[release-announce] [keystone] keystonemiddleware 4.12.0 (ocata)

no-reply at openstack.org no-reply at openstack.org
Thu Dec 15 20:16:13 UTC 2016


We are amped to announce the release of:

keystonemiddleware 4.12.0: Middleware for OpenStack Identity

This release is part of the ocata release series.

The source is available from:

    http://git.openstack.org/cgit/openstack/keystonemiddleware

Download the package from:

    https://pypi.python.org/pypi/keystonemiddleware

Please report issues through launchpad:

    http://bugs.launchpad.net/keystonemiddleware

For more details, please see below.

4.12.0
^^^^^^

Fetching expired tokens when using a valid service token is now
allowed. This will help with long running operations that must
continue between services longer than the original expiry of the
token.


New Features
************

* AuthToken middleware will now allow fetching an expired token when
  a valid service token is present. This service token must contain
  any one of the roles specified in "service_token_roles".

* Service tokens are compared against a list of possible roles for
  validity. This will ensure that only services are submitting tokens
  as an "X-Service-Token". For backwards compatibility, if
  "service_token_roles_required" is not set, a warning will be
  emitted. To enforce the check properly, set
  "service_token_roles_required" to "True". It currently defaults to
  "False".


Upgrade Notes
*************

* Set the "service_token_roles" to a list of roles that services may
  have. The likely list is "service" or "admin". A service token is
  accepted if it carries any one of the "service_token_roles". Ensure
  service users have one of these roles so interservice communication
  continues to work correctly. When verified, set the
  "service_token_roles_required" flag to "True" to enforce this
  behaviour. This will become the default setting in future releases.
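
The verification step in the upgrade note above can be scripted before the flag is switched on. The following is an added example, not code from keystonemiddleware or from this announcement: the function names, the sample configuration and the service-user role mapping are all constructed for illustration, and the role list is assumed to be comma-separated.

```python
import configparser

# Constructed sample of a service's configuration file (not from the page).
SAMPLE_CONF = """
[keystone_authtoken]
service_token_roles = service, admin
service_token_roles_required = False
"""

# Constructed role assignments for service users; in a real deployment this
# mapping would be exported from Keystone.
SAMPLE_SERVICE_USERS = {
    "nova": {"service"},
    "cinder": {"admin"},
    "glance": {"member"},
}


def load_authtoken_opts(conf_text):
    """Return (accepted_roles, roles_required) from [keystone_authtoken]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("keystone_authtoken"):
        return set(), False
    section = parser["keystone_authtoken"]
    # Assumption: the role list is comma-separated. This check wants it set
    # explicitly, as the upgrade note instructs, so a missing option is empty.
    raw = section.get("service_token_roles", "")
    roles = {r.strip() for r in raw.split(",") if r.strip()}
    # An unset flag is treated as False, the default stated in the notes.
    required = section.getboolean("service_token_roles_required", fallback=False)
    return roles, required


def preflight(conf_text, service_users):
    """Report which service users would be refused once roles are enforced."""
    roles, required = load_authtoken_opts(conf_text)
    blocked = sorted(u for u, have in service_users.items() if not (have & roles))
    return {
        "accepted_roles": roles,
        "enforced": required,
        "blocked_users": blocked,
        "safe_to_enforce": bool(roles) and not blocked,
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_CONF, SAMPLE_SERVICE_USERS))
```

A non-empty "blocked_users" list names the service users that need one of the accepted roles before "service_token_roles_required" is set to "True".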


Deprecation Notes
*****************

* For backwards compatibility the "service_token_roles_required"
  option in "[keystone_authtoken]" was added. The option defaults to
  "False" and has been immediately deprecated. This will allow the
  current behaviour that service tokens are validated but not checked
  for roles to continue. The option should be set to "True" as soon as
  possible. The option will default to "True" in a future release.

Changes in keystonemiddleware 4.11.0..4.12.0
--------------------------------------------

4c6282f Pass ?allow_expired
7924f5d Updated from global requirements
1d930a2 clean up a few doc building warnings
29a879c Add docutils contraint on 0.13.1 to fix building
3dab9e2 Updated from global requirements
f637eee Updated from global requirements
69fcd5f Updated from global requirements


Diffstat (except docs and test files)
-------------------------------------

keystonemiddleware/auth_token/__init__.py          | 101 +++++++++----
keystonemiddleware/auth_token/_identity.py         |  17 ++-
keystonemiddleware/auth_token/_opts.py             |  13 ++
.../unit/auth_token/test_auth_token_middleware.py  | 157 ++++++++++++++++++---
.../notes/allow-expired-5ddbabcffc5678af.yaml      |  30 ++++
requirements.txt                                   |   6 +-
setup.cfg                                          |   2 +-
test-requirements.txt                              |   1 +
12 files changed, 285 insertions(+), 65 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index 736c3e4..cdadc0f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5 +5 @@
-keystoneauth1>=2.14.0 # Apache-2.0
+keystoneauth1>=2.16.0 # Apache-2.0
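Review bot: the keystoneauth1 floor on line 5 rises from 2.14.0 to 2.16.0 with nothing in the hunk saying why. If the "Pass ?allow_expired" change in this release depends on the newer library, state that in the commit message so packagers can tell a hard requirement from a routine global-requirements sync.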
@@ -14,2 +14,2 @@ pycadf!=2.0.0,>=1.1.0 # Apache-2.0
-python-keystoneclient>=3.6.0 # Apache-2.0
-requests>=2.10.0 # Apache-2.0
+python-keystoneclient>=3.8.0 # Apache-2.0
+requests!=2.12.2,>=2.10.0 # Apache-2.0
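Review bot: the new "!=2.12.2" exclusion on the requests line carries only the licence comment, so nothing records why that single version is blocked. Add a reference to the bug that motivated it so the exclusion can be dropped once it no longer applies, and give the same justification for raising python-keystoneclient to 3.8.0 in this hunk.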
diff --git a/test-requirements.txt b/test-requirements.txt
index ee49232..e95235b 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8,0 +9 @@ coverage>=4.0 # Apache-2.0
+docutils>=0.11,!=0.13.1 # OSI-Approved Open Source, Public Domain
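Review bot: the added docutils line excludes 0.13.1 but has no pointer to the build failure it works around; the trailing comment only states the licence. Link the upstream issue next to the constraint, and since docutils was not listed before this hunk, confirm the ">=0.11" floor is the version the doc build has actually been tested with.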




