We are glad to announce the release of: keystone 27.0.0 This release is part of the epoxy release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. Changes in keystone 26.0.0..27.0.0 ---------------------------------- 94535666d Replace tabs ad93445fd Use default member role in federation tests 1066c6c4b Add JSON Schema to `services` and validation decorators to services resource. 685393b16 Imported Translations from Zanata 93cd6cfaa Add JSON Schema to `endpoint groups` and validation decorators to endpoint groups resource. 7d5b86a9e Add JSON schema and validation for role grants f3dfcad86 Add JSON schema & validation for `role assignment` bf93dba87 Fix jsonschema parameters of service_providers:get operation 4a4137d5f Drop the sha512_crypt module 01c599592 Fix invalid jsonschema for trusts 5ec777fa3 Add JSON schema to `identity provider` and validation decorators to identity provider resource. aa0cdc539 Add JSON Schema to `application credentials` and validation decorators to application credential resource. ba8bf97fa Implement pagination for users and groups 4f4a3e097 Add jsonschema for Group resource fcf8b4c6c Add jsonschemas to the User resource 39746b741 Remove templated catalog driver d16cb8771 Add doc of OAuth 2.0 Mutual-TLS Authenticate 798483bf0 Add upgrade job from 2024.1 488167f8d Add JSON schema and validation for `implied role` 0a690d47b Add JSON schema and validation for `role` resource 32ddd8ccf Add JSON schema to `service provider` and validation decorators to service provider resource. 628db853f Fix domain `immutable` lockdown 9f4ba1880 Add jsonschema decorators for domain resource 05462354c Replace deprecated FormatChecker.cls_checks 3b6d285aa Add JSON Schema to `endpoints` and validation decorators to endpoints resource. 
b7ece00f5 Add JSON schema to `registered limits` 8fe72cfe5 Fix wsgi service name for the federation tests 37b02476e Enable projects and domains pagination e80bae20e Add JSON schema to `trust` and validation decorators to trust resource. 85c759ebd Add JSON Schema to `access rules` 93d0ef72f Add JSON schema to `limits` 51045cc0d Replace sphinxcontrib-*diag 0dbe496e1 Don't use private oslo.context attribute 57c6b3187 Add new keystone.wsgi module ae4e54148 Unify response code for EC2_S3_Resource 04ff247ad Remove default override for config options policy_file 5f384c4cd Move OIDC job to check ae7b3a053 Ruff the code e1b4edb14 Remove Python 3.8 support bc8bdce77 extend docs explaining OIDC 5cf620a08 Enable JsonSchema validation for `project` f74ddfdf9 Add JsonSchema to `credentials` a59ac9d82 Remove direct dependency on memcache 7edc29914 Complete getting rid of passlib 412b477eb Switch to cryptography for pbkdf2_sha512 password hashing 02583542c Switch to crypt from passlib 364e8bb71 Switch to direct usage of bcrypt 4c4bd6e1d Switch to hashlib.scrypt from passlib 1cf7d94d6 Fix logic of fernet creation when running as root f89863601 Imported Translations from Zanata 89b0ceba9 Update master for stable/2024.2 7ac41c21e Deprecate ineffective [DEFAULT] max_param_size c450599cb Update mod_openidc config for devstack 379823ab6 Document usage of the Domain Manager persona b00cb4197 Prevent circlular imports in keystone.api a1d3a275b Add JsonSchema validation framework 9fd7b952d Update development setup doc bf8ad76d4 docs: Remove warning about unified limits API Diffstat (except docs and test files) ------------------------------------- .pre-commit-config.yaml | 14 +- .zuul.yaml | 26 +- api-ref/source/conf.py | 12 +- api-ref/source/v3-ext/oauth2.inc | 19 +- api-ref/source/v3-ext/parameters.yaml | 9 +- .../samples/OS-OAUTH2/token-create-request.txt | 2 +- api-ref/source/v3/domains.inc | 2 + api-ref/source/v3/groups.inc | 4 + api-ref/source/v3/parameters.yaml | 30 + 
api-ref/source/v3/projects.inc | 2 + api-ref/source/v3/users.inc | 4 + bindep.txt | 3 + devstack/files/oidc/apache_oidc.conf | 9 +- devstack/lib/federation.sh | 7 +- devstack/lib/oidc.sh | 11 +- devstack/tools/oidc/setup_keycloak_client.py | 2 +- .../admin/federation/configure_federation.rst | 4 +- etc/default_catalog.templates | 37 - httpd/keystone-uwsgi-admin.ini | 2 +- httpd/keystone-uwsgi-public.ini | 2 +- keystone/api/__init__.py | 99 -- keystone/api/_shared/EC2_S3_Resource.py | 28 +- keystone/api/_shared/implied_roles.py | 6 +- keystone/api/auth.py | 21 +- keystone/api/credentials.py | 130 +- keystone/api/discovery.py | 11 +- keystone/api/domains.py | 122 +- keystone/api/endpoints.py | 125 +- keystone/api/groups.py | 76 +- keystone/api/limits.py | 93 +- keystone/api/os_ep_filter.py | 109 +- keystone/api/os_federation.py | 203 ++- keystone/api/os_oauth1.py | 14 +- keystone/api/os_oauth2.py | 5 +- keystone/api/policy.py | 4 - keystone/api/projects.py | 152 ++- keystone/api/registered_limits.py | 105 +- keystone/api/role_assignments.py | 42 +- keystone/api/role_inferences.py | 13 +- keystone/api/roles.py | 132 +- keystone/api/services.py | 65 +- keystone/api/system.py | 18 + keystone/api/trusts.py | 159 ++- keystone/api/users.py | 189 +-- keystone/api/validation/__init__.py | 167 +++ keystone/api/validation/parameter_types.py | 131 ++ keystone/api/validation/response_types.py | 55 + keystone/api/validation/validators.py | 241 ++++ keystone/application_credential/backends/base.py | 1 - keystone/application_credential/backends/sql.py | 1 - keystone/application_credential/schema.py | 331 ++++- keystone/assignment/backends/base.py | 1 - keystone/assignment/backends/sql.py | 9 +- keystone/assignment/core.py | 32 +- keystone/assignment/role_backends/base.py | 1 - .../assignment/role_backends/resource_options.py | 4 +- keystone/assignment/role_backends/sql.py | 1 - keystone/assignment/role_backends/sql_model.py | 3 +- keystone/assignment/schema.py | 413 +++++- 
keystone/auth/core.py | 4 +- keystone/auth/plugins/base.py | 27 +- keystone/auth/plugins/core.py | 9 +- keystone/auth/plugins/mapped.py | 3 - keystone/auth/plugins/password.py | 1 - keystone/auth/plugins/token.py | 2 - keystone/auth/plugins/totp.py | 1 - keystone/auth/schema.py | 77 +- keystone/catalog/backends/base.py | 32 +- keystone/catalog/backends/sql.py | 15 +- keystone/catalog/backends/templated.py | 355 ----- keystone/catalog/schema.py | 449 ++++++- keystone/cmd/bootstrap.py | 1 - keystone/cmd/cli.py | 16 +- keystone/cmd/doctor/__init__.py | 9 +- keystone/cmd/doctor/ldap.py | 4 +- keystone/cmd/idutils.py | 1 - keystone/cmd/status.py | 15 +- keystone/common/cache/_context_cache.py | 2 +- keystone/common/cache/core.py | 4 +- keystone/common/context.py | 1 - keystone/common/driver_hints.py | 71 +- keystone/common/fernet_utils.py | 11 +- keystone/common/json_home.py | 18 +- keystone/common/manager.py | 18 +- keystone/common/password_hashers/__init__.py | 45 + keystone/common/password_hashers/bcrypt.py | 149 +++ keystone/common/password_hashers/pbkdf2.py | 106 ++ keystone/common/password_hashers/scrypt.py | 111 ++ keystone/common/password_hashing.py | 54 +- keystone/common/policies/base.py | 4 +- keystone/common/policies/project.py | 4 +- keystone/common/provider_api.py | 7 +- keystone/common/rbac_enforcer/enforcer.py | 10 +- keystone/common/render_token.py | 10 +- keystone/common/resource_options/core.py | 1 - .../common/resource_options/options/immutable.py | 14 + keystone/common/sql/core.py | 43 +- keystone/common/sql/migrations/autogen.py | 5 +- keystone/common/sql/migrations/manage.py | 16 +- .../versions/27e647c0fad4_initial_version.py | 102 +- ..._service_provider_relay_state_server_default.py | 5 +- keystone/common/sql/upgrades.py | 13 +- keystone/common/utils.py | 15 +- keystone/common/validation/validators.py | 35 +- keystone/conf/__init__.py | 12 +- keystone/conf/application_credential.py | 7 +- keystone/conf/catalog.py | 24 +- 
keystone/conf/constants.py | 1 - keystone/conf/default.py | 18 + keystone/conf/endpoint_filter.py | 5 +- keystone/conf/endpoint_policy.py | 4 +- keystone/conf/fernet_receipts.py | 5 +- keystone/conf/fernet_tokens.py | 5 +- keystone/conf/identity.py | 3 +- keystone/conf/identity_mapping.py | 6 +- keystone/conf/oauth1.py | 6 +- keystone/conf/opts.py | 5 +- keystone/conf/policy.py | 5 +- keystone/conf/receipt.py | 8 +- keystone/conf/revoke.py | 7 +- keystone/conf/role.py | 7 +- keystone/conf/shadow_users.py | 4 +- keystone/conf/tokenless_auth.py | 6 +- keystone/conf/totp.py | 4 +- keystone/conf/trust.py | 6 +- keystone/conf/unified_limit.py | 8 +- keystone/conf/wsgi.py | 4 +- keystone/credential/backends/sql.py | 1 - keystone/credential/core.py | 2 +- keystone/credential/provider.py | 1 - keystone/credential/providers/fernet/core.py | 2 +- keystone/credential/schema.py | 143 +- keystone/endpoint_policy/backends/sql.py | 1 - keystone/endpoint_policy/core.py | 2 - keystone/exception.py | 9 +- keystone/federation/backends/base.py | 1 - keystone/federation/backends/sql.py | 11 +- keystone/federation/core.py | 4 +- keystone/federation/idp.py | 19 +- keystone/federation/schema.py | 270 +++- keystone/federation/utils.py | 85 +- keystone/identity/backends/ldap/common.py | 113 +- keystone/identity/backends/ldap/core.py | 15 +- keystone/identity/backends/resource_options.py | 2 +- keystone/identity/backends/sql.py | 73 +- keystone/identity/backends/sql_model.py | 20 +- keystone/identity/core.py | 27 +- keystone/identity/id_generators/sha256.py | 1 - keystone/identity/mapping_backends/sql.py | 1 - keystone/identity/schema.py | 248 +++- keystone/identity/shadow_backends/sql.py | 1 - keystone/limit/backends/base.py | 1 - keystone/limit/backends/sql.py | 1 - keystone/limit/core.py | 1 - keystone/limit/models/flat.py | 1 - keystone/limit/models/strict_two_level.py | 26 +- keystone/limit/schema.py | 412 +++++- keystone/locale/en_GB/LC_MESSAGES/keystone.po | 21 +- 
keystone/models/revoke_model.py | 14 +- keystone/models/token_model.py | 24 +- keystone/notifications.py | 42 +- keystone/oauth1/core.py | 12 +- keystone/oauth1/validator.py | 1 - keystone/oauth2/handlers.py | 2 +- keystone/policy/backends/base.py | 1 - keystone/policy/backends/sql.py | 1 - keystone/receipt/handlers.py | 7 +- keystone/receipt/provider.py | 3 +- keystone/receipt/providers/fernet/core.py | 4 +- keystone/receipt/receipt_formatters.py | 1 - keystone/resource/backends/base.py | 1 - keystone/resource/backends/resource_options.py | 4 +- keystone/resource/backends/sql.py | 42 +- keystone/resource/backends/sql_model.py | 1 - keystone/resource/config_backends/sql.py | 1 - keystone/resource/core.py | 4 +- keystone/resource/schema.py | 235 +++- keystone/revoke/backends/sql.py | 2 +- keystone/revoke/core.py | 3 +- keystone/server/backends.py | 1 - keystone/server/flask/application.py | 68 +- keystone/server/flask/common.py | 80 +- .../request_processing/middleware/auth_context.py | 11 +- .../protection/v3/test_application_credential.py | 69 +- .../unit/application_credential/test_backends.py | 5 +- .../unit/assignment/role_backends/test_sql.py | 2 - .../unit/default_catalog_multi_region.templates | 27 - .../unit/endpoint_policy/backends/test_base.py | 14 +- .../unit/endpoint_policy/backends/test_sql.py | 1 - .../unit/identity/backends/test_ldap_common.py | 31 +- .../unit/receipt/test_receipt_serialization.py | 1 - .../unit/resource/config_backends/test_sql.py | 1 - .../test_associate_project_endpoint_extension.py | 361 ++---- keystone/token/provider.py | 3 +- keystone/token/providers/jws/core.py | 5 +- keystone/token/token_formatters.py | 3 +- keystone/trust/backends/base.py | 1 - keystone/trust/backends/sql.py | 5 +- keystone/trust/schema.py | 241 +++- keystone/wsgi/__init__.py | 0 keystone/wsgi/api.py | 22 + .../add-keystone-wsgi-module-afae3f86df07eca9.yaml | 22 + .../deprecate-max-param-size-6e0770e0c9d21dd6.yaml | 6 + 
.../notes/drop-passlib-9b398c8f08f5e9ee.yaml | 8 + .../pagination-identity-b127b6d3042d3d3a.yaml | 6 + .../pagination-projects-ea311579da4bb83b.yaml | 12 + .../notes/remove-py38-4e33bcf77029f0d0.yaml | 5 + ...t-password-hashing-module-be4c5ed3f50017c0.yaml | 6 + ...-templated-catalog-driver-042dd821dbad684a.yaml | 6 + .../sha512_crypt_deprecation-91a19080f1e884e4.yaml | 7 + releasenotes/source/2024.2.rst | 6 + releasenotes/source/conf.py | 9 +- releasenotes/source/index.rst | 1 + .../locale/en_GB/LC_MESSAGES/releasenotes.po | 152 ++- .../source/locale/fr/LC_MESSAGES/releasenotes.po | 120 -- .../locale/ko_KR/LC_MESSAGES/releasenotes.po | 202 --- requirements.txt | 3 +- ruff.toml | 15 + setup.cfg | 7 +- tox.ini | 23 +- 366 files changed, 11103 insertions(+), 8397 deletions(-) Requirements updates --------------------
diff --git a/requirements.txt b/requirements.txt
index d67878709..3b03fc21d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16 +15,0 @@ stevedore>=1.20.0 # Apache-2.0
-passlib>=1.7.0 # BSD
@@ -29 +28 @@ oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.10.0 # Apache-2.0
+oslo.policy>=4.5.0 # Apache-2.0
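Review bot: The first hunk removes `passlib>=1.7.0` but adds no constraint for the libraries the changelog says now do the hashing directly (`bcrypt`, `cryptography` for pbkdf2_sha512, stdlib `hashlib.scrypt`), so this diff alone does not show that `bcrypt` and `cryptography` are pinned to versions exposing the APIs the new `keystone/common/password_hashers/` modules call; presumably they are already listed in the unchanged part of requirements.txt, which is worth confirming before release. Since passlib was the component verifying every stored hash variant and the changelog also drops the sha512_crypt module, operators with legacy hashes need a clear statement of which stored formats remain verifiable after upgrade and which require a password reset; the `sha512_crypt_deprecation` release note in the diffstat may already cover this, but it should be cross-checked against the actual verification paths in the new hashers.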