[release-announce] [keystone] keystonemiddleware 4.12.0 (ocata)
no-reply at openstack.org
Thu Dec 15 20:16:13 UTC 2016
We are amped to announce the release of:
keystonemiddleware 4.12.0: Middleware for OpenStack Identity
This release is part of the ocata release series.
The source is available from:
http://git.openstack.org/cgit/openstack/keystonemiddleware
Download the package from:
https://pypi.python.org/pypi/keystonemiddleware
Please report issues through launchpad:
http://bugs.launchpad.net/keystonemiddleware
For more details, please see below.
4.12.0
^^^^^^
Fetching expired tokens when using a valid service token is now
allowed. This will help with long-running operations that must
continue between services for longer than the original expiry of the
token.
New Features
************
* AuthToken middleware will now allow fetching an expired token when
a valid service token is present. This service token must contain
any one of the roles specified in "service_token_roles".
* Service tokens are compared against a list of possible roles for
validity. This will ensure that only services are submitting tokens
as an "X-Service-Token". For backwards compatibility, if
"service_token_roles_required" is not set, a warning will be
emitted. To enforce the check properly, set
"service_token_roles_required" to "True". It currently defaults to
"False".
Upgrade Notes
*************
* Set "service_token_roles" to a list of roles that services may
have. The likely list is "service" or "admin". A service token is
accepted if it carries any one of the roles in "service_token_roles".
Ensure service users have one of these roles so interservice
communication continues to work correctly. When verified, set the
"service_token_roles_required" flag to "True" to enforce this
behaviour. This will become the default setting in future releases.
Deprecation Notes
*****************
* For backwards compatibility the "service_token_roles_required"
option in "[keystone_authtoken]" was added. The option defaults to
"False" and has been immediately deprecated. This will allow the
current behaviour that service tokens are validated but not checked
for roles to continue. The option should be set to "True" as soon as
possible. The option will default to "True" in a future release.
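The interaction of the two options described in these notes, as an added example that models the stated behaviour; it is not keystonemiddleware's own code. The function names, the sample ini fragments and the "member" role used in testing are assumptions made for illustration, and the service token is assumed to have already validated against Keystone.

```python
import configparser

# Constructed [keystone_authtoken] fragments (not from a real deployment).
LEGACY = "[keystone_authtoken]\nservice_token_roles = service,admin\n"
ENFORCED = LEGACY + "service_token_roles_required = True\n"


def load_policy(conf_text):
    """Read the two options named in the release notes from an ini fragment."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["keystone_authtoken"]
    raw_roles = sec.get("service_token_roles", "")
    roles = {r.strip() for r in raw_roles.split(",") if r.strip()}
    # Per the notes, the option defaults to False when it is not set.
    raw_required = sec.get("service_token_roles_required", "False")
    return roles, raw_required.strip().lower() == "true"


def evaluate(conf_text, service_roles_held, user_token_expired):
    """Model the decision for a request carrying an X-Service-Token.

    Returns (accept_as_service_token, accept_user_token, warnings).
    """
    allowed, required = load_policy(conf_text)
    role_ok = bool(allowed & set(service_roles_held))
    warnings = []
    if required:
        # Enforced mode: the token must hold one of the listed roles.
        accept_service = role_ok
    else:
        # Backwards-compatible mode: validated but not checked for roles.
        accept_service = True
        warnings.append("service_token_roles_required is not True")
    # An expired user token is fetched only when the service token
    # holds one of the roles in service_token_roles.
    accept_user = (not user_token_expired) or role_ok
    return accept_service, accept_user, warnings


if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("enforced", ENFORCED)):
        print(name, evaluate(conf, ["member"], False))
```

In the legacy fragment a token holding only a non-service role is still accepted as a service token, which is the gap that setting "service_token_roles_required" to "True" closes.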
Changes in keystonemiddleware 4.11.0..4.12.0
--------------------------------------------
4c6282f Pass ?allow_expired
7924f5d Updated from global requirements
1d930a2 clean up a few doc building warnings
29a879c Add docutils contraint on 0.13.1 to fix building
3dab9e2 Updated from global requirements
f637eee Updated from global requirements
69fcd5f Updated from global requirements
Diffstat (except docs and test files)
-------------------------------------
keystonemiddleware/auth_token/__init__.py | 101 +++++++++----
keystonemiddleware/auth_token/_identity.py | 17 ++-
keystonemiddleware/auth_token/_opts.py | 13 ++
.../unit/auth_token/test_auth_token_middleware.py | 157 ++++++++++++++++++---
.../notes/allow-expired-5ddbabcffc5678af.yaml | 30 ++++
requirements.txt | 6 +-
setup.cfg | 2 +-
test-requirements.txt | 1 +
12 files changed, 285 insertions(+), 65 deletions(-)
Requirements updates
--------------------
diff --git a/requirements.txt b/requirements.txt
index 736c3e4..cdadc0f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5 +5 @@
-keystoneauth1>=2.14.0 # Apache-2.0
+keystoneauth1>=2.16.0 # Apache-2.0
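Review bot: the keystoneauth1 minimum on line 5 moves from 2.14.0 to 2.16.0, but the upgrade notes in this release only cover the service token options. If code in this release needs the new minimum, rather than it being only a global-requirements sync, state that in the upgrade notes so packagers know the bump is a hard dependency.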
@@ -14,2 +14,2 @@ pycadf!=2.0.0,>=1.1.0 # Apache-2.0
-python-keystoneclient>=3.6.0 # Apache-2.0
-requests>=2.10.0 # Apache-2.0
+python-keystoneclient>=3.8.0 # Apache-2.0
+requests!=2.12.2,>=2.10.0 # Apache-2.0
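Review bot: the "requests!=2.12.2" exclusion on the last added line skips a single release, and the trailing comment records only the license. Add a short reason or bug reference beside the exclusion so it can be dropped once it is no longer needed; the python-keystoneclient minimum rising to 3.8.0 in the same hunk would benefit from the same rationale.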
diff --git a/test-requirements.txt b/test-requirements.txt
index ee49232..e95235b 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8,0 +9 @@ coverage>=4.0 # Apache-2.0
+docutils>=0.11,!=0.13.1 # OSI-Approved Open Source, Public Domain
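Review bot: the "!=0.13.1" exclusion on the added docutils line has its reason only in the commit subject (29a879c, to fix building). Record that reason, ideally with a bug link, in a comment in test-requirements.txt so the exclusion is removed once a docutils release builds cleanly again.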