We are glad to announce the release of: keystone 26.0.0 This release is part of the dalmatian release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. Changes in keystone 25.0.0..26.0.0 ---------------------------------- 170d9f480 Remove logic to support pysaml2<3.0.0 637fb7534 Remove support-matrix.css 69d1897d0 Implement the Domain Manager Persona for Keystone 8c3113b51 Update hacking to latest version 0d293d5c7 Enable hacking check in pre-commit 112331d9e Fix role statement in admin doc 4dbcce303 Replace deprecated in py312 datetime usages e9513f8e4 Add keystone-manage reset_last_active command d01cde5a1 Correct format for token expiration time 7ac0c3cd3 Update OIDC Apache config to avoid masking Keystone API endpoint 80db93089 Enable mypy aa95af38e Enable non-voting OpenAPI build job 8416b72bf Re-join the strings after re-formatting 204ea4223 Move bandit to pre-commit aaf0cc8fa Enable pyupgrade 55e8c1e60 Enable black in pre-commit 5f66f8d4a Add blackify commit to blame ignore d4695b318 Only log a small debug message for NotFound a00839ca0 Blackify the keystone code base 09c57923f Add a release note to cover fix of implied role for application credentials c3c6d9854 Fix implied roles in the application credentials 24113bb18 Fix bindep for py312 job 430bebe37 Add pre-commit 53d547fcb Replace use of testtools.testcase.TestSkipped bc57ccbc8 Remove dependency on pytz 41ab96ba8 Improve configuration of out-of-tree identity drivers 7f0adbb01 do not use str(url) to stringify a URL for subsequent use 0e0082176 Remove reference to devstack-gate 44e76c620 reno: Update master for unmaintained/zed af53770e6 Make protection job voting again 5ead95ffc Allow domain users to manage credentials 522627de3 Allow domain admin to view roles 7a6e1a0bd Enable protection jobs fe8b89a79 
Remove SQLAlchemy tips jobs b31007e1b Allow admin to access tokens and credentials a05012938 Run Secure RBAC tests as project-admin 9a11c0c46 reno: Update master for unmaintained/xena 8762253c5 reno: Update master for unmaintained/wallaby 7af1d49c2 reno: Update master for unmaintained/victoria 88fcb38ca Update master for stable/2024.1 bd70653a2 Add test with noauth for s3tokens and ec2tokens 90dcff07c sql: Fixup for invalid unique constraint on external_id in access_rule table 27bf2482c tox: Drop envdir a989cd7f0 Replace CRLF by LF Diffstat (except docs and test files) ------------------------------------- .git-blame-ignore-revs | 4 + .gitignore | 2 + .pre-commit-config.yaml | 60 + .zuul.yaml | 27 +- api-ref/source/conf.py | 2 +- .../samples/OS-OAUTH2/token-create-response.json | 8 +- bindep.txt | 3 +- devstack/lib/scope.sh | 2 - devstack/tools/oidc/setup_keycloak_client.py | 11 +- keystone/api/_shared/EC2_S3_Resource.py | 45 +- keystone/api/_shared/authentication.py | 119 +- keystone/api/_shared/implied_roles.py | 19 +- keystone/api/_shared/json_home_relations.py | 72 +- keystone/api/_shared/saml.py | 25 +- keystone/api/auth.py | 191 +- keystone/api/credentials.py | 73 +- keystone/api/discovery.py | 49 +- keystone/api/domains.py | 215 +- keystone/api/ec2tokens.py | 13 +- keystone/api/endpoints.py | 51 +- keystone/api/groups.py | 78 +- keystone/api/limits.py | 42 +- keystone/api/os_ep_filter.py | 167 +- keystone/api/os_federation.py | 151 +- keystone/api/os_inherit.py | 359 +- keystone/api/os_oauth1.py | 137 +- keystone/api/os_oauth2.py | 309 +- keystone/api/os_revoke.py | 23 +- keystone/api/os_simple_cert.py | 21 +- keystone/api/policy.py | 47 +- keystone/api/projects.py | 226 +- keystone/api/regions.py | 32 +- keystone/api/registered_limits.py | 46 +- keystone/api/role_assignments.py | 173 +- keystone/api/role_inferences.py | 27 +- keystone/api/roles.py | 120 +- keystone/api/s3tokens.py | 26 +- keystone/api/services.py | 15 +- keystone/api/system.py | 90 +- 
