes/httpd-keystone-d51b7335559b09c8.yaml @@ -0,0 +1,7 @@ +--- +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + The file ``httpd/keystone.py`` has been deprecated in favor of + ``keystone-wsgi-admin`` and ``keystone-wsgi-public`` and may be + removed in the 'O' release. diff --git a/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml b/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml new file mode 100644 index 00000000..3afd9159 --- /dev/null +++ b/keystone-moon/releasenotes/notes/impl-templated-catalog-1d8f6333726b34f8.yaml @@ -0,0 +1,9 @@ +--- +other: + - > + [`bug 1367113 <https://bugs.launchpad.net/keystone/+bug/1367113>`_] + The "get entity" and "list entities" functionality for the KVS catalog + backend has been reimplemented to use the data from the catalog template. + Previously this would only act on temporary data that was created at + runtime. The create, update and delete entity functionality now raises + an exception. diff --git a/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml b/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml new file mode 100644 index 00000000..065fd541 --- /dev/null +++ b/keystone-moon/releasenotes/notes/implied-roles-026f401adc0f7fb6.yaml @@ -0,0 +1,12 @@ +--- +features: + - > + [`blueprint implied-roles <https://blueprints.launchpad.net/keystone/+spec/implied-roles>`_] + Keystone now supports creating implied roles. Role inference rules can now + be added to indicate when the assignment of one role implies the assignment + of another. The rules are of the form `prior_role` implies + `implied_role`. At token generation time, user/group assignments of roles + that have implied roles will be expanded to also include such roles in the + token. The expansion of implied roles is controlled by the + `prohibited_implied_role` option in the `[assignment]` + section of `keystone.conf`. diff --git a/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml b/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml new file mode 100644 index 00000000..ba11ab2a --- /dev/null +++ b/keystone-moon/releasenotes/notes/insecure_reponse-2a168230709bc8e7.yaml @@ -0,0 +1,7 @@ +--- +upgrade: + - A new config option, `insecure_debug`, is added to control whether debug + information is returned to clients. This used to be controlled by the + `debug` option. If you'd like to return extra information to clients + set the value to ``true``. This extra information may help an attacker. + diff --git a/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml b/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml new file mode 100644 index 00000000..a0c2b3bb --- /dev/null +++ b/keystone-moon/releasenotes/notes/is-admin-24b34238c83b3a82.yaml @@ -0,0 +1,14 @@ +--- +features: + - > + [`bug 96869 <https://bugs.launchpad.net/keystone/+bug/968696>`_] + A pair of configuration options have been added to the ``[resource]`` + section to specify a special ``admin`` project: + ``admin_project_domain_name`` and ``admin_project_name``. If these are + defined, any scoped token issued for that project will have an additional + identifier ``is_admin_project`` added to the token. This identifier can then + be checked by the policy rules in the policy files of the services when + evaluating access control policy for an API. Keystone does not yet + support the ability for a project acting as a domain to be the + admin project. That will be added once the rest of the code for + projects acting as domains is merged. diff --git a/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml b/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml new file mode 100644 index 00000000..c26eeb3f --- /dev/null +++ b/keystone-moon/releasenotes/notes/ldap-conn-pool-enabled-90df94652f1ded53.yaml @@ -0,0 +1,8 @@ +--- +upgrade: + - > + The configuration options for LDAP connection pooling, `[ldap] use_pool` + and `[ldap] use_auth_pool`, are now both enabled by default. Only + deployments using LDAP drivers are affected. Additional configuration + options are available in the `[ldap]` section to tune connection pool size, + etc. diff --git a/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml b/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml new file mode 100644 index 00000000..1d097ae3 --- /dev/null +++ b/keystone-moon/releasenotes/notes/ldap-emulation-91c4d535eb9c3d10.yaml @@ -0,0 +1,8 @@ +--- +features: + - > + [`bug 1515302 <https://bugs.launchpad.net/keystone/+bug/1515302>`_] + Two new configuration options have been added to the `[ldap]` section. + `user_enabled_emulation_use_group_config` and + `project_enabled_emulation_use_group_config`, which allow deployers to + choose if they want to override the default group LDAP schema option. diff --git a/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml b/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml new file mode 100644 index 00000000..4e5f5458 --- /dev/null +++ b/keystone-moon/releasenotes/notes/list_limit-ldap-support-5d31d51466fc49a6.yaml @@ -0,0 +1,6 @@ +--- +features: + - > + [`bug 1501698 <https://bugs.launchpad.net/keystone/+bug/1501698>`_] + Support parameter `list_limit` when LDAP is used as + identity