We are jazzed to announce the release of: keystone 21.0.0: OpenStack Identity This release is part of the yoga release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. Changes in keystone 20.0.0..21.0.0 ---------------------------------- 0eba22f33 Fix bindep.txt for current RPM based distributions e833bd847 Fix API path in document e826b05c3 Add Python3 xena unit tests 06383f5f6 Add Python3 wallaby unit tests dce38678f sql: Prepare for alembic migration a6887c13e sql: Remove dead helpers d023b103e Properly instantiate FernetUtils 1e0cd9019 Fix issue with LDAP backend returning bytes instead of string 3b24c7933 sql: Add initial Yoga migration branches b547f6727 sql: Add additional changes to initial alembic migration afce7ca8e sql: Populate initial alembic migration 1885f8157 sql: Move test-only code to tests 0b906c652 sql: Vendor 'oslo_db.sqlalchemy.migration' aebd037f5 sql: Move migrations to 'legacy_migrations' 15847926e sql: Remove dead code 9f42c5ad6 cmd: Remove deprecated '--extension' argument 44886a0f6 sql: Add initial alembic scaffolding f34b842d7 sql: Reorder tables to reflect creation order 3e2b01d5f sql: Squash ussuri migrations 10b67ba1f sql: Squash train migrations 1639282e4 sql: Squash stein migrations 30ec0df2a sql: Squash rocky migrations 6058ae332 sql: Squash queens migrations 677303732 sql: Squash pike migrations 6525ae297 sql: Squash ocata migrations 4fe0f10b6 sql: Squash newton migrations (part 2) 5823f2184 sql: Remove duplicated constants 06b47cbc8 sql: Remove 'get_init_version' f639c4053 Change the min value of pool_retry_max to 1 837a55c3b Add generate schemas tool 36f2ee58d Add 'StandardLogging' fixture 2264f4330 sql: Rename initial migrations 503421d3d sql: Remove legacy 'migrate_repo' migration repo 7695d81a4 sql: Fold unique constraints 
into table definitions 8f31e2ac6 sql: Fold indexes into table defintions 7e779ffec sql: Squash newton migrations (part 1) 7a146850e sql: Squash mitaka migrations 771c943ad Add 'WarningsFixture' c80b183aa sql: Squash liberty migrations e92bf89f7 sql: Trivial formatting changes 03238e343 Add support for pysaml2 >= 7.1.0 36295cfb4 tox: Random fixups 0b64050e6 using standard library secrets function token_bytes to replace os.urandom 6f87111a9 Explicitly check policy name in policy warning tests 9a8686aee Deprecate ineffective [memcache] options 081a675db Fix response code of 'Revoke Token' in api-ref 36d6fc7f8 Accept STS and IAM services from Ceph Obj Gateway 1154b5fd3 Fix oslo policy warning assert in unit tests 8d1827086 Temporary exclude the common.sql.core.py from sphinx-apidoc target e53480651 Remove broken tempest-full-py3-opensuse15 job 60e898c47 Fix typos in application credential policies c10d5c88e Fix typo in identity provider policies 3e63ce942 Update master for stable/xena 23477a13a Improve performance on trust deletion d9cd6b734 Replace deprecated assertDictContainsSubset 82da8824d Fix typos in ec2 credential policies 170344713 setup.cfg: Replace dashes with underscores 876ee4b01 Add details to bootstrap docs for system role assignments ddd06618a fix E741 ambiguous variable name c97afecd5 Replace assertItemsEqual with assertCountEqual Diffstat (except docs and test files) ------------------------------------- .zuul.yaml | 6 +- api-ref/source/v3/authenticate-v3.inc | 2 +- bindep.txt | 4 +- keystone/api/s3tokens.py | 5 +- keystone/api/users.py | 4 +- keystone/cmd/cli.py | 178 +- keystone/common/cache/core.py | 4 +- keystone/common/fernet_utils.py | 4 +- keystone/common/policies/application_credential.py | 4 +- keystone/common/policies/ec2_credential.py | 12 +- keystone/common/policies/identity_provider.py | 8 +- keystone/common/sql/alembic.ini | 100 + keystone/common/sql/contract_repo/README | 4 - .../002_password_created_at_not_nullable.py | 39 - 