keystone/api/trusts.py | 153 +- keystone/api/users.py | 374 ++- keystone/application_credential/backends/base.py | 7 +- keystone/application_credential/backends/sql.py | 130 +- keystone/application_credential/core.py | 115 +- keystone/application_credential/schema.py | 26 +- keystone/assignment/backends/base.py | 68 +- keystone/assignment/backends/sql.py | 223 +- keystone/assignment/core.py | 637 ++-- keystone/assignment/role_backends/base.py | 3 +- .../assignment/role_backends/resource_options.py | 1 - keystone/assignment/role_backends/sql.py | 48 +- keystone/assignment/role_backends/sql_model.py | 30 +- keystone/assignment/schema.py | 6 +- keystone/auth/core.py | 228 +- keystone/auth/plugins/application_credential.py | 14 +- keystone/auth/plugins/base.py | 7 +- keystone/auth/plugins/core.py | 77 +- keystone/auth/plugins/external.py | 15 +- keystone/auth/plugins/mapped.py | 228 +- keystone/auth/plugins/oauth1.py | 17 +- keystone/auth/plugins/password.py | 10 +- keystone/auth/plugins/token.py | 31 +- keystone/auth/plugins/totp.py | 35 +- keystone/auth/schema.py | 91 +- keystone/catalog/backends/base.py | 12 +- keystone/catalog/backends/sql.py | 198 +- keystone/catalog/backends/templated.py | 66 +- keystone/catalog/core.py | 73 +- keystone/catalog/schema.py | 57 +- keystone/cmd/bootstrap.py | 157 +- keystone/cmd/cli.py | 956 ++++-- keystone/cmd/doctor/__init__.py | 13 +- keystone/cmd/doctor/caching.py | 6 +- keystone/cmd/doctor/credential.py | 19 +- keystone/cmd/doctor/database.py | 4 +- keystone/cmd/doctor/debug.py | 1 - keystone/cmd/doctor/federation.py | 1 - keystone/cmd/doctor/ldap.py | 43 +- keystone/cmd/doctor/security_compliance.py | 7 +- keystone/cmd/doctor/tokens.py | 3 +- keystone/cmd/doctor/tokens_fernet.py | 15 +- keystone/cmd/idutils.py | 33 +- keystone/cmd/manage.py | 12 +- keystone/cmd/status.py | 38 +- keystone/common/cache/_context_cache.py | 11 +- keystone/common/cache/core.py | 26 +- keystone/common/context.py | 10 +- 
keystone/common/driver_hints.py | 29 +- keystone/common/fernet_utils.py | 100 +- keystone/common/json_home.py | 51 +- keystone/common/jwt_utils.py | 4 +- keystone/common/manager.py | 73 +- keystone/common/password_hashing.py | 42 +- keystone/common/policies/access_rule.py | 28 +- keystone/common/policies/access_token.py | 70 +- keystone/common/policies/application_credential.py | 44 +- keystone/common/policies/auth.py | 60 +- keystone/common/policies/base.py | 71 +- keystone/common/policies/consumer.py | 52 +- keystone/common/policies/credential.py | 53 +- keystone/common/policies/domain.py | 40 +- keystone/common/policies/domain_config.py | 141 +- keystone/common/policies/ec2_credential.py | 55 +- keystone/common/policies/endpoint.py | 59 +- keystone/common/policies/endpoint_group.py | 198 +- keystone/common/policies/grant.py | 179 +- keystone/common/policies/group.py | 163 +- keystone/common/policies/identity_provider.py | 59 +- keystone/common/policies/implied_role.py | 106 +- keystone/common/policies/limit.py | 39 +- keystone/common/policies/mapping.py | 67 +- keystone/common/policies/policy.py | 40 +- keystone/common/policies/policy_association.py | 238 +- keystone/common/policies/project.py | 166 +- keystone/common/policies/project_endpoint.py | 96 +- keystone/common/policies/protocol.py | 85 +- keystone/common/policies/region.py | 47 +- keystone/common/policies/registered_limit.py | 46 +- keystone/common/policies/revoke_event.py | 4 +- keystone/common/policies/role.py | 121 +- keystone/common/policies/role_assignment.py | 36 +- keystone/common/policies/service.py | 40 +- keystone/common/policies/service_provider.py | 87 +- keystone/common/policies/token.py | 40 +- keystone/common/policies/token_revocation.py | 7 +- keystone/common/policies/trust.py | 137 +- keystone/common/policies/user.py | 94 +- keystone/common/profiler.py | 25 +- keystone/common/provider_api.py | 35 +- keystone/common/rbac_enforcer/enforcer.py | 211 +- 