backend. diff --git a/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml b/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml new file mode 100644 index 00000000..267ece71 --- /dev/null +++ b/keystone-moon/releasenotes/notes/list_role_assignment_names-33aedc1e521230b6.yaml @@ -0,0 +1,7 @@ +--- +features: + - > + [`bug 1479569 <https://bugs.launchpad.net/keystone/+bug/1479569>`_] + Names have been added to list role assignments + (GET /role_assignments?include_names=True), rather than returning + just the internal IDs of the objects the names are also returned. diff --git a/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml b/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml new file mode 100644 index 00000000..c7d9d412 --- /dev/null +++ b/keystone-moon/releasenotes/notes/migration_squash-f655329ddad7fc2a.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - > + [`bug 1541092 <https://bugs.launchpad.net/keystone/+bug/1541092>`_] + Only database upgrades from Kilo and newer are supported. diff --git a/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml b/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml new file mode 100644 index 00000000..a449ad67 --- /dev/null +++ b/keystone-moon/releasenotes/notes/no-default-domain-2161ada44bf7a3f7.yaml @@ -0,0 +1,7 @@ +--- +other: + - > + ``keystone-manage db_sync`` will no longer create the Default domain. This + domain is used as the domain for any users created using the legacy v2.0 + API. A default domain is created by ``keystone-manage bootstrap`` and when + a user or project is created using the legacy v2.0 API. diff --git a/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml b/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml new file mode 100644 index 00000000..d80ab826 --- /dev/null +++ b/keystone-moon/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - Support has now been added to send notification events + on user/group membership. When a user is added or removed + from a group a notification will be sent including the + identifiers of both the user and the group. diff --git a/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml b/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml new file mode 100644 index 00000000..dc989154 --- /dev/null +++ b/keystone-moon/releasenotes/notes/oslo.cache-a9ce47bfa8809efa.yaml @@ -0,0 +1,17 @@ +--- +upgrade: + - > + Keystone now uses oslo.cache. Update the `[cache]` section of + `keystone.conf` to point to oslo.cache backends: + ``oslo_cache.memcache_pool`` or ``oslo_cache.mongo``. Refer to the + sample configuration file for examples. See `oslo.cache + <http://docs.openstack.org/developer/oslo.cache>`_ for additional + documentation. +deprecations: + - > + [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_] + ``keystone.common.cache.backends.memcache_pool``, + ``keystone.common.cache.backends.mongo``, and + ``keystone.common.cache.backends.noop`` are deprecated in favor of + oslo.cache backends. The keystone backends will be removed in the 'O' + release. diff --git a/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml b/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml new file mode 100644 index 00000000..7845df9a --- /dev/null +++ b/keystone-moon/releasenotes/notes/projects_as_domains-3ea8a58b4c2965e1.yaml @@ -0,0 +1,7 @@ +--- +features: + - Domains are now represented as top level projects with the attribute + `is_domain` set to true. Such projects will appear as parents for any + previous top level projects. Projects acting as domains can be created, + read, updated, and deleted via either the project API or the domain API + (V3 only). diff --git a/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml b/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml new file mode 100644 index 00000000..0c591dcc --- /dev/null +++ b/keystone-moon/releasenotes/notes/remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml @@ -0,0 +1,4 @@ +--- +other: + - The ability to validate a trust-scoped token against the v2.0 API has been + removed, in favor of using the version 3 of the API. diff --git a/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml b/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml new file mode 100644 index 00000000..b0964c95 --- /dev/null +++ b/keystone-moon/releasenotes/notes/removed-as-of-mitaka-9ff14f87d0b98e7e.yaml @@ -0,0 +1,44 @@ +--- +other: + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + Removed ``extras`` from token responses. These fields should not be + necessary and a well-defined API makes this field redundant. This was + deprecated in the Kilo release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + Removed ``RequestBodySizeLimiter`` from keystone middleware. The keystone + team suggests using ``oslo_middleware.sizelimit.RequestBodySizeLimiter`` + instead. This was deprecated in the Kilo release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + Notifications with event_type ``identity.created.role_assignment`` and + ``identity.deleted.role_assignment`` have been removed. The keystone team + suggests listening for ``identity.role_assignment.created`` and + ``identity.role_assignment.deleted`` instead. This