[release-announce] [keystone] keystone 11.0.0 (ocata)

no-reply at openstack.org no-reply at openstack.org
Wed Feb 22 13:46:01 UTC 2017


We jubilantly announce the release of:

keystone 11.0.0: OpenStack Identity

This release is part of the ocata release series.

Download the package from:

    https://tarballs.openstack.org/keystone/

For more details, please see below.

11.0.0
^^^^^^

* The default token provider is now Fernet.

* The PKI and PKIz token formats have been removed. See "Other Notes"
  for more details.

* Support for writing to LDAP has been removed. See "Other Notes"
  for more details.


New Features
************

* [blueprint allow-expired
  (https://blueprints.launchpad.net/keystone/+spec/allow-expired)] An
  *allow_expired* flag is added to the token validation call
  ("GET/HEAD  /v3/auth/tokens") that allows fetching a token that has
  expired. This allows for validating tokens in long running
  operations.

* [blueprint password-expires-validation
  (https://blueprints.launchpad.net/keystone/+spec/password-expires-validation)]
  Token responses will now have a "password_expires_at" field in the
  "user" object. This can be expressed briefly as:

     {"token": {"user": {"password_expires_at": null}}}

  If PCI support is enabled, via the "[security_compliance]"
  configuration options, then the "password_expires_at" field will be
  populated with a timestamp. Otherwise, it will default to "null",
  indicating the password does not expire.

* [blueprint pci-dss-notifications
  (https://blueprints.launchpad.net/keystone/+spec/pci-dss-notifications)]
  CADF notifications now extend to PCI-DSS events. A
  "reason" object is added to the notification. A "reason" object has
  both a "reasonType" (a short description of the reason) and
  "reasonCode" (the HTTP return code). The following events will be
  impacted:

     * If a user does not change their passwords at least once every
       X days. See "[security_compliance] password_expires_days".

     * If a user is locked out after many failed authentication
       attempts. See "[security_compliance] lockout_failure_attempts".

     * If a user submits a new password that was recently used. See
       "[security_compliance] unique_last_password_count".

     * If a password does not meet the specified criteria. See
       "[security_compliance] password_regex".

     * If a user attempts to change their password too often. See
       "[security_compliance] minimum_password_age".

  For additional details see: event notifications
  (https://docs.openstack.org/developer/keystone/event_notifications.html)

* [blueprint pci-dss-password-requirements-api
  (https://blueprints.launchpad.net/keystone/+spec/pci-dss-password-requirements-api)]
  Added a new API
  ("/v3/domains/{domain_id}/config/security_compliance") to retrieve
  regular expression requirements for passwords. Specifically,
  "[security_compliance] password_regex" and "[security_compliance]
  password_regex_description" will be returned. Note that these
  options are only meaningful if PCI support is enabled, via various
  "[security_compliance]" configuration options.

* [blueprint pci-dss-query-password-expired-users
  (https://blueprints.launchpad.net/keystone/+spec/pci-dss-query-password-expired-users)]
  Added a "password_expires_at" query to "/v3/users" and
  "/v3/groups/{group_id}/users". The "password_expires_at" query is
  comprised of two parts, an "operator" (valid choices listed below)
  and a "timestamp" (of form "YYYY-MM-DDTHH:mm:ssZ"). The APIs will
  filter the list of users based on the "operator" and "timestamp"
  given.

     * lt - password expires before the timestamp

     * lte - password expires at or before the timestamp

     * gt - password expires after the timestamp

     * gte - password expires at or after the timestamp

     * eq - password expires at the timestamp

     * neq - password expires not at the timestamp

* [blueprint per-user-auth-plugin-reqs
  (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs)]
  Per-user Multi-Factor-Auth rules (MFA Rules) have been implemented.
  These rules define which auth methods can be used (e.g. Password,
  TOTP) and provide the ability to require multiple auth forms to
  successfully get a token.

  The MFA rules are set via the user create and update API
  ("POST/PATCH /v3/users") call; the options allow an admin to force a
  user to use specific forms of authentication or combinations of
  forms of authentication to get a token. The rules are specified as
  follows:

     user["options"]["multi_factor_auth_rules"] = [["password", "totp"], ["password", "custom-auth-method"]]

  The rules are specified as a list of lists. The elements of the sub-
  lists must be strings and are intended to mirror the required
  authentication method names (e.g. "password", "totp", etc) as
  defined in the "keystone.conf" file in the "[auth] methods" option.

  Each list of methods specifies a rule. If the auth methods provided
  by a user match (or exceed) the auth methods in the list, that rule
  is used. The first rule found (rules will not be processed in a
  specific order) that matches will be used. If a user has the ruleset
  defined as "[["password", "totp"]]" the user must provide both
  password and totp auth methods (and both methods must succeed) to
  receive a token. However, if a user has a ruleset defined as
  "[["password"], ["password", "totp"]]" the user may use the
  "password" method on its own but would be required to use both
  "password" and "totp" if "totp" is specified at all.

  Any auth methods that are not defined in "keystone.conf" in the
  "[auth] methods" option are ignored when the rules are processed.
  Empty rules are not allowed. If a rule is empty due to no valid auth
  methods existing within it, the rule is discarded at authentication
  time. If there are no rules or no valid rules for the user,
  authentication occurs in the default manner: any single configured
  auth method is sufficient to receive a token.

  In the case a user should be exempt from MFA Rules, regardless of
  whether they are set, the User-Option "multi_factor_auth_enabled"
  may be set to "False" for that user via the user create and update
  API ("POST/PATCH /v3/users") call. If this option is set to "False"
  the MFA rules will be ignored for the user. Any other value except
  "False" will result in the MFA Rules being processed; the option can
  only be a boolean ("True" or "False") or "None" (which will result
  in the default behavior (same as "True"), but the option will no
  longer be shown in the "user["options"]" dictionary).

  To mark a user exempt from the MFA Rules:

     user["options"]["multi_factor_auth_enabled"] = False

  The "token" auth method typically should not be specified in any MFA
  Rules. The "token" auth method will include all previous auth
  methods for the original auth request and will match the appropriate
  ruleset. This is intentional, as the "token" method is used for
  rescoping/changing active projects.

  SECURITY INFO: The MFA rules are only processed when authentication
  happens through the V3 authentication APIs. If V2 Auth is enabled it
  is possible to circumvent the MFA rules if the user can authenticate
  via V2 Auth API. It is recommended to disable V2 authentication for
  full enforcement of the MFA rules.

* [blueprint manage-migration
  (https://blueprints.launchpad.net/keystone/+spec/manage-migration)]
  The federated identity mapping engine now supports the ability to
  automatically provision "projects" for "federated users". A role
  assignment will automatically be created for the user on the
  specified project. If the project specified within the mapping does
  not exist, it will be automatically created in the "domain"
  associated with the "identity provider". This behavior can be
  triggered using a specific syntax within the "local" rules section
  of a mapping. For more information see: mapping combinations
  (https://docs.openstack.org/developer/keystone/federation/federated_identity.html#mapping-combinations)

* [blueprint support-federated-attr
  (https://blueprints.launchpad.net/keystone/+spec/support-federated-attr)]
  Added new filters to the *list user* API ("GET /v3/users") to
  support querying federated identity attributes: "idp_id",
  "protocol_id", and "unique_id".

* [bug 1638603 (https://bugs.launchpad.net/keystone/+bug/1638603)]
  Add support for nested groups in Active Directory. A new boolean
  option "[ldap] group_ad_nesting" has been added; it defaults to
  "False". Enable the option if using Active Directory with nested
  groups. This option will impact the "list_users_in_group",
  "list_groups_for_user", and "check_user_in_group" operations.

* [bug 1641645 (https://bugs.launchpad.net/keystone/+bug/1641645)]
  RBAC protection was removed from the *Self-service change user
  password* API ("/v3/user/$user_id/password"), meaning a user can
  now change their password without a token specified in the
  "X-Auth-Token" header. This change will allow a user with an expired
  password to update their password without the need of an
  administrator.

* [bug 1641654 (https://bugs.launchpad.net/keystone/+bug/1641654)]
  The "healthcheck" middleware from *oslo.middleware* has been added
  to the keystone application pipelines by default. This middleware
  provides a common method to check the health of keystone. Refer to
  the example paste provided in "keystone-paste.ini" to see how to
  include the "healthcheck" middleware.

* [bug 1641816 (https://bugs.launchpad.net/keystone/+bug/1641816)]
  The "[token] cache_on_issue" option is now enabled by default. This
  option has no effect unless global caching and token caching are
  enabled.

* [bug 1642348 (https://bugs.launchpad.net/keystone/+bug/1642348)]
  Added new option "[security_compliance] lockout_ignored_user_ids" to
  allow deployers to specify users that are exempt from PCI lockout
  rules.

* [Bug 1645487 (https://bugs.launchpad.net/keystone/+bug/1645487)]
  Added a new PCI-DSS feature that will require users to immediately
  change their password upon first use for new users and after an
  administrative password reset. The new feature can be enabled by
  setting "[security_compliance] change_password_upon_first_use" to
  "True".
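
The per-user MFA rule matching described in the per-user-auth-plugin-reqs item above, as an added Python example that follows the release note's wording and is not keystone's own code. The function names and the sample "[auth] methods" list are assumptions; `weakened_rules` shows that a rule naming an unconfigured method shrinks to its remaining methods.

```python
# Added illustration of the MFA rule matching described in the release note.
# Not keystone's implementation: function names are hypothetical, and the
# configured method list below is a constructed sample.

CONFIGURED_METHODS = ["password", "totp", "token"]  # sample "[auth] methods"


def usable_rules(rules, configured_methods):
    """Drop unconfigured methods from each rule, then discard empty rules."""
    configured = set(configured_methods)
    cleaned = []
    for rule in rules or []:
        kept = frozenset(method for method in rule if method in configured)
        if kept:
            cleaned.append(kept)
    return cleaned


def mfa_satisfied(user_options, succeeded_methods,
                  configured_methods=CONFIGURED_METHODS):
    """Decide whether the methods that succeeded are enough for a token."""
    succeeded = set(succeeded_methods) & set(configured_methods)
    if not succeeded:
        return False
    # Only an explicit False exempts the user; None or a missing key does not.
    if user_options.get("multi_factor_auth_enabled") is False:
        return True
    rules = usable_rules(user_options.get("multi_factor_auth_rules"),
                         configured_methods)
    if not rules:
        # No rules, or none left after filtering: any single configured
        # method is sufficient (the default manner).
        return True
    # A rule matches when the succeeded methods match or exceed it.
    return any(rule <= succeeded for rule in rules)


def weakened_rules(rules, configured_methods=CONFIGURED_METHODS):
    """Report rules that lose methods to filtering, for an admin to review."""
    configured = set(configured_methods)
    report = []
    for rule in rules:
        ignored = [m for m in rule if m not in configured]
        if ignored:
            remaining = [m for m in rule if m in configured]
            report.append({"rule": rule, "ignored": ignored,
                           "effective": remaining or None})
    return report
```

With the rule list shown in the release note and "custom-auth-method" absent from "[auth] methods", the second rule is evaluated as `["password"]`, so a password alone yields a token.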


Upgrade Notes
*************

* [blueprint allow-expired
  (https://blueprints.launchpad.net/keystone/+spec/allow-expired)] To
  allow long running operations to complete, services must be able to
  fetch expired tokens via the "allow_expired" flag. The length of
  time a token is retrievable for beyond its traditional expiry is
  managed by the "[token] allow_expired_window" option and so the data
  must be retrievable for this amount of time. When using fernet tokens
  this means that the key rotation period must exceed this time so
  that older tokens are still decryptable. Ensure that you do not
  rotate fernet keys faster than "[token] expiration" + "[token]
  allow_expired_window" seconds.

* [bug 1547684 (https://bugs.launchpad.net/keystone/+bug/1547684)] A
  minor change to the "policy.v3cloudsample.json" sample file was
  performed so the sample file loads correctly. The "cloud_admin" rule
  has changed from:

     "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)"

  To the properly written:

     "role:admin and (is_admin_project:True or domain_id:admin_domain_id)"

  Adjust configuration tools as necessary, see the "fixes" section for
  more details on this change.

* [bug 1561054 (https://bugs.launchpad.net/keystone/+bug/1561054)]
  The default token provider has switched from UUID to Fernet. Please
  note that Fernet requires a key repository to be in place prior to
  running Ocata; this can be done by running "keystone-manage
  fernet_setup". Additionally, for multi-node deployments, it is
  imperative that a key distribution process be in use before
  upgrading. Once a key repository has been created it should be
  distributed to all keystone nodes in the deployment. This ensures
  that each keystone node will be able to validate tokens issued
  across the deployment. If you do not wish to switch token formats,
  you will need to explicitly set the token provider for each node in
  the deployment by setting "[token] provider" to "uuid" in
  "keystone.conf". Documentation can be found at fernet-tokens
  (https://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet-tokens).

* [bug 1641654 (https://bugs.launchpad.net/keystone/+bug/1641654)]
  The "healthcheck" middleware from *oslo.middleware* has been added
  to the keystone application pipelines by default. The following
  section has been added to "keystone-paste.ini":

     [filter:healthcheck]
     use = egg:oslo.middleware#healthcheck

  It is recommended to have the "healthcheck" middleware first in the
  pipeline:

     pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler ...

* [bug 1641660 (https://bugs.launchpad.net/keystone/+bug/1641660)]
  The default value for "[DEFAULT] notification_format" has been
  changed from "basic" to "cadf". The CADF notifications have more
  information about the user that initiated the request.

* [bug 1641660 (https://bugs.launchpad.net/keystone/+bug/1641660)]
  The default value for "[DEFAULT] notification_opt_out" has been
  changed to include: "identity.authenticate.success",
  "identity.authenticate.pending" and "identity.authenticate.failed".
  If a deployment relies on these notifications, then override the
  default setting.

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)]
  Upon a successful upgrade, all existing "identity providers" will
  now be associated with an automatically created domain. Each
  "identity provider" that existed prior to the *Ocata* release will
  now have a "domain_id" field. The new domain will have an "id"
  (random UUID), a "name" (that will match the "identity provider"
  ID), and be "enabled" by default.

* [Related to Bug 1649446
  (https://bugs.launchpad.net/keystone/+bug/1649446)] The
  "identity:list_revoke_events" rule has been changed in both sample
  policy files, "policy.json" and "policy.v3cloudsample.json". From:

     "identity:list_revoke_events": ""

  To:

     "identity:list_revoke_events": "rule:service_or_admin"
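
A pre-upgrade check covering several of the upgrade notes above (the Fernet default provider, key rotation against "[token] expiration" + "[token] allow_expired_window", the new "notification_opt_out" default, and the two sample policy rules), as an added Python example that is not part of the release notes or of keystone. The function name, finding ids, sample inputs and the two fallback defaults are assumptions of this example.

```python
import configparser
import json

# Added example, not part of keystone. These fallbacks are this example's
# assumptions for options that are absent from keystone.conf.
DEFAULT_EXPIRATION = 3600
DEFAULT_ALLOW_EXPIRED_WINDOW = 172800

# Constructed pre-upgrade inputs.
SAMPLE_CONF = """
[DEFAULT]
notification_format = basic

[token]
expiration = 3600
"""

SAMPLE_POLICY = json.dumps({
    "cloud_admin": "role:admin and (token.is_admin_project:True or "
                   "domain_id:admin_domain_id)",
    "identity:list_revoke_events": "",
})


def audit_upgrade(conf_text, policy_text, rotation_interval_s):
    """Return (finding_id, message) tuples for the upgrade notes above."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(conf_text)
    policy = json.loads(policy_text)
    findings = []

    provider = conf.get("token", "provider", fallback=None)
    if provider is None:
        findings.append((
            "fernet-default-provider",
            "[token] provider is unset: the default is now fernet, so run "
            "keystone-manage fernet_setup and distribute the key repository, "
            "or set the provider to uuid explicitly."))
    if provider in (None, "fernet"):
        expiration = conf.getint("token", "expiration",
                                 fallback=DEFAULT_EXPIRATION)
        window = conf.getint("token", "allow_expired_window",
                             fallback=DEFAULT_ALLOW_EXPIRED_WINDOW)
        needed = expiration + window
        if rotation_interval_s < needed:
            findings.append((
                "fernet-rotation-too-fast",
                "keys rotate every %d s but tokens must stay decryptable "
                "for %d s (expiration + allow_expired_window)."
                % (rotation_interval_s, needed)))

    if "notification_opt_out" not in conf.defaults():
        findings.append((
            "auth-notifications-opted-out",
            "[DEFAULT] notification_opt_out is unset: identity.authenticate.* "
            "notifications are now opted out by default; override it if "
            "monitoring relies on them."))

    if policy.get("identity:list_revoke_events") == "":
        findings.append((
            "revoke-events-open",
            "identity:list_revoke_events is empty; the sample policy now "
            "uses rule:service_or_admin."))
    if "token.is_admin_project" in policy.get("cloud_admin", ""):
        findings.append((
            "cloud-admin-rule-typo",
            "cloud_admin uses token.is_admin_project; the corrected sample "
            "uses is_admin_project."))
    return findings


if __name__ == "__main__":
    # Daily key rotation against the constructed samples.
    for finding_id, message in audit_upgrade(SAMPLE_CONF, SAMPLE_POLICY, 86400):
        print(finding_id + ": " + message)
```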


Deprecation Notes
*****************

* [bug 1659995 (https://bugs.launchpad.net/keystone/+bug/1659995)]
  The config option "[security_compliance]
  ignore_password_expires_user_ids" has been deprecated in favor of
  using the option value set, available via the user create and update
  API call.

* [blueprint deprecated-as-of-ocata
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-ocata)]
  The catalog backend "endpoint_filter.sql" has been deprecated in
  the *Ocata* release; it has been consolidated with the
  "sql" backend. It is recommended to replace the
  "endpoint_filter.sql" catalog backend with the "sql" backend. The
  "endpoint_filter.sql" backend will be removed in the *Pike* release.

* [blueprint deprecated-as-of-ocata
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-ocata)]
  Various KVS backends and config options have been deprecated
  and will be removed in the *Pike* release. This includes:

     * "keystone.common.kvs.backends.inmemdb.MemoryBackend"

     * "keystone.common.kvs.backends.memcached.MemcachedBackend"

     * "keystone.token.persistence.backends.kvs.Token"

     * all config options under "[kvs]" in *keystone.conf*

     * the config option "[memcached] servers" in *keystone.conf*


Critical Issues
***************

* [bug 1561054 (https://bugs.launchpad.net/keystone/+bug/1561054)]
  If upgrading to Fernet tokens, you must have a key repository and
  key distribution mechanism in place, otherwise token validation may
  not work. Please see the upgrade section for more details.


Security Issues
***************

* [bug 1650676 (https://bugs.launchpad.net/keystone/+bug/1656076)]
  Authentication plugins now require "AuthContext" objects to be
  used. This has added security features to ensure information such as
  the "user_id" does not change between authentication methods being
  processed by the server. The
  "keystone.controllers.Auth.authenticate" method now requires the
  argument "auth_context" to be an actual "AuthContext" object.


Bug Fixes
*********

* [bug 1524030 (https://bugs.launchpad.net/keystone/+bug/1524030)]
  During token validation we have reduced the number of revocation
  events returned, only returning a subset of events relevant to the
  token, thus improving overall token validation performance.

* [bug 1651989 (https://bugs.launchpad.net/keystone/+bug/1651989)]
  Due to "bug 1547684", when using the "policy.v3cloudsample.json"
  sample file, a domain admin token was being treated as a cloud
  admin. Since the "is_admin_project" functionality only supports
  project-scoped tokens, we automatically set any domain scoped token
  to have the property "is_admin_project" to "False".

  [bug 1547684 (https://bugs.launchpad.net/keystone/+bug/1547684)] A
  typo in the "policy.v3cloudsample.json" sample file was causing
  *oslo.policy* to not load the file. See the "upgrades" section for
  more details.

* [bug 1571878 (https://bugs.launchpad.net/keystone/+bug/1571878)] A
  valid "mapping_id" is now required when creating or updating a
  federation protocol. If the "mapping_id" does not exist, a "400 -
  Bad Request" will be returned.

* [bug 1616424 (https://bugs.launchpad.net/keystone/+bug/1616424)]
  Provide better exception messages when creating OAuth request tokens
  and OAuth access tokens via the "/v3/OS-OAUTH1/request_token" and
  "/v3/OS-OAUTH1/access_token" APIs, respectively.

* [bug 1622310 (https://bugs.launchpad.net/keystone/+bug/1622310)]
  Trusts will now be invalidated if: the project to which the trust is
  scoped, or the user (trustor or trustee) for which the delegation is
  assigned, has been deleted.

* [bug 1636950 (https://bugs.launchpad.net/keystone/+bug/1636950)]
  New option "[ldap] connection_timeout" allows a deployer to set an
  "OPT_NETWORK_TIMEOUT" value to use with the LDAP server. This allows
  the LDAP server to return a "SERVER_DOWN" exception if the LDAP URL
  is incorrect or if there is a connection failure. By default, the
  value for "[ldap] connection_timeout" is -1, meaning it is disabled.
  Set a positive value (in seconds) to enable the option.

* [bug 1642457 (https://bugs.launchpad.net/keystone/+bug/1642457)]
  Handle disk write and IO failures when rotating keys for Fernet
  tokens. Rather than creating empty keys, properly catch and log
  errors when unable to write to disk.

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)]
  When registering an "identity provider" via the OS-FEDERATION API,
  it is now recommended to include a "domain_id" to associate with the
  "identity provider" in the request. Federated users that
  authenticate with the "identity provider" will now be associated
  with the "domain_id" specified. If no "domain_id" is specified, then
  a domain will be automatically created.

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)]
  Users that authenticate with an "identity provider" will now have a
  "domain_id" attribute, that is associated with the "identity
  provider".

* [bug 1642692 (https://bugs.launchpad.net/keystone/+bug/1642692)]
  When a *federation protocol* is deleted, all users that
  authenticated with the *federation protocol* will also be deleted.

* [bug 1649138 (https://bugs.launchpad.net/keystone/+bug/1649138)]
  When using LDAP as an identity backend, the initial bind will now
  occur upon creation of a connection object, i.e. early on when
  performing LDAP queries, no matter whether the bind is authenticated
  or anonymous, so that any connection errors can be handled correctly
  and early.

* [Bug 1649446 (https://bugs.launchpad.net/keystone/+bug/1651989)]
  The default policy for listing revocation events has changed.
  Previously, any authenticated user could list revocation events; it
  is now, by default, an admin or service user only function. This can
  be changed by modifying the policy file being used by keystone.

* [bug 1656076 (https://bugs.launchpad.net/keystone/+bug/1656076)]
  The various plugins under "keystone.controllers.Auth.authenticate"
  now require "AuthContext" objects to be returned.

* [bug 1659995 (https://bugs.launchpad.net/keystone/+bug/1659995)]
  New options have been made available via the user create and update
  API ("POST/PATCH /v3/users") call; the options will allow an admin
  to mark users as exempt from certain PCI requirements via an API.

  Set the following user attributes to "True" or "False" in an API
  request. To mark a user as exempt from the PCI password lockout
  policy:

     user['options']['ignore_lockout_failure_attempts']

  To mark a user as exempt from the PCI password expiry policy:

     user['options']['ignore_password_expiry']

  To mark a user as exempt from the PCI reset policy:

     user['options']['ignore_change_password_upon_first_use']


Other Notes
***********

* [bug 1017606 (https://bugs.launchpad.net/keystone/+bug/1017606)]
  The signatures of the "get_catalog" and "get_v3_catalog" methods of
  "keystone.catalog.backends.base.CatalogDriverBase" have been
  updated. Third-party extensions that extend the abstract class
  ("CatalogDriverBase") should be updated according to the new
  parameter names. The method signatures have changed from:

     get_catalog(self, user_id, tenant_id)
     get_v3_catalog(self, user_id, tenant_id)

  to:

     get_catalog(self, user_id, project_id)
     get_v3_catalog(self, user_id, project_id)

* [bug 1524030 (https://bugs.launchpad.net/keystone/+bug/1524030)]
  The signature on the "list_events" method of
  "keystone.revoke.backends.base.RevokeDriverBase" has been updated.
  Third-party extensions that extend the abstract class
  ("RevokeDriverBase") should update their code according to the new
  parameter names. The method signature has changed from:

     list_events(self, last_fetch=None)

  to:

     list_events(self, last_fetch=None, token=None)

* [bug 1563101 (https://bugs.launchpad.net/keystone/+bug/1563101)]
  The token provider driver interface has moved from
  "keystone.token.provider.Provider" to
  "keystone.token.providers.base.Provider". If implementing a custom
  token provider, subclass from the new location.

* [bug 1582585 (https://bugs.launchpad.net/keystone/+bug/1582585)] A
  new method "get_domain_mapping_list" was added to
  "keystone.identity.mapping_backends.base.MappingDriverBase". Third-
  party extensions that extend the abstract class
  ("MappingDriverBase") should implement this new method. The method
  has the following signature:

     get_domain_mapping_list(self, domain_id)

  and will return a list of mappings for a given domain ID.

* [bug 1611102 (https://bugs.launchpad.net/keystone/+bug/1611102)]
  The methods "list_endpoints_for_policy()" and
  "get_policy_for_endpoint()" have been removed from the
  "keystone.endpoint_policy.backends.base.EndpointPolicyDriverBase"
  abstract class; they were unused.

* [bug 1622310 (https://bugs.launchpad.net/keystone/+bug/1622310)] A
  new method "delete_trusts_for_project" has been added to
  "keystone.trust.backends.base.TrustDriverBase". Third-party
  extensions that extend the abstract class ("TrustDriverBase") should
  be updated according to the new parameter names. The signature for
  the new method is:

     delete_trusts_for_project(self, project_id)

* [bug 1642687 (https://bugs.launchpad.net/keystone/+bug/1642687)]
  The signature on the "create_federated_user" method of
  "keystone.identity.shadow_backends.base.ShadowUsersDriverBase" has
  been updated.

  Third-party extensions that extend the abstract class
  ("ShadowUsersDriverBase") should be updated according to the new
  parameter names.

  The method signature has changed from:

     create_federated_user(self, federated_dict)

  to:

     create_federated_user(self, domain_id, federated_dict)

* [bug 1659730 (https://bugs.launchpad.net/keystone/+bug/1659730)]
  The signature on the "authenticate" method of
  "keystone.auth.plugins.base.AuthMethodHandler" has been updated.
  Third-party extensions that extend the abstract class
  ("AuthMethodHandler") should update their code according to the new
  parameter names. The method signature has changed from:

     authenticate(self, context, auth_payload, auth_context)

  to:

     authenticate(self, request, auth_payload, auth_context)

* PKI and PKIz token formats have been removed in favor of Fernet
  tokens.

* Write support for LDAP has been removed in favor of read-only
  support. The following operations are no longer supported for LDAP:

     * "create user"

     * "create group"

     * "delete user"

     * "delete group"

     * "update user"

     * "update group"

     * "add user to group"

     * "remove user from group"

* Routes and SQL backends for the contrib extensions have been
  removed; they have been incorporated into keystone and are no longer
  optional. This affects:

     * "keystone/contrib/admin_crud"

     * "keystone/contrib/endpoint_filter"

     * "keystone/contrib/federation"

     * "keystone/contrib/oauth1"

     * "keystone/contrib/revoke"

     * "keystone/contrib/simple_cert"

     * "keystone/contrib/user_crud"

* Keystone cache backends have been removed in favor of their
  *oslo.cache* counterpart. This affects:

     * "keystone/common/cache/backends/mongo"

     * "keystone/common/cache/backends/memcache_pool"

     * "keystone/common/cache/backends/noop"

* Several token validation methods from the abstract class
  "keystone.token.providers.base.Provider" were removed (see below) in
  favor of a single method to validate tokens ("validate_token"), that
  has the signature "validate_token(self, token_ref)". If using a
  custom token provider, update the custom provider accordingly.

     * "validate_v2_token"

     * "validate_v3_token"

     * "validate_non_persistent_token"

* Several token issuance methods from the abstract class
  "keystone.token.providers.base.Provider" were removed (see below) in
  favor of a single method to issue tokens ("issue_token"). If using a
  custom token provider, update the custom provider accordingly.

     * "issue_v2_token"

     * "issue_v3_token"

* The "[DEFAULT] domain_id_immutable" configuration option has been
  removed in favor of strictly immutable domain IDs.

* The "[endpoint_policy] enabled" configuration option has been
  removed in favor of always enabling the endpoint policy extension.

* The auth plugin "keystone.auth.plugins.saml2.Saml2" has been
  removed in favor of the auth plugin
  "keystone.auth.plugins.mapped.Mapped".

* The "memcache" and "memcache_pool" token persistence backends have
  been removed in favor of using Fernet tokens (which require no
  persistence).

* The "httpd/keystone.py" file has been removed in favor of the
  "keystone-wsgi-admin" and "keystone-wsgi-public" scripts.

* The "keystone/service.py" file has been removed; the logic has
  been moved to "keystone/version/service.py".

* The check for admin token from "build_auth_context" middleware has
  been removed. If your deployment requires the use of *admin token*,
  update "keystone-paste.ini" so that "admin_token_auth" is before
  "build_auth_context" in the paste pipelines, otherwise remove the
  "admin_token_auth" middleware from "keystone-paste.ini" entirely.

* The "[assignment] driver" now defaults to "sql". Logic to
  determine the default assignment driver if one wasn't supplied
  through configuration has been removed. Keystone only supports one
  assignment driver and it shouldn't be changed unless you're
  deploying a custom assignment driver.

* The "[resource] driver" now defaults to "sql". Logic to determine
  the default resource driver if one wasn't supplied through
  configuration has been removed. Keystone only supports one resource
  driver and it shouldn't be changed unless you're deploying a custom
  resource driver.

* The "[os_inherit] enabled" config option has been removed; the
  *OS-INHERIT* extension is now always enabled.

* The "[DEFAULT] domain_id_immutable" option has been removed. This
  removes the ability to change the "domain_id" attribute of users,
  groups, and projects. The behavior was introduced to allow deployers
  to migrate entities from one domain to another by updating the
  "domain_id" attribute of an entity. This functionality was
  deprecated in the Mitaka release and is now removed.

Changes in keystone 10.0.0.0rc1..11.0.0
---------------------------------------

9aa0f31 Modify the spelling mistakes
6603d40 Prepare for using standard python tests
63ab7b8 update keystone.conf.sample for ocata-rc
a64b474 Add MFA Rules Release Note
5c861c0 Remove de-dupe for MFA Rule parsing.
1328d49 Add comment to clarify resource-options jsonschema
29951be Cleanup TODO, AuthContext and AuthInfo to auth.core
1451659 Cleanup TODO about auth.controller code moved to core
1130557 Add validation that token method isn't needed in MFARules
a4c226f Add validation for mfa rule validator (storage)
b17c3a5 Process and validate auth methods against MFA rules
feac9e7 No need to enable infer_roles setting
8354fb3 Fix bad error message from FernetUtils
30d9095 Use https for docs.openstack.org references
bc787f0 Update PCI documenation
2e7c7c9 Auth Plugins pass data back via AuthHandlerResponse
5dd81b9 Auth Method Handlers now return a response object always
ab9237f Add MFA Rules and Enabled User options
28945a1 cleanup release notes from PCI options
9844fa1 Create user option `ignore_lockout_failure_attempts`
47cd729 Implement better validation for resource options
930728a Deprecate [security_compliance]\password_expires_ignore_user_ids
dce8a2c Fixes deprecations caused by latest oslo.context
0b3e59e PCI-DSS Force users to change password upon first use
5e2cc88 clean up release notes for ocata
d6a05f5 Reuse already existing groups from upstream tempest config
c2fdd3b add additional deprecation warnings for KVS options
2bb1720 Address follow-up comments from previous patchset
85e8a7b Cleanup for resource-specific options
2a79614 Adds tests showing how mapping locals are handled
9f4fbd8 Add 'options' as an explicit user schema validation
1896d1b Code-Defined Resource-specific Options
c19f243 Set the domain for federated users
6e0faa9 Refactor shadow users tests
2bd88d3 Add domain_id to the user table
6f10795 Do not call `to_dict` outside of a session context
821a4ff Remove code supporting moving resources between domains
91c2dbd Change unit test class to a less generic name
2518ca8 Remove dogpile.core dependencies
3f38162 Verbose breakup of method into seperate methods
3d06b69 Fixed unraised exception in _disallow_write for LDAP
28c70f4 Add password expiration queries for PCI-DSS
35deec2 Add missing parentheses
19c6530 Add queries for federated attributes in list_users
e9a6a84 update entry points related to paste middleware
a7b393b Remove LDAP write support
50e4ed9 Remove releated role_tree_dn test
a551b94 Add warning about using `external` with federation
3ae73b6 Allow user to change own expired password
73939d9 Fix warnings generated by os-api-ref 1.2.0
5e89f1b Improvements to external auth documentation page
5b7b146 Test cross domain authentication via implied roles
e988490 Updates to project mapping documentation
ca51177 Add documentation for auto-provisioning
9e830db Implement federated auto-provisioning
d08894d Fix typo in main docs page
9785f6a switch @hybrid_property to @property
9e1e2c2 Catch potential SyntaxError in federation mapping
7f2b7e5 Fix typo in shibboleth federation docs
3039e6c Handling of 'region' parameter as None
ee2747b Corrected punctuation on multiple exceptions
0d2f249 Exclude 'keystone_tempest_plugin' in doc build
0f3f08c Force use of AuthContext object in .authentcate()
45f7ff3 Cascade delete federated_user fk
7e69eef update sample config for ocata release
ee3eb00 Drop type in filters
03ceac6 Add DB operations tracing
066bf83 fix broken links
9602807 Changed 'Driver' reference to 'TokenDriverBase'
f2d0f8c Fix keystone-manage mapping_engine tester
f8ee249 Add anonymous bind to get_connection method
2d239cf Set connection timeout for LDAP configuration
872939d Invalid parameter name on interface
dd71d11 Bump API version and date
d4a890a listing revoke events should be admin only
1c94ae7 Adds projects mapping to the mapping engine
d42bb2d Updated docstring for test_sql_upgrade.py
b63cc5f Use public interfaces of pep8 for hacking
d4129c2 [api-ref] Clean up OS-EP-FILTER association docs
b4c97d3 Remove comment from previous migration
6e71105 [api-ref] Clean up OS-EP-FILTER documentation
ebbc06e Fixed not in toctree warnings when building docs
83b2109 Remove stevedore warning when building docs
74af136 Update docs to require domain_id when registering Identity Providers
e439476 Retry on deadlock Transactions in backend
62ae2e4 Fix region_id responses and requests to be consistent
3838cff Remove endpoint_id parameter from EP-FILTER docs
131c8c1 [api] fix ep filter example
8c190a1 Require domain_id when registering Identity Providers
41d70a6 Fix minor typo
a2a06d0 Remove references to Python 3.4
54dc086 Improve assertion in test
efb5875 Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)
42d19a0 Correct invalid rst in api docs
318a333 Fixed 7 tests running twice in v3 identity
b4012e8 Fix issues with keystone-dsvm-py35-functional-v3-only on py35
f19f131 Fix the usage of tempest.client.Manager class
ec4d055 Correct timestamp format in token responses
ddff3bd Remove unused exceptions from CADF notifications
46749a9 Minor improvement in test_user_id_persistence
663865d Remove CONF.domain_id_immutable
48864fd Fix test function name with two underscores to have only one
62fa3cd Updated from global requirements
11545b5 Fix import ordering in tempest plugins
76139d1 [api] Inconsistency between v3 API and keystone token timestamps
647b83d Federated authentication via ECP functional tests
937a1a3 Removes unnecessary utf-8 encoding
5b7c9a6 Handle disk write failure when doing Fernet key rotation
ef48072 Fix cloud_admin rule and ensure only project tokens can be cloud admin
1dbbec0 Updated from global requirements
2674918 Remove duplicate role assignment in federated setup
0145084 Remove unused variables from federation tests
a5d8069 Remove unused variables from unit test method
eff8381 Add reason to CADF notifications in docs
dbb05ae [doc] point release note docs to project team guide
1a00498 [api] set `is_admin_project` on tokens for admin project
91167ad Settings for test cases
7fe14c8 Add reason to notifications for PCI-DSS
c5eb31f Fix typo in doc
e1e3f2f fix one typo.
15c1e7a Updated from global requirements
944b3b0 Wrap invalidation region to context-local cache
eac57b8 move common sql test helpers to base class
2dfd163 Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)
52f6fe1 replace assertTrue with assertIs.
bb89d92 Replace logging with oslo_log.
3845e36 expose v3policy failure with is_admin_token
a54ab53 Add doctor checks for ldap symptoms
1000501 Implement password requirements API
ed7d2f0 Fix a typo in comment
1417939 Add unit tests for doctor token_fernet symptoms
e77a249 Remove impossible case from _option_dict method
48573a7 Make _option_dict() a method for domain_config_api
c68dc42 Add unit tests for doctor tokens symptoms
4624f47 Add checks for doctor credential symptoms
e3f55e7 Make user to nonlocal_user a 1:1 relationship
34f1201 Add id to conflict error if caused by duplicate id
76b1110 Refactors _get_names_from_role_assignments
ccf5dc7 Do not manually remove /etc/shibboleth folder
b0f9237 API Documentation for user password expires
3204796 Revert "API Documentation for user password expires"
1eb38e4 API Documentation for user password expires
b36e1c4 Clean up keystone doc landing page
e4ecc04 Add doctor tests on security_compliance and rename
48841fd Fix typo in api-ref doc
fd54718 Move V2TokenDataHelper to the v2.0 controller
8307f2c Remove exception from v2 validation path
90f2f96 Make bootstrap idempotent when it needs to be
aa97a9c Add unit tests for doctor's database symptoms
f5b6912 Print name with duplicate error on user creation
2dae412 Expose idempotency issue with bootstrap
6b16e2c Print domain name in mapping_populate error message
f12f83b Correct misspellings of secret
4de9d6b Trivial indentation corrections in mappings doc
359b10c Add doctor check for debug mode enabled
b9c8963 Fixed multiple warnings in tox -edocs
b9890f8 Get assignments with names honors inheritance flag
f84b40a Updated from global requirements
aa531a0 Add test to expose bug 1625230
fd13637 Invalidate token cache after token delete
26d40dc Revert "Rename doctor symptom in security_compliance"
812982a Domain included for role in list_role_assignment
28fd030 api-ref update for roles assignments with names
ac4f22c Rename doctor symptom in security_compliance
5fe929d Corrects sample-data incorrect credential call
8002025 Correct minor issues in test schema
cb7bfce Add unit tests for doctor federation file
3e5ead0 Remove CONF.os_inherit.enabled
bb8be1e Add unit tests for doctor's caching symptoms
65d2330 Updated from global requirements
f3d58a5 Updated from global requirements
8aa7b73 More info in schema validation error
24dd022 Minor fix in role_assignments api-ref
74942e4 Include mapped in the default auth methods
d16ec35 Validate token issue input
9e54c62 Removes unused exceptions
7310375 Removes unused method from assignment core
54b57e2 Removes unused default_assignment_driver method
4f12020 Removed unused EXTENSION_TO_ADD test declarations
71cde67 Use sha512.hash() instead of .encrypt()
df721d0 Don't invalidate all user tokens of roleless group
bd37276 Upload service provider metadata to testshib
54d2ecc Updated from global requirements
e120ac3 SAML federation docs refer to old WSGIScriptAlias
7765130 cache_on_issue default to true
7e9039b Make try/except work for passlib 1.6 and 1.7
2223374 Document token header in federation auth response
364462e Refactor Keystone admin-tokens and admin-users v2
1df211a ignore deprecation warning for .encrypt()
d9a6ead Send the identity.deleted.role_assignment after the deletion
fcebc2f Allow fetching an expired token
d51246c Show team and repo badges on README
05f2317 Remove eventlet-related call to sleep
a0104c7 Add a comment about not using assertTrue
41bb06a clean up developer docs
03319d1 Improvements in error messages
cfcf395 Remove trailing "d" from -days param of OpenSSL command
eeaa4d7 Swap the notification formats in the docs
1e6f780 Normalizes use of ForbiddenAction in trusts
165e5a9 Enable CADF notification format by default
852a518 Remove unused statements in matches
49ec1d2 Fix doc example
deeb8df Remove extension and auth_token middleware docs
4c5b15e Move docs from key_terms to architecture
0a9051b move content from configuringservices to configuration
2edc392 Update configuration.rst documentation
5ae4ca1 Verbose 401/403 debug responses
a93d03e Fix the misspelling in `keystone/tests/unit/test_cli.py`
5a930e7 refactor notification test to work with either format
ef30103 Clarify the v2.0 validation path
adb4513 Remove metadata from token provider
4f1af94 Lockout ignore user list
98b3109 Add developer docs for keystone-manage doctor
f4a30aa [api] add changelog from 3.0 -> 3.7
fbafc06 Devstack plugin to federate with testshib.org
34b0cf2 Remove entry_points to non-existent drivers
0bbc94e Fix typo in doc
5d93b99 remove release note about LDAP write removal
d3e955f Change "Change User Password" request example
3f92a97 Fixes remaining nits in endpoint_policy tests
2d540f5 Remove reference to future removal of saml
fea1936 Limits config fixture usage to where it's needed
3d513da Updated from global requirements
eff2b3b Remove format_token method
c0c23fd Remove issue_v3_token in favor of issue_token
dd1e705 Remove issue_v2_token
4c095cc refactor the token controller
e361a3a Use issue_v3_token instead of issue_v2_token
a74be79 Updates to the architecture doc
e8e56dc Support nested groups in Active Directory
eeac2cb Add healthcheck middleware to pipelines
6ed37d2 Request cache should not update context
32affef Change cfg.set_defaults into cors.set_defaults
470d92f Updated from global requirements
6589dbd Updated from global requirements
52f58eb Doc warning for keystone db migration
08e9ba9 Wording error in upgrading documentation
e28dddd Updated from global requirements
52c2a81 fix credentials backend tests
18bb515 Allow running expand & migrate at the same time
c5bcc34 Add test cases for passing "None" as a hint
2d56415 Fix test_revoke to run all tests after pki removal
1b79994 Updated from global requirements
57cc1e3 Switch fernet to be the default token provider.
8a66ef6 Remove support for PKI and PKIz tokens
1a1c625 Doc the difference between memcache and cache
cda7688 Doctor ldap check fix for config files
e498979 Additional logging when authenticating
2e70ecd Document OS-SIMPLE-CERT Routes
c70baa0 Document v2 Revoked Token Route
095ed91 Add api-ref /auth/tokens/OS-PKI/revoked (v3)
731a766 Fix broken links in the docs
75e8cd1 Add structure for Devstack plugin
a4fdb40 Add bindep environment to tox
e49a95f Pass a request to controllers instead of a context
357bb56 Create default role as a part of bootstrap
093d14f Updated from global requirements
339d6a6 Don't deprecate the LDAP property which is still needed
707b023 Clarifying on the remove of `build_auth_context` middleware
2870deb log.error use _ of i18n
fd6445e Doctor check for LDAP domain specific configs
b8435cc Updated from global requirements
53f104f Updated from global requirements
de8fbcf Validate mapping exists when creating/updating a protocol
f516777 Remove new_id() in test_revoke
1c38db6 Adds warning when no domain configs were uploaded
e5add63 Add release note for fernet tokens
d45d82f Tweak api-ref doc for v3 roles
bc756d5 Tweak api-ref doc for v3 roles status codes
43b55f1 Reorder APIs in api-ref for v3 groups
c7c0b99 [api-ref] Remove the duplicated sample
bef1444 Follow-on of memcache token persistence removal
1939159 changed domain id to name in JSON request
e3962e5 More configuration doc edits
980554a Remove backend dependencies from token provider
696a10c Updated from global requirements
382279f [api-ref] Fix couple of issues on OS-INHERIT API
35b9f08 Code cleanup
4f92ac0 Replace tenant with project for keystone catalog
e7e577c Imported Translations from Zanata
38f79a8 Update, correct, and enhance federation docs
f0319c7 Invalidate trust when the related project is deleted
8b68bbd Remove unused arg(project and initiator)
25d0535 Drop MANIFEST.in - it's not needed by pbr
f77db0a Ignore unknown arguments to fetch_token
02452d0 Return password_expires_at during auth
d49f2b1 Move the token abstract base class out of core
ca73d29 Add is_admin_project to policy dict
94f1074 Fix a typo in token_formatters.py
9e84371 Improve check_token validation performance
477189d Add revocation event indexes
130a72d Add docs for PCI-DSS
52642cc Invalidate trust when the trustor or trustee is deleted
27d2176 Updated from global requirements
1974f2d [api] add a note about project name restrictions
71134fb One validate method to rule them all...
f84dd99 Simplify the KeystoneToken model
52bde3c Remove validate_v2_token() method
abe6157 [api] remove `user_id` and `project_id` from policy
38f2305 Remove the decorator where it's not applied
8789949 Optimize remove unused variable
c3c4112 Remove those redundant variable declaration
9fa78cb [doc] Correct mapping JSON example
ade01da Remove no use variable (domain_id)
ab02ec0 Remove redundant variable declaration
fd3e627 Deprecate `endpoint_filter.sql` backend
ba96448 remove deprecated `[endpoint_policy] enable` option
86229b3 Pass initiator to Manager as a kwarg
3e0242c create release notes for removed functionality
76d588b Remove driver version specifiers from tests
a82d799 Enable release notes translation
1181399 Remove driver version from identity backend test names
bbcc1ef Remove driver version from docs
12d8591 Updated from global requirements
4888a11 Default the assignment backend to SQL
3b17b27 remove legacy driver tox target
9aec18b Use validate_v3_token instead of validate_token
d3054b5 Ensure all v2.0 tokens are validated the same way
6f6543b Make sure all v3 tokens are validated the same way
7c00add re-add valid comment about None domain ID
d7b836e Default the resource backend to SQL
4fd55f2 Make returning is_domain conditional
9117e45 Move audit initiator creation to request
cb43ea8 Don't validate token expiry in the persistence backend
29fbffa Add tests for validating expired tokens
5046ba0 Fix a typo in _init_.py
432fa4a Remove password history validation from admin password resets
ac04a51 Updating the document regarding LDAP options
cd23e77 Updated from global requirements
38f9a82 Remove the unused sdx doc files
635d4a4 Updated from global requirements
ec7cec0 Remove the no use arg (auth=None)
bb1e6d0 Fix typo in docstring
a20d66c Tweak api-ref for v3 groups status codes
86483a7 Updated from global requirements
28e6144 Add Apache 2.0 license to source file
e828d59 Fix a typo in core.py and bp-domain-config-default-82e42d946ee7cb43.yaml
4be9164 Validate password history for self-service password changes
7f3296d Make test_v3_auth exercise the whole API
810e156 Remove stable driver interfaces
a0ee0bb Updated from global requirements
ae0d189 Remove the check for admin token in build_auth_context middleware
abab343 Reorder APIs in api-ref doc for v3 users
ca4b452 Fix a docstring typo in test_v3_resource.py
ee32611 Using assertIsNone(...) instead of assertIs(None, ...)
a615a85 Updated from global requirements
4a079a4 remove deprecated items from contrib
d3ece04 Update man page for Ocata release version and date
09131e1 Using assertIsNone() instead of assertIs(None)
7b66744 Remove default=None when set value in config
7d56cb7 Undeprecate options used for signing
a0fb216 Remove unused path in the v2 token controller
7f3f596 Fix the belongsTo query parameter
ba984db Fix 'API Specification for Endpoint Filtering' broken link
e88097f Add domain check in domain-specific role implication
f0172f8 Override credential key repository for null key tests
36be7e5 Remove useless method override
564c495 remove memcache token persistence backends
9f9b728 remove keystone/service.py
d1ed08d remove saml2 auth plugin
2388cef remove httpd/keystone.py
1371fb4 remove cache backends
5035ea1 Revert "Allow compatibility with keystonemiddleware 4.0.0"
3c7e140 Consolidate the common code into one method
54e41a3 Handle the exception from creating request token properly
9488ec5 Fix formatting strings in LOG.debug
3adb158 Fix formatting strings in LOG.warning
be5385c Handle the exception from creating access token properly
0c14179 Updated from global requirements
3d00a20 Tweak status code in api-ref doc for v3 users
5fc08a7 Fix parameters names in Keystone API v2-ext
f1da1c0 Refactor Keystone admin-tenant API v2
32352f4 Refactor Keystone admin-endpoint API
4d08a1c Fix for unindent warning in doc build
3a84987 add placeholder migrations for newton
0c82abc Remove default=None for config options
0818d42 Ensure the sqla-migrate scripts cache is cleared
d312859 Move test_sql_upgrade.MigrationRepository into keystone.common
5c6d1f3 Rename sql.migration_helpers to sql.upgrades
47d4d08 Give domain admin rights to domain specific implied roles
981b46c Update reno for stable/newton
2d79b03 Refactor find_migrate_repo(): require caller to specify repo
32328de Fixes password created_at errors due to the server_default
e226948 Move the responsibility for stdout to the CLI module
50430f5 Use a read-only DB session to retrieve schema version
1249360 Move rolling upgrade repo names into constants
8ec5930 Removal of imports within functions
dfa6e3f Trivial fixes in the ldap common functions
b52e0de Test that rolling upgrade repos are in lockstep
be80981 Adds tests for verify_length_and_trunc_password()
97585c1 EndpointPolicy driver doesn't inherit interface
f534f36 Faster id mapping lookup
c4784d7 Create unit tests for endpoint policy drivers
c6ed3cd Use URIOpt for endpoint URL options


Diffstat (except docs and test files)
-------------------------------------

CONTRIBUTING.rst                                   |    4 +-
HACKING.rst                                        |    2 +-
MANIFEST.in                                        |   21 -
README.rst                                         |   17 +-
api-ref/source/conf.py                             |    2 +-
api-ref/source/v2-admin/admin-certificates.inc     |   41 +
api-ref/source/v2-admin/admin-endpoints.inc        |   34 +-
.../v2-admin/admin-endpoints_parameters.yaml       |   71 --
api-ref/source/v2-admin/admin-tenants.inc          |   81 +-
api-ref/source/v2-admin/admin-tokens.inc           |   48 +-
api-ref/source/v2-admin/admin-users.inc            |   84 +-
api-ref/source/v2-admin/index.rst                  |    1 +
api-ref/source/v2-admin/parameters.yaml            |  305 +++--
.../admin/show-ca-certificate-v2-response.txt      |   19 +
.../admin/show-signing-certificate-v2-response.txt |   19 +
api-ref/source/v2-ext/ksadm-admin.inc              |  142 +--
api-ref/source/v2-ext/kscrud.inc                   |    6 +-
api-ref/source/v2-ext/ksec2-admin.inc              |   42 +-
api-ref/source/v2-ext/parameters.yaml              |  155 +--
api-ref/source/v2/index.rst                        |    3 +-
api-ref/source/v2/overview.inc                     |   16 +-
api-ref/source/v2/parameters.yaml                  |   21 +-
api-ref/source/v2/revocations.inc                  |   32 +
.../v2/samples/admin/extension-show-response.json  |    2 +-
.../v2/samples/admin/extensions-list-response.json |   16 +-
.../v2/samples/admin/revoked-tokens-response.json  |    3 +
.../v2/samples/admin/version-show-response.json    |    2 +-
.../v2/samples/admin/versions-list-response.json   |    2 +-
api-ref/source/v3-ext/ep-filter.inc                |  306 ++---
api-ref/source/v3-ext/federation.inc               |    7 +
.../v3-ext/federation/assertion/assertion.inc      |    6 +-
api-ref/source/v3-ext/federation/auth/auth.inc     |    6 +-
.../source/v3-ext/federation/auth/parameters.yaml  |    9 +
.../v3-ext/federation/identity-provider/idp.inc    |   36 +-
.../federation/identity-provider/parameters.yaml   |    9 +
.../identity-provider/samples/get-response.json    |    1 +
.../identity-provider/samples/list-response.json   |    2 +
.../samples/register-request.json                  |    1 +
.../samples/register-response.json                 |    1 +
.../identity-provider/samples/update-response.json |    1 +
.../source/v3-ext/federation/mapping/mapping.inc   |   10 +-
.../projects-domains/projects-domains.inc          |    4 +-
.../v3-ext/federation/service-provider/sp.inc      |   10 +-
api-ref/source/v3-ext/index.rst                    |    2 +
api-ref/source/v3-ext/oauth.inc                    |   28 +-
api-ref/source/v3-ext/parameters.yaml              |    2 +-
api-ref/source/v3-ext/revoke.inc                   |    2 +-
.../create-endpoint-group-request.json             |    2 +-
.../OS-EP-FILTER/get-projects-response.json        |   29 -
.../list-associations-by-endpoint-response.json    |   29 +
.../list-associations-by-project-response.json     |   29 +
.../OS-EP-FILTER/list-endpoints-response.json      |   29 -
.../update-endpoint-group-request.json             |    7 +
.../update-endpoint-group-response.json            |   14 +
.../show-ca-certificate-response.txt               |   19 +
.../show-signing-certificate-response.txt          |   19 +
api-ref/source/v3-ext/simple-cert.inc              |   42 +
api-ref/source/v3-ext/trust.inc                    |   18 +-
api-ref/source/v3/authenticate-v3.inc              |   33 +-
api-ref/source/v3/credentials.inc                  |   10 +-
api-ref/source/v3/domains-config-v3.inc            |   28 +-
api-ref/source/v3/domains.inc                      |   10 +-
api-ref/source/v3/groups.inc                       |  354 +++---
api-ref/source/v3/index.rst                        |  124 +-
api-ref/source/v3/inherit.inc                      |   92 +-
api-ref/source/v3/os-pki.inc                       |   32 +
api-ref/source/v3/parameters.yaml                  |   79 +-
api-ref/source/v3/policies.inc                     |   22 +-
api-ref/source/v3/projects.inc                     |   21 +-
api-ref/source/v3/regions-v3.inc                   |   10 +-
api-ref/source/v3/roles.inc                        |  961 ++++++++++------
.../auth-password-explicit-unscoped-response.json  |    3 +-
.../auth-password-project-scoped-response.json     |    3 +-
...auth-password-unscoped-request-with-domain.json |    2 +-
.../admin/auth-password-unscoped-response.json     |    3 +-
.../auth-password-user-name-unscoped-request.json  |   18 -
.../samples/admin/auth-token-scoped-response.json  |    3 +-
.../admin/auth-token-unscoped-response.json        |    3 +-
.../samples/admin/credential-update-request.json   |    2 +-
.../samples/admin/credential-update-response.json  |    2 +-
.../v3/samples/admin/get-pki-revoked-response.json |    3 +
.../samples/admin/group-roles-list-response.json   |   23 -
.../samples/admin/identity-versions-response.json  |    2 +-
.../v3/samples/admin/policies-list-response.json   |    8 +-
.../v3/samples/admin/policy-create-request.json    |    4 +-
.../v3/samples/admin/policy-create-response.json   |    2 -
.../v3/samples/admin/policy-show-response.json     |    4 +-
.../v3/samples/admin/policy-update-request.json    |    4 +-
.../v3/samples/admin/policy-update-response.json   |    4 +-
...ents-effective-list-include-names-response.json |   10 +-
.../admin/user-password-update-request.json        |    2 +-
.../v3/samples/admin/user-roles-list-response.json |   23 -
api-ref/source/v3/service-catalog.inc              |   20 +-
api-ref/source/v3/status.yaml                      |    4 +
api-ref/source/v3/users.inc                        |  348 +++---
config-generator/keystone.conf                     |    1 -
devstack/files/federation/shib_apache_alias.txt    |    1 +
devstack/files/federation/shib_apache_handler.txt  |   16 +
devstack/files/federation/shibboleth2.xml          |   77 ++
devstack/lib/federation.sh                         |  127 +++
devstack/plugin.sh                                 |   64 ++
etc/keystone-paste.ini                             |   13 +-
etc/keystone.conf.sample                           |  813 ++++++++------
etc/policy.json                                    |    3 +-
etc/policy.v3cloudsample.json                      |   17 +-
examples/pki/cms/auth_token_revoked.json           |   85 --
examples/pki/cms/auth_token_revoked.pem            |   44 -
examples/pki/cms/auth_token_scoped.json            |   85 --
examples/pki/cms/auth_token_scoped.pem             |   44 -
examples/pki/cms/auth_token_unscoped.json          |   23 -
examples/pki/cms/auth_token_unscoped.pem           |   19 -
examples/pki/cms/revocation_list.json              |    8 -
examples/pki/cms/revocation_list.pem               |   15 -
examples/pki/gen_pki.sh                            |  233 ----
httpd/keystone.py                                  |   41 -
keystone/assignment/V8_backends/__init__.py        |    0
keystone/assignment/V8_backends/sql.py             |  452 --------
keystone/assignment/V8_role_backends/__init__.py   |    0
keystone/assignment/V8_role_backends/sql.py        |   80 --
keystone/assignment/backends/base.py               |  251 -----
keystone/assignment/backends/sql.py                |    5 +-
keystone/assignment/controllers.py                 |  103 +-
keystone/assignment/core.py                        |  207 +---
keystone/assignment/role_backends/base.py          |  134 ---
keystone/assignment/role_backends/sql.py           |    2 +-
keystone/assignment/routers.py                     |  157 ++-
keystone/auth/__init__.py                          |    4 +
keystone/auth/controllers.py                       |  485 ++------
keystone/auth/core.py                              |  478 +++++++-
keystone/auth/plugins/base.py                      |   39 +-
keystone/auth/plugins/core.py                      |    2 -
keystone/auth/plugins/external.py                  |   14 +-
keystone/auth/plugins/mapped.py                    |  195 +++-
keystone/auth/plugins/oauth1.py                    |   12 +-
keystone/auth/plugins/password.py                  |    8 +-
keystone/auth/plugins/saml2.py                     |   35 -
keystone/auth/plugins/token.py                     |   51 +-
keystone/auth/plugins/totp.py                      |    8 +-
keystone/auth/schema.py                            |   83 ++
keystone/catalog/backends/base.py                  |   14 +-
keystone/catalog/backends/sql.py                   |   95 +-
keystone/catalog/backends/templated.py             |   16 +-
keystone/catalog/controllers.py                    |   88 +-
keystone/catalog/core.py                           |   23 +-
keystone/cmd/cli.py                                |  226 ++--
keystone/cmd/doctor/__init__.py                    |    2 +
keystone/cmd/doctor/caching.py                     |    2 +-
keystone/cmd/doctor/credential.py                  |    6 +-
keystone/cmd/doctor/database.py                    |    3 +-
keystone/cmd/doctor/debug.py                       |   28 +
keystone/cmd/doctor/ldap.py                        |   95 ++
keystone/cmd/doctor/security_compliance.py         |    2 +-
keystone/cmd/doctor/tokens.py                      |    6 -
keystone/cmd/doctor/tokens_fernet.py               |    6 +-
keystone/cmd/manage.py                             |    5 +-
keystone/common/authorization.py                   |    3 +-
keystone/common/cache/_context_cache.py            |   10 +-
keystone/common/cache/backends/__init__.py         |    0
keystone/common/cache/backends/memcache_pool.py    |   28 -
keystone/common/cache/backends/mongo.py            |   25 -
keystone/common/cache/backends/noop.py             |   56 -
keystone/common/cache/core.py                      |    4 +
keystone/common/context.py                         |   12 +-
keystone/common/controller.py                      |   46 +-
keystone/common/driver_hints.py                    |    9 +-
keystone/common/fernet_utils.py                    |   71 +-
keystone/common/json_home.py                       |   10 +-
keystone/common/kvs/backends/inmemdb.py            |    5 +
keystone/common/kvs/backends/memcached.py          |    5 +
keystone/common/kvs/core.py                        |    2 +-
keystone/common/manager.py                         |   32 -
keystone/common/openssl.py                         |    2 +-
keystone/common/request.py                         |   48 +-
keystone/common/resource_options.py                |  228 ++++
keystone/common/sql/contract_repo/manage.py        |   13 +
...move_unencrypted_blob_column_from_credential.py |    4 +-
.../versions/004_reset_password_created_at.py      |   37 +
.../sql/contract_repo/versions/005_placeholder.py  |   18 +
.../sql/contract_repo/versions/006_placeholder.py  |   18 +
.../sql/contract_repo/versions/007_placeholder.py  |   18 +
.../sql/contract_repo/versions/008_placeholder.py  |   18 +
.../sql/contract_repo/versions/009_placeholder.py  |   18 +
.../010_contract_add_revocation_event_index.py     |   15 +
...11_contract_user_id_unique_for_nonlocal_user.py |   23 +
.../versions/012_contract_add_domain_id_to_idp.py  |   38 +
...3_protocol_cascade_delete_for_federated_user.py |   31 +
.../014_contract_add_domain_id_to_user_table.py    |   95 ++
.../015_contract_update_federated_user_domain.py   |   34 +
.../versions/016_contract_add_user_options.py      |   16 +
keystone/common/sql/core.py                        |   46 +-
keystone/common/sql/data_migration_repo/manage.py  |   13 +
.../002_password_created_at_not_nullable.py        |    3 -
.../versions/004_reset_password_created_at.py      |   15 +
.../versions/005_placeholder.py                    |   18 +
.../versions/006_placeholder.py                    |   18 +
.../versions/007_placeholder.py                    |   18 +
.../versions/008_placeholder.py                    |   18 +
.../versions/009_placeholder.py                    |   18 +
.../010_migrate_add_revocation_event_index.py      |   15 +
.../011_expand_user_id_unique_for_nonlocal_user.py |   15 +
.../versions/012_migrate_add_domain_id_to_idp.py   |   55 +
...3_protocol_cascade_delete_for_federated_user.py |   15 +
.../014_migrate_add_domain_id_to_user_table.py     |   45 +
.../015_migrate_update_federated_user_domain.py    |   36 +
.../versions/016_migrate_add_user_options.py       |   16 +
keystone/common/sql/expand_repo/manage.py          |   13 +
...dd_key_hash_and_encrypted_blob_to_credential.py |    4 +-
.../versions/004_reset_password_created_at.py      |   15 +
.../sql/expand_repo/versions/005_placeholder.py    |   18 +
.../sql/expand_repo/versions/006_placeholder.py    |   18 +
.../sql/expand_repo/versions/007_placeholder.py    |   18 +
.../sql/expand_repo/versions/008_placeholder.py    |   18 +
.../sql/expand_repo/versions/009_placeholder.py    |   18 +
.../010_expand_add_revocation_event_index.py       |   31 +
.../011_expand_user_id_unique_for_nonlocal_user.py |   15 +
.../versions/012_expand_add_domain_id_to_idp.py    |   73 ++
...3_protocol_cascade_delete_for_federated_user.py |   15 +
.../014_expand_add_domain_id_to_user_table.py      |  165 +++
.../015_expand_update_federated_user_domain.py     |   69 ++
.../versions/016_expand_add_user_options.py        |   34 +
keystone/common/sql/migrate_repo/manage.py         |   13 +
.../versions/081_add_endpoint_policy_table.py      |    4 +-
.../versions/082_add_federation_tables.py          |    4 +-
.../migrate_repo/versions/083_add_oauth1_tables.py |    4 +-
.../migrate_repo/versions/084_add_revoke_tables.py |    4 +-
.../versions/085_add_endpoint_filtering_table.py   |    4 +-
.../versions/093_migrate_domains_to_projects.py    |    6 +-
keystone/common/sql/migration_helpers.py           |  254 -----
keystone/common/sql/upgrades.py                    |  293 +++++
keystone/common/tokenless_auth.py                  |    4 +-
keystone/common/utils.py                           |   32 +-
keystone/common/validation/validators.py           |    8 +-
keystone/common/wsgi.py                            |   15 +-
keystone/conf/__init__.py                          |   44 +-
keystone/conf/assignment.py                        |    8 +-
keystone/conf/auth.py                              |   15 +-
keystone/conf/constants.py                         |    9 +-
keystone/conf/default.py                           |   59 +-
keystone/conf/endpoint_policy.py                   |   17 -
keystone/conf/kvs.py                               |   19 +
keystone/conf/ldap.py                              |  151 +--
keystone/conf/memcache.py                          |   27 +-
keystone/conf/os_inherit.py                        |   49 -
keystone/conf/resource.py                          |    6 +-
keystone/conf/security_compliance.py               |   30 +-
keystone/conf/signing.py                           |   62 +-
keystone/conf/token.py                             |   60 +-
keystone/contrib/admin_crud/__init__.py            |   15 -
keystone/contrib/admin_crud/core.py                |   32 -
keystone/contrib/ec2/controllers.py                |   28 +-
keystone/contrib/ec2/core.py                       |    4 +-
.../endpoint_filter/backends/catalog_sql.py        |   62 +-
keystone/contrib/endpoint_filter/backends/sql.py   |   30 -
keystone/contrib/endpoint_filter/routers.py        |   33 -
keystone/contrib/federation/__init__.py            |    0
keystone/contrib/federation/backends/__init__.py   |    0
keystone/contrib/federation/backends/sql.py        |   29 -
keystone/contrib/federation/routers.py             |   31 -
keystone/contrib/oauth1/__init__.py                |    0
keystone/contrib/oauth1/backends/__init__.py       |    0
keystone/contrib/oauth1/backends/sql.py            |   30 -
keystone/contrib/oauth1/routers.py                 |   33 -
keystone/contrib/revoke/__init__.py                |    0
keystone/contrib/revoke/backends/__init__.py       |    0
keystone/contrib/revoke/backends/sql.py            |   28 -
keystone/contrib/revoke/routers.py                 |   31 -
keystone/contrib/s3/core.py                        |    4 +-
keystone/contrib/simple_cert/__init__.py           |   13 -
keystone/contrib/simple_cert/routers.py            |   33 -
keystone/contrib/user_crud/__init__.py             |   15 -
keystone/contrib/user_crud/core.py                 |   32 -
keystone/credential/backends/base.py               |    2 +-
keystone/credential/backends/sql.py                |    2 +-
keystone/credential/core.py                        |   15 -
keystone/credential/providers/fernet/core.py       |    5 +-
keystone/endpoint_policy/backends/base.py          |   31 +-
keystone/endpoint_policy/backends/sql.py           |    3 +-
keystone/endpoint_policy/core.py                   |   15 -
keystone/exception.py                              |  176 +--
keystone/federation/V8_backends/__init__.py        |    0
keystone/federation/V8_backends/sql.py             |  389 -------
keystone/federation/backends/base.py               |  162 +--
keystone/federation/backends/sql.py                |    5 +-
keystone/federation/controllers.py                 |    6 +-
keystone/federation/core.py                        |   87 +-
keystone/federation/schema.py                      |   19 +-
keystone/federation/utils.py                       |   37 +-
keystone/i18n.py                                   |    2 +-
keystone/identity/backends/base.py                 |   30 +-
keystone/identity/backends/ldap/common.py          |  210 ++--
keystone/identity/backends/ldap/core.py            |  238 ++--
keystone/identity/backends/resource_options.py     |  121 ++
keystone/identity/backends/sql.py                  |   70 +-
keystone/identity/backends/sql_model.py            |  160 ++-
keystone/identity/controllers.py                   |   88 +-
keystone/identity/core.py                          |  253 +++--
keystone/identity/mapping_backends/base.py         |   11 +-
keystone/identity/mapping_backends/sql.py          |    6 +-
keystone/identity/schema.py                        |   12 +-
keystone/identity/shadow_backends/base.py          |   30 +-
keystone/identity/shadow_backends/sql.py           |   52 +-
keystone/locale/de/LC_MESSAGES/keystone.po         |  180 +--
keystone/locale/es/LC_MESSAGES/keystone.po         |  176 +--
keystone/locale/fr/LC_MESSAGES/keystone.po         |  178 +--
keystone/locale/it/LC_MESSAGES/keystone.po         |  172 +--
keystone/locale/ja/LC_MESSAGES/keystone.po         |  173 +--
.../locale/ko_KR/LC_MESSAGES/keystone-log-error.po |   22 +-
.../locale/ko_KR/LC_MESSAGES/keystone-log-info.po  |   25 +-
.../ko_KR/LC_MESSAGES/keystone-log-warning.po      |   48 +-
keystone/locale/ko_KR/LC_MESSAGES/keystone.po      |  160 +--
keystone/locale/pt_BR/LC_MESSAGES/keystone.po      |  174 +--
keystone/locale/ru/LC_MESSAGES/keystone.po         |  166 +--
.../locale/tr_TR/LC_MESSAGES/keystone-log-error.po |   18 +-
.../tr_TR/LC_MESSAGES/keystone-log-warning.po      |   25 +-
keystone/locale/tr_TR/LC_MESSAGES/keystone.po      |   52 +-
.../locale/zh_CN/LC_MESSAGES/keystone-log-error.po |   12 +-
keystone/locale/zh_CN/LC_MESSAGES/keystone.po      |  195 +---
keystone/locale/zh_TW/LC_MESSAGES/keystone.po      |  155 +--
keystone/middleware/auth.py                        |   33 +-
keystone/models/revoke_model.py                    |   18 -
keystone/models/token_model.py                     |  192 ++--
keystone/notifications.py                          |   77 +-
keystone/oauth1/backends/base.py                   |    2 +-
keystone/oauth1/backends/sql.py                    |    6 +-
keystone/oauth1/controllers.py                     |  100 +-
keystone/oauth1/core.py                            |   41 +-
keystone/oauth1/validator.py                       |    6 +-
keystone/policy/backends/base.py                   |    2 +-
keystone/policy/backends/rules.py                  |    5 +-
keystone/policy/controllers.py                     |   16 +-
keystone/policy/core.py                            |   15 -
keystone/resource/V8_backends/__init__.py          |    0
keystone/resource/V8_backends/sql.py               |  260 -----
keystone/resource/backends/base.py                 |  371 +-----
keystone/resource/backends/sql.py                  |    2 +-
keystone/resource/config_backends/base.py          |    2 +-
keystone/resource/config_backends/sql.py           |    2 +-
keystone/resource/controllers.py                   |   71 +-
keystone/resource/core.py                          |  193 ++--
keystone/resource/routers.py                       |    4 +-
keystone/revoke/backends/base.py                   |    7 +-
keystone/revoke/backends/sql.py                    |   46 +-
keystone/revoke/controllers.py                     |    6 +
keystone/revoke/core.py                            |   26 +-
keystone/server/backends.py                        |    2 +-
keystone/service.py                                |   61 -
.../legacy_drivers/assignment/V8/__init__.py       |    0
.../backend/legacy_drivers/assignment/V8/sql.py    |   39 -
.../backend/legacy_drivers/assignment/__init__.py  |    0
.../legacy_drivers/federation/V8/__init__.py       |    0
.../backend/legacy_drivers/federation/V8/api_v3.py |  108 --
.../backend/legacy_drivers/federation/__init__.py  |    0
.../backend/legacy_drivers/resource/V8/__init__.py |    0
.../unit/backend/legacy_drivers/resource/V8/sql.py |   71 --
.../backend/legacy_drivers/resource/__init__.py    |    0
.../backend/legacy_drivers/role/V8/__init__.py     |    0
.../unit/backend/legacy_drivers/role/V8/sql.py     |   30 -
.../unit/backend/legacy_drivers/role/__init__.py   |    0
.../unit/common/test_resource_options_common.py    |   77 ++
.../unit/config_files/backend_pool_liveldap.conf   |    3 +-
.../unit/config_files/backend_tls_liveldap.conf    |    1 -
.../unit/endpoint_policy/backends/__init__.py      |    0
.../unit/endpoint_policy/backends/test_base.py     |  150 +++
.../unit/endpoint_policy/backends/test_sql.py      |   43 +
.../unit/identity/backends/test_ldap_common.py     |  132 +--
.../unit/identity/shadow_users/test_backend.py     |  150 +++
.../test_associate_project_endpoint_extension.py   |   41 +-
keystone/token/_simple_cert.py                     |    4 +-
keystone/token/controllers.py                      |  742 +++++++-----
keystone/token/persistence/__init__.py             |    2 +-
keystone/token/persistence/backends/kvs.py         |   23 +-
keystone/token/persistence/backends/memcache.py    |   39 -
.../token/persistence/backends/memcache_pool.py    |   34 -
keystone/token/persistence/backends/sql.py         |   17 +-
keystone/token/persistence/core.py                 |   47 +-
keystone/token/provider.py                         |  394 +------
keystone/token/providers/base.py                   |   99 ++
keystone/token/providers/common.py                 |  557 +++------
keystone/token/providers/fernet/core.py            |   10 +-
.../token/providers/fernet/token_formatters.py     |   62 +-
keystone/token/providers/pki.py                    |   67 --
keystone/token/providers/pkiz.py                   |   65 --
keystone/token/utils.py                            |   31 -
keystone/trust/backends/base.py                    |   11 +-
keystone/trust/backends/sql.py                     |   20 +-
keystone/trust/controllers.py                      |   42 +-
keystone/trust/core.py                             |   28 +-
keystone/v2_crud/admin_crud.py                     |    4 +-
keystone/v2_crud/user_crud.py                      |   59 +-
keystone/version/__init__.py                       |    2 +-
keystone/version/controllers.py                    |    6 +-
keystone/version/service.py                        |    4 +-
keystone_tempest_plugin/clients.py                 |    8 +-
keystone_tempest_plugin/config.py                  |   46 +-
keystone_tempest_plugin/plugin.py                  |   12 +-
.../services/identity/clients.py                   |    7 +-
.../services/identity/v3/auth_client.py            |   40 +
.../identity/v3/identity_providers_client.py       |    9 +-
.../services/identity/v3/saml2_client.py           |   92 ++
.../api/identity/v3/test_identity_providers.py     |   22 +-
.../api/identity/v3/test_service_providers.py      |    2 +-
.../scenario/test_federated_authentication.py      |  176 +++
.../notes/bp-allow-expired-f5d845b9601bc1ef.yaml   |   18 +
.../bp-domain-config-default-82e42d946ee7cb43.yaml |    2 +-
...ssword-expires-validation-4b32fe7032595932.yaml |   13 +
.../bp-pci-dss-notifications-808a205a637bac25.yaml |   22 +
...password-requirements-api-87bc724b2aa554f7.yaml |    9 +
...ry-password-expired-users-a7c96a3843bb9abc.yaml |   15 +
...per-user-auth-plugin-reqs-feb95fd907be4b40.yaml |   64 ++
.../notes/bp-shadow-mapping-06fc7c71a401d707.yaml  |   12 +
...bp-support-federated-attr-94084d4073f50280.yaml |    7 +
.../notes/bug-1017606-98313bb4c1edf250.yaml        |   19 +
.../notes/bug-1524030-ccff6b0ec9d1cbf2.yaml        |   23 +
.../notes/bug-1547684-911aed68a0d3df17.yaml        |   29 +
.../notes/bug-1561054-dbe88b552a936a05.yaml        |   23 +
.../notes/bug-1563101-134df5b99ea48f00.yaml        |    7 +
.../notes/bug-1571878-1bcaea5337905af0.yaml        |    7 +
.../notes/bug-1582585-a368ac5a252ec84f.yaml        |   15 +
.../notes/bug-1611102-e1348cbec9b1110a.yaml        |    8 +
.../notes/bug-1616424-c46ba773f7ac40ae.yaml        |    7 +
.../notes/bug-1622310-c501cf77437fdfa6.yaml        |   18 +
.../notes/bug-1636950-8fa1a47fce440977.yaml        |   10 +
releasenotes/notes/bug-1638603-354ee4167e6e.yaml   |    9 +
.../notes/bug-1641645-516709f9da3de26f.yaml        |    9 +
.../notes/bug-1641654-8630ce7bcde43a7e.yaml        |   21 +
.../notes/bug-1641660-f938267e1ec54071.yaml        |   13 +
.../notes/bug-1641816-8b39f3f73359c778.yaml        |    6 +
.../notes/bug-1642348-83d4c86ad3984d75.yaml        |    6 +
.../notes/bug-1642457-4533f9810a8cd927.yaml        |    7 +
.../notes/bug-1642687-5497fb56fe86806d.yaml        |   18 +
.../notes/bug-1642687-c7ab1c9be152db20.yaml        |   23 +
.../notes/bug-1642692-d669c8fcf9e171d9.yaml        |    6 +
.../notes/bug-1645487-ca22c216ec26cc9b.yaml        |    8 +
.../notes/bug-1649138-c53974f6bb0eab14.yaml        |    9 +
.../notes/bug-1649446-efff94143823755d.yaml        |   19 +
.../notes/bug-1656076-c4422270f73b43b.yaml         |   15 +
.../notes/bug-1659730-17834ba2dde668ae.yaml        |   18 +
.../notes/bug-1659995-f3e716de743b7291.yaml        |   26 +
.../deprecated-as-of-ocata-a5b2f1e3e39f818e.yaml   |   19 +
.../integrate-osprofiler-ad0e16a542b12899.yaml     |    2 +-
.../notes/oslo.cache-a9ce47bfa8809efa.yaml         |    2 +-
.../removed-as-of-ocata-436bb4b839e74494.yaml      |  103 ++
releasenotes/notes/totp-40d93231714c6a20.yaml      |    2 +-
releasenotes/source/conf.py                        |    3 +
releasenotes/source/index.rst                      |    1 +
releasenotes/source/newton.rst                     |    6 +
requirements.txt                                   |   24 +-
setup.cfg                                          |   36 +-
test-requirements.txt                              |   18 +-
tools/sample_data.sh                               |    8 +-
tools/test-setup.sh                                |   57 +
tox.ini                                            |   34 +-
583 files changed, 23346 insertions(+), 18774 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index fd007ac..1ae6ccf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,2 +9,2 @@ Babel>=2.3.4 # BSD
-pbr>=1.6 # Apache-2.0
-WebOb>=1.2.3 # MIT
+pbr>=1.8 # Apache-2.0
+WebOb>=1.6.0 # MIT
@@ -19,4 +19,4 @@ sqlalchemy-migrate>=0.9.6 # Apache-2.0
-stevedore>=1.16.0 # Apache-2.0
-passlib>=1.6 # BSD
-python-keystoneclient!=2.1.0,>=2.0.0 # Apache-2.0
-keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0
+stevedore>=1.17.1 # Apache-2.0
+passlib>=1.7.0 # BSD
+python-keystoneclient>=3.8.0 # Apache-2.0
+keystonemiddleware>=4.12.0 # Apache-2.0
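Review bot: the "+passlib>=1.7.0" line raises the floor of the password-hashing dependency from 1.6 without any stated reason. Name the passlib 1.7 behaviour keystone now depends on in the commit message or a release note, so deployers who package passlib separately know this is a hard requirement. Dropping "!=2.1.0" from python-keystoneclient and "!=4.1.0,!=4.5.0" from keystonemiddleware is fine, since the new floors (3.8.0 and 4.12.0) already sit above the excluded versions.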
@@ -25 +25 @@ oslo.concurrency>=3.8.0 # Apache-2.0
-oslo.config>=3.14.0 # Apache-2.0
+oslo.config!=3.18.0,>=3.14.0 # Apache-2.0
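Review bot: the new "!=3.18.0" exclusion on oslo.config carries no pointer to the bug it works around, and the trailing comment holds only the license. Reference the bug in the commit message so the exclusion can be dropped once the floor moves past 3.18.0, the way the oslo.db exclusions are dropped in the next hunk when its floor rises to 4.15.0.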
@@ -27,2 +27,2 @@ oslo.context>=2.9.0 # Apache-2.0
-oslo.messaging>=5.2.0 # Apache-2.0
-oslo.db!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0
+oslo.messaging>=5.14.0 # Apache-2.0
+oslo.db>=4.15.0 # Apache-2.0
@@ -30 +30 @@ oslo.i18n>=2.1.0 # Apache-2.0
-oslo.log>=1.14.0 # Apache-2.0
+oslo.log>=3.11.0 # Apache-2.0
@@ -32 +32 @@ oslo.middleware>=3.0.0 # Apache-2.0
-oslo.policy>=1.9.0 # Apache-2.0
+oslo.policy>=1.17.0 # Apache-2.0
@@ -34 +34 @@ oslo.serialization>=1.10.0 # Apache-2.0
-oslo.utils>=3.16.0 # Apache-2.0
+oslo.utils>=3.18.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index 41e60a7..444a2b0 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -9,2 +9,2 @@ bashate>=0.2 # Apache-2.0
-os-testr>=0.7.0 # Apache-2.0
-freezegun # Apache-2.0
+os-testr>=0.8.0 # Apache-2.0
+freezegun>=0.3.6 # Apache-2.0
@@ -13 +13 @@ freezegun # Apache-2.0
-oslo.db[fixtures,mysql,postgresql]!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0
+oslo.db[fixtures,mysql,postgresql]>=4.15.0 # Apache-2.0
@@ -16 +16 @@ oslo.db[fixtures,mysql,postgresql]!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0
-coverage>=3.6 # Apache-2.0
+coverage>=4.0 # Apache-2.0
@@ -20 +20 @@ fixtures>=3.0.0 # Apache-2.0/BSD
-lxml>=2.3 # BSD
+lxml!=3.7.0,>=2.3 # BSD
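Review bot: "lxml!=3.7.0,>=2.3" blocks a single release but leaves the floor at 2.3, so a test environment can still resolve to a very old XML parser. Consider raising the floor together with the exclusion, and note the reason for excluding 3.7.0 in the commit message.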
@@ -25 +25 @@ oslotest>=1.10.0 # Apache-2.0
-sphinx!=1.3b1,<1.3,>=1.2.1 # BSD
+sphinx!=1.3b1,<1.4,>=1.2.1 # BSD
@@ -35,2 +35,2 @@ testtools>=1.4.0 # MIT
-oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0
-reno>=1.8.0 # Apache2
+oslosphinx>=4.7.0 # Apache-2.0
+reno>=1.8.0 # Apache-2.0
@@ -41 +41 @@ tempest>=12.1.0 # Apache-2.0
-requests>=2.10.0 # Apache-2.0
+requests!=2.12.2,>=2.10.0 # Apache-2.0
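Review bot: "requests!=2.12.2" is excluded here in test-requirements.txt only. If the problem with 2.12.2 also affects runtime use of requests, the same exclusion belongs in requirements.txt. If it is test-only, the commit message should say so.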




