[openstack-announce] [release][keystone] keystone 9.0.0 release (mitaka)
no-reply at openstack.org
Thu Apr 7 07:45:20 UTC 2016
We are satisfied to announce the release of:
keystone 9.0.0: OpenStack Identity
This release is part of the mitaka release series.
For more details, please see below.
9.0.0
^^^^^
New Features
************
* [blueprint domain-specific-roles
(https://blueprints.launchpad.net/keystone/+spec/domain-specific-
roles)] Roles can now be optionally defined as domain specific.
Domain specific roles are not referenced in policy files; rather,
they let a domain build its own private inference rules with implied
roles. A domain specific role can be assigned on its domain or on a
project within that domain, and any subset of global roles it implies
will appear in a token scoped to the respective domain or project.
The domain specific role itself, however, will not appear in the
token.
* [blueprint bootstrap
(https://blueprints.launchpad.net/keystone/+spec/bootstrap)]
keystone-manage now supports the bootstrap command on the CLI so
that a keystone install can be initialized without the need of the
admin_token filter in the paste-ini.
* [blueprint domain-config-default
(https://blueprints.launchpad.net/keystone/+spec/domain-config-
default)] The Identity API now supports retrieving the default
values for the configuration options that can be overridden via the
domain specific configuration API.
* [blueprint url-safe-naming
(https://blueprints.launchpad.net/keystone/+spec/url-safe-naming)]
The names of projects and domains can optionally be required to be
URL safe, to support the future ability to specify projects using
hierarchical naming.
* [bug 1490804 (https://bugs.launchpad.net/keystone/+bug/1490804)]
Audit IDs are included in the token revocation list.
* [bug 1519210 (https://bugs.launchpad.net/keystone/+bug/1519210)] A
user may now opt-out of notifications by specifying a list of event
types using the *notification_opt_out* option in *keystone.conf*.
These events are never sent to a messaging service.
* [bug 1542417 (https://bugs.launchpad.net/keystone/+bug/1542417)]
Added support for a *user_description_attribute* mapping to the LDAP
driver configuration.
* [bug 1526462 (https://bugs.launchpad.net/keystone/+bug/1526462)]
Support for posixGroups with OpenDirectory and UNIX when using the
LDAP identity driver.
* [bug 1489061 (https://bugs.launchpad.net/keystone/+bug/1489061)]
Caching has been added to catalog retrieval on a per user ID and
project ID basis. This affects both the v2 and v3 APIs. As a result
this should provide a performance benefit to fernet-based
deployments.
* Keystone supports "$(project_id)s" in the catalog. It works the
same as "$(tenant_id)s". Use of "$(tenant_id)s" is deprecated and
catalog endpoints should be updated to use "$(project_id)s".
* [bug 1525317 (https://bugs.launchpad.net/keystone/+bug/1525317)]
Enable filtering of identity providers based on *id*, and *enabled*
attributes.
* [bug 1555830 (https://bugs.launchpad.net/keystone/+bug/1555830)]
Enable filtering of service providers based on *id*, and *enabled*
attributes.
* [blueprint federation-group-ids-mapped-without-domain-reference
(https://blueprints.launchpad.net/keystone/+spec/federation-group-
ids-mapped-without-domain-reference)] Enhanced the federation
mapping engine to allow for group IDs to be referenced without a
domain ID.
* [blueprint implied-roles
(https://blueprints.launchpad.net/keystone/+spec/implied-roles)]
Keystone now supports creating implied roles. Role inference rules
can now be added to indicate when the assignment of one role implies
the assignment of another. The rules are of the form *prior_role*
implies *implied_role*. At token generation time, user/group
assignments of roles that have implied roles will be expanded to
also include such roles in the token. The expansion of implied roles
is controlled by the *prohibited_implied_role* option in the
*[assignment]* section of *keystone.conf*.
* [bug 968696 (https://bugs.launchpad.net/keystone/+bug/968696)] A
pair of configuration options have been added to the "[resource]"
section to specify a special "admin" project:
"admin_project_domain_name" and "admin_project_name". If these are
defined, any scoped token issued for that project will have an
additional identifier "is_admin_project" added to the token. This
identifier can then be checked by the policy rules in the policy
files of the services when evaluating access control policy for an
API. Keystone does not yet support the ability for a project acting
as a domain to be the admin project. That will be added once the
rest of the code for projects acting as domains is merged.
* [bug 1515302 (https://bugs.launchpad.net/keystone/+bug/1515302)]
Two new configuration options have been added to the *[ldap]*
section. *user_enabled_emulation_use_group_config* and
*project_enabled_emulation_use_group_config*, which allow deployers
to choose if they want to override the default group LDAP schema
option.
* [bug 1501698 (https://bugs.launchpad.net/keystone/+bug/1501698)]
Support parameter *list_limit* when LDAP is used as identity
backend.
* [bug 1479569 (https://bugs.launchpad.net/keystone/+bug/1479569)]
Listing role assignments (GET /role_assignments?include_names=True)
can now return the names of the referenced entities in addition to
their internal IDs.
* Domains are now represented as top level projects with the
attribute *is_domain* set to true. Such projects will appear as
parents for any previous top level projects. Projects acting as
domains can be created, read, updated, and deleted via either the
project API or the domain API (V3 only).
* [bug 1500222 (https://bugs.launchpad.net/keystone/+bug/1500222)]
Added information such as: user ID, project ID, and domain ID to log
entries. As a side effect of this change, both the user's domain ID
and project's domain ID are now included in the auth context.
* [bug 1473042 (https://bugs.launchpad.net/keystone/+bug/1473042)]
Keystone's S3 compatibility support can now authenticate using AWS
Signature Version 4.
* [blueprint totp-auth
(https://blueprints.launchpad.net/keystone/+spec/totp-auth)]
Keystone now supports authenticating via Time-based One-time
Password (TOTP). To enable this feature, add the "totp" auth plugin
to the *methods* option in the *[auth]* section of *keystone.conf*.
More information about using TOTP can be found in keystone's
developer documentation
(http://docs.openstack.org/developer/keystone/auth-totp.html).
* [blueprint x509-ssl-client-cert-authn
(https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-
cert-authn)] Keystone now supports tokenless client SSL x.509
certificate authentication and authorization.
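The domain-specific-roles and implied-roles items above describe how role inference is applied when a token is issued: inference rules are followed transitively, a role named in prohibited_implied_role is never granted by inference, and a domain specific role steers inference but is left out of the token. The following is an added illustration of that expansion written for this page; it is not keystone's assignment code, and the role table, IDs and rules in it are constructed.

```python
"""Role expansion at token issue time, combining implied roles and
domain-specific roles. Added illustration for this page, not keystone's
own assignment code; the roles, IDs and inference rules are constructed."""
from collections import deque

# Mirrors [assignment] prohibited_implied_role: names of roles that a
# rule may never grant by inference (keystone's default is "admin").
PROHIBITED_IMPLIED_ROLES = {"admin"}

# Constructed role table. domain_id None marks a global role; a
# domain-specific role carries the ID of the domain that owns it.
ROLES = {
    "r-admin":   {"name": "admin",   "domain_id": None},
    "r-member":  {"name": "member",  "domain_id": None},
    "r-reader":  {"name": "reader",  "domain_id": None},
    "r-auditor": {"name": "auditor", "domain_id": "d-acme"},
}

# Constructed inference rules, prior role ID -> implied role IDs.
# The auditor -> admin edge is deliberately present to show that the
# prohibited role is refused at expansion time.
RULES = {
    "r-admin":   {"r-member"},
    "r-member":  {"r-reader"},
    "r-auditor": {"r-reader", "r-admin"},
}


def check_assignment_target(role_id, target_domain_id, roles=ROLES):
    """A domain-specific role may only be assigned on its own domain or on
    projects inside that domain; a global role may go anywhere."""
    owner = roles[role_id]["domain_id"]
    return owner is None or owner == target_domain_id


def expand_roles(direct_role_ids, rules=RULES, roles=ROLES,
                 prohibited=PROHIBITED_IMPLIED_ROLES):
    """Return the sorted role names that land in the token for a set of
    directly assigned role IDs: the transitive closure of the inference
    rules, minus roles that may not be implied, minus domain-specific
    roles (which drive inference but are never emitted)."""
    seen = set(direct_role_ids)
    queue = deque(direct_role_ids)
    while queue:
        prior = queue.popleft()
        for implied in rules.get(prior, ()):
            if implied in seen:
                continue                 # cycles and diamonds stop here
            if roles[implied]["name"] in prohibited:
                continue                 # only a direct assignment may grant it
            seen.add(implied)
            queue.append(implied)
    return sorted(roles[rid]["name"] for rid in seen
                  if roles[rid]["domain_id"] is None)


if __name__ == "__main__":
    print(expand_roles(["r-auditor"]))   # → ['reader']
    print(expand_roles(["r-admin"]))     # → ['admin', 'member', 'reader']
```

A user holding only the domain specific auditor role ends up with just reader in the token: auditor itself is withheld, and the auditor-to-admin edge is ignored because admin is prohibited from being implied, so admin can only ever come from a direct assignment.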
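The totp-auth item above enables a new auth method but does not show what the plugin actually verifies. The block below is an added RFC 6238 TOTP generator and verifier written for this page, not keystone's plugin code; the SHA-1, 30-second, 6-digit, base32-secret parameters are the common defaults and an assumption about the deployment, as is the shape of the v3 auth request built at the end.

```python
"""Time-based One-time Password (RFC 6238) generation and verification.
Added illustration for this page, not keystone's plugin; the parameters
(SHA-1, 30-second step, 6 digits, base32 secret) are assumed defaults."""
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, for_time=None, step=30, digits=6, digest=hashlib.sha1):
    """Compute the passcode for the time step containing for_time."""
    if for_time is None:
        for_time = time.time()
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, passcode, for_time=None, window=1,
                step=30, digits=6, digest=hashlib.sha1):
    """Accept a passcode for the current step or up to `window` steps on
    either side (clock drift). Every candidate is compared in constant
    time and the loop never exits early, so timing does not reveal which
    step, if any, matched."""
    if for_time is None:
        for_time = time.time()
    if len(passcode) != digits or not (passcode.isascii() and passcode.isdigit()):
        return False
    matched = False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, for_time + drift * step, step, digits, digest)
        matched |= hmac.compare_digest(candidate, passcode)
    return matched


def totp_auth_request(user_id, passcode):
    """Body of a v3 POST /auth/tokens using only the totp method. The layout
    (methods list plus a per-method block naming the user and passcode) is
    assumed here from keystone's v3 auth conventions."""
    return {"auth": {"identity": {
        "methods": ["totp"],
        "totp": {"user": {"id": user_id, "passcode": passcode}}}}}
```

The secret used in the checks is the RFC 6238 Appendix B test key, so the 8-digit values can be confirmed against the RFC. Operationally the point to keep in view is that the server's clock skew directly sets how wide a window you must accept, and every extra step widens the guessing surface of a 6-digit code.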
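For the AWS Signature Version 4 item above (bug 1473042), this added example shows the verification keystone's S3 compatibility endpoint has to perform: it receives the client's string-to-sign, access key and signature from the S3 middleware rather than the raw HTTP request (a detail of keystone's S3 token API assumed here, not stated in these notes), derives the scoped signing key from the stored secret and compares. This is illustration code for this page, not keystone's controller; the secret, scope and request are constructed.

```python
"""AWS Signature Version 4 verification from a string-to-sign. Added
illustration for this page, not keystone's controller code; the secret,
credential scope and canonical request below are constructed."""
import hashlib
import hmac


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service),
    "aws4_request"), so a leaked signing key is bounded to one day/region/service."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def signature_v4(string_to_sign, secret, expected_service="s3"):
    """Recompute the hex signature for a four-line string-to-sign
    (algorithm, timestamp, credential scope, canonical request hash).
    The credential scope is the only source of date/region/service, so it
    is validated before any key material is derived."""
    lines = string_to_sign.split("\n")
    if len(lines) != 4 or lines[0] != "AWS4-HMAC-SHA256":
        raise ValueError("not an AWS4-HMAC-SHA256 string-to-sign")
    scope = lines[2].split("/")
    if len(scope) != 4 or scope[3] != "aws4_request":
        raise ValueError("malformed credential scope")
    date_stamp, region, service, _ = scope
    if expected_service is not None and service != expected_service:
        raise ValueError("credential scope is for %r, not %r" % (service, expected_service))
    key = derive_signing_key(secret, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def check_signature(string_to_sign, presented_signature, secret, expected_service="s3"):
    """True only if the presented signature matches. Constant-time compare;
    any parsing failure is reported as a plain authentication failure."""
    try:
        expected = signature_v4(string_to_sign, secret, expected_service)
    except ValueError:
        return False
    return hmac.compare_digest(expected, presented_signature)


# Constructed sample: a GET on an object, scoped to an OpenStack region name.
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"   # AWS documentation example secret
_canonical_request = "GET\n/bucket/object\n\nhost:s3.example.test\n\nhost\nUNSIGNED-PAYLOAD"
SAMPLE_STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256",
    "20160407T074520Z",
    "20160407/RegionOne/s3/aws4_request",
    hashlib.sha256(_canonical_request.encode("utf-8")).hexdigest(),
])
```

The signing-key derivation is checked against the worked example in the AWS Signature Version 4 documentation (secret wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY, 20150830/us-east-1/iam). Pinning expected_service to "s3" matters: without it a signature produced for another service in the same account would verify at the S3 endpoint.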
Upgrade Notes
*************
* [bug 1473553 (https://bugs.launchpad.net/keystone/+bug/1473553)]
The *keystone-paste.ini* must be updated to put the
"admin_token_auth" middleware before "build_auth_context". See the
sample *keystone-paste.ini* for the correct *pipeline* value.
Having "admin_token_auth" after "build_auth_context" is deprecated
and will not be supported in a future release.
* The LDAP driver now also maps the user description attribute after
user retrieval from LDAP. If this is undesired behavior for your
setup, please add *description* to the *user_attribute_ignore* LDAP
driver config setting. The default mapping of the description
attribute is set to *description*. Please adjust the LDAP driver
config setting *user_description_attribute* if your LDAP uses a
different attribute name (for instance to *displayName* in case of
an AD backed LDAP). If your *user_additional_attribute_mapping*
setting contains *description:description* you can remove this
mapping, since this is now the default behavior.
* The default setting for the *os_inherit* configuration option is
changed to True. If it is required to continue with this portion of
the API disabled, then override the default setting by explicitly
specifying the os_inherit option as False.
* The *keystone-paste.ini* file must be updated to remove extension
filters, and their use in "[pipeline:api_v3]". Remove the following
filters: "[filter:oauth1_extension]",
"[filter:federation_extension]",
"[filter:endpoint_filter_extension]", and
"[filter:revoke_extension]". See the sample keystone-paste.ini
(https://git.openstack.org/cgit/openstack/keystone/tree/etc
/keystone-paste.ini) file for guidance.
* The *keystone-paste.ini* file must be updated to remove extension
filters, and their use in "[pipeline:public_api]" and
"[pipeline:admin_api]" pipelines. Remove the following filters:
"[filter:user_crud_extension]", "[filter:crud_extension]". See the
sample keystone-paste.ini
(https://git.openstack.org/cgit/openstack/keystone/tree/etc
/keystone-paste.ini) file for guidance.
* A new config option, *insecure_debug*, is added to control whether
debug information is returned to clients. This used to be controlled
by the *debug* option. If you'd like to return extra information to
clients set the value to "true". This extra information may help an
attacker.
* The configuration options for LDAP connection pooling, *[ldap]
use_pool* and *[ldap] use_auth_pool*, are now both enabled by
default. Only deployments using LDAP drivers are affected.
Additional configuration options are available in the *[ldap]*
section to tune connection pool size, etc.
* [bug 1541092 (https://bugs.launchpad.net/keystone/+bug/1541092)]
Only database upgrades from Kilo and newer are supported.
* Keystone now uses oslo.cache. Update the *[cache]* section of
*keystone.conf* to point to oslo.cache backends:
"oslo_cache.memcache_pool" or "oslo_cache.mongo". Refer to the
sample configuration file for examples. See oslo.cache
(http://docs.openstack.org/developer/oslo.cache) for additional
documentation.
Deprecation Notes
*****************
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] The V8 Assignment driver interface is deprecated. Support
for the V8 Assignment driver interface is planned to be removed in
the 'O' release of OpenStack.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] The V8 Role driver interface is deprecated. Support for the
V8 Role driver interface is planned to be removed in the 'O' release
of OpenStack.
* The V8 Resource driver interface is deprecated. Support for the V8
Resource driver interface is planned to be removed in the 'O'
release of OpenStack.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] The "admin_token_auth" filter must now be placed before the
"build_auth_context" filter in *keystone-paste.ini*.
* Use of "$(tenant_id)s" in the catalog endpoints is deprecated in
favor of "$(project_id)s".
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] Deprecate the "enabled" option from "[endpoint_policy]", it
will be removed in the 'O' release, and the extension will always be
enabled.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] The token memcache and memcache_pool persistence backends
have been deprecated in favor of using Fernet tokens (which require
no persistence).
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] Deprecated all v2.0 APIs. The keystone team recommends
using v3 APIs instead. Most v2.0 APIs will be removed in the 'Q'
release. However, the authentication APIs and EC2 APIs are
indefinitely deprecated and will not be removed in the 'Q' release.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] As of the Mitaka release, the PKI and PKIz token formats
have been deprecated. They will be removed in the 'O' release. Due
to this change, the *hash_algorithm* option in the *[token]* section
of the configuration file has also been deprecated. Also due to this
change, the "keystone-manage pki_setup" command has been deprecated
as well.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] As of the Mitaka release, write support for the LDAP driver
of the Identity backend has been deprecated. This includes the
following operations: create user, create group, delete user, delete
group, update user, update group, add user to group, and remove user
from group. These operations will be removed in the 'O' release.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] As of the Mitaka release, the auth plugin
*keystone.auth.plugins.saml2.Saml2* has been deprecated. It is
recommended to use *keystone.auth.plugins.mapped.Mapped* instead.
The "saml2" plugin will be removed in the 'O' release.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] As of the Mitaka release, the simple_cert_extension is
deprecated since it is only used in support of the PKI and PKIz
token formats. It will be removed in the 'O' release.
* The *os_inherit* configuration option is deprecated. In the future,
this option will be removed and this portion of the API will be
always enabled.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] The file "httpd/keystone.py" has been deprecated in favor
of "keystone-wsgi-admin" and "keystone-wsgi-public" and may be
removed in the 'O' release.
* [blueprint deprecated-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-
mitaka)] "keystone.common.cache.backends.memcache_pool",
"keystone.common.cache.backends.mongo", and
"keystone.common.cache.backends.noop" are deprecated in favor of
oslo.cache backends. The keystone backends will be removed in the
'O' release.
* The V8 Federation driver interface is deprecated in favor of the
V9 Federation driver interface. Support for the V8 Federation driver
interface is planned to be removed in the 'O' release of OpenStack.
Security Issues
***************
* The use of admin_token filter is insecure compared to the use of a
proper username/password. Historically the admin_token filter has
been left enabled in Keystone after initialization due to the way
CMS systems work. Moving to an out-of-band initialization using
"keystone-manage bootstrap" will eliminate the security concerns
around a static shared string that conveys admin access to keystone
and therefore to the entire installation.
* The admin_token method of authentication was never intended to be
used for any purpose other than bootstrapping an install. However
many deployments had to leave the admin_token method enabled due to
restrictions on editing the paste file used to configure the web
pipelines. To minimize the risk from this mechanism, the
*admin_token* configuration value now defaults to a python *None*
value. In addition, if the value is set to *None*, either
explicitly or implicitly, the *admin_token* will not be enabled, and
an attempt to use it will lead to a failed authentication.
* [bug 1490804 (https://bugs.launchpad.net/keystone/+bug/1490804)]
[CVE-2015-7546 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546)]
A bug is fixed where an
attacker could avoid token revocation when the PKI or PKIZ token
provider is used. The complete remediation for this vulnerability
requires the corresponding fix in the keystonemiddleware project.
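The Upgrade Notes require admin_token_auth to precede build_auth_context in every pipeline and the extension filters to be removed from keystone-paste.ini, and the Security Issues notes explain why a configured admin_token should not survive bootstrap. The following is an added pre-upgrade checker for those points, written for this page (it is not a keystone tool); the two sample files are constructed, Liberty-style configurations that exhibit every problem the notes describe.

```python
"""Pre-upgrade check of keystone-paste.ini and keystone.conf against the
Mitaka pipeline, extension-filter and admin_token notes. Added for this
page, not a keystone tool; the sample files below are constructed."""
import configparser

# Extension filters that Mitaka folds into the core, per pipeline.
REMOVED_FILTERS = {
    "api_v3": {"oauth1_extension", "federation_extension",
               "endpoint_filter_extension", "revoke_extension"},
    "public_api": {"user_crud_extension", "crud_extension"},
    "admin_api": {"user_crud_extension", "crud_extension"},
}


def _parse(text):
    # '=' only: paste factory values contain ':' (module:callable), and
    # keystone.conf values may contain '%', which would trip interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return cp


def check_paste(paste_text):
    """Return sorted (finding, where) pairs for a keystone-paste.ini."""
    cp = _parse(paste_text)
    findings = []
    all_removed = set().union(*REMOVED_FILTERS.values())
    for section in cp.sections():
        kind, _, name = section.partition(":")
        if kind == "pipeline":
            pipeline = cp.get(section, "pipeline").split()
            if ("admin_token_auth" in pipeline and "build_auth_context" in pipeline
                    and pipeline.index("admin_token_auth") > pipeline.index("build_auth_context")):
                findings.append(("admin_token_auth_after_build_auth_context", name))
            for f in REMOVED_FILTERS.get(name, set()) & set(pipeline):
                findings.append(("removed_extension_in_pipeline", name + ":" + f))
        elif kind == "filter" and name in all_removed:
            findings.append(("removed_extension_filter_section", section))
    return sorted(findings)


def check_keystone_conf(conf_text):
    """Return sorted (finding, where) pairs for a keystone.conf."""
    cp = _parse(conf_text)
    findings = []
    # A non-empty admin_token is the static shared secret the Security
    # Issues notes warn about; after keystone-manage bootstrap leave it unset.
    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("admin_token_set", "DEFAULT"))
    if cp.getboolean("DEFAULT", "insecure_debug", fallback=False):
        findings.append(("insecure_debug_enabled", "DEFAULT"))
    return sorted(findings)


# Constructed, deliberately out-of-date samples.
SAMPLE_PASTE = """\
[filter:build_auth_context]
paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:revoke_extension]
paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory

[pipeline:public_api]
pipeline = build_auth_context token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = build_auth_context token_auth admin_token_auth json_body crud_extension admin_service

[pipeline:api_v3]
pipeline = build_auth_context token_auth admin_token_auth json_body revoke_extension service_v3
"""

SAMPLE_CONF = """\
[DEFAULT]
admin_token = ADMIN
insecure_debug = true

[token]
provider = fernet
"""

if __name__ == "__main__":
    for finding in check_paste(SAMPLE_PASTE) + check_keystone_conf(SAMPLE_CONF):
        print("%-45s %s" % finding)
```

Run it against the real files before db_sync; an empty result for both means the paste pipelines already match the sample shipped with 9.0.0 on these points, and that no static admin_token is left for an attacker to find in the config.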
Bug Fixes
*********
* [bug 1535878 (https://bugs.launchpad.net/keystone/+bug/1535878)]
Originally, to perform GET /projects/{project_id}, the provided
policy files required a user to have at least project admin level of
permission. They have been updated to allow it to be performed by
any user who has a role on the project.
* [bug 1516469 (https://bugs.launchpad.net/keystone/+bug/1516469)]
Endpoints filtered by endpoint_group project association will be
included in the service catalog when a project scoped token is
issued and "endpoint_filter.sql" is used for the catalog driver.
* Support has now been added to send notification events on
user/group membership. When a user is added or removed from a group
a notification will be sent including the identifiers of both the
user and the group.
* [bug 1527759 (https://bugs.launchpad.net/keystone/+bug/1527759)]
Reverted the change that eliminates the ability to get a V2 token
with a user or project that is not in the default domain. This
change broke real-world deployments that utilized the ability to
authenticate via V2 API with a user not in the default domain or
with a project not in the default domain. Deployers are encouraged to
update their code to use V3 auth properly, but the original fix broke
expected and tested behavior.
* [bug 1480270 (https://bugs.launchpad.net/keystone/+bug/1480270)]
Endpoints created when using v3 of the keystone REST API will now be
included when listing endpoints via the v2.0 API.
Other Notes
***********
* The list_project_ids_for_user(), list_domain_ids_for_user(),
list_user_ids_for_project(), list_project_ids_for_groups(),
list_domain_ids_for_groups(), list_role_ids_for_groups_on_project()
and list_role_ids_for_groups_on_domain() methods have been removed
from the V9 version of the Assignment driver.
* [blueprint move-extensions
(https://blueprints.launchpad.net/keystone/+spec/move-extensions)]
If any extension migrations are run, for example: "keystone-manage
db_sync --extension endpoint_policy" an error will be returned. This
is working as designed. To run these migrations simply run:
"keystone-manage db_sync". The complete list of affected extensions
are: "oauth1", "federation", "endpoint_filter", "endpoint_policy",
and "revoke".
* [bug 1367113 (https://bugs.launchpad.net/keystone/+bug/1367113)]
The "get entity" and "list entities" functionality for the KVS
catalog backend has been reimplemented to use the data from the
catalog template. Previously this would only act on temporary data
that was created at runtime. The create, update and delete entity
functionality now raises an exception.
* "keystone-manage db_sync" will no longer create the Default
domain. This domain is used as the domain for any users created
using the legacy v2.0 API. A default domain is created by "keystone-
manage bootstrap" and when a user or project is created using the
legacy v2.0 API.
* The ability to validate a trust-scoped token against the v2.0 API
has been removed, in favor of using the version 3 of the API.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] Removed "extras" from token responses. These fields should
not be necessary and a well-defined API makes this field redundant.
This was deprecated in the Kilo release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] Removed "RequestBodySizeLimiter" from keystone middleware.
The keystone team suggests using
"oslo_middleware.sizelimit.RequestBodySizeLimiter" instead. This was
deprecated in the Kilo release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] Notifications with event_type
"identity.created.role_assignment" and
"identity.deleted.role_assignment" have been removed. The keystone
team suggests listening for "identity.role_assignment.created" and
"identity.role_assignment.deleted" instead. This was deprecated in
the Kilo release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] Removed "check_role_for_trust" from the trust controller,
ensure policy files do not refer to this target. This was deprecated
in the Kilo release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] Removed Catalog KVS backend
("keystone.catalog.backends.sql.Catalog"). This was deprecated in
the Icehouse release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] The LDAP backend for Assignment has been removed. This was
deprecated in the Kilo release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] The LDAP backend for Resource has been removed. This was
deprecated in the Kilo release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] The LDAP backend for Role has been removed. This was
deprecated in the Kilo release.
* [blueprint removed-as-of-mitaka
(https://blueprints.launchpad.net/keystone/+spec/removed-as-of-
mitaka)] Removed Revoke KVS backend
("keystone.revoke.backends.kvs.Revoke"). This was deprecated in the
Juno release.
Changes in keystone 9.0.0.0rc2..9.0.0
-------------------------------------
3e5fca0 Update federated user display name with shadow_users_api
Diffstat (except docs and test files)
-------------------------------------
keystone/identity/core.py | 4 ++--
2 files changed, 30 insertions(+), 2 deletions(-)