We are satisfied to announce the release of:

keystone 9.0.0: OpenStack Identity

This release is part of the mitaka release series.

For more details, please see below.

9.0.0
^^^^^

New Features
************

* [blueprint domain-specific-roles (https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles)] Roles can now be optionally defined as domain specific. Domain specific roles are not referenced in policy files; rather, they can be used to allow a domain to build its own private inference rules with implied roles. A domain specific role can be assigned to a domain or project within its domain, and any subset of global roles it implies will appear in a token scoped to the respective domain or project. The domain specific role itself, however, will not appear in the token.

* [blueprint bootstrap (https://blueprints.launchpad.net/keystone/+spec/bootstrap)] keystone-manage now supports the bootstrap command on the CLI so that a keystone install can be initialized without the need for the admin_token filter in the paste-ini.

* [blueprint domain-config-default (https://blueprints.launchpad.net/keystone/+spec/domain-config-default)] The Identity API now supports retrieving the default values for the configuration options that can be overridden via the domain specific configuration API.

* [blueprint url-safe-naming (https://blueprints.launchpad.net/keystone/+spec/url-safe-naming)] The names of projects and domains can optionally be ensured to be URL safe, to support the future ability to specify projects using hierarchical naming.

* [bug 1490804 (https://bugs.launchpad.net/keystone/+bug/1490804)] Audit IDs are included in the token revocation list.

* [bug 1519210 (https://bugs.launchpad.net/keystone/+bug/1519210)] A user may now opt out of notifications by specifying a list of event types using the *notification_opt_out* option in *keystone.conf*. These events are never sent to a messaging service.
* [bug 1542417 (https://bugs.launchpad.net/keystone/+bug/1542417)] Added support for a *user_description_attribute* mapping to the LDAP driver configuration.

* [bug 1526462 (https://bugs.launchpad.net/keystone/+bug/1526462)] Support for posixGroups with OpenDirectory and UNIX when using the LDAP identity driver.

* [bug 1489061 (https://bugs.launchpad.net/keystone/+bug/1489061)] Caching has been added to catalog retrieval on a per user ID and project ID basis. This affects both the v2 and v3 APIs. As a result, this should provide a performance benefit to fernet-based deployments.

* Keystone supports "$(project_id)s" in the catalog. It works the same as "$(tenant_id)s". Use of "$(tenant_id)s" is deprecated and catalog endpoints should be updated to use "$(project_id)s".

* [bug 1525317 (https://bugs.launchpad.net/keystone/+bug/1525317)] Enable filtering of identity providers based on the *id* and *enabled* attributes.

* [bug 1555830 (https://bugs.launchpad.net/keystone/+bug/1555830)] Enable filtering of service providers based on the *id* and *enabled* attributes.

* [blueprint federation-group-ids-mapped-without-domain-reference (https://blueprints.launchpad.net/keystone/+spec/federation-group-ids-mapped-without-domain-reference)] Enhanced the federation mapping engine to allow for group IDs to be referenced without a domain ID.

* [blueprint implied-roles (https://blueprints.launchpad.net/keystone/+spec/implied-roles)] Keystone now supports creating implied roles. Role inference rules can now be added to indicate when the assignment of one role implies the assignment of another. The rules are of the form *prior_role* implies *implied_role*. At token generation time, user/group assignments of roles that have implied roles will be expanded to also include such roles in the token. The expansion of implied roles is controlled by the *prohibited_implied_role* option in the *[assignment]* section of *keystone.conf*.
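As an added illustration of the domain-specific-roles and implied-roles features described above (example code, not keystone's own), the following constructed Python model expands a user's assigned roles through prior -> implied rules, blocks inference of roles in a prohibited set (one reading of the *prohibited_implied_role* option, assumed here), and drops domain specific roles from the resulting token while keeping the global roles they imply. All role names, rules and domain ids are constructed.

```python
"""Toy model of Mitaka implied-role expansion at token-issue time.

Constructed example, not keystone code. Rules are of the form
prior_role -> implied_role and are applied transitively; roles in
PROHIBITED_IMPLIED are never added by inference (a reading of the
[assignment] prohibited_implied_role option, assumed here); domain
specific roles expand like any other role but never appear in the
token themselves.
"""
from collections import deque

# Inference rules: prior role -> roles it implies (constructed data).
RULES = {
    "admin": {"member"},
    "member": {"reader"},
    # Domain-specific role, defined in domain "d1", implying global roles.
    "d1_project_operator": {"member", "reader"},
    # Misconfigured rule: it would hand out admin through inference.
    "support": {"admin"},
}

# Roles that may only be held by direct assignment, never via inference.
PROHIBITED_IMPLIED = {"admin"}

# Domain-specific roles: role name -> owning domain id (constructed data).
DOMAIN_SPECIFIC = {"d1_project_operator": "d1"}


def expand_roles(assigned, rules=RULES, prohibited=PROHIBITED_IMPLIED):
    """Transitive closure of the directly assigned roles under the rules.

    Directly assigned roles are always kept; the prohibited set only blocks
    roles that would be reached through inference.
    """
    result = set(assigned)
    queue = deque(assigned)
    while queue:
        for implied in rules.get(queue.popleft(), ()):
            if implied in prohibited or implied in result:
                continue
            result.add(implied)
            queue.append(implied)
    return result


def token_roles(assigned, scope_domain, rules=RULES,
                prohibited=PROHIBITED_IMPLIED, domain_specific=DOMAIN_SPECIFIC):
    """Roles that appear in a token scoped to a project or domain in scope_domain.

    A domain-specific role is only usable within its own domain, and even
    there only the global roles it implies are placed in the token.
    """
    usable = {r for r in assigned
              if domain_specific.get(r, scope_domain) == scope_domain}
    expanded = expand_roles(usable, rules, prohibited)
    return sorted(r for r in expanded if r not in domain_specific)


if __name__ == "__main__":
    print(token_roles({"d1_project_operator"}, "d1"))  # ['member', 'reader']
    print(expand_roles({"support"}))                   # {'support'}
```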
* [bug 968696 (https://bugs.launchpad.net/keystone/+bug/968696)] A pair of configuration options have been added to the "[resource]" section to specify a special "admin" project: "admin_project_domain_name" and "admin_project_name". If these are defined, any scoped token issued for that project will have an additional identifier "is_admin_project" added to the token. This identifier can then be checked by the policy rules in the policy files of the services when evaluating access control policy for an API. Keystone does not yet support the ability for a project acting as a domain to be the admin project. That will be added once the rest of the code for projects acting as domains is merged.

* [bug 1515302 (https://bugs.launchpad.net/keystone/+bug/1515302)] Two new configuration options have been added to the *[ldap]* section: *user_enabled_emulation_use_group_config* and *project_enabled_emulation_use_group_config*, which allow deployers to choose if they want to override the default group LDAP schema option.

* [bug 1501698 (https://bugs.launchpad.net/keystone/+bug/1501698)] Support the *list_limit* parameter when LDAP is used as the identity backend.

* [bug 1479569 (https://bugs.launchpad.net/keystone/+bug/1479569)] Names have been added to list role assignments (GET /role_assignments?include_names=True): rather than returning just the internal IDs of the objects, the names are also returned.

* Domains are now represented as top level projects with the attribute *is_domain* set to true. Such projects will appear as parents for any previous top level projects. Projects acting as domains can be created, read, updated, and deleted via either the project API or the domain API (V3 only).

* [bug 1500222 (https://bugs.launchpad.net/keystone/+bug/1500222)] Added information such as user ID, project ID, and domain ID to log entries. As a side effect of this change, both the user's domain ID and the project's domain ID are now included in the auth context.
* [bug 1473042 (https://bugs.launchpad.net/keystone/+bug/1473042)] Keystone's S3 compatibility support can now authenticate using AWS Signature Version 4.

* [blueprint totp-auth (https://blueprints.launchpad.net/keystone/+spec/totp-auth)] Keystone now supports authenticating via Time-based One-time Password (TOTP). To enable this feature, add the "totp" auth plugin to the *methods* option in the *[auth]* section of *keystone.conf*. More information about using TOTP can be found in keystone's developer documentation (http://docs.openstack.org/developer/keystone/auth-totp.html).

* [blueprint x509-ssl-client-cert-authn (https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-cert-authn)] Keystone now supports tokenless client SSL X.509 certificate authentication and authorization.

Upgrade Notes
*************

* [bug 1473553 (https://bugs.launchpad.net/keystone/+bug/1473553)] The *keystone-paste.ini* must be updated to put the "admin_token_auth" middleware before "build_auth_context". See the sample *keystone-paste.ini* for the correct *pipeline* value. Having "admin_token_auth" after "build_auth_context" is deprecated and will not be supported in a future release.

* The LDAP driver now also maps the user description attribute after user retrieval from LDAP. If this is undesired behavior for your setup, please add *description* to the *user_attribute_ignore* LDAP driver config setting. The default mapping of the description attribute is set to *description*. Please adjust the LDAP driver config setting *user_description_attribute* if your LDAP uses a different attribute name (for instance *displayName* in the case of an AD backed LDAP). If your *user_additional_attribute_mapping* setting contains *description:description* you can remove this mapping, since this is now the default behavior.

* The default setting for the *os_inherit* configuration option is changed to True. If it is required to continue with this portion of the API disabled, then override the default setting by explicitly specifying the os_inherit option as False.

* The *keystone-paste.ini* file must be updated to remove extension filters, and their use in "[pipeline:api_v3]". Remove the following filters: "[filter:oauth1_extension]", "[filter:federation_extension]", "[filter:endpoint_filter_extension]", and "[filter:revoke_extension]". See the sample keystone-paste.ini (https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini) file for guidance.

* The *keystone-paste.ini* file must be updated to remove extension filters, and their use in the "[pipeline:public_api]" and "[pipeline:admin_api]" pipelines. Remove the following filters: "[filter:user_crud_extension]", "[filter:crud_extension]". See the sample keystone-paste.ini (https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini) file for guidance.

* A new config option, *insecure_debug*, is added to control whether debug information is returned to clients. This used to be controlled by the *debug* option. If you'd like to return extra information to clients, set the value to "true". This extra information may help an attacker.

* The configuration options for LDAP connection pooling, *[ldap] use_pool* and *[ldap] use_auth_pool*, are now both enabled by default. Only deployments using LDAP drivers are affected. Additional configuration options are available in the *[ldap]* section to tune connection pool size, etc.

* [bug 1541092 (https://bugs.launchpad.net/keystone/+bug/1541092)] Only database upgrades from Kilo and newer are supported.

* Keystone now uses oslo.cache. Update the *[cache]* section of *keystone.conf* to point to oslo.cache backends: "oslo_cache.memcache_pool" or "oslo_cache.mongo". Refer to the sample configuration file for examples. See oslo.cache (http://docs.openstack.org/developer/oslo.cache) for additional documentation.
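A defender-side check for the paste-pipeline changes required by the upgrade notes above (an added example, not keystone's own tooling): it parses a constructed pre-Mitaka *keystone-paste.ini* with configparser and reports extension filters that must be removed, pipelines still referencing them, and pipelines where "admin_token_auth" sits after "build_auth_context". The filter names come from the notes; the paste.filter_factory values in the sample are placeholders.

```python
"""Audit a keystone-paste.ini against the Mitaka upgrade notes.

Added example, not keystone's own tooling. The filter names come from
the release notes; the paste.filter_factory values below are placeholders.
"""
import configparser

# Extension filters the Mitaka notes say must be removed (and no longer
# referenced from any pipeline).
REMOVED_FILTERS = {
    "oauth1_extension", "federation_extension", "endpoint_filter_extension",
    "revoke_extension", "user_crud_extension", "crud_extension",
}

# Constructed pre-Mitaka paste file showing each problem the notes describe.
SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
paste.filter_factory = placeholder:AdminToken.factory

[filter:build_auth_context]
paste.filter_factory = placeholder:AuthContext.factory

[filter:crud_extension]
paste.filter_factory = placeholder:Crud.factory

[filter:revoke_extension]
paste.filter_factory = placeholder:Revoke.factory

[pipeline:api_v3]
pipeline = build_auth_context token_auth admin_token_auth revoke_extension service_v3

[pipeline:admin_api]
pipeline = admin_token_auth build_auth_context token_auth crud_extension admin_service
"""


def audit_paste_ini(text, removed_filters=REMOVED_FILTERS):
    """Return a list of human-readable findings; an empty list means compliant."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        kind, _, name = section.partition(":")
        if kind == "filter" and name in removed_filters:
            findings.append(f"remove section [{section}]")
        elif kind == "pipeline":
            stages = cp.get(section, "pipeline", fallback="").split()
            findings.extend(f"[{section}] still uses {s}"
                            for s in stages if s in removed_filters)
            # Mitaka requires admin_token_auth before build_auth_context.
            if ("admin_token_auth" in stages and "build_auth_context" in stages
                    and stages.index("admin_token_auth")
                    > stages.index("build_auth_context")):
                findings.append(f"[{section}] admin_token_auth must precede "
                                "build_auth_context")
    return findings


if __name__ == "__main__":
    for finding in audit_paste_ini(SAMPLE_PASTE_INI):
        print(finding)
```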
Deprecation Notes
*****************

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] The V8 Assignment driver interface is deprecated. Support for the V8 Assignment driver interface is planned to be removed in the 'O' release of OpenStack.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] The V8 Role driver interface is deprecated. Support for the V8 Role driver interface is planned to be removed in the 'O' release of OpenStack.

* The V8 Resource driver interface is deprecated. Support for the V8 Resource driver interface is planned to be removed in the 'O' release of OpenStack.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] The "admin_token_auth" filter must now be placed before the "build_auth_context" filter in *keystone-paste.ini*.

* Use of "$(tenant_id)s" in the catalog endpoints is deprecated in favor of "$(project_id)s".

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] Deprecate the "enabled" option from "[endpoint_policy]"; it will be removed in the 'O' release, and the extension will always be enabled.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] The token memcache and memcache_pool persistence backends have been deprecated in favor of using Fernet tokens (which require no persistence).

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] Deprecated all v2.0 APIs. The keystone team recommends using v3 APIs instead. Most v2.0 APIs will be removed in the 'Q' release. However, the authentication APIs and EC2 APIs are indefinitely deprecated and will not be removed in the 'Q' release.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] As of the Mitaka release, the PKI and PKIz token formats have been deprecated. They will be removed in the 'O' release. Due to this change, the *hash_algorithm* option in the *[token]* section of the configuration file has also been deprecated. Also due to this change, the "keystone-manage pki_setup" command has been deprecated as well.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] As of the Mitaka release, write support for the LDAP driver of the Identity backend has been deprecated. This includes the following operations: create user, create group, delete user, delete group, update user, update group, add user to group, and remove user from group. These operations will be removed in the 'O' release.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] As of the Mitaka release, the auth plugin *keystone.auth.plugins.saml2.Saml2* has been deprecated. It is recommended to use *keystone.auth.plugins.mapped.Mapped* instead. The "saml2" plugin will be removed in the 'O' release.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] As of the Mitaka release, the simple_cert_extension is deprecated since it is only used in support of the PKI and PKIz token formats. It will be removed in the 'O' release.

* The *os_inherit* configuration option is disabled. In the future, this option will be removed and this portion of the API will always be enabled.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] The file "httpd/keystone.py" has been deprecated in favor of "keystone-wsgi-admin" and "keystone-wsgi-public" and may be removed in the 'O' release.

* [blueprint deprecated-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)] "keystone.common.cache.backends.memcache_pool", "keystone.common.cache.backends.mongo", and "keystone.common.cache.backends.noop" are deprecated in favor of oslo.cache backends. The keystone backends will be removed in the 'O' release.

* The V8 Federation driver interface is deprecated in favor of the V9 Federation driver interface. Support for the V8 Federation driver interface is planned to be removed in the 'O' release of OpenStack.

Security Issues
***************

* The use of the admin_token filter is insecure compared to the use of a proper username/password. Historically the admin_token filter has been left enabled in Keystone after initialization due to the way CMS systems work. Moving to an out-of-band initialization using "keystone-manage bootstrap" will eliminate the security concerns around a static shared string that conveys admin access to keystone and therefore to the entire installation.

* The admin_token method of authentication was never intended to be used for any purpose other than bootstrapping an install. However, many deployments had to leave the admin_token method enabled due to restrictions on editing the paste file used to configure the web pipelines. To minimize the risk from this mechanism, the *admin_token* configuration value now defaults to a python *None* value. In addition, if the value is set to *None*, either explicitly or implicitly, the *admin_token* will not be enabled, and an attempt to use it will lead to a failed authentication.

* [bug 1490804 (https://bugs.launchpad.net/keystone/+bug/1490804)] [CVE-2015-7546 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546)] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the keystonemiddleware project.
Bug Fixes
*********

* [bug 1535878 (https://bugs.launchpad.net/keystone/+bug/1535878)] Originally, to perform GET /projects/{project_id}, the provided policy files required a user to have at least project admin level permissions. They have been updated to allow it to be performed by any user who has a role on the project.

* [bug 1516469 (https://bugs.launchpad.net/keystone/+bug/1516469)] Endpoints filtered by endpoint_group project association will be included in the service catalog when a project scoped token is issued and "endpoint_filter.sql" is used for the catalog driver.

* Support has now been added to send notification events on user/group membership. When a user is added to or removed from a group, a notification will be sent including the identifiers of both the user and the group.

* [bug 1527759 (https://bugs.launchpad.net/keystone/+bug/1527759)] Reverted the change that eliminated the ability to get a V2 token with a user or project that is not in the default domain. This change broke real-world deployments that utilized the ability to authenticate via the V2 API with a user not in the default domain or with a project not in the default domain. Deployers are still being encouraged to update their code to properly handle V3 auth, but the fix broke expected and tested behavior.

* [bug 1480270 (https://bugs.launchpad.net/keystone/+bug/1480270)] Endpoints created when using v3 of the keystone REST API will now be included when listing endpoints via the v2.0 API.

Other Notes
***********

* The list_project_ids_for_user(), list_domain_ids_for_user(), list_user_ids_for_project(), list_project_ids_for_groups(), list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and list_role_ids_for_groups_on_domain() methods have been removed from the V9 version of the Assignment driver.

* [blueprint move-extensions (https://blueprints.launchpad.net/keystone/+spec/move-extensions)] If any extension migrations are run, for example "keystone-manage db_sync --extension endpoint_policy", an error will be returned. This is working as designed. To run these migrations simply run "keystone-manage db_sync". The complete list of affected extensions is: "oauth1", "federation", "endpoint_filter", "endpoint_policy", and "revoke".

* [bug 1367113 (https://bugs.launchpad.net/keystone/+bug/1367113)] The "get entity" and "list entities" functionality for the KVS catalog backend has been reimplemented to use the data from the catalog template. Previously this would only act on temporary data that was created at runtime. The create, update and delete entity functionality now raises an exception.

* "keystone-manage db_sync" will no longer create the Default domain. This domain is used as the domain for any users created using the legacy v2.0 API. A default domain is created by "keystone-manage bootstrap" and when a user or project is created using the legacy v2.0 API.

* The ability to validate a trust-scoped token against the v2.0 API has been removed, in favor of using version 3 of the API.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] Removed "extras" from token responses. This field should not be necessary; a well-defined API makes it redundant. This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] Removed "RequestBodySizeLimiter" from keystone middleware. The keystone team suggests using "oslo_middleware.sizelimit.RequestBodySizeLimiter" instead. This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] Notifications with event_type "identity.created.role_assignment" and "identity.deleted.role_assignment" have been removed. The keystone team suggests listening for "identity.role_assignment.created" and "identity.role_assignment.deleted" instead. This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] Removed "check_role_for_trust" from the trust controller; ensure policy files do not refer to this target. This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] Removed Catalog KVS backend ("keystone.catalog.backends.sql.Catalog"). This was deprecated in the Icehouse release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] The LDAP backend for Assignment has been removed. This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] The LDAP backend for Resource has been removed. This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] The LDAP backend for Role has been removed. This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)] Removed Revoke KVS backend ("keystone.revoke.backends.kvs.Revoke"). This was deprecated in the Juno release.

Changes in keystone 9.0.0.0rc2..9.0.0
-------------------------------------

3e5fca0 Update federated user display name with shadow_users_api

Diffstat (except docs and test files)
-------------------------------------

keystone/identity/core.py | 4 ++--
2 files changed, 30 insertions(+), 2 deletions(-)