was deprecated in the + Kilo release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + Removed ``check_role_for_trust`` from the trust controller, ensure policy + files do not refer to this target. This was deprecated in the Kilo + release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + Removed Catalog KVS backend (``keystone.catalog.backends.sql.Catalog``). + This was deprecated in the Icehouse release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + The LDAP backend for Assignment has been removed. This was deprecated in + the Kilo release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + The LDAP backend for Resource has been removed. This was deprecated in + the Kilo release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + The LDAP backend for Role has been removed. This was deprecated in the + Kilo release. + - > + [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_] + Removed Revoke KVS backend (``keystone.revoke.backends.kvs.Revoke``). + This was deprecated in the Juno release. diff --git a/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml b/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml new file mode 100644 index 00000000..b00153db --- /dev/null +++ b/keystone-moon/releasenotes/notes/request_context-e143ba9c446a5952.yaml @@ -0,0 +1,7 @@ +--- +features: + - > + [`bug 1500222 <https://bugs.launchpad.net/keystone/+bug/1500222>`_] + Added information such as: user ID, project ID, and domain ID to log + entries. As a side effect of this change, both the user's domain ID and + project's domain ID are now included in the auth context. diff --git a/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml b/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml new file mode 100644 index 00000000..cc28c7f3 --- /dev/null +++ b/keystone-moon/releasenotes/notes/revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml @@ -0,0 +1,12 @@ +fixes: + - > + [`bug 1527759 <https://bugs.launchpad.net/keystone/+bug/1527759>`_] + Reverted the change that eliminates the ability to get + a V2 token with a user or project that is not in the + default domain. This change broke real-world deployments + that utilized the ability to authenticate via V2 API + with a user not in the default domain or with a + project not in the default domain. The deployer + is being convinced to update code to properly handle + V3 auth but the fix broke expected and tested + behavior. diff --git a/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml b/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml new file mode 100644 index 00000000..85fcd6d8 --- /dev/null +++ b/keystone-moon/releasenotes/notes/s3-aws-v4-c6cb75ce8d2289d4.yaml @@ -0,0 +1,6 @@ +--- +features: + - > + [`bug 1473042 <https://bugs.launchpad.net/keystone/+bug/1473042>`_] + Keystone's S3 compatibility support can now authenticate using AWS + Signature Version 4. diff --git a/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml b/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml new file mode 100644 index 00000000..fcfdb049 --- /dev/null +++ b/keystone-moon/releasenotes/notes/totp-40d93231714c6a20.yaml @@ -0,0 +1,9 @@ +--- +features: + - > + [`blueprint totp-auth <https://blueprints.launchpad.net/keystone/+spec/totp-auth>`_] + Keystone now supports authenticating via Time-based One-time Password (TOTP). + To enable this feature, add the ``totp`` auth plugin to the `methods` + option in the `[auth]` section of `keystone.conf`. More information + about using TOTP can be found in `keystone's developer documentation + <http://docs.openstack.org/developer/keystone/auth-totp.html>`_. diff --git a/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml b/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml new file mode 100644 index 00000000..ae184605 --- /dev/null +++ b/keystone-moon/releasenotes/notes/v3-endpoints-in-v2-list-b0439816938713d6.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - > + [`bug 1480270 <https://bugs.launchpad.net/keystone/+bug/1480270>`_] + Endpoints created when using v3 of the keystone REST API will now be + included when listing endpoints via the v2.0 API. diff --git a/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml b/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml new file mode 100644 index 00000000..7db04c81 --- /dev/null +++ b/keystone-moon/releasenotes/notes/v9FederationDriver-cbebcf5f97e1eae2.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - The V8 Federation driver interface is deprecated in favor of the V9 + Federation driver interface. Support for the V8 Federation driver + interface is planned to be removed in the 'O' release of OpenStack. diff --git a/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml b/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml new file mode 100644 index 00000000..421acd6d --- /dev/null +++ b/keystone-moon/releasenotes/notes/x509-auth-df0a229780b8e3ff.yaml @@ -0,0 +1,6 @@ +--- +features: + - > + [`blueprint x509-ssl-client-cert-authn <https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-cert-authn>`_] + Keystone now supports tokenless client SSL x.509 certificate authentication + and authorization. |