[keystone] keystonemiddleware 4.12.0 (ocata)
We are amped to announce the release of:

keystonemiddleware 4.12.0: Middleware for OpenStack Identity

This release is part of the ocata release series.

The source is available from:

    http://git.openstack.org/cgit/openstack/keystonemiddleware

Download the package from:

    https://pypi.python.org/pypi/keystonemiddleware

Please report issues through launchpad:

    http://bugs.launchpad.net/keystonemiddleware

For more details, please see below.

4.12.0
^^^^^^

Fetching expired tokens when using a valid service token is now
allowed. This will help with long running operations that must
continue between services longer than the original expiry of the
token.

New Features
************

* AuthToken middleware will now allow fetching an expired token when a
  valid service token is present. This service token must contain any
  one of the roles specified in "service_token_roles".

* Service tokens are compared against a list of possible roles for
  validity. This will ensure that only services are submitting tokens
  as an "X-Service-Token". For backwards compatibility, if
  "service_token_roles_required" is not set, a warning will be
  emitted. To enforce the check properly, set
  "service_token_roles_required" to "True". It currently defaults to
  "False"

Upgrade Notes
*************

* Set the "service_token_roles" to a list of roles that services may
  have. The likely list is "service" or "admin". Any
  "service_token_roles" may apply to accept the service token. Ensure
  service users have one of these roles so interservice communication
  continues to work correctly. When verified, set the
  "service_token_roles_required" flag to "True" to enforce this
  behaviour. This will become the default setting in future releases.

Deprecation Notes
*****************

* For backwards compatibility the "service_token_roles_required"
  option in "[keystone_authtoken]" was added. The option defaults to
  "False" and has been immediately deprecated.
  This will allow the current behaviour that service tokens are
  validated but not checked for roles to continue. The option should
  be set to "True" as soon as possible. The option will default to
  "True" in a future release.

Changes in keystonemiddleware 4.11.0..4.12.0
--------------------------------------------

4c6282f Pass ?allow_expired
7924f5d Updated from global requirements
1d930a2 clean up a few doc building warnings
29a879c Add docutils contraint on 0.13.1 to fix building
3dab9e2 Updated from global requirements
f637eee Updated from global requirements
69fcd5f Updated from global requirements

Diffstat (except docs and test files)
-------------------------------------

keystonemiddleware/auth_token/__init__.py         | 101 +++++++++----
keystonemiddleware/auth_token/_identity.py        |  17 ++-
keystonemiddleware/auth_token/_opts.py            |  13 ++
.../unit/auth_token/test_auth_token_middleware.py | 157 ++++++++++++++++++---
.../notes/allow-expired-5ddbabcffc5678af.yaml     |  30 ++++
requirements.txt                                  |   6 +-
setup.cfg                                         |   2 +-
test-requirements.txt                             |   1 +
12 files changed, 285 insertions(+), 65 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index 736c3e4..cdadc0f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5 +5 @@ -keystoneauth1>=2.14.0 # Apache-2.0 +keystoneauth1>=2.16.0 # Apache-2.0 @@ -14,2 +14,2 @@ pycadf!=2.0.0,>=1.1.0 # Apache-2.0 -python-keystoneclient>=3.6.0 # Apache-2.0 -requests>=2.10.0 # Apache-2.0 +python-keystoneclient>=3.8.0 # Apache-2.0 +requests!=2.12.2,>=2.10.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index ee49232..e95235b 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -8,0 +9 @@ coverage>=4.0 # Apache-2.0 +docutils>=0.11,!=0.13.1 # OSI-Approved Open Source, Public Domain
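
Review bot: in the "@@ -14,2 +14,2 @@" hunk of requirements.txt, "requests!=2.12.2,>=2.10.0" excludes a single release without saying why; the trailing comment only carries the licence. Suggest recording the reason (a bug reference in the commit message would do) so the exclusion can be dropped once it no longer applies. The same file also raises the floors to "keystoneauth1>=2.16.0" and "python-keystoneclient>=3.8.0", and the Upgrade Notes in this announcement do not mention either; a line there would help deployments that pin those libraries below the new minimums.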
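
Review bot: the added "docutils>=0.11,!=0.13.1" line in the test-requirements.txt hunk gives no reason for skipping 0.13.1; the only hint is the subject of commit 29a879c ("to fix building"). Suggest linking the underlying docutils issue next to the change so the exclusion gets revisited instead of being carried forward indefinitely.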
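
One way to check the Upgrade Notes steps across service configuration files, as an added example that is not part of the announcement or of keystonemiddleware. The function names, finding codes and sample configs are constructed here; only the option names and the "[keystone_authtoken]" section come from the release notes.

```python
import configparser

SECTION = "keystone_authtoken"
# Boolean spellings treated as true (assumption: matches oslo.config parsing).
TRUE_VALUES = {"true", "1", "on", "yes"}


def audit_authtoken(conf_text):
    """Return finding codes for one service config; an empty list means enforced."""
    # strict=False tolerates repeated keys, interpolation=None keeps '%' literal,
    # and a dummy default_section stops [DEFAULT] keys leaking into other sections.
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, default_section="__unused__")
    parser.read_string(conf_text)
    if not parser.has_section(SECTION):
        return ["no-keystone_authtoken-section"]
    opts = parser[SECTION]
    findings = []
    raw_roles = opts.get("service_token_roles", "")
    roles = [r.strip() for r in raw_roles.split(",") if r.strip()]
    if not roles:
        # Upgrade note: set this to the roles that service users really hold.
        findings.append("service_token_roles-not-set")
    required = opts.get("service_token_roles_required", "false").strip().lower()
    if required not in TRUE_VALUES:
        # With the flag False, service tokens are validated but not role-checked.
        findings.append("roles-not-enforced")
    return findings


# Constructed sample configs for three stages of the upgrade (hypothetical hosts).
SAMPLES = {
    "pre-upgrade": "[keystone_authtoken]\nauth_url = http://keystone.example:5000\n",
    "roles-set": ("[keystone_authtoken]\nservice_token_roles = service, admin\n"
                  "service_token_roles_required = False\n"),
    "enforced": ("[DEFAULT]\ndebug = false\n\n[keystone_authtoken]\n"
                 "service_token_roles = service\n"
                 "service_token_roles_required = True\n"),
}


def audit_all(samples):
    """Map each config name to its list of findings."""
    return {name: audit_authtoken(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name:12} {', '.join(findings) if findings else 'OK'}")
```

A config that reports only "roles-not-enforced" is at the intermediate step: roles are listed, and the flag can be flipped once service users are confirmed to hold one of them.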