[release-announce] keystone 14.2.0 (rocky)

no-reply at openstack.org no-reply at openstack.org
Mon Feb 24 19:37:25 UTC 2020


We are amped to announce the release of:

keystone 14.2.0: OpenStack Identity

This release is part of the rocky stable release series.

The source is available from:

    https://opendev.org/openstack/keystone

Download the package from:

    https://tarballs.openstack.org/keystone/

Please report issues through:

    https://bugs.launchpad.net/keystone/+bugs

For more details, please see below.

14.2.0
^^^^^^

Bug Fixes

* [bug 1773967 (https://bugs.launchpad.net/keystone/+bug/1773967)]
  Fixes an issue where users who had role assignments only via a group
  membership and not via direct assignment could create but not use
  application credentials. It is important to note that federated
  users who only have role assignments via a mapped group membership
  still cannot create application credentials.

* [bug 1782922 (https://bugs.launchpad.net/keystone/+bug/1782922)]
  Fixed the problem where Keystone indiscriminately returned the first
  RDN as the user ID, regardless of whether it matched the configured
  'user_id_attribute' or not. This breaks deployments where
  'group_members_are_ids' is set to False and 'user_id_attribute' is
  not in the DN. This patch performs a lookup by DN if the first
  RDN does not match the configured 'user_id_attribute'.

* [bug 1801873 (https://bugs.launchpad.net/keystone/+bug/1801873)]
  This fixes an issue where an LDAP-backed domain could not be deleted
  due to the existence of shadow users in the SQL database.

* [bug 1840291 (https://bugs.launchpad.net/keystone/+bug/1840291)]
  Adds retries to the "delete_credential_for_user" method to avoid
  DBDeadlocks when deleting a large number of credentials concurrently.

* [bug 1843609 (https://bugs.launchpad.net/keystone/+bug/1843609)]
  Fixed an issue where system-scoped tokens couldn't be used to list
  users and groups (e.g., GET /v3/users or GET /v3/groups) if
  "keystone.conf [identity] domain_specific_drivers_enabled=True" and
  the API would return an "HTTP 401 Unauthorized". These APIs now
  recognize system-scoped tokens when using domain-specific drivers.

* [bug 1856881 (https://bugs.launchpad.net/keystone/+bug/1856881)]
  "keystone-manage bootstrap" can be run in upgrade scenarios where
  pre-existing domain-specific roles exist named "admin", "member",
  and "reader".

* [bug 1856904 (https://bugs.launchpad.net/keystone/+bug/1856904)]
  The initiator object for CADF notifications now always contains
  the username of the user who initiated the action. Previously, the
  initiator object only contained the user_id, which led to issues
  mapping to users when using LDAP-backed identity providers. This
  also helps the initiator object better conform to the OpenStack
  standard for CADF.

* [bug 1858012 (https://bugs.launchpad.net/keystone/+bug/1858012)]
  Fixes a bug in the /v3/role_assignments filtering where the
  *role.id* query parameter didn't properly filter role assignments by
  role in cases where there were multiple system role assignments.
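
Added example (not keystone's code and not part of the original announcement) for the bug 1782922 entry above: it contrasts taking the first RDN value unconditionally with checking the RDN attribute against 'user_id_attribute' and falling back to a lookup by DN. The names `naive_user_id`, `resolve_user_id`, `lookup_by_dn` and `DIRECTORY` are hypothetical, the dict stands in for an LDAP search by DN, and only backslash-character escapes in DNs are handled.

```python
import re

def split_unescaped(text, sep):
    """Split text on sep, skipping backslash-escaped characters."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def first_rdn(dn):
    """Return [(attribute, value), ...] for the leftmost RDN (may be multi-valued)."""
    pairs = []
    for ava in split_unescaped(split_unescaped(dn, ",")[0], "+"):
        attr, _, value = ava.partition("=")
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

def naive_user_id(dn):
    """Pre-fix behaviour as described: first RDN value, whatever its attribute."""
    return first_rdn(dn)[0][1]

def resolve_user_id(dn, user_id_attribute, lookup_by_dn):
    """Post-fix behaviour as described: trust the RDN only if its attribute
    matches user_id_attribute, otherwise look the entry up by DN."""
    wanted = user_id_attribute.lower()
    for attr, value in first_rdn(dn):
        if attr == wanted:
            return value
    entry = lookup_by_dn(dn)  # hypothetical callback: DN -> attribute dict or None
    if not entry or wanted not in entry:
        raise LookupError("no %s for %s" % (user_id_attribute, dn))
    return entry[wanted]

# Constructed sample directory (not real data): entry DN -> attributes.
DIRECTORY = {
    "cn=Jane Doe,ou=Users,dc=example,dc=org": {"uid": "jdoe", "cn": "Jane Doe"},
    "uid=asmith,ou=Users,dc=example,dc=org": {"uid": "asmith", "cn": "Al Smith"},
}
```

With 'user_id_attribute' set to uid, the first constructed entry shows the mismatch: the unconditional version yields "Jane Doe" while the checked version yields "jdoe", so group membership and role assignments would be keyed to different identifiers.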

Changes in keystone 14.1.0..14.2.0
----------------------------------

dbc64b48b Tell reno to ignore the kilo branch
a50a8973d Fix role_assignments role.id filter
46bfb91a0 Add the missing packages when install keystone
b33f71e21 Always have username in CADF initiator
2e4055e49 Ensure bootstrap handles multiple roles with the same name
417d2c0e6 Make system tokens work with domain-specific drivers
1403a9645 Add test case for expanding implied roles in system tokens
cf83fc105 Allows to use application credentials through group membership
2f7155065 Import LDAP job into project
a972b3a70 Fixing 404 URLs for Rocky
11b2665ef Update broken links to dogpile.cache docs
09547696f Add retry for DBDeadlock in credential delete
ada328786 Remove experimental openSUSE 42.3 job
d70f2a8b3 Updating mapping rule link
e0507d7ec Fix python3 compatibility on LDAP search DN from id
7b84e9fcf Fixing dn_to_id function for cases were id is not in the DN
c220cc450 Revert "Blacklist bandit 1.6.0"
00242bd19 Blacklist bandit 1.6.0
328d20077 OpenDev Migration Patch
b5af5c900 Delete shadow users when domain is deleted
1c013444f Remove message about circular role inferences
8a3b48ce7 Replace openstack.org git:// URLs with https://


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |  2 +
.gitreview                                         |  2 +-
.zuul.yaml                                         | 33 +++++-----
keystone/assignment/core.py                        | 15 ++---
keystone/cmd/bootstrap.py                          |  8 +++
keystone/common/authorization.py                   |  4 +-
keystone/common/controller.py                      |  2 +
keystone/common/policies/base.py                   |  5 +-
.../097_drop_user_name_domainid_constraint.py      |  2 +-
.../104_drop_user_name_domainid_constraint.py      |  2 +-
keystone/credential/backends/sql.py                |  3 +
keystone/identity/backends/ldap/common.py          | 34 ++++++++++-
keystone/identity/backends/ldap/core.py            |  7 ++-
keystone/identity/backends/sql_model.py            |  2 +-
keystone/identity/core.py                          | 13 ++--
keystone/identity/shadow_backends/sql.py           | 12 ++++
keystone/models/token_model.py                     | 16 ++---
keystone/notifications.py                          | 20 +++++-
keystone/oauth1/core.py                            |  4 +-
.../keystone-dsvm-functional-v3-only/run.yaml      |  8 +--
playbooks/legacy/keystone-dsvm-functional/run.yaml |  6 +-
.../keystone-dsvm-grenade-multinode/run.yaml       | 10 +--
.../keystone-dsvm-py35-functional-v3-only/run.yaml |  8 +--
.../notes/bug-1773967-b59517a09e0e6141.yaml        |  9 +++
.../notes/bug-1782922-db822fda486ac773.yaml        | 10 +++
.../notes/bug-1801873-0eb9a5ec3e801190.yaml        |  6 ++
.../notes/bug-1840291-35af1ac7ba06e166.yaml        |  6 ++
.../notes/bug-1843609-8498b132222596b7.yaml        |  9 +++
.../notes/bug-1856881-277103af343187f1.yaml        |  7 +++
.../notes/bug-1856904-101af15bb48eb3ca.yaml        |  9 +++
.../notes/bug-1858012-584267ada7e33f2c.yaml        |  7 +++
reno.yaml                                          |  4 ++
tox.ini                                            |  4 +-
46 files changed, 478 insertions(+), 94 deletions(-)






