We are amped to announce the release of:

keystone 13.0.0: OpenStack Identity

This release is part of the queens release series.

Download the package from:

    https://tarballs.openstack.org/keystone/

For more details, please see below.

13.0.0
^^^^^^

Bug Fixes

* [bug 1748970 (https://bugs.launchpad.net/keystone/+bug/1748970)] A bug was introduced in Queens that resulted in system role assignments being returned when querying the role assignments API for a specific role. The issue is fixed and the list of roles returned from "GET /v3/role_assignments?role.id={role_id}" respects system role assignments.

* [bug 1749264 (https://bugs.launchpad.net/keystone/+bug/1749264)] A user's system role assignment will be removed when the user is deleted.

* [bug 1749267 (https://bugs.launchpad.net/keystone/+bug/1749267)] A group's system role assignments are removed when the group is deleted.

* [bug 1750415 (https://bugs.launchpad.net/keystone/+bug/1750415)] Fixes an implementation fault in application credentials where the application credential reference was not populated in the token data, causing problems with the token validation when caching was disabled.

Changes in keystone 12.0.0.0rc1..13.0.0
---------------------------------------

8476768 Update 3.10 versioning to limits and system scope
afca5cc Populate application credential data in token
ae0edae Imported Translations from Zanata
7aec54a Add docs for application credentials
8646f40 Delete system role assignments when deleting groups
ddd7ff3 Grant admin a role on the system during bootstrap
a1ea04d Fix querying role_assignment with system roles
8242fc7 Imported Translations from Zanata
89152d7 Expose bug in system assignment when deleting groups
445837f Delete system role assignments when deleting users
298f445 Expose bug in system assignment when deleting users
752d299 Expose bug in /role_assignments API with system-scope
1365916 Imported Translations from Zanata
e46148e Update UPPER_CONSTRAINTS_FILE for stable/queens
a196509 Update .gitreview for stable/queens
620d80e Add placeholder migrations for Queens
62ee18b Delete SQL users before deleting domain
b2308f8 Reorganize api-ref: v3-ext federation mapping.inc
5a174a5 Reorganize api-ref: v3-ext federation service-provider
572fac9 Reorganize api-ref: v3-ext oauth.inc
6e5c7e8 Replace port 35357 with 5000 for ubuntu guide
06ab0c9 Reorganize api-ref: v3 os-pki
a45e99f Reorganize api-ref: v3-ext federation identity-provider
1121ccf Reorganize api-ref: v3-ext trust.inc
f6b6691 Remove v2.0 from documentation guides
1dec4d5 Remove v2.0 extension documentation
4b172f0 Update curl request documentation to remove v2.0
3a6b1bb Remove v2 and v2-admin API documentation
d5e9c0b Remove all v2.0 APIs except the ec2tokens API
ae7c7a0 Update sample configuration file for Queens
6075dcd Imported Translations from Zanata
8761066 Finish refactoring self.*_api out of tests
c6cfaad Add cache invalidation when delete application credential
0af4391 Expose a bug that application credential cache is not invalidated
63fde3e Fix cache invalidation for application credential
10e8e69 Expose a bug that cache invalidation doesn't work for application credential
e740d72 Update the base class for application credential
e7a4d43 Fix list users by name
bbe2d7e Refactor self.*_api out of tests
aff66d6 Use keystone.common.provider_api for auth APIs
fe19875 Fix the wrong description
6b49de6 Remove the redundant word
f463bdc Validate identity providers during token validation
1c6d049 Update historical context about the removal of v2.0
51d22a8 Document flat limit enforcement model
92db247 add 'tags' in request body of projects
45e8b6e Increase MySQL max_connections for unit tests
d1e751b Add scope_types for user policies
21af4fe Use native Zuul v3 tox job
f5322a8 Update documentation to reflect system-scope
9da1929 Add a release note for application credentials
d827e6e Impose limits on application credentials
5e97f2d Enable application_credential auth by default
0462ff8 Add api-ref for application credentials
29280b1 Add application credential auth plugin
166eced Add Application Credentials controller
2832f1a Zuul: Remove project name
c22b9e9 Refresh the admin_token doc
544f079 Remove pki_setup step in doc
005f462 Add documentation describing unified limits
ace2e10 Handle TZ change in iso8601 >=0.1.12
60d0283 Remove PKI/PKIZ token in doc
a616462 Add api-ref for unified limits
4606183 Expose unified limit APIs
9ba24b9 Implement policies for limits
0b241dc Add limit provider
0cde8da Improve limit sql backend
fc46c02 Replace Chinese punctuation with English punctuation
d5e5467 Add release note for system-scope
a50fafd Implement GET /v3/auth/system
7070215 Updated from global requirements
5d6f4bb Implement system-scoped tokens
6d2bf2e Document scope_types for project policies
42fc6bf Add scope_types to trust policies
7dbf84c Add scope_types to grant policies
de7e79f Add scope_types to role assignment policies
59b1aac Fix column rename migration for mariadb 10.2
2176eb4 Remove foreign key for registered limit
19a2ccb Introduce assertions for system-scoped token testing
0a9867f Implement system-scope in the token provider API
265076a Teach TokenFormatter how to handle system scope
a7d2b62 Remove the deprecated "giturl" option
705ff13 Relay system information in RoleAssignmentNotFound
5fe9e37 Rename application credential restriction column
fcf616e Update token doc
62c912b Update keystone v2/tokenauth example
f063cb0 Reorganize api-ref: v3-ext revoke.inc
7d4c366 Reorganize api-ref: v3-ext ep-filter.inc
7430f11 Reorganize api-ref: v3-ext simple-cert.inc
51d725c Reorganize api-ref: v3-ext federation projects-domains.inc
757a8b0 Document scope_types for credential policies
93b8b59 Document scope_types for ec2 policies
de1007a Move token_formatter to token
aba66ad Document fixes needed for token scope_types
693928d Add scope_types to service provider policies
80556da Add scope_types to group policies
a2b9301 Add scope_types to domain config policies
d94d9c5 Add system column to app cred table
103aef5 Fix outdated links
0bc28e8 Add ability to list all system role assignments
eefc69e Add system role assignment documentation
716abfc Add Application Credentials manager
37877a1 Handle TODO notes for using new_user_ref
ad6a2bc Updated from global requirements
52a32aa Add application credentials driver
086dddd Make entries in policy_mapping.rst consistent
476d73a Add application credentials db migration
e176e0f Fix indentation in docs
76bcc16 remove _append_null_domain_id decorator
076ae3e Fix wrong url in domains-config-v3.inc
aa482b3 msgpack-python has been renamed to msgpack
5a74f85 adjust response code order in 'regions-v3.inc'
99724db Fix wrong url in config-options.rst
b9adc77 adjust response code order in 'authenticate-v3.inc'
57b8918 Reorganize api-ref: v3-ext endpoint-policy.inc
08b570b Imported Translations from Zanata
30e1cae Extract expiration validation to utils
086dd27 Implement controller logic for system group assignments
96f46b3 adjust response code order in ''policies.inc''
d23856a adjust response code order in ''domains-config-v3.inc''
c8d1c2e put response code in table of ''domains.inc''
17e242e adjust response code in order of credentials.inc
07bc97f fix wrong url link of User trusts
3992a97 Reorganize api-ref: v3-ext federation assertion.inc
410a8f6 Implement controller logic for system user assignments
1f0473a Add schema check for authorize request token
3bcaec3 Remove whitespace from policy sample file
9875135 Use keystone.common.provider_api for trust APIs
7229381 Add db operation for unified limit
6d0ca2f Add new tables for unified limits
d69fdd9 Fix federation unit test
e7b1163 add response example and 'extra' info of create user
c3e3b6b Add scope_types to domain policies
d7ccb81 Add scope_types for policy policies
f89154c Add scope_types to oauth policies
bcc3a4e Add scope_types to token revocation policies
d38343a Add scope_types to endpoint group policies
5ed86b2 Migrate jobs to zuulV3
7867efb Add scope_types to role policies
cfb0d59 Add scope_types to implied role policies
07b07d5 Add expired_at_int column to trusts
93fa014 Add scope_types for revoke event policies
6104b62 Add scope_types to protocol policies
b342cbd Add scope_types to project endpoint policies
0615067 Add scope_types to policy association policies
5fa9a9f Add scope_types to mapping policies
a21d3dc Add scope_types to identity provider policies
cef8293 Add scope_types to service policies
113f37d Handle InvalidScope exception from oslo.policy
c063264 Use keystone.common.provider_api directly in assignment
a1af30e Add scope_types to region policies
8623611 Add scope_types to endpoint policies
85c957c Expose a get_enforcer method for oslo.policy scripts
1825e65 Reorganize api-ref: v3 project-tags
338e855 Reorganize api-ref: v3 authenticate-v3
c973c8f Deprecate [trust]/enabled option
bf548cb Use keystone.common.provider_api for resource APIs
3c7a0f3 Re-organize api-ref: v3 inherit.inc
e6fb231 Implement get_unique_role_by_name
b05d997 Reorganize api-ref: v3-ext federation projects-domains
f80b8dd Reorganize api-ref: v3 regions-v3
6d2b2c5 Reorganize api-ref: v3 policies
05c96d0 Remove duplicated release note
eb35d45 Reorganize api-ref: v3 credentials
1e16ee1 Reorganize api-ref: v3 domains-config-v3
ba6c5af Reorganize api-ref: v3 service-catalog
0540954 Reorganize api-ref: v3 projects
31accd1 Reorganize api-ref: v3 roles
26b8fb0 Use keystone.common.provider_api for identity APIs
2f9b444 Use keystone.common.provider_api for revoke APIs
822aff1 Use keystone.common.provider_api for policy APIs
e679ec1 Use keystone.common.provider_api for oauth APIs
3ae0cb8 Use keystone.common.provider_api for federation APIs
88d840e Use keystone.common.provider_api for endpoint_policy APIs
224dfff Use keystone.common.provider_api for credential APIs
2e778f8 Use keystone.common.provider_api for catalog APIs
114edb4 Use keystone.common.provider_api for token APIs
050ee62 modify LOG.error tip message
06fe070 Performance: improve get_role
cd9064d Add group system grant policies
7e10251 Replace parse_strtime with datetime.strptime
9ca1c23 Remove private methods for v2.0 and v3 tokens
c4874dd Ensure building scope is mutually exclusive
616542a Add user system grant policies
420f50e Implement manager logic for group+system roles
05e3ddb Implement manager logic for user+system roles
f86db08 Implement backend logic for system roles
bd72962 Add a new table for system role assignments
db12357 Refactor project tags encoding
af15155 Expose a bug when authorize request token
ba61e84 Bump API version and date to 3.9
07bba32 Create doc/requirements.txt
9a0443b remove some misleading info in Update user API doc.
4e70a5d Updated from global requirements
4fc045f remove "admin_token_auth" related content"
4783d1f Remove rolling_upgrade_password_hash_compat
23d14f5 Deprecate member_role_id and member_role_name
3b209ed Migrate functional tests to stestr
81f9fe6 Remove Dependency Injection
03ba867 Rename fernet_utils to token_utils
3cc3986 Remove extra parameter for token auth
0982791 Refresh sample_data.sh
2be384b Improve exception logging with 500 response
e9332a2 Remove dead code for auth_context
cfbc2aa Updated from global requirements
82a53de Reorganize api-ref:v3 groups
b84927a Handle deprecation of inspect.getargspec
f71a78d Enforce policy on oslo-context
4af3a43 Correct error message for request token
8f99c8a Refresh the Controller list
ccbad41 Updated from global requirements
227d38e Update keystone testing documentation
f97df5c Fix role schema in trust object
8eb29c3 Validate disabled domains and projects online
756d281 Add New in Pike note to using db_sync check
f8e79ab Fix 500 error when create trust with invalid role key
62f9e57 Expose a bug when create trust with roles
55ef19d Remove member role assignment
29af9bf Fix wrong links in keystone documentation
4c824c8 Add schema check for OS-TRUST:trust authentication
cf43e3a Expose a bug when authenticating for a trust-scoped token
49d75d6 Update the help message for unique_last_password_count
10f4686 Remove apache-httpd related link
43bac9a Populate user, project and domain names from token into context
c0968ed Remove setting of version/release from releasenotes
dd0f787 Updated from global requirements
f3c5c9c Update cache doc
d2da034 Updated from global requirements
503882c Fix 500 error when authenticate with "mapped"
82a7617 Updated from global requirements
789573a Filter users/groups in ldap with whitespaces
621ea65 Deprecate policies API
aaccc5b Change url in middleware test to v3
e2295ed Remove ensure_default_domain_exists
59a3ea3 Ensure listing projects always returns tags
0d3e20a Consolidate V2Controller functionality
64fdb17 Remove v2 token value model
f03927f Add non-voting rolling upgrade test
dd473ce Remove "no auth token" debug log
cbdc84a Partially clarify federation auth plugins
f776fc1 Handle ldap size limit exeeded exception
ef4f836 policy.v3cloudsample.json: remove redundant blank space
1956f6a Remove expired password v2 test
e619551 Remove v2 token test models
ef4e7d1 Remove/update v2 catalog endpoint tests
350f09d Remove unnecessary dependency injection
aeeac73 Remove identity v2 to v3 test case
0ff3534 Reorganize api-ref: v3 domains
8e84a4c Correct parameter to follow convention
665cca0 Remove v2 schema and validation tests
de78845 Implement project tags API controller and router
ee90002 Implement project tags logic into manager
6d320f7 Implement backend logic for project tags
3758143 Remove v2.0 assignment schema
0579dec Add project tags api-ref documentation and reno
8f2273a Deleting an identity provider doesn't invalidate tokens
bd452fb Add policy for project tags
5329071 Add JSON schema validation for project tags
11d1894 Fix initial mapping example
e1d680e Fix list in caching documentation
47dbd25 Updated from global requirements
de9546b Refactor test_backend_ldap tests
67967c8 Emit deprecation warning for federated domain/project APIs
d0adf7d Reorganize api-ref: v3-ext federation auth
ad1b677 Update the release name in install tutorial
06cefd9 Reorganize api-ref: v3 users
682dc05 Add explain of mapping group attribute
0286c3a Remove v2.0 identity API documentation
99ad40e Add database migration for project tags
e58d630 Remove the v2_deprecated decorator
09b828d Remove the v3 to v2 resource test case
5194a36 Remove admin_token_auth steps from install guide
087b07b Remove the v2.0 validate path from validate_token
9bf97e1 Remove v2.0 test plumbing
8e85cb1 Remove v2.0 auth APIs
139aa01 Remove v2.0 token APIs
f5bd968 Move auth header definitions into authorization
75f24c6 Remove v2.0 identity APIs
c5f5c2c Use stestr directly instead of ostestr
a98fca3 Remove middleware reference to PARAMS_ENV and CONTEXT_ENV
71e5431 Migrate to stestr
fdb6adf Updated from global requirements
0502d74 Add default configuration files to data_files
d03f35e Add unit tests to mapping_purge
bf2c54f Replace assertRegexpMatches with assertregex
36d4e62 Update API reference link in README
3ef8214 Refactor removal of duplicate projects/domains
cdfcac6 Update links in keystone
cc63cb9 Fix role assignment api-ref docs
6883e76 Update invalid url in admin docs
4e912c2 Remove keystone-all doc
b5f8142 Fix typos in bootstrap doc
0f3909b Properly normalize protocol in Fedrations update_protocol
35468f2 Two different API achieve listing role assignments
8829e5e Add backport migrations for Pike
76bd54d Adds Bandit #nosec flag to instances of SHA1
bdf47dd Policy exception
a3c2eb1 Remove duplicate code
a41d761 Fix a typo
8dff328 Increase multi region endpoints test coverage
40653ea Replace DbMigrationError with DBMigrationError
7fda51d Confusing notes of ephemeral user's domain
b5c3dec Confusing log messages in project hierarchy checking
ebed5dd Remove vestigate HUDSON_PUBLISH_DOCS reference
3dc5933 Add test GET for member url in the Assignment API
f2d2bcb Remove v2.0 resource APIs
9eef179 Remove v2.0 assignment APIs
70ad022 Remove v2.0 service and endpoint APIs
428828d Fix endpoint examples in api-ref
0451533 Copy specific distro pages for install guide
785d8fe Imported Translations from Zanata
296429f Log format error
a1f19c7 Updated from global requirements
2373cfb Ignore release notes for pike and master
428cec4 Clarify documentation for release notes
6a20aa8 Revert "Fix wrong links"
94e3e98 Remove missing release note from previous revert
d1562fb Include a link in release note for bug 1698900
faec97f Delete redundant code
c025cb3 Call methods with kwargs instead of positionals
058a23c Remove duplicate roles from federated auth
df03cb2 Add the step to create a domain
38974af Add int storage of datetime for password created/expires
3d46c8a Resource backend is SQL only now
00c4448 Assert default project id is not domain
77500b3 Fix wrong links
5fbe540 Imported Translations from Zanata
ad094a6 Remove deprecation of domain_config_upload
f57a318 Update reno for stable/pike
455a21e Update docs: fernet is the default provider
8278555 Updated URLs in docs
0505765 Add description of domain_id in creating user/group
1cf1cd4 Fix typo in index documentation
3fbdada Use log debug instead of warning

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 2 +-
.gitreview | 1 +
.stestr.conf | 4 +
.testr.conf | 16 -
.zuul.yaml | 139 +
HACKING.rst | 11 +-
README.rst | 6 +-
api-ref/source/conf.py | 5 -
api-ref/source/index.rst | 2 -
api-ref/source/v2-admin/admin-certificates.inc | 41 -
api-ref/source/v2-admin/admin-endpoints.inc | 78 -
api-ref/source/v2-admin/admin-tenants.inc | 267 --
api-ref/source/v2-admin/admin-tokens.inc | 173 --
api-ref/source/v2-admin/admin-users.inc | 231 --
api-ref/source/v2-admin/admin-versions.inc | 29 -
api-ref/source/v2-admin/index.rst | 14 -
api-ref/source/v2-admin/parameters.yaml | 360 ---
.../samples/admin/endpoint-create-request.json | 9 -
.../samples/admin/endpoint-create-response.json | 9 -
.../samples/admin/endpoint-list-response.json | 18 -
.../samples/admin/roles-list-response.json | 10 -
.../admin/show-ca-certificate-v2-response.txt | 19 -
.../admin/show-signing-certificate-v2-response.txt | 19 -
.../samples/admin/tenant-show-response.json | 8 -
.../samples/admin/tenant-update-request.json | 8 -
.../admin/tenantwithoutid-create-request.json | 7 -
.../admin/token-endpoints-list-response.json | 122 -
.../samples/admin/token-validate-response.json | 28 -
.../samples/admin/user-create-request.json | 9 -
.../v2-admin/samples/admin/user-show-response.json | 9 -
.../samples/admin/user-update-request.json | 6 -
.../samples/admin/user-update-response.json | 10 -
.../samples/admin/users-list-response.json | 19 -
api-ref/source/v2-ext/index.rst | 2 -
api-ref/source/v2-ext/ksadm-admin.inc | 449 ---
api-ref/source/v2-ext/kscrud.inc | 26 -
api-ref/source/v2-ext/ksec2-admin.inc | 188 +-
api-ref/source/v2-ext/parameters.yaml | 64 +-
.../OS-KSADM/credentials-show-response.json | 11 -
.../samples/OS-KSADM/role-create-request.json | 7 -
.../samples/OS-KSADM/role-show-response.json | 7 -
.../samples/OS-KSADM/roles-list-response.json | 10 -
.../samples/OS-KSADM/service-create-request.json | 8 -
.../samples/OS-KSADM/service-show-response.json | 8 -
.../samples/OS-KSADM/services-list-response.json | 17 -
.../samples/OS-KSADM/user-set-enabled-request.json | 5 -
.../OS-KSADM/user-set-password-request.json | 5 -
.../samples/OS-KSADM/user-show-response.json | 10 -
.../OS-KSADM/user-update-tenant-request.json | 5 -
.../samples/OS-KSEC2/authenticate-request.json | 16 +
.../samples/OS-KSEC2/authenticate-response.json | 31 +
.../OS-KSEC2/credentials-show-response.json | 11 +
api-ref/source/v2/identity-api-extensions.inc | 70 -
api-ref/source/v2/identity-auth.inc | 122 -
api-ref/source/v2/index.rst | 13 -
api-ref/source/v2/overview.inc | 272 --
api-ref/source/v2/parameters.yaml | 257 --
api-ref/source/v2/revocations.inc | 32 -
.../samples/admin/UserUpdatePasswordRequest.json | 6 -
.../admin/authenticate-credentials-request.json | 9 -
.../v2/samples/admin/authenticate-response.json | 184 --
.../samples/admin/authenticate-token-request.json | 8 -
.../v2/samples/admin/extension-show-response.json | 16 -
.../v2/samples/admin/extensions-list-response.json | 118 -
.../v2/samples/admin/revoked-tokens-response.json | 3 -
.../v2/samples/admin/tenants-list-request-JSON.txt | 5 -
.../v2/samples/admin/tenants-list-response.json | 17 -
.../v2/samples/admin/user-create-response.json | 10 -
.../v2/samples/admin/user-update-response.json | 9 -
.../v2/samples/admin/users-list-response.json | 88 -
.../v2/samples/admin/version-show-response.json | 24 -
.../v2/samples/admin/versions-list-response.json | 45 -
.../client/authenticate-credentials-request.json | 9 -
.../v2/samples/client/authenticate-response.json | 184 --
api-ref/source/v2/versions.inc | 39 -
api-ref/source/v3-ext/endpoint-policy.inc | 209 +-
api-ref/source/v3-ext/ep-filter.inc | 381 ++-
api-ref/source/v3-ext/federation.inc | 6 +-
.../v3-ext/federation/assertion/assertion.inc | 49 +-
api-ref/source/v3-ext/federation/auth/auth.inc | 59 +-
.../source/v3-ext/federation/auth/parameters.yaml | 4 +-
.../v3-ext/federation/identity-provider/idp.inc | 239 +-
.../source/v3-ext/federation/mapping/mapping.inc | 103 +-
.../federation/projects-domains/parameters.yaml | 4 +-
.../projects-domains/projects-domains.inc | 42 +-
.../v3-ext/federation/service-provider/sp.inc | 110 +-
api-ref/source/v3-ext/oauth.inc | 443 ++-
api-ref/source/v3-ext/parameters.yaml | 27 +-
api-ref/source/v3-ext/revoke.inc | 31 +-
api-ref/source/v3-ext/simple-cert.inc | 40 +-
api-ref/source/v3-ext/trust.inc | 285 +-
api-ref/source/v3/application-credentials.inc | 304 ++
api-ref/source/v3/authenticate-v3.inc | 558 +++-
api-ref/source/v3/credentials.inc | 191 +-
api-ref/source/v3/domains-config-v3.inc | 469 ++-
api-ref/source/v3/domains.inc | 188 +-
api-ref/source/v3/groups.inc | 336 ++-
api-ref/source/v3/index.rst | 29 +-
api-ref/source/v3/inherit.inc | 315 +-
api-ref/source/v3/os-pki.inc | 38 +-
api-ref/source/v3/parameters.yaml | 361 ++-
api-ref/source/v3/policies.inc | 191 +-
api-ref/source/v3/project-tags.inc | 375 +++
api-ref/source/v3/projects.inc | 230 +-
api-ref/source/v3/regions-v3.inc | 186 +-
api-ref/source/v3/roles.inc | 1025 ++++---
.../application-credential-create-request.json | 12 +
.../application-credential-create-response.json | 21 +
.../admin/application-credential-get-response.json | 20 +
.../application-credential-list-response.json | 45 +
.../auth-application-credential-id-request.json | 13 +
.../auth-application-credential-name-request.json | 16 +
.../auth-application-credential-response.json | 60 +
.../auth-password-explicit-unscoped-response.json | 1 -
.../auth-password-project-scoped-response.json | 1 -
...password-system-scoped-request-with-domain.json | 23 +
.../admin/auth-password-unscoped-response.json | 1 -
.../samples/admin/auth-token-scoped-response.json | 1 -
.../admin/auth-token-unscoped-response.json | 1 -
.../v3/samples/admin/endpoint-create-response.json | 3 +-
.../v3/samples/admin/endpoint-update-request.json | 1 -
.../get-available-system-scopes-response.json | 10 +
.../v3/samples/admin/limit-show-response.json | 13 +
.../v3/samples/admin/limits-create-request.json | 17 +
.../v3/samples/admin/limits-create-response.json | 26 +
.../v3/samples/admin/limits-list-response.json | 31 +
.../v3/samples/admin/limits-update-request.json | 12 +
.../v3/samples/admin/limits-update-response.json | 26 +
.../list-system-roles-for-group-response.json | 18 +
.../admin/list-system-roles-for-user-response.json | 17 +
.../v3/samples/admin/project-create-response.json | 3 +-
.../samples/admin/project-tags-list-response.json | 3 +
.../samples/admin/project-tags-update-request.json | 3 +
.../admin/project-tags-update-response.json | 20 +
.../v3/samples/admin/project-update-response.json | 3 +-
.../v3/samples/admin/projects-list-response.json | 24 +-
.../admin/registered-limit-show-response.json | 12 +
.../admin/registered-limits-create-request.json | 15 +
.../admin/registered-limits-create-response.json | 24 +
.../admin/registered-limits-list-response.json | 29 +
.../admin/registered-limits-update-request.json | 17 +
.../admin/registered-limits-update-response.json | 24 +
.../v3/samples/admin/user-create-request.json | 4 +-
api-ref/source/v3/service-catalog.inc | 431 +--
api-ref/source/v3/system-roles.inc | 417 +++
api-ref/source/v3/unified_limits.inc | 589 ++++
api-ref/source/v3/users.inc | 329 +-
devstack/plugin.sh | 2 +-
.../admin/identity-auth-token-middleware.rst | 4 +-
.../admin/identity-keystone-usage-and-features.rst | 43 +-
.../advanced-topics/configure_tokenless_x509.rst | 5 +-
.../federation/configure_federation.rst | 20 +-
.../advanced-topics/federation/shibboleth.rst | 11 +-
etc/keystone.conf.sample | 203 +-
etc/policy.v3cloudsample.json | 46 +-
httpd/README | 2 +-
keystone/application_credential/__init__.py | 14 +
.../application_credential/backends/__init__.py | 0
keystone/application_credential/backends/base.py | 97 +
keystone/application_credential/backends/sql.py | 156 +
keystone/application_credential/controllers.py | 155 +
keystone/application_credential/core.py | 222 ++
keystone/application_credential/routers.py | 54 +
keystone/application_credential/schema.py | 50 +
keystone/assignment/backends/base.py | 62 +
keystone/assignment/backends/sql.py | 86 +
keystone/assignment/controllers.py | 482 ++-
keystone/assignment/core.py | 499 +++-
keystone/assignment/routers.py | 52 +-
keystone/assignment/schema.py | 15 -
keystone/auth/controllers.py | 133 +-
keystone/auth/core.py | 138 +-
keystone/auth/plugins/application_credential.py | 42 +
keystone/auth/plugins/base.py | 3 +-
keystone/auth/plugins/core.py | 53 +-
keystone/auth/plugins/external.py | 15 +-
keystone/auth/plugins/mapped.py | 33 +-
keystone/auth/plugins/oauth1.py | 8 +-
keystone/auth/plugins/password.py | 6 +-
keystone/auth/plugins/token.py | 26 +-
keystone/auth/plugins/totp.py | 12 +-
keystone/auth/routers.py | 6 +
keystone/auth/schema.py | 15 +
keystone/catalog/backends/base.py | 3 +-
keystone/catalog/backends/sql.py | 2 -
keystone/catalog/controllers.py | 298 +-
keystone/catalog/core.py | 8 +-
keystone/catalog/schema.py | 18 -
keystone/cmd/cli.py | 72 +-
keystone/cmd/doctor/credential.py | 10 +-
keystone/cmd/doctor/tokens_fernet.py | 10 +-
keystone/common/authorization.py | 97 +-
keystone/common/context.py | 1 +
keystone/common/controller.py | 129 +-
keystone/common/dependency.py | 170 +-
keystone/common/fernet_utils.py | 314 --
keystone/common/json_home.py | 3 +
keystone/common/manager.py | 33 +-
keystone/common/policies/__init__.py | 6 +
keystone/common/policies/access_token.py | 9 +
keystone/common/policies/application_credential.py | 65 +
keystone/common/policies/auth.py | 15 +
keystone/common/policies/consumer.py | 5 +
keystone/common/policies/credential.py | 15 +
keystone/common/policies/domain.py | 5 +
keystone/common/policies/domain_config.py | 16 +
keystone/common/policies/ec2_credential.py | 19 +
keystone/common/policies/endpoint.py | 5 +
keystone/common/policies/endpoint_group.py | 11 +
keystone/common/policies/grant.py | 114 +-
keystone/common/policies/group.py | 16 +
keystone/common/policies/identity_provider.py | 11 +
keystone/common/policies/implied_role.py | 10 +
keystone/common/policies/limit.py | 67 +
keystone/common/policies/mapping.py | 11 +
keystone/common/policies/policy.py | 7 +
keystone/common/policies/policy_association.py | 15 +
keystone/common/policies/project.py | 107 +
keystone/common/policies/project_endpoint.py | 9 +
keystone/common/policies/protocol.py | 8 +
keystone/common/policies/region.py | 11 +
keystone/common/policies/registered_limit.py | 67 +
keystone/common/policies/revoke_event.py | 5 +
keystone/common/policies/role.py | 20 +
keystone/common/policies/role_assignment.py | 17 +
keystone/common/policies/service.py | 5 +
keystone/common/policies/service_provider.py | 11 +
keystone/common/policies/token.py | 28 +
keystone/common/policies/token_revocation.py | 5 +
keystone/common/policies/trust.py | 9 +
keystone/common/policies/user.py | 43 +
keystone/common/policy.py | 16 +-
keystone/common/provider_api.py | 87 +
.../024_contract_create_created_at_int_columns.py | 61 +
.../sql/contract_repo/versions/025_placeholder.py | 18 +
.../sql/contract_repo/versions/026_placeholder.py | 18 +
.../sql/contract_repo/versions/027_placeholder.py | 18 +
.../sql/contract_repo/versions/028_placeholder.py | 18 +
.../sql/contract_repo/versions/029_placeholder.py | 18 +
.../030_contract_add_project_tags_table.py | 15 +
.../031_contract_system_assignment_table.py | 16 +
.../032_contract_add_expired_at_int_to_trust.py | 51 +
.../versions/033_contract_add_limits_tables.py | 15 +
...4_contract_add_application_credentials_table.py | 15 +
...ystem_column_to_application_credential_table.py | 23 +
...me_application_credential_restriction_column.py | 40 +
...e_service_and_region_fk_for_registered_limit.py | 36 +
.../sql/contract_repo/versions/038_placeholder.py | 18 +
.../sql/contract_repo/versions/039_placeholder.py | 18 +
.../sql/contract_repo/versions/040_placeholder.py | 18 +
.../sql/contract_repo/versions/041_placeholder.py | 18 +
.../sql/contract_repo/versions/042_placeholder.py | 18 +
.../sql/contract_repo/versions/043_placeholder.py | 18 +
.../sql/contract_repo/versions/044_placeholder.py | 18 +
keystone/common/sql/core.py | 51 +
.../024_migrate_create_created_at_int_columns.py | 22 +
.../versions/025_placeholder.py | 18 +
.../versions/026_placeholder.py | 18 +
.../versions/027_placeholder.py | 18 +
.../versions/028_placeholder.py | 18 +
.../versions/029_placeholder.py | 18 +
.../versions/030_migrate_add_project_tags_table.py | 15 +
.../031_migrate_system_assignment_table.py | 17 +
.../032_migrate_add_expired_at_int_to_trust.py | 22 +
.../versions/033_migrate_add_limits_tables.py | 15 +
...34_migrate_add_application_credentials_table.py | 15 +
...ystem_column_to_application_credential_table.py | 15 +
...me_application_credential_restriction_column.py | 15 +
...e_service_and_region_fk_for_registered_limit.py | 15 +
.../versions/038_placeholder.py | 18 +
.../versions/039_placeholder.py | 18 +
.../versions/040_placeholder.py | 18 +
.../versions/041_placeholder.py | 18 +
.../versions/042_placeholder.py | 18 +
.../versions/043_placeholder.py | 18 +
.../versions/044_placeholder.py | 18 +
.../024_expand_create_created_at_int_columns.py | 33 +
.../sql/expand_repo/versions/025_placeholder.py | 18 +
.../sql/expand_repo/versions/026_placeholder.py | 18 +
.../sql/expand_repo/versions/027_placeholder.py | 18 +
.../sql/expand_repo/versions/028_placeholder.py | 18 +
.../sql/expand_repo/versions/029_placeholder.py | 18 +
.../versions/030_expand_add_project_tags_table.py | 44 +
.../versions/031_expand_system_assignment_table.py | 33 +
.../032_expand_add_expired_at_int_to_trust.py | 35 +
.../versions/033_expand_add_limits_tables.py | 68 +
.../034_expand_add_application_credential_table.py | 52 +
...ystem_column_to_application_credential_table.py | 25 +
...me_application_credential_restriction_column.py | 44 +
...e_service_and_region_fk_for_registered_limit.py | 15 +
.../sql/expand_repo/versions/038_placeholder.py | 18 +
.../sql/expand_repo/versions/039_placeholder.py | 18 +
.../sql/expand_repo/versions/040_placeholder.py | 18 +
.../sql/expand_repo/versions/041_placeholder.py | 18 +
.../sql/expand_repo/versions/042_placeholder.py | 18 +
.../sql/expand_repo/versions/043_placeholder.py | 18 +
.../sql/expand_repo/versions/044_placeholder.py | 18 +
keystone/common/sql/upgrades.py | 10 +-
keystone/common/token_utils.py | 314 ++
keystone/common/tokenless_auth.py | 6 +-
keystone/common/utils.py | 32 +-
keystone/common/wsgi.py | 7 +-
keystone/conf/__init__.py | 5 +-
keystone/conf/application_credential.py | 68 +
keystone/conf/auth.py | 11 +
keystone/conf/constants.py | 3 +-
keystone/conf/default.py | 20 +-
keystone/conf/identity.py | 20 -
keystone/conf/resource.py | 8 +
keystone/conf/security_compliance.py | 9 +-
keystone/conf/trust.py | 7 +
keystone/conf/unified_limit.py | 65 +
keystone/contrib/ec2/controllers.py | 186 +-
keystone/contrib/s3/core.py | 19 -
keystone/credential/controllers.py | 20 +-
keystone/credential/core.py | 22 +-
keystone/credential/provider.py | 3 +-
keystone/credential/providers/fernet/core.py | 16 +-
keystone/endpoint_policy/controllers.py | 86 +-
keystone/endpoint_policy/core.py | 18 +-
keystone/exception.py | 53 +-
keystone/federation/controllers.py | 94 +-
keystone/federation/core.py | 46 +-
keystone/i18n.py | 2 +- keystone/identity/backends/ldap/common.py | 29 +- keystone/identity/backends/sql_model.py | 39 +- keystone/identity/controllers.py | 216 +- keystone/identity/core.py | 121 +- keystone/identity/generator.py | 3 +- keystone/identity/mapping_backends/base.py | 3 +- keystone/identity/mapping_backends/sql.py | 2 - keystone/identity/routers.py | 10 - keystone/identity/schema.py | 45 - keystone/identity/shadow_backends/sql.py | 13 +- keystone/limit/__init__.py | 15 + keystone/limit/backends/__init__.py | 0 keystone/limit/backends/base.py | 167 ++ keystone/limit/backends/sql.py | 252 ++ keystone/limit/controllers.py | 130 + keystone/limit/core.py | 110 + keystone/limit/routers.py | 66 + keystone/limit/schema.py | 116 + keystone/locale/de/LC_MESSAGES/keystone.po | 36 +- keystone/locale/en_GB/LC_MESSAGES/keystone.po | 1725 +++++++++++ keystone/locale/es/LC_MESSAGES/keystone.po | 35 +- keystone/locale/fr/LC_MESSAGES/keystone.po | 35 +- keystone/locale/it/LC_MESSAGES/keystone.po | 35 +- keystone/locale/ja/LC_MESSAGES/keystone.po | 36 +- keystone/locale/ko_KR/LC_MESSAGES/keystone.po | 34 +- keystone/locale/pt_BR/LC_MESSAGES/keystone.po | 35 +- keystone/locale/ru/LC_MESSAGES/keystone.po | 35 +- keystone/locale/tr_TR/LC_MESSAGES/keystone.po | 13 +- keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 33 +- keystone/locale/zh_TW/LC_MESSAGES/keystone.po | 33 +- keystone/middleware/auth.py | 104 +- keystone/middleware/core.py | 57 +- keystone/models/revoke_model.py | 50 - keystone/models/token_model.py | 12 +- keystone/notifications.py | 7 +- keystone/oauth1/controllers.py | 68 +- keystone/oauth1/core.py | 23 +- keystone/oauth1/schema.py | 14 + keystone/oauth1/validator.py | 20 +- keystone/policy/controllers.py | 34 +- keystone/policy/core.py | 18 +- keystone/resource/backends/sql.py | 105 +- keystone/resource/controllers.py | 235 +- keystone/resource/core.py | 170 +- keystone/resource/routers.py | 40 +- keystone/resource/schema.py | 62 +- 
keystone/revoke/controllers.py | 8 +- keystone/revoke/core.py | 32 +- keystone/server/backends.py | 44 +- keystone/server/common.py | 2 - .../application_credential/backends/__init__.py | 0 .../application_credential/backends/test_sql.py | 50 + .../unit/application_credential/test_backends.py | 292 ++ .../unit/assignment/role_backends/test_sql.py | 43 +- .../unit/identity/backends/test_ldap_common.py | 36 +- .../unit/identity/shadow_users/test_backend.py | 40 +- .../test_associate_project_endpoint_extension.py | 68 +- keystone/token/__init__.py | 1 - keystone/token/_simple_cert.py | 20 - keystone/token/controllers.py | 689 ----- keystone/token/persistence/__init__.py | 2 +- keystone/token/persistence/core.py | 35 +- keystone/token/provider.py | 69 +- keystone/token/providers/common.py | 367 ++- keystone/token/providers/fernet/core.py | 58 +- .../token/providers/fernet/token_formatters.py | 701 ----- keystone/token/routers.py | 59 - keystone/token/token_formatters.py | 823 +++++ keystone/trust/backends/sql.py | 13 +- keystone/trust/controllers.py | 95 +- keystone/trust/core.py | 8 +- keystone/trust/schema.py | 17 +- keystone/v2_crud/__init__.py | 0 keystone/v2_crud/admin_crud.py | 240 -- keystone/v2_crud/user_crud.py | 119 - keystone/version/__init__.py | 2 +- keystone/version/controllers.py | 4 +- keystone/version/service.py | 33 +- .../keystone-dsvm-functional-v3-only/post.yaml | 15 + .../keystone-dsvm-functional-v3-only/run.yaml | 60 + .../legacy/keystone-dsvm-functional/post.yaml | 15 + playbooks/legacy/keystone-dsvm-functional/run.yaml | 57 + .../keystone-dsvm-grenade-multinode/post.yaml | 15 + .../keystone-dsvm-grenade-multinode/run.yaml | 47 + .../post.yaml | 15 + .../keystone-dsvm-py35-functional-v3-only/run.yaml | 68 + ...-expires-at-int-to-trusts-60ae3c5d0c00808a.yaml | 8 + .../add-unified-limit-apis-c9ebc5116bc2cf93.yaml | 9 + ...p-application-credentials-c699f1f17c7d4e2f.yaml | 24 + .../notes/bp-system-scope-7d236ee5992d4e20.yaml | 21 + 
.../notes/bug-1291157-00b5c714a097e84c.yaml | 7 + .../notes/bug-1524030-0814724d5c2b7c8d.yaml | 10 + .../notes/bug-1652012-b3aea7c0d5affdb6.yaml | 7 - .../notes/bug-1701324-739a31f38037f77b.yaml | 5 + .../notes/bug-1702211-abb59adda73fd78e.yaml | 9 + .../notes/bug-1718747-50d39fa87bdbb12b.yaml | 17 + .../notes/bug-1727099-1af277b35db34372.yaml | 9 + .../notes/bug-1727726-0b47608811a2cd16.yaml | 9 + .../notes/bug-1733754-4d9d3042b8501ec6.yaml | 7 + .../notes/bug-1734244-1b4ea83baa72566d.yaml | 6 + .../notes/bug-1736875-c790f568c5f4d671.yaml | 11 + .../notes/bug-1738895-342864cd0285bc42.yaml | 7 + .../notes/bug-1740951-82b7e4bd608742ab.yaml | 8 + .../notes/bug-1747694-48c8caa4871300e3.yaml | 7 + .../notes/bug-1748970-eb63ad2030e296f3.yaml | 9 + .../notes/bug-1749264-676ca02902bcd169.yaml | 6 + .../notes/bug-1749267-96153d2fa6868f67.yaml | 5 + .../notes/bug-1750415-95ede3a9685b6e0c.yaml | 7 + .../notes/bug_1698900-f195125bf341d887.yaml | 1 + .../deprecate-policies-api-b104fbd1d2367b1b.yaml | 5 + .../deprecated-as-of-queens-8ad7f826e4f08f57.yaml | 20 + .../notes/project-tags-1e72a6779d9d02c5.yaml | 18 + .../removed-as-of-queens-94c04e88c08f89aa.yaml | 15 + ...resource-backend-sql-only-03154d8712b36bd0.yaml | 12 + .../notes/token-formatter-ec58aba00fa83706.yaml | 8 + releasenotes/source/conf.py | 14 +- releasenotes/source/index.rst | 1 + .../source/locale/ja/LC_MESSAGES/releasenotes.po | 3150 -------------------- releasenotes/source/pike.rst | 19 + releasenotes/source/unreleased.rst | 13 + requirements.txt | 41 +- setup.cfg | 22 +- test-requirements.txt | 31 +- tools/sample_data.sh | 104 +- tools/test-setup.sh | 4 + tox.ini | 17 +- 596 files changed, 30873 insertions(+), 26340 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index fa2f24d..1059e35 100644 --- a/requirements.txt +++ b/requirements.txt @@ -12 +12 @@ PasteDeploy>=1.5.0 # MIT -Paste # MIT +Paste>=2.0.2 # MIT 
@@ -14,2 +14,2 @@ Routes>=2.3.1 # MIT -cryptography!=2.0,>=1.6 # BSD/Apache-2.0 -six>=1.9.0 # MIT +cryptography!=2.0,>=1.9 # BSD/Apache-2.0 +six>=1.10.0 # MIT @@ -21 +21 @@ python-keystoneclient>=3.8.0 # Apache-2.0 -keystonemiddleware>=4.12.0 # Apache-2.0 +keystonemiddleware>=4.17.0 # Apache-2.0 @@ -24,14 +24,14 @@ scrypt>=0.8.0 # BSD -oslo.cache>=1.5.0 # Apache-2.0 -oslo.concurrency>=3.8.0 # Apache-2.0 -oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0 -oslo.context>=2.14.0 # Apache-2.0 -oslo.messaging!=5.25.0,>=5.24.2 # Apache-2.0 -oslo.db>=4.24.0 # Apache-2.0 -oslo.i18n!=3.15.2,>=2.1.0 # Apache-2.0 -oslo.log>=3.22.0 # Apache-2.0 -oslo.middleware>=3.27.0 # Apache-2.0 -oslo.policy>=1.23.0 # Apache-2.0 -oslo.serialization!=2.19.1,>=1.10.0 # Apache-2.0 -oslo.utils>=3.20.0 # Apache-2.0 -oauthlib>=0.6 # BSD -pysaml2<4.0.3,>=2.4.0 # Apache-2.0 +oslo.cache>=1.26.0 # Apache-2.0 +oslo.concurrency>=3.25.0 # Apache-2.0 +oslo.config>=5.1.0 # Apache-2.0 +oslo.context>=2.19.2 # Apache-2.0 +oslo.messaging>=5.29.0 # Apache-2.0 +oslo.db>=4.27.0 # Apache-2.0 +oslo.i18n>=3.15.3 # Apache-2.0 +oslo.log>=3.36.0 # Apache-2.0 +oslo.middleware>=3.31.0 # Apache-2.0 +oslo.policy>=1.30.0 # Apache-2.0 +oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 +oslo.utils>=3.33.0 # Apache-2.0 +oauthlib>=0.6.0 # BSD +pysaml2<4.0.3,>=4.0.2 # Apache-2.0 @@ -39 +39 @@ dogpile.cache>=0.6.2 # BSD -jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT +jsonschema<3.0.0,>=2.6.0 # MIT @@ -41 +41 @@ pycadf!=2.0.0,>=1.1.0 # Apache-2.0 -msgpack-python>=0.4.0 # Apache-2.0 +msgpack>=0.4.0 # Apache-2.0 @@ -42,0 +43 @@ osprofiler>=1.4.0 # Apache-2.0 +pytz>=2013.6 # MIT diff --git a/test-requirements.txt b/test-requirements.txt index 88f0c44..c13260b 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -8,2 +8,2 @@ flake8-docstrings==0.2.1.post1 # MIT -bashate>=0.2 # Apache-2.0 -os-testr>=0.8.0 # Apache-2.0 +bashate>=0.5.1 # Apache-2.0 +os-testr>=1.0.0 # Apache-2.0 
@@ -10,0 +11 @@ freezegun>=0.3.6 # Apache-2.0 +pytz>=2013.6 # MIT @@ -13 +14 @@ freezegun>=0.3.6 # Apache-2.0 -oslo.db[fixtures,mysql,postgresql]>=4.24.0 # Apache-2.0 +oslo.db[fixtures,mysql,postgresql]>=4.27.0 # Apache-2.0 @@ -20 +21 @@ fixtures>=3.0.0 # Apache-2.0/BSD -lxml!=3.7.0,>=2.3 # BSD +lxml!=3.7.0,>=3.4.1 # BSD @@ -22,7 +23,2 @@ lxml!=3.7.0,>=2.3 # BSD -mock>=2.0 # BSD -oslotest>=1.10.0 # Apache-2.0 -# required to build documentation -sphinx>=1.6.2 # BSD -os-api-ref>=1.0.0 # Apache-2.0 -# test wsgi apps without starting an http server -WebTest>=2.0 # MIT +mock>=2.0.0 # BSD +oslotest>=3.2.0 # Apache-2.0 @@ -30,3 +26,3 @@ WebTest>=2.0 # MIT -python-subunit>=0.0.18 # Apache-2.0/BSD -testrepository>=0.0.18 # Apache-2.0/BSD -testtools>=1.4.0 # MIT +os-api-ref>=1.4.0 # Apache-2.0 +# test wsgi apps without starting an http server +WebTest>=2.0.27 # MIT @@ -34,3 +30,2 @@ testtools>=1.4.0 # MIT -# For documentation -openstackdocstheme>=1.16.0 # Apache-2.0 -reno!=2.3.1,>=1.8.0 # Apache-2.0 +stestr>=1.0.0 # Apache-2.0 +testtools>=2.2.0 # MIT @@ -38 +33 @@ reno!=2.3.1,>=1.8.0 # Apache-2.0 -tempest>=16.1.0 # Apache-2.0 +tempest>=17.1.0 # Apache-2.0
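Review bot: In the requirements.txt hunk at `@@ -24,14 +24,14 @@`, the last added line `pysaml2<4.0.3,>=4.0.2` raises the floor to 4.0.2 but keeps the `<4.0.3` cap, so the permitted range is effectively one release. For a SAML library in an identity service, a cap this tight means a later upstream fix cannot arrive through a normal dependency upgrade. Please add a comment next to the line stating why the cap is there and what must change before it can be lifted, or reference the bug that tracks it.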
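Review bot: In the requirements.txt hunk at `@@ -41 +41 @@`, the distribution name changes from `msgpack-python` to `msgpack` while the floor `>=0.4.0` is carried over unchanged. Please confirm that 0.4.0 is actually published under the new name and raise the floor to the first release under `msgpack` if it is not. A renamed dependency also needs its entry updated in any mirror allow-list or hash-pinned constraints file, and environments upgraded in place may end up with both distributions installed, which is worth a line in the upgrade notes.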
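Review bot: In test-requirements.txt, the hunks at `@@ -22,7 +23,2 @@` and `@@ -34,3 +30,2 @@` drop `sphinx`, `openstackdocstheme` and `reno` along with the `# required to build documentation` comment, yet `os-api-ref>=1.4.0` is added back at `@@ -30,3 +26,3 @@`. The visible diff does not show where the documentation build dependencies now live. If they moved to a separate requirements file, `os-api-ref` most likely belongs there as well, and the commit message should name that file so packagers know which set to install for a docs build.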