...move_unencrypted_blob_column_from_credential.py | 60 - .../versions/004_reset_password_created_at.py | 37 - .../sql/contract_repo/versions/005_placeholder.py | 18 - .../sql/contract_repo/versions/006_placeholder.py | 18 - .../sql/contract_repo/versions/007_placeholder.py | 18 - .../sql/contract_repo/versions/008_placeholder.py | 18 - .../sql/contract_repo/versions/009_placeholder.py | 18 - .../010_contract_add_revocation_event_index.py | 15 - ...11_contract_user_id_unique_for_nonlocal_user.py | 23 - .../versions/012_contract_add_domain_id_to_idp.py | 38 - ...t_protocol_cascade_delete_for_federated_user.py | 31 - .../014_contract_add_domain_id_to_user_table.py | 94 - .../015_contract_update_federated_user_domain.py | 34 - .../versions/016_contract_add_user_options.py | 16 - .../sql/contract_repo/versions/017_placeholder.py | 18 - .../sql/contract_repo/versions/018_placeholder.py | 18 - .../sql/contract_repo/versions/019_placeholder.py | 18 - .../sql/contract_repo/versions/020_placeholder.py | 18 - .../sql/contract_repo/versions/021_placeholder.py | 18 - .../022_contract_add_default_project_id_index.py | 15 - ...cond_password_column_for_expanded_hash_sizes.py | 15 - .../024_contract_create_created_at_int_columns.py | 61 - .../sql/contract_repo/versions/025_placeholder.py | 18 - .../sql/contract_repo/versions/026_placeholder.py | 18 - .../sql/contract_repo/versions/027_placeholder.py | 18 - .../sql/contract_repo/versions/028_placeholder.py | 18 - .../sql/contract_repo/versions/029_placeholder.py | 18 - .../030_contract_add_project_tags_table.py | 15 - .../031_contract_system_assignment_table.py | 16 - .../032_contract_add_expired_at_int_to_trust.py | 51 - .../versions/033_contract_add_limits_tables.py | 15 - ...4_contract_add_application_credentials_table.py | 15 - ...ystem_column_to_application_credential_table.py | 23 - ...me_application_credential_restriction_column.py | 40 - ...e_service_and_region_fk_for_registered_limit.py | 36 - 
.../sql/contract_repo/versions/038_placeholder.py | 18 - .../sql/contract_repo/versions/039_placeholder.py | 18 - .../sql/contract_repo/versions/040_placeholder.py | 18 - .../sql/contract_repo/versions/041_placeholder.py | 18 - .../sql/contract_repo/versions/042_placeholder.py | 18 - .../sql/contract_repo/versions/043_placeholder.py | 18 - .../sql/contract_repo/versions/044_placeholder.py | 18 - .../045_contract_add_description_to_limit.py | 15 - ...ct_old_password_data_to_password_hash_column.py | 15 - ..._contract_expand_update_pk_for_unified_limit.py | 63 - ...act_add_registered_limit_id_column_for_limit.py | 15 - .../sql/contract_repo/versions/049_placeholder.py | 18 - .../sql/contract_repo/versions/050_placeholder.py | 18 - .../sql/contract_repo/versions/051_placeholder.py | 18 - .../sql/contract_repo/versions/052_placeholder.py | 18 - ..._contract_add_role_description_to_role_table.py | 15 - .../054_contract_drop_old_passoword_column.py | 21 - .../versions/055_contract_add_domain_to_limit.py | 21 - ...ract_add_application_credential_access_rules.py | 17 - .../sql/contract_repo/versions/057_placeholder.py | 18 - .../sql/contract_repo/versions/058_placeholder.py | 18 - .../sql/contract_repo/versions/059_placeholder.py | 18 - .../sql/contract_repo/versions/060_placeholder.py | 18 - .../sql/contract_repo/versions/061_placeholder.py | 18 - ...ntract_extract_redelegation_data_from_extras.py | 15 - .../versions/063_contract_drop_limit_columns.py | 23 - ...te_id_attribute_to_federation_protocol_table.py | 15 - ...contract_add_user_external_id_to_access_rule.py | 15 - .../066_contract_add_resource_options_table.py | 18 - .../sql/contract_repo/versions/067_placeholder.py | 18 - .../sql/contract_repo/versions/068_placeholder.py | 18 - .../sql/contract_repo/versions/069_placeholder.py | 18 - .../sql/contract_repo/versions/070_placeholder.py | 18 - .../sql/contract_repo/versions/071_placeholder.py | 18 - .../versions/072_contract_drop_domain_id_fk.py | 47 - 
.../073_contract_expiring_group_membership.py | 15 - keystone/common/sql/data_migration_repo/README | 4 - .../002_password_created_at_not_nullable.py | 15 - .../003_migrate_unencrypted_credentials.py | 39 - .../versions/004_reset_password_created_at.py | 15 - .../versions/005_placeholder.py | 18 - .../versions/006_placeholder.py | 18 - .../versions/007_placeholder.py | 18 - .../versions/008_placeholder.py | 18 - .../versions/009_placeholder.py | 18 - .../010_migrate_add_revocation_event_index.py | 15 - .../011_expand_user_id_unique_for_nonlocal_user.py | 15 - .../versions/012_migrate_add_domain_id_to_idp.py | 55 - ...e_protocol_cascade_delete_for_federated_user.py | 15 - .../014_migrate_add_domain_id_to_user_table.py | 45 - .../015_migrate_update_federated_user_domain.py | 36 - .../versions/016_migrate_add_user_options.py | 16 - .../versions/017_placeholder.py | 18 - .../versions/018_placeholder.py | 18 - .../versions/019_placeholder.py | 18 - .../versions/020_placeholder.py | 18 - .../versions/021_placeholder.py | 18 - .../022_migrate_add_default_project_id_index.py | 15 - ...cond_password_column_for_expanded_hash_sizes.py | 15 - .../024_migrate_create_created_at_int_columns.py | 22 - .../versions/025_placeholder.py | 18 - .../versions/026_placeholder.py | 18 - .../versions/027_placeholder.py | 18 - .../versions/028_placeholder.py | 18 - .../versions/029_placeholder.py | 18 - .../versions/030_migrate_add_project_tags_table.py | 15 - .../031_migrate_system_assignment_table.py | 17 - .../032_migrate_add_expired_at_int_to_trust.py | 22 - .../versions/033_migrate_add_limits_tables.py | 15 - ...34_migrate_add_application_credentials_table.py | 15 - ...ystem_column_to_application_credential_table.py | 15 - ...me_application_credential_restriction_column.py | 15 - ...e_service_and_region_fk_for_registered_limit.py | 15 - .../versions/038_placeholder.py | 18 - .../versions/039_placeholder.py | 18 - .../versions/040_placeholder.py | 18 - .../versions/041_placeholder.py | 
18 - .../versions/042_placeholder.py | 18 - .../versions/043_placeholder.py | 18 - .../versions/044_placeholder.py | 18 - .../045_migrate_add_description_to_limit.py | 15 - ...te_old_password_data_to_password_hash_column.py | 26 - .../047_migrate_update_pk_for_unified_limit.py | 37 - ...ate_add_registered_limit_id_column_for_limit.py | 15 - .../versions/049_placeholder.py | 18 - .../versions/050_placeholder.py | 18 - .../versions/051_placeholder.py | 18 - .../versions/052_placeholder.py | 18 - ...3_migrate_add_role_description_to_role_table.py | 15 - .../054_migrate_drop_old_passoword_column.py | 15 - .../versions/055_migrate_add_domain_to_limit.py | 15 - ...rate_add_application_credential_access_rules.py | 17 - .../versions/057_placeholder.py | 18 - .../versions/058_placeholder.py | 18 - .../versions/059_placeholder.py | 18 - .../versions/060_placeholder.py | 18 - .../versions/061_placeholder.py | 18 - ...igrate_extract_redelegation_data_from_extras.py | 43 - .../versions/063_migrate_drop_limit_columns.py | 15 - ...te_id_attribute_to_federation_protocol_table.py | 15 - ..._migrate_add_user_external_id_to_access_rule.py | 15 - .../066_migrate_add_resource_options_table.py | 18 - .../versions/067_placeholder.py | 18 - .../versions/068_placeholder.py | 18 - .../versions/069_placeholder.py | 18 - .../versions/070_placeholder.py | 18 - .../versions/071_placeholder.py | 18 - .../versions/072_migrate_drop_domain_id_fk.py | 20 - .../073_migrate_expiring_group_membership.py | 15 - keystone/common/sql/expand_repo/README | 4 - .../002_password_created_at_not_nullable.py | 18 - ...dd_key_hash_and_encrypted_blob_to_credential.py | 129 - .../versions/004_reset_password_created_at.py | 15 - .../sql/expand_repo/versions/005_placeholder.py | 18 - .../sql/expand_repo/versions/006_placeholder.py | 18 - .../sql/expand_repo/versions/007_placeholder.py | 18 - .../sql/expand_repo/versions/008_placeholder.py | 18 - .../sql/expand_repo/versions/009_placeholder.py | 18 - 
.../010_expand_add_revocation_event_index.py | 31 - .../011_expand_user_id_unique_for_nonlocal_user.py | 15 - .../versions/012_expand_add_domain_id_to_idp.py | 73 - ...d_protocol_cascade_delete_for_federated_user.py | 15 - .../014_expand_add_domain_id_to_user_table.py | 165 - .../015_expand_update_federated_user_domain.py | 69 - .../versions/016_expand_add_user_options.py | 34 - .../sql/expand_repo/versions/017_placeholder.py | 18 - .../sql/expand_repo/versions/018_placeholder.py | 18 - .../sql/expand_repo/versions/019_placeholder.py | 18 - .../sql/expand_repo/versions/020_placeholder.py | 18 - .../sql/expand_repo/versions/021_placeholder.py | 18 - .../022_expand_add_default_project_id_index.py | 21 - ...cond_password_column_for_expanded_hash_sizes.py | 25 - .../024_expand_create_created_at_int_columns.py | 33 - .../sql/expand_repo/versions/025_placeholder.py | 18 - .../sql/expand_repo/versions/026_placeholder.py | 18 - .../sql/expand_repo/versions/027_placeholder.py | 18 - .../sql/expand_repo/versions/028_placeholder.py | 18 - .../sql/expand_repo/versions/029_placeholder.py | 18 - .../versions/030_expand_add_project_tags_table.py | 44 - .../versions/031_expand_system_assignment_table.py | 33 - .../032_expand_add_expired_at_int_to_trust.py | 35 - .../versions/033_expand_add_limits_tables.py | 68 - .../034_expand_add_application_credential_table.py | 52 - ...me_application_credential_restriction_column.py | 44 - ...e_service_and_region_fk_for_registered_limit.py | 15 - .../sql/expand_repo/versions/038_placeholder.py | 18 - .../sql/expand_repo/versions/039_placeholder.py | 18 - .../sql/expand_repo/versions/040_placeholder.py | 18 - .../sql/expand_repo/versions/041_placeholder.py | 18 - .../sql/expand_repo/versions/042_placeholder.py | 18 - .../sql/expand_repo/versions/043_placeholder.py | 18 - .../sql/expand_repo/versions/044_placeholder.py | 18 - .../045_expand_add_description_to_limit.py | 29 - ...nd_old_password_data_to_password_hash_column.py | 15 - 