keystone/common/rbac_enforcer/policy.py | 1 - keystone/common/render_token.py | 48 +- keystone/common/resource_options/core.py | 80 +- .../common/resource_options/options/immutable.py | 35 +- keystone/common/sql/core.py | 104 +- keystone/common/sql/migrations/env.py | 6 +- ..._federation_attribute_mapping_schema_version.py | 10 +- .../versions/27e647c0fad4_initial_version.py | 28 +- .../c88cdce8f248_remove_duplicate_constraints.py | 1 - keystone/common/sql/upgrades.py | 21 +- keystone/common/tokenless_auth.py | 75 +- keystone/common/utils.py | 99 +- keystone/common/validation/parameter_types.py | 33 +- keystone/common/validation/validators.py | 31 +- keystone/conf/__init__.py | 46 +- keystone/conf/application_credential.py | 29 +- keystone/conf/assignment.py | 20 +- keystone/conf/auth.py | 52 +- keystone/conf/catalog.py | 36 +- keystone/conf/constants.py | 10 +- keystone/conf/credential.py | 50 +- keystone/conf/default.py | 81 +- keystone/conf/domain_config.py | 46 +- keystone/conf/endpoint_filter.py | 15 +- keystone/conf/endpoint_policy.py | 8 +- keystone/conf/federation.py | 70 +- keystone/conf/fernet_receipts.py | 15 +- keystone/conf/fernet_tokens.py | 15 +- keystone/conf/identity.py | 99 +- keystone/conf/identity_mapping.py | 22 +- keystone/conf/jwt_tokens.py | 20 +- keystone/conf/ldap.py | 372 ++- keystone/conf/oauth1.py | 22 +- keystone/conf/oauth2.py | 19 +- keystone/conf/opts.py | 7 +- keystone/conf/policy.py | 15 +- keystone/conf/receipt.py | 36 +- keystone/conf/resource.py | 57 +- keystone/conf/revoke.py | 32 +- keystone/conf/role.py | 29 +- keystone/conf/saml.py | 127 +- keystone/conf/security_compliance.py | 66 +- keystone/conf/shadow_users.py | 8 +- keystone/conf/token.py | 62 +- keystone/conf/tokenless_auth.py | 22 +- keystone/conf/totp.py | 7 +- keystone/conf/trust.py | 22 +- keystone/conf/unified_limit.py | 36 +- keystone/conf/wsgi.py | 8 +- keystone/credential/backends/base.py | 8 +- keystone/credential/backends/sql.py | 17 +- 
keystone/credential/core.py | 96 +- keystone/credential/provider.py | 3 +- keystone/credential/providers/core.py | 2 +- keystone/credential/providers/fernet/core.py | 26 +- keystone/credential/schema.py | 36 +- keystone/endpoint_policy/backends/base.py | 22 +- keystone/endpoint_policy/backends/sql.py | 60 +- keystone/endpoint_policy/core.py | 192 +- keystone/exception.py | 439 ++- keystone/federation/backends/base.py | 2 +- keystone/federation/backends/sql.py | 71 +- keystone/federation/core.py | 36 +- keystone/federation/idp.py | 264 +- keystone/federation/schema.py | 55 +- keystone/federation/utils.py | 414 +-- keystone/i18n.py | 1 - keystone/identity/backends/base.py | 37 +- keystone/identity/backends/ldap/common.py | 1120 ++++--- keystone/identity/backends/ldap/core.py | 142 +- keystone/identity/backends/ldap/models.py | 9 +- keystone/identity/backends/resource_options.py | 116 +- keystone/identity/backends/sql.py | 150 +- keystone/identity/backends/sql_model.py | 228 +- keystone/identity/core.py | 746 +++-- keystone/identity/generator.py | 5 +- keystone/identity/id_generators/sha256.py | 1 + keystone/identity/mapping_backends/base.py | 3 +- keystone/identity/mapping_backends/mapping.py | 2 +- keystone/identity/mapping_backends/sql.py | 23 +- keystone/identity/schema.py | 83 +- keystone/identity/shadow_backends/base.py | 19 +- keystone/identity/shadow_backends/sql.py | 111 +- keystone/limit/backends/base.py | 3 +- keystone/limit/backends/sql.py | 103 +- keystone/limit/core.py | 44 +- keystone/limit/models/base.py | 18 +- keystone/limit/models/strict_two_level.py | 114 +- keystone/limit/schema.py | 90 +- keystone/models/receipt_model.py | 12 +- keystone/models/revoke_model.py | 109 +- keystone/models/token_model.py | 122 +- keystone/notifications.py | 426 ++- keystone/oauth1/backends/base.py | 8 +- keystone/oauth1/backends/sql.py | 69 +- keystone/oauth1/core.py | 64 +- keystone/oauth1/schema.py | 12 +- keystone/oauth1/validator.py | 63 +- 
