We exuberantly announce the release of: keystone 23.0.2: OpenStack Identity This release is part of the antelope release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. 23.0.2 ^^^^^^ New Features * A new option 'randomize_urls' can be used to randomize the order in which keystone connects to the LDAP servers in [ldap] 'url' list. It is false by default. Changes in keystone 23.0.1..23.0.2 ---------------------------------- c725173cf Remove reference to devstack-gate c81bc1b29 Add domain scoping to list_domains b6c20d912 Allow domain admin to view roles 17da229f0 Allow domain users to manage credentials b449d86ee Allow admin to access tokens and credentials 9b2f7aa4b Add ability to create users and projects from keystone-manage 9ec8e7cca Fix old arm64 job template ee9a96672 Remove unused old job templates and experimental jobs 828519f46 Normalize policy checks for domain-scoped tokens 1c2d51788 Allow users with "admin" role to get projects f7892ce2c Fix policies for groups 658fd7d58 Consistent and Secure RBAC (Phase 1) ea8c8aa98 Don't forget to check if authorization fails a9d5e7eea Add an option to randomize LDAP urls list c1247a6a3 docs: Clarify lack of LDAP assignment back end Diffstat (except docs and test files) ------------------------------------- .zuul.yaml | 88 ++---------- keystone/api/domains.py | 15 +- keystone/api/role_assignments.py | 21 ++- keystone/cmd/cli.py | 72 +++++++++- keystone/cmd/idutils.py | 151 +++++++++++++++++++++ keystone/common/policies/application_credential.py | 6 +- keystone/common/policies/base.py | 13 +- keystone/common/policies/consumer.py | 20 +-- keystone/common/policies/credential.py | 20 +-- keystone/common/policies/domain.py | 25 ++-- keystone/common/policies/domain_config.py | 28 ++-- keystone/common/policies/ec2_credential.py | 8 +- keystone/common/policies/endpoint.py | 20 +-- keystone/common/policies/endpoint_group.py | 44 +++--- keystone/common/policies/grant.py | 63 +++++---- keystone/common/policies/group.py | 55 ++++---- keystone/common/policies/identity_provider.py | 20 +-- keystone/common/policies/implied_role.py | 24 ++-- keystone/common/policies/limit.py | 17 +-- keystone/common/policies/mapping.py | 26 ++-- keystone/common/policies/policy.py | 20 +-- keystone/common/policies/policy_association.py | 44 +++--- keystone/common/policies/project.py | 49 ++++--- keystone/common/policies/project_endpoint.py | 24 ++-- keystone/common/policies/protocol.py | 23 ++-- keystone/common/policies/region.py | 12 +- keystone/common/policies/registered_limit.py | 12 +- keystone/common/policies/revoke_event.py | 6 +- keystone/common/policies/role.py | 50 +++---- keystone/common/policies/role_assignment.py | 11 +- keystone/common/policies/service.py | 20 +-- keystone/common/policies/service_provider.py | 26 ++-- keystone/common/policies/token.py | 16 ++- keystone/common/policies/trust.py | 27 ++-- keystone/common/policies/user.py | 30 ++-- keystone/conf/ldap.py | 13 ++ keystone/identity/backends/ldap/common.py | 8 +- .../request_processing/middleware/auth_context.py | 4 +- .../unit/identity/backends/test_ldap_common.py | 27 ++++ .../notes/randomize_urls-c0c19f48b2bfa299.yaml | 6 + 47 files changed, 912 insertions(+), 502 deletions(-)