.../047_expand_update_pk_for_unified_limit.py | 103 - ...and_add_registered_limit_id_column_for_limit.py | 40 - .../sql/expand_repo/versions/049_placeholder.py | 18 - .../sql/expand_repo/versions/050_placeholder.py | 18 - .../sql/expand_repo/versions/051_placeholder.py | 18 - .../sql/expand_repo/versions/052_placeholder.py | 18 - ...53_expand_add_role_description_to_role_table.py | 23 - .../054_expand_drop_old_passoword_column.py | 15 - .../versions/055_expand_add_domain_to_limit.py | 34 - ...pand_add_application_credential_access_rules.py | 45 - .../sql/expand_repo/versions/057_placeholder.py | 18 - .../sql/expand_repo/versions/058_placeholder.py | 18 - .../sql/expand_repo/versions/059_placeholder.py | 18 - .../sql/expand_repo/versions/060_placeholder.py | 18 - .../sql/expand_repo/versions/061_placeholder.py | 18 - ...expand_extract_redelegation_data_from_extras.py | 31 - .../versions/063_expand_drop_limit_columns.py | 15 - ...te_id_attribute_to_federation_protocol_table.py | 23 - ...5_expand_add_user_external_id_to_access_rule.py | 39 - ...66_expand_add_role_and_project_option_tables.py | 51 - .../sql/expand_repo/versions/067_placeholder.py | 18 - .../sql/expand_repo/versions/068_placeholder.py | 18 - .../sql/expand_repo/versions/069_placeholder.py | 18 - .../sql/expand_repo/versions/070_placeholder.py | 18 - .../sql/expand_repo/versions/071_placeholder.py | 18 - .../versions/072_expand_drop_domain_id_fk.py | 20 - .../073_expand_expiring_group_membership.py | 47 - .../__init__.py | 0 .../sql/legacy_migrations/contract_repo/README.rst | 13 + .../contract_repo}/__init__.py | 0 .../contract_repo/manage.py | 0 .../contract_repo/migrate.cfg | 0 .../versions/073_contract_initial_migration.py} | 0 .../contract_repo/versions/074_placeholder.py | 0 .../contract_repo/versions/075_placeholder.py | 0 .../contract_repo/versions/076_placeholder.py | 0 .../contract_repo/versions/077_placeholder.py | 0 .../contract_repo/versions/078_placeholder.py | 0 
.../versions/079_contract_update_local_id_limit.py | 0 .../contract_repo/versions}/__init__.py | 0 .../data_migration_repo/README.rst | 13 + .../data_migration_repo}/__init__.py | 0 .../data_migration_repo/manage.py | 0 .../data_migration_repo/migrate.cfg | 0 .../versions/073_migrate_initial_migration.py} | 34 +- .../versions/074_placeholder.py | 0 .../versions/075_placeholder.py | 0 .../versions/076_placeholder.py | 0 .../versions/077_placeholder.py | 0 .../versions/078_placeholder.py | 0 .../versions/079_migrate_update_local_id_limit.py | 0 .../data_migration_repo/versions}/__init__.py | 0 .../sql/legacy_migrations/expand_repo/README.rst | 13 + .../expand_repo/__init__.py | 0 .../{ => legacy_migrations}/expand_repo/manage.py | 0 .../expand_repo/migrate.cfg | 0 .../versions/073_expand_initial_migration.py | 1183 +++++++ .../expand_repo/versions/074_placeholder.py | 0 .../expand_repo/versions/075_placeholder.py | 0 .../expand_repo/versions/076_placeholder.py | 0 .../expand_repo/versions/077_placeholder.py | 0 .../expand_repo/versions/078_placeholder.py | 0 .../versions/079_expand_update_local_id_limit.py | 0 .../expand_repo/versions/__init__.py | 0 keystone/common/sql/migrate_repo/README | 4 - keystone/common/sql/migrate_repo/manage.py | 18 - keystone/common/sql/migrate_repo/migrate.cfg | 25 - .../common/sql/migrate_repo/versions/067_kilo.py | 317 -- .../sql/migrate_repo/versions/068_placeholder.py | 18 - .../sql/migrate_repo/versions/069_placeholder.py | 18 - .../sql/migrate_repo/versions/070_placeholder.py | 18 - .../sql/migrate_repo/versions/071_placeholder.py | 18 - .../sql/migrate_repo/versions/072_placeholder.py | 18 - .../versions/073_insert_assignment_inherited_pk.py | 113 - .../versions/074_add_is_domain_project.py | 27 - .../versions/075_confirm_config_registration.py | 29 - .../sql/migrate_repo/versions/076_placeholder.py | 18 - .../sql/migrate_repo/versions/077_placeholder.py | 18 - .../sql/migrate_repo/versions/078_placeholder.py | 18 - 
