From 2e7b4f2027a1147ca28301e4f88adf8274b39a1f Mon Sep 17 00:00:00 2001
From: DUVAL Thomas <thomas.duval@orange.com>
Date: Thu, 9 Jun 2016 09:11:50 +0200
Subject: Update Keystone core to Mitaka.

Change-Id: Ia10d6add16f4a9d25d1f42d420661c46332e69db
---
 .../notes/add-bootstrap-cli-192500228cc6e574.yaml       | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml

(limited to 'keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml')

diff --git a/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml
new file mode 100644
index 00000000..997ee64a
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml
@@ -0,0 +1,17 @@
+---
+features:
+  - >
+    [`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_]
+    keystone-manage now supports the bootstrap command
+    on the CLI so that a keystone install can be
+    initialized without the need of the admin_token
+    filter in the paste-ini.
+security:
+  - The use of admin_token filter is insecure compared
+    to the use of a proper username/password. Historically
+    the admin_token filter has been left enabled in
+    Keystone after initialization due to the way CMS
+    systems work. Moving to an out-of-band initialization using
+    ``keystone-manage bootstrap`` will eliminate the security concerns around
+    a static shared string that conveys admin access to keystone
+    and therefore to the entire installation.
-- 
cgit 1.2.3-korg