keystone/oauth2/handlers.py | 19 +- keystone/policy/backends/base.py | 3 +- keystone/policy/backends/rules.py | 5 +- keystone/policy/core.py | 3 +- keystone/policy/schema.py | 13 +- keystone/receipt/__init__.py | 5 +- keystone/receipt/handlers.py | 23 +- keystone/receipt/provider.py | 44 +- keystone/receipt/providers/base.py | 2 +- keystone/receipt/providers/fernet/__init__.py | 5 +- keystone/receipt/providers/fernet/core.py | 20 +- keystone/receipt/receipt_formatters.py | 37 +- keystone/resource/backends/base.py | 3 +- keystone/resource/backends/resource_options.py | 1 - keystone/resource/backends/sql.py | 113 +- keystone/resource/backends/sql_model.py | 52 +- keystone/resource/config_backends/base.py | 7 +- keystone/resource/config_backends/sql.py | 58 +- keystone/resource/core.py | 749 +++-- keystone/resource/schema.py | 18 +- keystone/revoke/backends/base.py | 6 +- keystone/revoke/backends/sql.py | 47 +- keystone/revoke/core.py | 83 +- keystone/server/__init__.py | 20 +- keystone/server/backends.py | 33 +- keystone/server/flask/__init__.py | 14 +- keystone/server/flask/application.py | 33 +- keystone/server/flask/common.py | 339 +- keystone/server/flask/core.py | 86 +- .../server/flask/request_processing/json_body.py | 22 +- .../request_processing/middleware/auth_context.py | 190 +- .../request_processing/middleware/url_normalize.py | 2 +- .../server/flask/request_processing/req_logging.py | 1 - keystone/server/wsgi.py | 3 +- .../protection/v3/test_application_credential.py | 373 ++- .../application_credential/backends/test_sql.py | 54 +- .../unit/application_credential/test_backends.py | 388 ++- .../unit/assignment/role_backends/test_sql.py | 73 +- .../unit/common/test_resource_options_common.py | 55 +- .../unit/endpoint_policy/backends/test_base.py | 123 +- .../unit/endpoint_policy/backends/test_sql.py | 14 +- .../unit/identity/backends/test_ldap_common.py | 350 +- .../unit/identity/shadow_users/test_backend.py | 100 +- 
.../unit/receipt/test_receipt_serialization.py | 12 +- .../unit/resource/config_backends/test_sql.py | 34 +- .../test_associate_project_endpoint_extension.py | 1095 +++--- keystone/token/provider.py | 118 +- keystone/token/providers/base.py | 2 +- keystone/token/providers/fernet/core.py | 19 +- keystone/token/providers/jws/core.py | 102 +- keystone/token/token_formatters.py | 659 +++- keystone/trust/backends/base.py | 13 +- keystone/trust/backends/sql.py | 112 +- keystone/trust/core.py | 107 +- keystone/trust/schema.py | 28 +- .../notes/bug-1794376-53ce14528f00f01d.yaml | 2 +- .../notes/bug-2074018-28f7bbe8f28f5efe.yaml | 29 + .../domain-manager-persona-7921587ce2fab4fd.yaml | 12 + ...credentials_implied_roles-b445fa56cb335a4d.yaml | 5 + ...rove-driver-donfiguration-ecedaf6ad0c3f9d2.yaml | 8 + releasenotes/source/2024.1.rst | 6 + releasenotes/source/conf.py | 32 +- releasenotes/source/index.rst | 1 + releasenotes/source/victoria.rst | 2 +- releasenotes/source/wallaby.rst | 2 +- releasenotes/source/xena.rst | 2 +- releasenotes/source/zed.rst | 2 +- requirements.txt | 1 - setup.py | 4 +- test-requirements.txt | 1 - tox.ini | 33 +- 459 files changed, 47426 insertions(+), 32405 deletions(-) Requirements updates --------------------
diff --git a/requirements.txt b/requirements.txt
index 0c68696cb..d67878709 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -41 +40,0 @@ osprofiler>=1.4.0 # Apache-2.0
-pytz>=2013.6 # MIT
diff --git a/test-requirements.txt b/test-requirements.txt
index dd1d531f6..896593f17 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -6 +5,0 @@ freezegun>=0.3.6 # Apache-2.0
-pytz>=2013.6 # MIT