.../sql/migrate_repo/versions/079_placeholder.py | 18 - .../sql/migrate_repo/versions/080_placeholder.py | 18 - .../versions/081_add_endpoint_policy_table.py | 54 - .../versions/082_add_federation_tables.py | 97 - .../migrate_repo/versions/083_add_oauth1_tables.py | 75 - .../migrate_repo/versions/084_add_revoke_tables.py | 55 - .../versions/085_add_endpoint_filtering_table.py | 70 - .../086_add_duplicate_constraint_trusts.py | 26 - .../sql/migrate_repo/versions/087_implied_roles.py | 43 - .../versions/088_domain_specific_roles.py | 60 - .../090_add_local_user_and_password_tables.py | 42 - ...grate_data_to_local_user_and_password_tables.py | 84 - .../092_make_implied_roles_fks_cascaded.py | 46 - .../versions/093_migrate_domains_to_projects.py | 125 - .../versions/094_add_federated_user_table.py | 45 - ...5_add_integer_pkey_to_revocation_event_table.py | 62 - .../versions/096_drop_role_name_constraint.py | 50 - .../097_drop_user_name_domainid_constraint.py | 67 - .../sql/migrate_repo/versions/098_placeholder.py | 18 - .../sql/migrate_repo/versions/099_placeholder.py | 18 - .../sql/migrate_repo/versions/100_placeholder.py | 18 - .../versions/101_drop_role_name_constraint.py | 53 - .../migrate_repo/versions/102_drop_domain_table.py | 21 - .../versions/103_add_nonlocal_user_table.py | 32 - .../104_drop_user_name_domainid_constraint.py | 71 - .../versions/105_add_password_date_columns.py | 30 - .../106_allow_password_column_to_be_nullable.py | 21 - .../versions/107_add_user_date_columns.py | 30 - .../versions/108_add_failed_auth_columns.py | 26 - .../109_add_password_self_service_column.py | 24 - .../common/sql/migrate_repo/versions/__init__.py | 0 keystone/common/sql/migrations/README.rst | 15 + keystone/common/sql/migrations/env.py | 80 + .../script.py.mako} | 27 +- .../versions/27e647c0fad4_initial_version.py | 1106 +++++++ .../common/sql/migrations/versions/CONTRACT_HEAD | 1 + .../common/sql/migrations/versions/EXPAND_HEAD | 1 + 
.../yoga/contract/e25ffa003242_initial.py} | 17 +- .../versions/yoga/expand/29e87d24a316_initial.py} | 17 +- keystone/common/sql/upgrades.py | 372 +-- keystone/common/utils.py | 7 + keystone/conf/ldap.py | 8 +- keystone/conf/memcache.py | 26 +- keystone/credential/providers/fernet/core.py | 2 +- keystone/federation/idp.py | 12 +- keystone/identity/backends/ldap/common.py | 19 +- .../unit/endpoint_policy/backends/test_base.py | 2 +- .../unit/identity/shadow_users/test_backend.py | 4 +- .../test_associate_project_endpoint_extension.py | 8 +- keystone/trust/backends/base.py | 2 +- keystone/trust/backends/sql.py | 6 +- keystone/trust/core.py | 18 +- lower-constraints.txt | 2 +- .../notes/bug-1897280-e7065c4368a325ad.yaml | 7 + .../notes/bug-1941020-f694395a9bcea72f.yaml | 11 + ...change_min_pool_retry_max-f5e7c8d315401426.yaml | 6 + ...ove-db_sync-extension-opt-2ab1f29340281215.yaml | 6 + .../remove-legacy-migrations-647f60019c8dd9e8.yaml | 7 + releasenotes/source/index.rst | 1 + releasenotes/source/xena.rst | 6 + requirements.txt | 2 +- setup.cfg | 8 +- tools/generate-schemas | 134 + tox.ini | 44 +- 378 files changed, 4120 insertions(+), 11087 deletions(-) Requirements updates --------------------
diff --git a/requirements.txt b/requirements.txt
index f77c24665..c7e4605f3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -26 +26 @@ oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.10.0 # Apache-2.0