We are delighted to announce the release of:

keystone 15.0.0: OpenStack Identity

This release is part of the stein release series.

The source is available from:

    https://git.openstack.org/cgit/openstack/keystone

Download the package from:

    https://tarballs.openstack.org/keystone/

Please report issues through:

    https://bugs.launchpad.net/keystone/+bugs

For more details, please see below.

15.0.0
^^^^^^

Prelude
*******

This release leverages oslo.policy's policy-in-code feature to modify
the default check strings and scope types for nearly all of keystone's
API policies. These changes make the policies more precise than they
were before, using the reader, member, and admin roles where
previously only the admin role and a catch-all rule were available.
The changes also take advantage of system, domain, and project scope,
allowing you to create role assignments for your users that are
appropriate to the actions they need to perform. Eventually this will
allow you to set "[oslo_policy]/enforce_scope=true" in your keystone
configuration, which simplifies access control management by ensuring
that oslo.policy checks both the role and the scope on API requests.

However, please be aware that not all policies have been converted in
this release and some changes are still under development. During the
transition phase, if you have not overridden a policy, the old default
and the new default will be OR'd together. This means that, for
example, where we have changed the policy rule from
"rule:admin_required" to "role:reader and system_scope:all", both
policy rules will be in effect. Please check your current policies and
role assignments before upgrading to ensure the policies will not be
too permissive for your deployment. To hide the deprecation warnings
and opt into the less permissive rules, you can override the policy
configuration to use the newer policy rule.
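An added illustration (not keystone or oslo.policy code) of the transition behaviour described in the prelude: a simplified evaluator for two of the check strings quoted in the deprecation notes of this announcement, listing the requests that pass only because the old default is still OR'd in. The credentials and targets are constructed samples, "rule:admin_required" is assumed to mean "role:admin", and only "and", "or", parentheses and "key:value" checks are handled.

```python
import re

# (old default, new default) check strings quoted in the deprecation notes.
DEPRECATED = {
    "identity:list_users": ("rule:admin_required",
        "(role:reader and system_scope:all) or "
        "(role:reader and domain_id:%(target.domain_id)s)"),
    "identity:create_user": ("rule:admin_required",
        "(role:admin and system_scope:all) or "
        "(role:admin and token.domain.id:%(target.user.domain_id)s)"),
}
RULES = {"admin_required": "role:admin"}  # assumption: simplified legacy rule
TOKEN = re.compile(r"[\w.]+:(?:%\([\w.]+\)s|[\w.]+)|\(|\)|\b(?:and|or)\b")

def _lookup(creds, dotted):
    node = creds  # walk a dotted key such as token.domain.id through dicts
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _check(atom, creds, target):
    """Evaluate one kind:match check against the token credentials."""
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return evaluate(RULES[match], creds, target)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % target  # fill %(target.x)s from the request target
    except KeyError:
        return False
    value = _lookup(creds, kind)
    return value is not None and str(value) == expected

def evaluate(check_str, creds, target):
    """Recursive-descent evaluation; 'and' binds tighter than 'or'."""
    tokens, pos = TOKEN.findall(check_str), 0

    def chain(operand, word, combine):
        nonlocal pos
        result = operand()
        while pos < len(tokens) and tokens[pos] == word:
            pos += 1
            rhs = operand()  # always parsed, so the cursor keeps advancing
            result = combine(result, rhs)
        return result

    def atom():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        if tok == "(":
            result = either()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses: %r" % check_str)
            pos += 1
            return result
        if tok in (None, ")", "and", "or"):
            raise ValueError("malformed check string: %r" % check_str)
        return _check(tok, creds, target)

    def both():
        return chain(atom, "and", lambda a, b: a and b)
    def either():
        return chain(both, "or", lambda a, b: a or b)

    result = either()
    if pos != len(tokens):
        raise ValueError("malformed check string: %r" % check_str)
    return result

def decide(policy, creds, target, overridden=False):
    """Transition default is old OR new; an override pins the new rule only."""
    old, new = DEPRECATED[policy]
    new_ok = evaluate(new, creds, target)
    return new_ok if overridden else new_ok or evaluate(old, creds, target)

# Constructed sample credentials and request targets (not real tokens).
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "p1"}
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}
DOMAIN_ADMIN = {"roles": ["admin", "member", "reader"], "domain_id": "d1",
                "token": {"domain": {"id": "d1"}}}
IN_D1 = {"target.domain_id": "d1", "target.user.domain_id": "d1"}
IN_D2 = {"target.domain_id": "d2", "target.user.domain_id": "d2"}
CASES = [
    ("project admin", PROJECT_ADMIN, "identity:list_users", IN_D1),
    ("system reader", SYSTEM_READER, "identity:list_users", IN_D1),
    ("domain admin (d1)", DOMAIN_ADMIN, "identity:create_user", IN_D1),
    ("domain admin (d1)", DOMAIN_ADMIN, "identity:create_user", IN_D2),
]

def transition_gaps():
    """Cases allowed only because the old default is still OR'd in."""
    return [(who, policy, target["target.domain_id"])
            for who, creds, policy, target in CASES
            if decide(policy, creds, target)
            and not decide(policy, creds, target, overridden=True)]

if __name__ == "__main__":
    print(transition_gaps())
```

Each entry returned by transition_gaps() is a request that a policy-file override pinning the new check string would deny.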

New Features
************

* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
  The user API now supports the "admin", "member", and "reader"
  default roles across system-scope, domain-scope, and project-scope.

* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
  The project API now supports the "admin", "member", and "reader"
  default roles across system-scope, domain-scope, and project-scope.

* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
  [bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)]
  The system assignment API now supports the "admin", "member", and
  "reader" default roles across system-scope, domain-scope, and
  project-scope. The grant API now supports the "admin", "member",
  and "reader" default roles for system-scope.

* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
  The role assignment API now supports the "admin", "member", and
  "reader" default roles across system-scope, domain-scope, and
  project-scope.

Upgrade Notes
*************

* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
  The user API uses new default policies that make it more accessible
  to end users and administrators in a secure way. Please consider
  these new defaults if your deployment overrides user policies.

* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
  The project API uses new default policies that make it more
  accessible to end users and administrators in a secure way. Please
  consider these new defaults if your deployment overrides project
  policies.

* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
  [bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)]
  The system assignment and grant APIs use new default policies that
  make them more accessible to end users and administrators in a
  secure way. Please consider these new defaults if your deployment
  overrides system assignment policies.

* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
  The role assignment API uses new default policies that make it more
  accessible to end users and administrators in a secure way. Please
  consider these new policies if your deployment overrides role
  assignment policies.

* [bug 1806762 (https://bugs.launchpad.net/keystone/+bug/1806762)]
  The user policies defined in "policy.v3cloudsample.json" have been
  removed. These policies are now obsolete after incorporating
  system-scope, domain-scope, and project-scope into the user API and
  implementing default roles.

* [bug 1804462 (https://bugs.launchpad.net/keystone/+bug/1804462)]
  The group policies defined in "policy.v3cloudsample.json" have been
  removed. These policies are now obsolete after incorporating
  system-scope and domain-scope into the groups API and implementing
  default roles.

Deprecation Notes
*****************

* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
  The user policies have been deprecated. The "identity:get_user"
  policy now uses "(role:reader and system_scope:all) or (role:reader
  and token.domain.id:%(target.user.domain_id)s) or
  user_id:%(target.user.id)s" instead of "rule:admin_or_owner". The
  "identity:list_users" policy now uses "(role:reader and
  system_scope:all) or (role:reader and
  domain_id:%(target.domain_id)s)" instead of "rule:admin_required".
  The "identity:create_user", "identity:update_user", and
  "identity:delete_user" policies now use "(role:admin and
  system_scope:all) or (role:admin and
  token.domain.id:%(target.user.domain_id)s)" instead of
  "rule:admin_required". These new defaults automatically include
  support for a read-only role and allow for more granular access to
  user APIs, making it easier for system and domain administrators to
  delegate authorization safely. Please consider these new defaults
  if your deployment overrides user policies.

* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
  The project policies have been deprecated. The
  "identity:get_project" policy now uses "(role:reader and
  system_scope:all) or (role:reader and
  domain_id:%(target.project.domain_id)s) or
  project_id:%(target.project.id)s" instead of "rule:admin_required
  or project_id:%(target.project.id)s". The "identity:list_projects"
  policy now uses "(role:reader and system_scope:all) or (role:reader
  and domain_id:%(target.domain_id)s)" instead of
  "rule:admin_required". The "identity:list_user_projects" policy now
  uses "(role:reader and system_scope:all) or (role:reader and
  domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
  instead of "rule:admin_or_owner". The "identity:create_project"
  policy now uses "(role:admin and system_scope:all) or (role:admin
  and domain_id:%(target.project.domain_id)s)" instead of
  "rule:admin_required". These new defaults automatically include
  support for a read-only role and allow for more granular access to
  project APIs, making it easier for system and domain administrators
  to delegate authorization safely. Please consider these new
  defaults if your deployment overrides the project policies.

* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
  [bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)]
  The system assignment and grant policies have been deprecated. The
  "identity:list_system_grants_for_user",
  "identity:check_system_grant_for_user",
  "identity:list_system_grants_for_group", and
  "identity:check_system_grant_for_group" policies now use
  "role:reader and system_scope:all" instead of
  "rule:admin_required". The "identity:create_system_grant_for_user",
  "identity:revoke_system_grant_for_user",
  "identity:create_system_grant_for_group", and
  "identity:revoke_system_grant_for_group" policies now use
  "role:admin and system_scope:all" instead of "rule:admin_required".
  The "identity:check_grant" and "identity:list_grants" policies now
  use "role:reader and system_scope:all" instead of
  "rule:admin_required". The "identity:create_grant" and
  "identity:revoke_grant" policies now use "role:admin and
  system_scope:all" instead of "rule:admin_required". These new
  defaults automatically include support for a read-only role and
  allow for more granular access to the system assignment and grant
  APIs, making it easier for administrators to delegate authorization
  safely. Please consider these new defaults if your deployment
  overrides the system assignment APIs.

* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
  The role assignment "identity:list_role_assignments" policy now
  uses "(role:reader and system_scope:all) or (role:reader and
  domain_id:%(target.domain.id)s)" instead of "rule:admin_required".
  This new default automatically includes support for a read-only
  role and allows for more granular access to the role assignment
  API. Please consider this new default if your deployment overrides
  the role assignment policies.

Security Issues
***************

* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
  The user API now uses system-scope, domain-scope, project-scope and
  default roles to provide better accessibility to users in a secure
  way.

* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
  The project API now uses system-scope, domain-scope, project-scope
  and default roles to provide better accessibility to users in a
  secure way.

* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
  [bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)]
  The system assignment API now uses system-scope, domain-scope,
  project-scope, and default roles to provide better accessibility to
  users in a secure way. The grant API now uses system-scope and
  default roles to provide better accessibility to operators.

* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
  The role assignment API now uses system-scope, domain-scope,
  project-scope, and default roles to provide better accessibility to
  users in a secure way.

Bug Fixes
*********

* [bug 1801873 (https://bugs.launchpad.net/keystone/+bug/1801873)]
  This fixes an issue where an LDAP-backed domain could not be
  deleted due to the existence of shadow users in the SQL database.

* [bug 1806762 (https://bugs.launchpad.net/keystone/+bug/1806762)]
  The user policies in "policy.v3cloudsample.json" policy file have
  been removed in favor of better defaults in code. These policies
  weren't tested exhaustively and were misleading to users and
  operators.

* [bug 1804462 (https://bugs.launchpad.net/keystone/+bug/1804462)]
  The group policies in "policy.v3cloudsample.json" policy file have
  been removed in favor of better defaults in code. These policies
  weren't tested exhaustively and were misleading to users and
  operators.

* [bug 1817313 (https://bugs.launchpad.net/keystone/+bug/1817313)]
  Raise METHOD NOT ALLOWED for OS-Federation protocols creation if
  the protocol_id is not in the URL. The corrective action was to
  split the LIST from CRUD resources so that the routing regexes can
  work as expected.

* [bug 1819036 (https://bugs.launchpad.net/keystone/+bug/1819036)]
  Middleware that processes requests in front of keystone now caches
  tokens per request, eliminating unnecessary round trips to validate
  tokens on every request. This change doesn't require the usage of
  any configuration options to take effect. The fix for this bug
  improved performance ~20% during testing and impacts most of
  keystone's API.

Changes in keystone 14.0.0.0rc1..15.0.0
---------------------------------------

c78581b46 DRY: Remove redundant policies from policy.v3cloudsample.json
2c102cad4 Remove redundant policies from v3cloudsample
2c00a6974 Add domain scope support for group policies
b86df692d Delete shadow users when domain is deleted
2727e837d Add release prelude about changing policies
95442b7dd Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD
7f257513f Consolidate user protection tests
933b7509a Make system admin policies consistent for grants
db3b293cd Implement system reader functionality for grants
6c1d53fd8 Replace URL name to the correct one in Keystone Docs
b7a64a931 Remove system assignment policies from policy.v3cloudsample.json
56e481279 Test domain and project users against group system assignment API
02eebfe57 Update group system grant policies for admins
1d8ac830a Update system group assignment policies for reader and member
de083009e Test project users against system assignment API
4ccb4c258 Test domain users against system assignment API
ad108dafe Update system grant policies for system admin
0786fde39 Update system grant policies for system member
fd08266ab Update system grant policies for system reader
570e47dbf Remove assignment policies from policy.v3cloudsample.json
10305cf72 Add role assignment testing for project users
8da74c175 Add explicit testing for project users and the user API
a5fbec6a0 Implement domain admin functionality for user API
3d3fa99a0 Remove project policies from policy.v3cloudsample.json
24c875fe7 Implement domain admin functionality for projects
2696c36f5 Add role assignment test coverage for domain admins
fb944086d Add role assignment test coverage for domain members
c56611ff5 Implement domain reader for role_assignments
86cf26310 Only validate tokens once per request
dd6da4cd4 Implement domain member functionality for user API
69868c6bf Implement domain reader functionality for user API
0f663420b Replace openstack.org git:// URLs with https://
04dc72a90 Implement domain member functionality for projects
6e4d06861 Pin Werkzeug in lower-constraints
d6df1dff3 PY3: Ensure LDAP searches use unicode attributes
05bb9b2db Use ForbiddenAction for invalid action instead of Forbidden
5bd12384f Add schema placeholders for Stein
65165e7e8 Implement domain reader functionality for projects
79be1dc10 Small refactor for create nonlocal user
9d366a528 Mention allow_expired_window in fernet FAQ
fd5da18bf Fix the incorrect release name of project guide
1edb5c3bb trivial: fix broken link in trust API reference
c90384804 Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic
f0c2e798f Remove publish-loci post job
261eeaa19 Add hint for order of keys during distribution
87d6c019b Add service developer documentation for scopes
72bedeba7 Make system members the same as system readers for credentials
a022e2730 Drop py35 jobs
c83fcbc42 Remove service policies from policy.v3cloudsample.json
f475783f1 Switch federation check jobs to opensuse
e8aa678a2 Add driver support for app cred access rules
182524d97 Add SQL migrations for app cred access rules
02540b7de Add a permissive mode for access rules config
e1d31eda3 Add manager for access rules config
f028ca4ed Add JSON driver for access rules config
24b8db9e0 Remove protocol policies from v3cloudsample.json
537c6769e Add tests for project users interacting with services
6d756ad61 Remove role policies from policy.v3cloudsample.json
512f0b4f7 Add tests for project users interacting with roles
31eecfb2a Add tests for domain users interacting with roles
6c6c6049f Remove endpoint policies from policy.v3cloudsample.json
87e50c029 Remove domain policies from policy.v3cloudsample.json
321a8cb03 Add role assignment test coverage for system admin
b35fb58ea Add role assignment test coverage for system members
63c6e6c39 Reorganize role assignment tests for system users
ca835d913 Implement system reader for role_assignments
c0e6d4498 Remove idp policies from policy.v3cloudsample.json
76165b3f5 Add py37 tox env
875ecfb56 Add tests for domain users interacting with services
f377351ac Update service policies for system admin
f2b2ab11d Add shibboleth config to log output
4d2a219a3 Update introduction of external services doc
3111b8b9b Address follow-up comments in contributor guide for specs
c3d46e1c9 [api-ref] add domain level limit support
fdd3b9765 Release note for domain level limit
8667f42be Update project depth check
7e98d297a Add domain level support for strict-two-level-model
df173c7c9 Add domain level limit support - API
347269184 Add domain level limit support - Manager
65f76c172 Remove mapping policies from policy.v3cloudsample.json
e4e258a5d Add tests for project users interacting with mappings
ebad027f2 Deprecate cache_on_issue configuration option
950e7d1f6 Add JWS token provider documentation
32d92f801 Add OpenSUSE support in devstack federation plugin
22c08b546 Add experimental job for OpenSUSE
431e5a81b Fix mock for v2 test
833df8cd1 Add documentation for writing specifications
64e9b03b7 Remove unused sample token fixtures
9168127c7 Fix bindep for SUSE
579909e3f add python 3.7 unit test job
0931f08cd Correcting tests with project_id
4e72b95c6 Add domain_id column for limit
bc531229b [SQLite] Ensure change is addressed for limit table
1b7db4a06 Remove region policies from policy.v3cloudsample.json
bb8ebfd65 Add tests for project users interacting with regions
be83c6d71 Add tests for domain users interacting with regions
f3b69e4b4 Update region policies to use system admin
833b00e57 Add region tests for system member role
f62f73c54 Implement system admin role in groups API
1b261e8be populate request context with X.509 tokenless cred information
49ada37ce Fix wrong example for direct_maps
505fe2047 Fixes incorrect params
96adccd0e Implement JWS token provider
ab5fe081a Seperated CADF notifications tests for request_id
51a68525c Added request_id and global_request_id to basic notifications
96eb890a0 Converting the API tests to use flask's test_client
29fb7ae39 Implement system admin role in users API
4f724f2d9 Implement system member role user test coverage
40d3458fc Implement system reader role for users
4c84739e2 Replace 'tenant_id' with 'project_id'
e61991248 Add PyJWT as a requirement
3f4a8a117 Add test fixture for the JWS key repository
1abe8a2ec Add keystone-manage create_jws_keypair functionality
781aea619 Add configuration options for JWS provider
016861592 Test case for bad type user in assertion
b4e97a9c9 Adjust Indents to meet PEP8 E117
af3aef940 Handle special cases with msgpack and python3
0f52bafef Add experimental job for CentOS
12d566910 Add CentOS support in devstack federation plugin
6bac9930e Remove service provider policies from v3cloudsample.json
6564b4064 Add documentation for Auth Receipts and MFA
a011fb678 bump Keystone version for Stein
2c8f81af6 Allow project users to retrieve domains
def21c699 Fix wrong urls
09ade53c1 Optimize fernet token and receipts in cli.py
eca0829c4 PY3: switch to using unicode text values
f1501b99e Expose receipt_setup and receipt_rotate command
3db38cabc Clean up the create_arguments_apply methods
1d32de5fe Allow domain users to access the GET domain API
d27be745d Update doc for token_setup and token_rotate
f81afc7ce Fix nits
f8834bc9a Fix app_cred schema spell nit
1d4e40252 Update limit policies for system admin
7368e5c67 Do not use self in classmethod
1be7e4b42 Add tests for project users interacting with endpoints
56f9a218e Add tests for domain users interacting with endpoints
cdbdcf85f Update endpoint policies for system admin
7e028774a Add endpoint tests for system member role
dcf8a445e Update endpoint policies for system reader
ef529f290 Add tests for domain users interacting with mappings
e94dff934 Update mapping policies for system admin
57b3eb016 Add mapping tests for system member role
cc256054c Update mapping policies for system reader
774da554e Add tests for project users interacting with idps
caf147ad0 Add tests for domain users interacting with idps
a4c5d8043 Update idp policies for system admin
c347c4ff2 Add idp tests for system member role
27bf50d12 Update idp policies for system reader
fdf8cb1f0 Add region protection tests for system readers
2ca4836a9 Update role policies for system admin
d43736544 Reuse common system role definitions for roles API
532b9625d Add tests for project users interacting with protocols
c7cd4bcd5 Add tests for domain users interacting with protocols
87d93db90 Implement system admin role in protocol API
85b87fa47 Add protocol tests for system member role
a3c3a62a1 Update protocol policies for system reader
4cf85fcd5 Add limit tests for system member role
3fee23999 Add limit protection tests
7af769278 Remove registered limit policies from policy.v3cloudsample.json
bd2b7f3ed Add tests for project users interacting with registered limits
e29ff512b Allow domain users to access the registered limits API
5f1635ce8 Remove duplicated TOC in configuration guide
718d122fe Implement system admin role in project API
6037ac58d Implement system member role project test coverage
b35928d5d Implement system reader role for projects
ec7f8b95b Enhance the openidc guide
dcb9d8d08 Enhance the mellon guide
83c37f4a9 Enhance the shibboleth guide
069392fe9 Consolidate WebSSO guide into SP instructions
708d3f4d5 Add section on configuring protected auth paths
4d7bc6a36 Reorganize guide on configuring a keystone SP
3d6930e17 Clean up keystone-to-keystone section
fc3dcc807 Enhance authn sections in federation guide
bb30a5181 correct the description on domain re-enable
92ac35fe6 Add tests for project users interacting with sps
fba96a26a Add tests for domain users interacting with sps
7ce5e3e24 Update service provider policies for system admin
94b3ba631 Add prerequisites section to keystone-to-keystone
3bcd8968e Invalidate shadow_federated_user cache when deleting protocol
969fa5df6 Remove duplicate RBAC logging from enforcer
bc202f704 Update federation SP prerequisites section
5cc61bb64 Use samltest.id as an example sandbox IdP
9bc2b8875 Fix nits in code blocks in federation guide
40e0f5d97 Bring SP/IdP URLs closer to style guide guidance
131acacca Restructure federation guide
67ecc72a0 Update doc with samltest.id
e2df5e063 Clarify location for HTTPD instructions
16142d83c Use common system role definitions for registered limits
f66070995 Implement system member test coverage for groups
feb0d58df Implement system reader role for groups
e22bafa25 Add service provider tests for system member role
acd5d027e Update service provider policies for system reader
94d02c22e Add service tests for system member role
ae926e671 Update service policies for system reader
ee11306e9 Use renamed template 'integrated-gate-py3'
f4162e368 Add scope checks to common system role definitions
20f11eb88 Remove i18n.enable_lazy() translation
74c1d5aa3 Reorganize admin guide
652a8b39a Consolidate service catalog docs
c571c1180 Add irrelevant-files for grenade-py3 jobs
f4b006130 Delete outdated keystonemiddleware doc
05ff55e25 Remove example usage from admin guide
79165aa46 Split trusts docs between admin and user guide
46b30535c Move identity sources doc to admin guide
78566e828 Remove message about circular role inferences
d46f58fdd Remove Certificates for PKI guide
4a141fea5 Add introduction section to federation docs
ecfe59b1a Fix links to external-authentication
06a50907c Move list limit docs to admin guide
ccb3d340e Rename admin guide pages
151635e22 Consolidate tokenless X.509 docs
4f5e46284 Update registered limit policies for system admin
b3c89e8c3 Consolidate Keystone docs: admin/identity-external-authentication.rst
7fa424f1d Implement system admin role in domains API
d5a57414b Implement system member role domain test coverage
9e8849561 Implement system reader role in domains API
4ffdc6c65 Bump oslo.policy and oslo.context versions
0b29be330 Move supported clients section to user guide
8819bbec6 Use request_body_json function
4e39e2abe Move SSL recommendation to installation guide
c04756e0c Move "Public ID Generators" to relevant docs
fdf7a5b66 Consolidate Keystone docs: federated-identity.rst
dd9d06c63 Add role tests for system member role
fed5f52c8 Consolidate catalog management guide
567f305b4 Update role policies for system reader
6469f5c31 Change openstack-dev to openstack-discuss
8658011e4 Add registered limit tests for system member role
216a4d5fc Add registered limit protection tests
c3ee5e9ca Keep federation jobs running on Xenial
bc2f0d03b Clarify docstrings for domain flask refactor
cb5a1fe03 Move test utility to common location
e5d1eba02 Add missing translation import to common.auth.py
dec8c717c Move to password validation schema
5d1a97394 Don't emit a notification for the root domain
0dc5c4eda Pass context objects to policy enforcement
ed6366813 Consolidate identity-domain-specific-config.rst
dc3b8edaa Consolidate auth-totp.rst
3daeeb4f2 Consolidate event_notifications.rst
f1ad6654d Consolidate endpoint-policy.rst
53f0b62e8 Consolidate service-catalog.rst
58f7827ce Update contributor doc
090886902 Use pycodestyle in place of pep8
325d9eea3 Update api-ref to include user options
7f8c1a306 Document user options
a383867cd Add scope documentation for service developers
2fe483f27 Remove deprecated secure_proxy_ssl_header config
97279e342 Refactor flask domain config resources
b71bb438b Add missing ws seperator between words
e765a98dd Add the missing packages when install keystone
b4f0d0324 add request_id and global_request_id to cadf notifications
666f33a55 changed port in tools/sample_data.sh
5d6f3e7cc Move irrelevant-files to project definition
512687c25 Add tempest-full-py3 job to zuul file
dfe76c811 Remove the repetition words in identity-fernet-token-faq.rst
fe5ee0a36 Removing default_assigment_driver
bc6b2f1b0 Bump sqlalchemy minimum version to 1.1.0
69025b507 Drop the compatibility password column
4e9f22387 Remove "crypt_strength" option
8d0ad2c93 Correct HTTP OPTIONS method
d5eda9930 Update api-ref for set registered limits.
df982016d Remove deprecated "bind" in token
5e26466b2 Update more info of vhost file
664914477 Refactor directory creation into a common place
ef331f46b Region update extra support
870428e1b Change __all__ list to tuple
e37c54c79 Remove redundant variables from context class
0abde0c35 Refresh admin doc
84dc0a290 Fixing nits
25e0e1474 Add abstract method in trusts base.py
e4fe2659c Switch devstack plugin to samltest.id
fb67da801 Clean up python3.5 usage in tox.ini
605da1015 Add py36 tox environment
604e9dff0 Remove unused lower constraints
0884b727e Replace usage of get_legacy_facade() with get_engine()
2a0d99094 Fix uwsgi --http flag
7fa62c823 Fix an issue with double fernet key rotation
9c38bb5bd Delete PKI middleware debugging section
9420fcca4 Fix developer config dir flask aftermath
733b37f24 Documentation fix - Port number
a14837736 Use port 5000, keystone-wsgi-public and --http-socket
028abcb59 Changed the port numbers
d9e6c1d4d Implement auth receipts spec
57c6f274a changed port in argument '--bootstrap-admin-url'
ee490d822 Unregister "Exception" from flask handler
f6ca78661 Add release note for unified limit APIs changing
62e2d9143 Deprecate eventlet related configuration
a214482da Remove compatability shim
7eec2c5de Remove check for disabled v3
7c129f1c7 Remove obsolete credential policies
427cab679 Delete "Preparing your environment" section
239bed09a Implement scope_type checking for credentials
9aea3c61f Fix spelling 'unnecessary'
9f4f0656d Remove custom auth middleware documentation
77d59635d Delete the external auth admin guide
49a34948d Remove useless use of :orphan:
8cc91845f Change port and version on v3 endpoints example
50e3fe5c9 Provide a Location on HTTP 300
230ae86a6 Set Default and resource limit as defined schema
a02a47a65 Emit CADF notifications on authentication for invalid users
914885fef Delete administrator federation guide
74446ab0a Update keystone-manage bootstrap port instructions
46b12eb29 Fix api-ref v3.9 release identifier
790f9685d Update third endpoint legacy port for Keystone v3 API
4385eb239 Remove unused logging module
e5def7c3a Remove useless "clean" file
6fc7eb7fd Trivial: Remove repeated if conditions
4f84fafbe Updating doc of unified limit
7e42d333c Adding 'date' for trust_flush
d465a58f0 Add caching on trust role validation to improve performance
8e9de8a51 Allow registered limit's region_id to be None
c3f590bc1 Add a test for idp and federated user cascade deleting
33295032d Fix example for getting system scoped token
708dbceef Remaining cases of MappingEngineTester
2e85dc47c Set min and max length for resource_name
6369796eb Implement scaffolding for upgrade checks
fc787bb4b Fixing update unified limit api-ref
48dcdb5ad Remove deprecated token_flush
906a1d3f6 Invalidate app cred AFTER deletion
0bac1d7e8 Update API version to 3.11
8df640096 Added test case update registered limit with region
708b775d4 Remove incorrect copyright notice.
ea6755a82 Remove paste-ini
184c84ae7 Remove pre-flask legacy code
5c70aef2d Make collection_key and member_key raise if unset
9c463ab40 Increment versioning with pbr instruction
1edcb35a4 Loosen the assertion for logging scope type warnings
9051d403a Expand implied roles in system-scoped tokens
6d7cfdb4b Add test case for expanding implied roles in system tokens
8543dbbc2 Move loadapp to a generic place
a394558dc Make policy file support in fixture optional
3c05956e6 Use tempest-pg-full
ce93950f4 Cleanup test_wsgi
8a6f17593 Flask comment/docstring cleanup
595967bba Move AuthContextMiddleware
848c8fa63 Convert Normalizing filter to flask native Middleware
18d597f8e Internally defined middleware don't use stevedore
1c05f5f88 Make Request Logging a little better
9b052e4c0 Register exceptions with a Flask Error Handler
e666839bc Cleanup keystone.server.flask.application
ee9b035cf Replace JSON Body middleware with flask-native func
35c9bb7ef Convert S3 and EC2 auth to flask native dispatching
0ab08e75b Remove skip for test_locked_out_user_sends_notification
46380baeb Convert projects API to Flask
86f968163 Convert /v3/users to flask native dispatching
ca2e817a5 add unit tests for healthcheck
4bd30c78f Replace openSUSE experimental check with newer version
54b6227c1 Auth flask conversion cleanup
d97832e8e Convert auth to flask native dispatching
f26efd719 Update notification tests to work with o-m 9.0.0
f4b6ae424 Don't mock internal implementation details of oslo
f39c28e44 Update log translation hacking check
104956c65 Don't quote {posargs} in tox.ini
012dac29b Enable foreign keys for unit test
3d43b0250 Update doc string for transform_to_group_ids
659ab0a84 Follow Zuul job rename
7c2a77d3c Add release names to api-ref
84e1b9ac1 Avoid using dict.get() in assertions
39a1f71c5 Clarify group-mapping example in docs
6aba78a7a Purge soft-deleted trusts
816b472a9 LDAP attribute names non-case-sensitive
fbd46e3ce Organize project tag api-ref by route
8697da7da Add build_target arguement to enforcer
1efecc92c Properly replace flask view args in links
94e6b2841 Adding test case for MappingEngineTester
a8e26936a Fix command to verify role removal in docs
826f037eb Add python3 functional test job
1a5bbb567 Convert legacy functional jobs to Zuul-v3-native
3c6a124fa Update auto-provisioning example to use reader
46a28313f Enable Foreign keys for sql backend unit test
4c09affde Add releasenote for bug fix 1789450
d6d3bf911 Comment out un-runnable tests
ee46f7353 Mapped Groups don't exist breaks WebSSO
d027dd2ba Add hint back
8232dabcf Implement Trust Flush via keystone-manage.
c96c7fd03 Properly normalize domain ids in flask
ca5e38e8c Use templates for cover and lower-constraints
3c493437b Make OSA rolling upgrade test experimental
cbda685ea Rename v3-only functional zuul job
4b2c45669 Remove unused revoke_by_user_and_project
8696865b1 Address issues with flask conversion of os-federation
296f20f0a Convert domains api to flask
114cdeb7e Move use of constraints out of install_cmd
4975b79e8 Ensure view args is in policy dict
aebb568ef Rename py35 v3 only check
8c397fa72 Convert OS-INHERIT API to flask native dispatching
f62d98a08 Fix a translation of log
2a04d78db Convert groups API to flask native dispatching
22f5f7303 Fix RBACEnforcer get_member_from_driver mechanism
0a641462c Refactor ProviderAPIs object to better design pattern
94f8f103a Convert OS-FEDERATION to flask native dispatching
ac2b2160d Update the documentation bug tag
08390d4be api-ref: Remove broken link
430d7f765 Added support for a ``description`` attribute for Identity Roles
e41065849 Update the minimimum required version of oslo.log
67435147e Incorrect use of translation _()
0df5bb0d0 Update RDO install guide for v3
c838d93c3 Remove member_role_id/name
87a39635e Convert policy API to flask
f98080c9d Fix db model inconsistency for FederatedUser
f62a36e5d add python 3.6 unit test job
c1a03c7d4 switch documentation job to new PTI
160871090 import zuul job settings from project-config
8d72644c1 Use items() instead of iteritems()
c41dc6f03 Add details and clarify examples on casing
3003c1a6c Address nits
88cd89683 Re-Add scope.system to filters
4d3cdd5d2 Add placeholder migrations for Rocky
34609d557 Change unique_last_password_count default to 0
25a5d48d1 Trivial: Remove app_conf kwarg from testing setup
d3d618f69 Trivial: Add missing space in exception
41f23eed5 Move json_home "extension" rel functions
180f2ce5e Convert system (role) api to flask native dispatching
81fd50935 Do not log token string
665d5beda Convert role_assignments API to flask native dispatching
e1381fe3f Add safety to the inferred target extraction during enforcement
22c22f200 Use osc in k2k example
ec3fbf34e Fix a bug that issue token with project-scope gets error
0f5300ddb Convert role_inferences API to flask native dispatching
cfc5a730b Convert Roles API to flask native dispatching
56d9c30f8 Convert endpoints api to flask native dispatching
18c6e838b Convert services api to flask native dispatching
84c074f28 Convert regions API to flask native dispatching
ac210ce2a Remove unused util function
a0e059c20 Redundant parameters in api-ref:domain-config
4ec63548c Add callback action back in
fd8b5f320 Set initiator id as user_id for auth events
959052f97 Update reno for stable/rocky
1ff80e22e More accurate explanation in api-ref:application credentials
fe4956b19 Imported Translations from Zanata
72b59b0cc Allow wrap_member and wrap_collection to specify target
13897ef69 Pass path into full_url and base_url
44da48f01 Remove redundant get_project call
637990bf7 Convert OS-SIMPLE-CERT to flask dispatching
8eaf0854f Migrate OS-EP-FILTER to flask native dispatching
5b25f50c3 Update api-ref for unified limits
3831fe785 Expose a bug that issue token with project-scope gets error
91b400909 Unified code style nullable description parameter
db5d2bcf1 Remove get_catalog from manage layer
c69d3408c Update response codes for authentication API reference
32a4f410b Docs: Remove the TokenAuth middleware

Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml | 241 ++--
api-ref/source/index.rst | 6 -
api-ref/source/v3-ext/trust.inc | 5 +-
api-ref/source/v3/application-credentials.inc | 4 +-
api-ref/source/v3/authenticate-v3.inc | 221 ++-
api-ref/source/v3/domains-config-v3.inc | 7 +-
api-ref/source/v3/index.rst | 83 +-
api-ref/source/v3/parameters.yaml | 187 ++-
api-ref/source/v3/project-tags.inc | 95 +-
api-ref/source/v3/projects.inc | 1 +
api-ref/source/v3/roles.inc | 6 +
.../admin/domain-specific-role-create-request.json | 1 +
.../admin/get-service-catalog-response.json | 2 +-
.../v3/samples/admin/limit-show-response.json | 3 +-
.../v3/samples/admin/limits-create-request.json | 2 +-
.../v3/samples/admin/limits-create-response.json | 6 +-
.../v3/samples/admin/limits-list-response.json | 4 +-
.../v3/samples/admin/limits-update-response.json | 1 +
.../admin/registered-limits-create-response.json | 2 +-
.../admin/registered-limits-list-response.json | 2 +-
.../v3/samples/admin/role-create-request.json | 1 +
.../v3/samples/admin/role-create-response.json | 1 +
.../v3/samples/admin/role-inferences-response.json | 6 +
.../v3/samples/admin/role-show-response.json | 1 +
.../v3/samples/admin/role-update-request.json | 1 +
.../v3/samples/admin/role-update-response.json | 1 +
.../v3/samples/admin/roles-list-response.json | 5 +
.../v3/samples/admin/user-create-request.json | 5 +-
.../v3/samples/admin/user-create-response.json | 3 +
.../v3/samples/admin/user-update-request.json | 5 +-
.../v3/samples/admin/user-update-response.json | 3 +
.../v3/samples/auth/requests/project-id-totp.json | 20 +
.../auth/responses/auth-receipt-password.json | 20 +
.../responses/project-scoped-password-totp.json | 67 +
api-ref/source/v3/status.yaml | 8 +
api-ref/source/v3/unified_limits.inc | 22 +-
api-ref/source/v3/users.inc | 4 +
bindep.txt | 10 +-
devstack/files/federation/attribute-map.xml | 3 +
devstack/lib/federation.sh | 63 +-
.../{advanced-topics => admin}/auth-totp.rst | 2 +
.../{identity-bootstrap.rst => bootstrap.rst} | 6 +-
...dentity-caching-layer.rst => caching-layer.rst} | 4 +-
...y-case-insensitive.rst => case-insensitive.rst} | 37 +-
.../admin/cli-manage-projects-users-and-roles.rst | 32 +-
.../configure_tokenless_x509.rst | 0
...al-encryption.rst => credential-encryption.rst} | 0
.../event_notifications.rst | 2 +-
.../external-authentication.rst} | 86 --
.../admin/federation/configure_federation.rst | 763 +++++++++++
.../federation/mapping_combinations.rst | 950 +++++++------
...y-fernet-token-faq.rst => fernet-token-faq.rst} | 20 +-
.../admin/identity-auth-token-middleware.rst | 74 -
.../admin/identity-domain-specific-config.rst | 69 -
.../admin/identity-external-authentication.rst | 41 -
.../admin/identity-keystone-usage-and-features.rst | 50 -
...grate-with-ldap.rst => integrate-with-ldap.rst} | 19 +-
...one-manage-services.rst => manage-services.rst} | 167 ++-
.../{identity-performance.rst => performance.rst} | 22 +-
...rity-compliance.rst => security-compliance.rst} | 65 +-
...i-protection.rst => service-api-protection.rst} | 0
.../{identity-tokens.rst => tokens-overview.rst} | 38 +-
...ntity-unified-limits.rst => unified-limits.rst} | 8 +-
.../{identity-upgrading.rst => upgrading.rst} | 0
...ity-url-safe-naming.rst => url-safe-naming.rst} | 1 -
.../federation/configure_federation.rst | 563 --------
.../federation/federated_identity.rst | 12 -
.../advanced-topics/federation/shibboleth.rst | 295 ----
.../identity-use-trusts.rst => user/trusts.rst} | 29 +-
etc/keystone-paste.ini | 94 --
etc/policy.v3cloudsample.json | 173 +--
.../__init__.py | 5 +-
.../backends}/__init__.py | 0
.../backends/base.py} | 25 +-
keystone/access_rules_config/backends/json.py | 162 +++
keystone/access_rules_config/core.py | 80 ++
keystone/api/__init__.py | 80 +-
keystone/api/_shared/EC2_S3_Resource.py | 125 ++
keystone/api/_shared/__init__.py | 9 +
keystone/api/_shared/authentication.py | 252 ++++
keystone/api/_shared/implied_roles.py | 50 +
keystone/api/_shared/json_home_relations.py | 87 ++
keystone/api/_shared/saml.py | 54 +
keystone/api/auth.py | 545 ++++++++
keystone/api/credentials.py | 65 +-
keystone/api/discovery.py | 78 +-
keystone/api/domains.py | 520 +++++++
keystone/api/ec2tokens.py | 91 ++
keystone/api/endpoints.py | 144 ++
keystone/api/groups.py | 248 ++++
keystone/api/limits.py | 20 +-
keystone/api/os_ep_filter.py | 298 ++++
keystone/api/os_federation.py | 530 ++++++++
keystone/api/os_inherit.py | 426 ++++++
keystone/api/os_oauth1.py | 17 +-
keystone/api/os_revoke.py | 10 +-
keystone/api/os_simple_cert.py | 74 +
keystone/api/policy.py | 276 ++++
keystone/api/projects.py | 559 ++++++++
keystone/api/regions.py | 103 ++
keystone/api/registered_limits.py | 2 +-
keystone/api/role_assignments.py | 377 ++++++
keystone/api/role_inferences.py | 70 +
keystone/api/roles.py | 297 ++++
keystone/api/s3tokens.py | 123 ++
keystone/api/services.py | 79 ++
keystone/api/system.py | 189 +++
keystone/api/trusts.py | 35 +-
keystone/api/users.py | 768 +++++++++++
keystone/application_credential/__init__.py | 1 -
keystone/application_credential/backends/sql.py | 52 +-
keystone/application_credential/controllers.py | 153 ---
keystone/application_credential/core.py | 7 +-
keystone/application_credential/routers.py | 55 -
keystone/application_credential/schema.py | 2 +-
keystone/assignment/__init__.py | 1 -
keystone/assignment/backends/base.py | 8 +-
keystone/assignment/backends/sql.py | 12 +-
keystone/assignment/controllers.py | 914 -------------
keystone/assignment/core.py | 67 +-
keystone/assignment/role_backends/sql.py | 4 +-
keystone/assignment/routers.py | 301 -----
keystone/assignment/schema.py | 3 +-
keystone/auth/__init__.py | 2 -
keystone/auth/controllers.py | 453 -------
keystone/auth/core.py | 33 +-
keystone/auth/plugins/application_credential.py | 3 +-
keystone/auth/plugins/base.py | 4 +-
keystone/auth/plugins/core.py | 31 +
keystone/auth/plugins/external.py | 34 +-
keystone/auth/plugins/mapped.py | 31 +-
keystone/auth/plugins/oauth1.py | 14 +-
keystone/auth/plugins/password.py | 3 +-
keystone/auth/plugins/token.py | 14 +-
keystone/auth/plugins/totp.py | 2 +-
keystone/auth/routers.py | 65 -
keystone/catalog/__init__.py | 1 -
keystone/catalog/backends/sql.py | 1 +
keystone/catalog/controllers.py | 459 -------
keystone/catalog/core.py | 25 +-
keystone/catalog/routers.py | 184 ---
keystone/catalog/schema.py | 4 +-
keystone/cmd/bootstrap.py | 2 +-
keystone/cmd/cli.py | 256 +++-
keystone/cmd/status.py | 33 +
keystone/common/authorization.py | 153 +--
keystone/common/clean.py | 87 --
keystone/common/context.py | 40 +-
keystone/common/controller.py | 621 ---------
keystone/common/dependency.py | 59 -
keystone/common/extension.py | 44 -
keystone/common/fernet_utils.py | 28 +-
keystone/common/json_home.py | 2 +
keystone/common/jwt_utils.py | 43 +
keystone/common/policies/base.py | 16 +
keystone/common/policies/credential.py | 99 +-
keystone/common/policies/domain.py | 75 +-
keystone/common/policies/endpoint.py | 61 +-
keystone/common/policies/grant.py | 137 +-
keystone/common/policies/group.py | 175 ++-
keystone/common/policies/identity_provider.py | 65 +-
keystone/common/policies/limit.py | 18 +-
keystone/common/policies/mapping.py | 65 +-
keystone/common/policies/project.py | 161 ++-
keystone/common/policies/protocol.py | 65 +-
keystone/common/policies/region.py | 48 +-
keystone/common/policies/registered_limit.py | 16 +-
keystone/common/policies/role.py | 65 +-
keystone/common/policies/role_assignment.py | 36 +-
keystone/common/policies/service.py | 65 +-
keystone/common/policies/service_provider.py | 65 +-
keystone/common/policies/user.py | 117 +-
keystone/common/provider_api.py | 141 +-
keystone/common/rbac_enforcer/enforcer.py | 96 +-
keystone/common/render_token.py | 145 ++
keystone/common/request.py | 137 --
keystone/common/router.py | 85 --
.../sql/contract_repo/versions/049_placeholder.py | 18 +
.../sql/contract_repo/versions/050_placeholder.py | 18 +
.../sql/contract_repo/versions/051_placeholder.py | 18 +
.../sql/contract_repo/versions/052_placeholder.py | 18 +
..._contract_add_role_description_to_role_table.py | 15 +
.../054_contract_drop_old_passoword_column.py | 21 +
.../versions/055_contract_add_domain_to_limit.py | 21 +
...act_add_application_credential_access_rules.py} | 6 +-
.../sql/contract_repo/versions/057_placeholder.py | 18 +
.../sql/contract_repo/versions/058_placeholder.py | 18 +
.../sql/contract_repo/versions/059_placeholder.py | 18 +
.../sql/contract_repo/versions/060_placeholder.py | 18 +
.../sql/contract_repo/versions/061_placeholder.py | 18 +
keystone/common/sql/core.py | 2 +-
.../versions/049_placeholder.py | 18 +
.../versions/050_placeholder.py | 18 +
.../versions/051_placeholder.py | 18 +
.../versions/052_placeholder.py | 18 +
...3_migrate_add_role_description_to_role_table.py | 15 +
.../054_migrate_drop_old_passoword_column.py | 15 +
.../versions/055_migrate_add_domain_to_limit.py | 15 +
...rate_add_application_credential_access_rules.py | 17 +
.../versions/057_placeholder.py | 18 +
.../versions/058_placeholder.py | 18 +
.../versions/059_placeholder.py | 18 +
.../versions/060_placeholder.py | 18 +
.../versions/061_placeholder.py | 18 +
...and_add_registered_limit_id_column_for_limit.py | 14 +
.../sql/expand_repo/versions/049_placeholder.py | 18 +
.../sql/expand_repo/versions/050_placeholder.py | 18 +
.../sql/expand_repo/versions/051_placeholder.py | 18 +
.../sql/expand_repo/versions/052_placeholder.py | 18 +
...53_expand_add_role_description_to_role_table.py | 23 +
.../054_expand_drop_old_passoword_column.py | 15 +
.../versions/055_expand_add_domain_to_limit.py | 34 +
...pand_add_application_credential_access_rules.py | 44 +
.../sql/expand_repo/versions/057_placeholder.py | 18 +
.../sql/expand_repo/versions/058_placeholder.py | 18 +
.../sql/expand_repo/versions/059_placeholder.py | 18 +
.../sql/expand_repo/versions/060_placeholder.py | 18 +
.../sql/expand_repo/versions/061_placeholder.py | 18 +
keystone/common/tokenless_auth.py | 2 +-
keystone/common/utils.py | 55 +-
keystone/common/wsgi.py | 703 ----------
keystone/conf/__init__.py | 32 +-
keystone/conf/access_rules_config.py | 78 ++
keystone/conf/default.py | 85 --
keystone/conf/fernet_receipts.py | 71 +
keystone/conf/jwt_tokens.py | 58 +
keystone/conf/opts.py | 11 -
keystone/conf/receipt.py | 86 ++
keystone/conf/security_compliance.py | 8 +-
keystone/conf/token.py | 40 +-
keystone/contrib/ec2/controllers.py | 334 -----
keystone/contrib/ec2/core.py | 34 -
keystone/contrib/ec2/routers.py | 60 -
keystone/contrib/s3/core.py | 119 --
keystone/credential/providers/fernet/core.py | 13 +-
keystone/endpoint_policy/controllers.py | 173 ---
keystone/endpoint_policy/routers.py | 87 --
keystone/exception.py | 45 +-
keystone/federation/controllers.py | 549 --------
keystone/federation/core.py | 15 +
keystone/federation/idp.py | 22 +-
keystone/federation/routers.py | 267 ----
keystone/federation/utils.py | 42 +-
keystone/identity/__init__.py | 1 -
keystone/identity/backends/base.py | 5 -
keystone/identity/backends/ldap/common.py | 149 +-
keystone/identity/backends/ldap/core.py | 6 +-
keystone/identity/backends/sql.py | 10 +-
keystone/identity/backends/sql_model.py | 31 +-
keystone/identity/controllers.py | 205 ---
keystone/identity/core.py | 51 +-
keystone/identity/routers.py | 76 --
keystone/identity/schema.py | 31 +-
keystone/identity/shadow_backends/sql.py | 18 +-
keystone/limit/backends/base.py | 2 -
keystone/limit/backends/sql.py | 31 +-
keystone/limit/core.py | 13 +-
keystone/limit/models/strict_two_level.py | 99 +-
keystone/limit/schema.py | 56 +-
keystone/locale/de/LC_MESSAGES/keystone.po | 23 +-
keystone/locale/en_GB/LC_MESSAGES/keystone.po | 73 +-
keystone/locale/es/LC_MESSAGES/keystone.po | 25 +-
keystone/locale/fr/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/it/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/ja/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/ko_KR/LC_MESSAGES/keystone.po | 21 +-
keystone/locale/pt_BR/LC_MESSAGES/keystone.po | 21 +-
keystone/locale/ru/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/tr_TR/LC_MESSAGES/keystone.po | 17 +-
keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 20 +-
keystone/locale/zh_TW/LC_MESSAGES/keystone.po | 20 +-
keystone/middleware/core.py | 87 --
keystone/models/receipt_model.py | 150 +++
keystone/models/token_model.py | 87 +-
keystone/notifications.py | 78 +-
keystone/oauth1/controllers.py | 143 --
keystone/oauth1/core.py | 15 +-
keystone/oauth1/routers.py | 101 --
keystone/policy/__init__.py | 1 -
keystone/policy/controllers.py | 79 --
keystone/{contrib/ec2 => receipt}/__init__.py | 12 +-
keystone/receipt/handlers.py | 74 +
keystone/receipt/provider.py | 176 +++
keystone/receipt/providers/__init__.py | 0
keystone/receipt/providers/base.py | 54 +
keystone/receipt/providers/fernet/__init__.py | 20 +
keystone/receipt/providers/fernet/core.py | 66 +
keystone/receipt/receipt_formatters.py | 303 +++++
keystone/resource/__init__.py | 1 -
keystone/resource/backends/sql.py | 72 +-
keystone/resource/controllers.py | 338 -----
keystone/resource/core.py | 25 +-
keystone/resource/routers.py | 133 --
keystone/revoke/core.py | 4 -
keystone/server/backends.py | 9 +-
keystone/server/flask/__init__.py | 3 +-
keystone/server/flask/application.py | 270 ++--
keystone/server/flask/common.py | 375 ++++--
keystone/server/flask/core.py | 37 +-
.../server/flask/request_processing/__init__.py | 0
.../server/flask/request_processing/json_body.py | 69 +
.../request_processing/middleware/__init__.py | 0
.../request_processing/middleware/auth_context.py} | 255 +++-
.../request_processing/middleware/url_normalize.py | 38 +
.../server/flask/request_processing/req_logging.py | 29 +
.../unit/access_rules_config/backends/__init__.py | 0
.../unit/access_rules_config/backends/test_json.py | 84 ++
.../unit/access_rules_config/test_backends.py | 69 +
.../application_credential/backends/test_sql.py | 12 +
.../unit/application_credential/test_backends.py | 48 +-
.../unit/identity/backends/test_ldap_common.py | 9 +-
.../unit/identity/shadow_users/test_backend.py | 16 +-
.../unit/protection/v3/test_identity_providers.py | 390 ++++++
.../unit/protection/v3/test_registered_limits.py | 422 ++++++
.../unit/protection/v3/test_service_providers.py | 421 ++++++
.../unit/protection/v3/test_system_assignments.py | 640 +++++++++
.../unit/receipt/test_receipt_serialization.py | 61 +
keystone/token/_simple_cert.py | 74 -
keystone/token/provider.py | 4 +-
keystone/token/providers/fernet/core.py | 25 +
.../routers.py => token/providers/jws/__init__.py} | 5 +-
keystone/token/providers/jws/core.py | 196 +++
keystone/token/token_formatters.py | 115 +-
keystone/trust/backends/base.py | 16 +
keystone/trust/backends/sql.py | 22 +
keystone/version.py | 2 +-
lower-constraints.txt | 99 +-
.../keystone-dsvm-functional-v3-only/post.yaml | 15 -
.../keystone-dsvm-functional-v3-only/run.yaml | 60 -
.../legacy/keystone-dsvm-functional/post.yaml | 15 -
playbooks/legacy/keystone-dsvm-functional/run.yaml | 57 -
.../keystone-dsvm-grenade-multinode/run.yaml | 4 +-
.../post.yaml | 15 -
.../keystone-dsvm-py35-functional-v3-only/run.yaml | 68 -
.../add-description-to-role-88ab5bb8a96cc002.yaml | 6 +
.../notes/bp-json-web-tokens-37ce3bcd1356cf1b.yaml | 8 +
.../bp-mfa-auth-receipt-8b459431c1f360ce.yaml | 18 +
.../notes/bp-upgrade-checks-0dc692a392a96879.yaml | 9 +
.../notes/bug-1473292-c21481e6aec29ec2.yaml | 25 +
.../notes/bug-1729933-4a09201e9dface2a.yaml | 10 +
.../notes/bug-1735250-b60332a7f288cf94.yaml | 8 +
.../notes/bug-1744195-a7154ac2e8556efc.yaml | 7 +
.../notes/bug-1748027-decc2e11154b97cf.yaml | 39 +
.../notes/bug-1750660-e2a360ddd6790fc4.yaml | 39 +
.../notes/bug-1750669-dfce859550126f03.yaml | 52 +
.../notes/bug-1750673-b53f74944d767ae9.yaml | 30 +
.../notes/bug-1753585-7e11213743754999.yaml | 6 +
.../notes/bug-1757151-43eb3baaa175f904.yaml | 7 +
...stone-conversion-to-flask-372a5654a55675c6.yaml | 26 +
.../notes/bug-1780503-70ca1ba3f428dd41.yaml | 8 +
.../notes/bug-1784536-9d1d1e149c605a1d.yaml | 6 +
.../notes/bug-1787874-13499ec227b8e26c.yaml | 16 +
.../notes/bug-1788415-3190279e9c900f76.yaml | 25 +
.../notes/bug-1788694-4dc8b3ec47fc6084.yaml | 6 +
.../notes/bug-1789450-9dec1383ffd3de01.yaml | 8 +
.../notes/bug-1792026-2de8345a89e2256b.yaml | 9 +
.../notes/bug-1794376-53ce14528f00f01d.yaml | 32 +
.../notes/bug-1794864-3116bf165a146be6.yaml | 41 +
.../notes/bug-1796887-eaea84e3f9a8ff9f.yaml | 7 +
.../notes/bug-1801095-6e28d7a86719da74.yaml | 6 +
.../notes/bug-1801873-0eb9a5ec3e801190.yaml | 6 +
.../notes/bug-1804292-0107869c7029f79e.yaml | 14 +
.../notes/bug-1804446-1a281eadbb044070.yaml | 29 +
.../notes/bug-1804462-59ad43f98242dea0.yaml | 14 +
.../notes/bug-1804463-74537652166cf656.yaml | 31 +
.../notes/bug-1804482-aa95619320d098fa.yaml | 15 +
.../notes/bug-1804483-1d9ccfcb24f25f51.yaml | 31 +
.../notes/bug-1804516-24b0b10ed6fe0589.yaml | 32 +
.../notes/bug-1804517-a351aec088fee066.yaml | 16 +
.../notes/bug-1804519-8384a9ead261d4c2.yaml | 14 +
.../notes/bug-1804520-d124599967923052.yaml | 13 +
.../notes/bug-1804521-3c0d9f567e8f532f.yaml | 31 +
.../notes/bug-1804522-00df902cd2d74ee3.yaml | 34 +
.../notes/bug-1804523-d1768909b13b167e.yaml | 32 +
.../notes/bug-1805369-ed98d3fcfafb5c43.yaml | 47 +
.../notes/bug-1805372-af4ebf4b19500b72.yaml | 30 +
.../notes/bug-1805402-75d0d93f31af620f.yaml | 32 +
.../notes/bug-1805403-c003627a64768716.yaml | 37 +
.../notes/bug-1805406-252b45d443af20b3.yaml | 41 +
.../notes/bug-1805880-3fc6b30309a4370f.yaml | 14 +
.../notes/bug-1806713-cf5feab23fc78a23.yaml | 16 +
.../notes/bug-1806762-09f414995924db23.yaml | 15 +
.../notes/bug-1806762-2092fee9f6c87dc3.yaml | 15 +
.../notes/bug-1806762-c3bfc71cb9bb94f3.yaml | 26 +
.../notes/bug-1806762-daed3e27f58f0f6d.yaml | 17 +
.../notes/bug-1810393-5a7d379842c51d9b.yaml | 6 +
.../notes/bug-1811605-9d23080d7e949c25.yaml | 10 +
.../notes/bug-1813085-cf24b204e95fd7f5.yaml | 7 +
.../notes/bug-1814589-f3e7f554bee1c317.yaml | 7 +
.../notes/bug-1816927-e17f4e596e611380.yaml | 8 +
.../notes/bug-1817313-c11481e6eed29ec2.yaml | 8 +
.../notes/bug-1819036-e2d24655c70d0aad.yaml | 9 +
.../notes/bug-1820333-356dcc8bf9f73fed.yaml | 18 +
.../deprecated-as-of-stein-0166965502cb3be2.yaml | 7 +
...omain-level-limit-support-60e1e330d06227ed.yaml | 9 +
.../removed-as-of-stein-5eb23253b72ab54e.yaml | 27 +
.../scope-and-default-roles-a733c235731bb558.yaml | 25 +
.../tenant_id_to_project_id-42d95d93011785cb.yaml |
5 + ...fied-limit-api-improvment-b34d18769d18a0a7.yaml | 15 + releasenotes/source/index.rst | 1 + .../locale/en_GB/LC_MESSAGES/releasenotes.po | 178 ++- releasenotes/source/rocky.rst | 6 + requirements.txt | 15 +- setup.cfg | 20 +- test-requirements.txt | 3 +- tools/sample_data.sh | 2 +- tox.ini | 31 +- 567 files changed, 36893 insertions(+), 17332 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index 355f4c256..e3de1c6df 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11 +10,0 @@ WebOb>=1.7.1 # MIT -Routes>=2.3.1 # MIT @@ -16 +15 @@ six>=1.10.0 # MIT -SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT +SQLAlchemy>=1.1.0 # MIT @@ -21 +20 @@ python-keystoneclient>=3.8.0 # Apache-2.0 -keystonemiddleware>=4.17.0 # Apache-2.0 +keystonemiddleware>=5.1.0 # Apache-2.0 @@ -27 +26 @@ oslo.config>=5.2.0 # Apache-2.0 -oslo.context>=2.21.0 # Apache-2.0 +oslo.context>=2.22.0 # Apache-2.0 @@ -31 +30 @@ oslo.i18n>=3.15.3 # Apache-2.0 -oslo.log>=3.36.0 # Apache-2.0 +oslo.log>=3.38.0 # Apache-2.0 @@ -33 +32 @@ oslo.middleware>=3.31.0 # Apache-2.0 -oslo.policy>=1.30.0 # Apache-2.0 +oslo.policy>=1.43.1 # Apache-2.0 @@ -34,0 +34 @@ oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 +oslo.upgradecheck>=0.1.0 # Apache-2.0 @@ -37,0 +38 @@ pysaml2>=4.5.0 +PyJWT>=1.6.1 # MIT @@ -41 +42 @@ pycadf!=2.0.0,>=1.1.0 # Apache-2.0 -msgpack>=0.4.0 # Apache-2.0 +msgpack>=0.5.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 1e29765cf..a86a1fa44 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -5 +5 @@ -hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 +hacking>=1.1.0,<1.2.0 # Apache-2.0 @@ -6,0 +7 @@ pep257==0.7.0 # MIT License +pycodestyle>=2.0.0 # MIT License
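Review bot: in the requirements.txt hunk `@@ -16 +15 @@`, the new `SQLAlchemy>=1.1.0` drops the `!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8` exclusions, and the raised floor still sits below them, so the four releases the old line blocked become installable again. If those releases are still unsuitable, keep the exclusions or raise the floor past 1.1.8; if they are now acceptable, the change should say why.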
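Review bot: the `PyJWT>=1.6.1` line added in the requirements.txt hunk `@@ -37,0 +38 @@` carries no explanation of why 1.6.1 is the floor, and this library sits on the token path (the diffstat adds keystone/token/providers/jws/core.py and keystone/common/jwt_utils.py). Please record the reason for the minimum and confirm that lower-constraints.txt, which this release also touches, pins the same version so the declared minimum is actually exercised by the lower-constraints job.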
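Review bot: in the test-requirements.txt hunk `@@ -6,0 +7 @@`, `pycodestyle>=2.0.0` is added with no upper bound while its neighbours are bounded (`pep257==0.7.0`, and `hacking>=1.1.0,<1.2.0` in the hunk above). A later pycodestyle release that adds checks could start failing the style gate without any change in this repository; consider capping it the same way hacking is capped, or note that the cap is expected to come from hacking's own requirements.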