[openstack-announce] [release][keystone] keystone 9.0.0 release (mitaka)

no-reply at openstack.org
Thu Apr 7 07:45:20 UTC 2016


We are satisfied to announce the release of:

keystone 9.0.0: OpenStack Identity

This release is part of the mitaka release series.

For more details, please see below.

9.0.0
^^^^^


New Features
************

* [blueprint domain-specific-roles
  (https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles)]
  Roles can now be optionally defined as domain specific.
  Domain specific roles are not referenced in policy files, rather
  they can be used to allow a domain to build their own private
  inference rules with implied roles. A domain specific role can be
  assigned to a domain or project within its domain, and any subset of
  global roles it implies will appear in a token scoped to the
  respective domain or project. The domain specific role itself,
  however, will not appear in the token.

* [blueprint bootstrap
  (https://blueprints.launchpad.net/keystone/+spec/bootstrap)]
  keystone-manage now supports the bootstrap command on the CLI so
  that a keystone install can be initialized without the need of the
  admin_token filter in the paste-ini.

* [blueprint domain-config-default
  (https://blueprints.launchpad.net/keystone/+spec/domain-config-default)]
  The Identity API now supports retrieving the default
  values for the configuration options that can be overridden via the
  domain specific configuration API.

* [blueprint url-safe-naming
  (https://blueprints.launchpad.net/keystone/+spec/url-safe-naming)]
  The names of projects and domains can optionally be ensured to be
  url safe, to support the future ability to specify projects using
  hierarchical naming.

* [bug 1490804 (https://bugs.launchpad.net/keystone/+bug/1490804)]
  Audit IDs are included in the token revocation list.

* [bug 1519210 (https://bugs.launchpad.net/keystone/+bug/1519210)] A
  user may now opt-out of notifications by specifying a list of event
  types using the *notification_opt_out* option in *keystone.conf*.
  These events are never sent to a messaging service.

* [bug 1542417 (https://bugs.launchpad.net/keystone/+bug/1542417)]
  Added support for a *user_description_attribute* mapping to the LDAP
  driver configuration.

* [bug 1526462 (https://bugs.launchpad.net/keystone/+bug/1526462)]
  Support for posixGroups with OpenDirectory and UNIX when using the
  LDAP identity driver.

* [bug 1489061 (https://bugs.launchpad.net/keystone/+bug/1489061)]
  Caching has been added to catalog retrieval on a per user ID and
  project ID basis. This affects both the v2 and v3 APIs. As a result
  this should provide a performance benefit to fernet-based
  deployments.

* Keystone supports "$(project_id)s" in the catalog. It works the
  same as "$(tenant_id)s". Use of "$(tenant_id)s" is deprecated and
  catalog endpoints should be updated to use "$(project_id)s".

* [bug 1525317 (https://bugs.launchpad.net/keystone/+bug/1525317)]
  Enable filtering of identity providers based on *id*, and *enabled*
  attributes.

* [bug 1555830 (https://bugs.launchpad.net/keystone/+bug/1555830)]
  Enable filtering of service providers based on *id*, and *enabled*
  attributes.

* [blueprint federation-group-ids-mapped-without-domain-reference
  (https://blueprints.launchpad.net/keystone/+spec/federation-group-ids-mapped-without-domain-reference)]
  Enhanced the federation
  mapping engine to allow for group IDs to be referenced without a
  domain ID.

* [blueprint implied-roles
  (https://blueprints.launchpad.net/keystone/+spec/implied-roles)]
  Keystone now supports creating implied roles. Role inference rules
  can now be added to indicate when the assignment of one role implies
  the assignment of another. The rules are of the form *prior_role*
  implies *implied_role*. At token generation time, user/group
  assignments of roles that have implied roles will be expanded to
  also include such roles in the token. The expansion of implied roles
  is controlled by the *prohibited_implied_role* option in the
  *[assignment]* section of *keystone.conf*.
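Added example (not keystone's own code) of the expansion described in the notes on domain-specific roles and implied roles above: direct assignments are expanded transitively through "prior_role implies implied_role" rules, domain-specific roles are dropped from the roles that reach the token, and prohibited_implied_role is enforced when a rule is added (its meaning, roles that no rule may imply, is an assumption here). Role names and rules are constructed for illustration.

```python
# Added example, not keystone's own implementation: expands a user's
# direct role assignments through "prior_role implies implied_role"
# inference rules and drops domain-specific roles from the token roles.
from collections import deque

# Assumption: prohibited_implied_role lists roles that may never be the
# target of an inference rule, so no rule can grant them implicitly.
PROHIBITED_IMPLIED_ROLES = {"admin"}


class RoleInference:
    def __init__(self, domain_specific_roles):
        # role name -> set of role names it implies (one hop)
        self._rules = {}
        # roles defined as domain specific: they may be the prior role of
        # a rule but are never emitted into the token themselves
        self._domain_specific = set(domain_specific_roles)

    def add_rule(self, prior_role, implied_role):
        """Register the rule 'prior_role implies implied_role'."""
        if implied_role in PROHIBITED_IMPLIED_ROLES:
            raise ValueError(f"{implied_role!r} may not be an implied role")
        if prior_role == implied_role:
            raise ValueError("a role cannot imply itself")
        self._rules.setdefault(prior_role, set()).add(implied_role)

    def expand(self, assigned_roles):
        """Return the sorted role names a token should carry."""
        seen = set(assigned_roles)
        queue = deque(assigned_roles)
        # breadth-first walk; 'seen' also protects against rule cycles
        while queue:
            role = queue.popleft()
            for implied in self._rules.get(role, ()):
                if implied not in seen:
                    seen.add(implied)
                    queue.append(implied)
        # domain-specific roles are expanded but do not appear in the token
        return sorted(seen - self._domain_specific)


def build_demo():
    """Constructed rule set: one global chain and one domain-specific role."""
    ri = RoleInference(domain_specific_roles={"project_lead"})
    ri.add_rule("admin", "member")          # global: admin implies member
    ri.add_rule("member", "reader")         # global: member implies reader
    ri.add_rule("project_lead", "member")   # domain-specific role implies a global role
    return ri


if __name__ == "__main__":
    demo = build_demo()
    print(demo.expand(["project_lead"]))   # the domain-specific role itself is absent
    print(demo.expand(["admin"]))
```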

* [bug 968696 (https://bugs.launchpad.net/keystone/+bug/968696)] A
  pair of configuration options have been added to the "[resource]"
  section to specify a special "admin" project:
  "admin_project_domain_name" and "admin_project_name".  If these are
  defined, any scoped token issued for that project will have an
  additional identifier "is_admin_project" added to the token. This
  identifier can then be checked by the policy rules in the policy
  files of the services when evaluating access control policy for an
  API. Keystone does not yet support the ability for a project acting
  as a domain to be the admin project.  That will be added once the
  rest of the code for projects acting as domains is merged.

* [bug 1515302 (https://bugs.launchpad.net/keystone/+bug/1515302)]
  Two new configuration options have been added to the *[ldap]*
  section. *user_enabled_emulation_use_group_config* and
  *project_enabled_emulation_use_group_config*, which allow deployers
  to choose if they want to override the default group LDAP schema
  option.

* [bug 1501698 (https://bugs.launchpad.net/keystone/+bug/1501698)]
  Support parameter *list_limit* when LDAP is used as identity
  backend.

* [bug 1479569 (https://bugs.launchpad.net/keystone/+bug/1479569)]
  Listing role assignments can now include names (GET
  /role_assignments?include_names=True): the names of the objects are
  returned in addition to their internal IDs.

* Domains are now represented as top level projects with the
  attribute *is_domain* set to true. Such projects will appear as
  parents for any previous top level projects. Projects acting as
  domains can be created, read, updated, and deleted via either the
  project API or the domain API (V3 only).

* [bug 1500222 (https://bugs.launchpad.net/keystone/+bug/1500222)]
  Added information such as: user ID, project ID, and domain ID to log
  entries. As a side effect of this change, both the user's domain ID
  and project's domain ID are now included in the auth context.

* [bug 1473042 (https://bugs.launchpad.net/keystone/+bug/1473042)]
  Keystone's S3 compatibility support can now authenticate using AWS
  Signature Version 4.

* [blueprint totp-auth
  (https://blueprints.launchpad.net/keystone/+spec/totp-auth)]
  Keystone now supports authenticating via Time-based One-time
  Password (TOTP). To enable this feature, add the "totp" auth plugin
  to the *methods* option in the *[auth]* section of *keystone.conf*.
  More information about using TOTP can be found in keystone's
  developer documentation
  (http://docs.openstack.org/developer/keystone/auth-totp.html).

* [blueprint x509-ssl-client-cert-authn
  (https://blueprints.launchpad.net/keystone/+spec/x509-ssl-client-cert-authn)]
  Keystone now supports tokenless client SSL x.509
  certificate authentication and authorization.


Upgrade Notes
*************

* [bug 1473553 (https://bugs.launchpad.net/keystone/+bug/1473553)]
  The *keystone-paste.ini* must be updated to put the
  "admin_token_auth" middleware before "build_auth_context". See the
  sample *keystone-paste.ini* for the correct *pipeline* value.
  Having "admin_token_auth" after "build_auth_context" is deprecated
  and will not be supported in a future release.

* The LDAP driver now also maps the user description attribute after
  user retrieval from LDAP. If this is undesired behavior for your
  setup, please add *description* to the *user_attribute_ignore* LDAP
  driver config setting. The default mapping of the description
  attribute is set to *description*. Please adjust the LDAP driver
  config setting *user_description_attribute* if your LDAP uses a
  different attribute name (for instance to *displayName* in case of
  an AD backed LDAP). If your *user_additional_attribute_mapping*
  setting contains *description:description* you can remove this
  mapping, since this is now the default behavior.

* The default setting for the *os_inherit* configuration option is
  changed to True. If it is required to continue with this portion of
  the API disabled, then override the default setting by explicitly
  specifying the os_inherit option as False.

* The *keystone-paste.ini* file must be updated to remove extension
  filters, and their use in "[pipeline:api_v3]". Remove the following
  filters: "[filter:oauth1_extension]",
  "[filter:federation_extension]",
  "[filter:endpoint_filter_extension]", and
  "[filter:revoke_extension]". See the sample keystone-paste.ini
  (https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini)
  file for guidance.

* The *keystone-paste.ini* file must be updated to remove extension
  filters, and their use in "[pipeline:public_api]" and
  "[pipeline:admin_api]" pipelines. Remove the following filters:
  "[filter:user_crud_extension]", "[filter:crud_extension]". See the
  sample keystone-paste.ini
  (https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini)
  file for guidance.
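Added example (not keystone's own tooling) that checks a keystone-paste.ini against the three paste-file upgrade notes above: admin_token_auth must precede build_auth_context in each pipeline, and the removed extension filters must be gone from both the filter sections and the pipelines. The two sample files are constructed, with placeholder factory values.

```python
# Added example, not part of keystone: an upgrade check for keystone-paste.ini.
import configparser

# filters the Mitaka upgrade notes say to remove from keystone-paste.ini
REMOVED_FILTERS = {
    "oauth1_extension", "federation_extension",
    "endpoint_filter_extension", "revoke_extension",
    "user_crud_extension", "crud_extension",
}
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")


def check_paste_ini(text):
    """Return a list of problems; an empty list means the file passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []
    # 1. removed extension filters must not be defined at all
    for section in cfg.sections():
        if section.startswith("filter:") and section[len("filter:"):] in REMOVED_FILTERS:
            problems.append(f"remove section [{section}]")
    for name in PIPELINES:
        if not cfg.has_section(name) or not cfg.has_option(name, "pipeline"):
            continue
        steps = cfg.get(name, "pipeline").split()
        # 2. ...and must not be referenced by any pipeline
        for step in steps:
            if step in REMOVED_FILTERS:
                problems.append(f"[{name}] still uses removed filter {step}")
        # 3. admin_token_auth must run before build_auth_context
        if "admin_token_auth" in steps and "build_auth_context" in steps:
            if steps.index("admin_token_auth") > steps.index("build_auth_context"):
                problems.append(f"[{name}] admin_token_auth must precede build_auth_context")
    return problems


# constructed pre-Mitaka style file: wrong order plus a removed extension
SAMPLE_OLD = """
[filter:admin_token_auth]
paste.filter_factory = constructed.placeholder:factory
[filter:build_auth_context]
paste.filter_factory = constructed.placeholder:factory
[filter:revoke_extension]
paste.filter_factory = constructed.placeholder:factory
[pipeline:api_v3]
pipeline = request_id build_auth_context admin_token_auth token_auth json_body revoke_extension service_v3
"""

# constructed file after applying the upgrade notes
SAMPLE_FIXED = """
[filter:admin_token_auth]
paste.filter_factory = constructed.placeholder:factory
[filter:build_auth_context]
paste.filter_factory = constructed.placeholder:factory
[pipeline:api_v3]
pipeline = request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""

if __name__ == "__main__":
    for problem in check_paste_ini(SAMPLE_OLD):
        print(problem)
    print("fixed file problems:", check_paste_ini(SAMPLE_FIXED))
```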

* A new config option, *insecure_debug*, is added to control whether
  debug information is returned to clients. This used to be controlled
  by the *debug* option. If you'd like to return extra information to
  clients set the value to "true". This extra information may help an
  attacker.

* The configuration options for LDAP connection pooling, *[ldap]
  use_pool* and *[ldap] use_auth_pool*, are now both enabled by
  default. Only deployments using LDAP drivers are affected.
  Additional configuration options are available in the *[ldap]*
  section to tune connection pool size, etc.

* [bug 1541092 (https://bugs.launchpad.net/keystone/+bug/1541092)]
  Only database upgrades from Kilo and newer are supported.

* Keystone now uses oslo.cache. Update the *[cache]* section of
  *keystone.conf* to point to oslo.cache backends:
  "oslo_cache.memcache_pool" or "oslo_cache.mongo". Refer to the
  sample configuration file for examples. See oslo.cache
  (http://docs.openstack.org/developer/oslo.cache) for additional
  documentation.


Deprecation Notes
*****************

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  The V8 Assignment driver interface is deprecated. Support
  for the V8 Assignment driver interface is planned to be removed in
  the 'O' release of OpenStack.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  The V8 Role driver interface is deprecated. Support for the
  V8 Role driver interface is planned to be removed in the 'O' release
  of OpenStack.

* The V8 Resource driver interface is deprecated. Support for the V8
  Resource driver interface is planned to be removed in the 'O'
  release of OpenStack.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  The "admin_token_auth" filter must now be placed before the
  "build_auth_context" filter in *keystone-paste.ini*.

* Use of "$(tenant_id)s" in the catalog endpoints is deprecated in
  favor of "$(project_id)s".

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  Deprecate the "enabled" option from "[endpoint_policy]", it
  will be removed in the 'O' release, and the extension will always be
  enabled.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  The token memcache and memcache_pool persistence backends
  have been deprecated in favor of using Fernet tokens (which require
  no persistence).

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  Deprecated all v2.0 APIs. The keystone team recommends
  using v3 APIs instead. Most v2.0 APIs will be removed in the 'Q'
  release. However, the authentication APIs and EC2 APIs are
  indefinitely deprecated and will not be removed in the 'Q' release.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  As of the Mitaka release, the PKI and PKIz token formats
  have been deprecated. They will be removed in the 'O' release. Due
  to this change, the *hash_algorithm* option in the *[token]* section
  of the configuration file has also been deprecated. Also due to this
  change, the "keystone-manage pki_setup" command has been deprecated
  as well.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  As of the Mitaka release, write support for the LDAP driver
  of the Identity backend has been deprecated. This includes the
  following operations: create user, create group, delete user, delete
  group, update user, update group, add user to group, and remove user
  from group. These operations will be removed in the 'O' release.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  As of the Mitaka release, the auth plugin
  *keystone.auth.plugins.saml2.Saml2* has been deprecated. It is
  recommended to use *keystone.auth.plugins.mapped.Mapped* instead.
  The "saml2" plugin will be removed in the 'O' release.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  As of the Mitaka release, the simple_cert_extension is
  deprecated since it is only used in support of the PKI and PKIz
  token formats.  It will be removed in the 'O' release.

* The *os_inherit* configuration option is disabled. In the future,
  this option will be removed and this portion of the API will be
  always enabled.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  The file "httpd/keystone.py" has been deprecated in favor
  of "keystone-wsgi-admin" and "keystone-wsgi-public" and may be
  removed in the 'O' release.

* [blueprint deprecated-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka)]
  "keystone.common.cache.backends.memcache_pool",
  "keystone.common.cache.backends.mongo", and
  "keystone.common.cache.backends.noop" are deprecated in favor of
  oslo.cache backends. The keystone backends will be removed in the
  'O' release.

* The V8 Federation driver interface is deprecated in favor of the
  V9 Federation driver interface. Support for the V8 Federation driver
  interface is planned to be removed in the 'O' release of OpenStack.


Security Issues
***************

* The use of admin_token filter is insecure compared to the use of a
  proper username/password. Historically the admin_token filter has
  been left enabled in Keystone after initialization due to the way
  CMS systems work. Moving to an out-of-band initialization using
  "keystone-manage bootstrap" will eliminate the security concerns
  around a static shared string that conveys admin access to keystone
  and therefore to the entire installation.

* The admin_token method of authentication was never intended to be
  used for any purpose other than bootstrapping an install. However
  many deployments had to leave the admin_token method enabled due to
  restrictions on editing the paste file used to configure the web
  pipelines.  To minimize the risk from this mechanism, the
  *admin_token* configuration value now defaults to a python *None*
  value.  In addition, if the value is set to *None*, either
  explicitly or implicitly, the *admin_token* will not be enabled, and
  an attempt to use it will lead to a failed authentication.

* [bug 1490804 (https://bugs.launchpad.net/keystone/+bug/1490804)]
  [CVE-2015-7546 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546)]
  A bug is fixed where an
  attacker could avoid token revocation when the PKI or PKIZ token
  provider is used. The complete remediation for this vulnerability
  requires the corresponding fix in the keystonemiddleware project.


Bug Fixes
*********

* [bug 1535878 (https://bugs.launchpad.net/keystone/+bug/1535878)]
  Originally, to perform GET /projects/{project_id}, the provided
  policy files required a user to have at least project admin level of
  permission. They have been updated to allow it to be performed by
  any user who has a role on the project.

* [bug 1516469 (https://bugs.launchpad.net/keystone/+bug/1516469)]
  Endpoints filtered by endpoint_group project association will be
  included in the service catalog when a project scoped token is
  issued and "endpoint_filter.sql" is used for the catalog driver.

* Support has now been added to send notification events on
  user/group membership. When a user is added or removed from a group
  a notification will be sent including the identifiers of both the
  user and the group.

* [bug 1527759 (https://bugs.launchpad.net/keystone/+bug/1527759)]
  Reverted the change that eliminates the ability to get a V2 token
  with a user or project that is not in the default domain. This
  change broke real-world deployments that utilized the ability to
  authenticate via V2 API with a user not in the default domain or
  with a project not in the default domain. Deployers are encouraged
  to update their code to properly handle V3 auth, but the fix broke
  expected and tested behavior.

* [bug 1480270 (https://bugs.launchpad.net/keystone/+bug/1480270)]
  Endpoints created when using v3 of the keystone REST API will now be
  included when listing endpoints via the v2.0 API.


Other Notes
***********

* The list_project_ids_for_user(), list_domain_ids_for_user(),
  list_user_ids_for_project(), list_project_ids_for_groups(),
  list_domain_ids_for_groups(), list_role_ids_for_groups_on_project()
  and list_role_ids_for_groups_on_domain() methods have been removed
  from the V9 version of the Assignment driver.

* [blueprint move-extensions
  (https://blueprints.launchpad.net/keystone/+spec/move-extensions)]
  If any extension migrations are run, for example: "keystone-manage
  db_sync --extension endpoint_policy" an error will be returned. This
  is working as designed. To run these migrations simply run:
  "keystone-manage db_sync". The complete list of affected extensions
  are: "oauth1", "federation", "endpoint_filter", "endpoint_policy",
  and "revoke".

* [bug 1367113 (https://bugs.launchpad.net/keystone/+bug/1367113)]
  The "get entity" and "list entities" functionality for the KVS
  catalog backend has been reimplemented to use the data from the
  catalog template. Previously this would only act on temporary data
  that was created at runtime. The create, update and delete entity
  functionality now raises an exception.

* "keystone-manage db_sync" will no longer create the Default
  domain. This domain is used as the domain for any users created
  using the legacy v2.0 API. A default domain is created by
  "keystone-manage bootstrap" and when a user or project is created
  using the legacy v2.0 API.

* The ability to validate a trust-scoped token against the v2.0 API
  has been removed, in favor of using the version 3 of the API.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  Removed "extras" from token responses. These fields should
  not be necessary and a well-defined API makes this field redundant.
  This was deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  Removed "RequestBodySizeLimiter" from keystone middleware.
  The keystone team suggests using
  "oslo_middleware.sizelimit.RequestBodySizeLimiter" instead. This was
  deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  Notifications with event_type
  "identity.created.role_assignment" and
  "identity.deleted.role_assignment" have been removed. The keystone
  team suggests listening for "identity.role_assignment.created" and
  "identity.role_assignment.deleted" instead. This was deprecated in
  the Kilo release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  Removed "check_role_for_trust" from the trust controller,
  ensure policy files do not refer to this target. This was deprecated
  in the Kilo release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  Removed Catalog KVS backend
  ("keystone.catalog.backends.sql.Catalog"). This was deprecated in
  the Icehouse release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  The LDAP backend for Assignment has been removed. This was
  deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  The LDAP backend for Resource has been removed. This was
  deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  The LDAP backend for Role has been removed. This was
  deprecated in the Kilo release.

* [blueprint removed-as-of-mitaka
  (https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka)]
  Removed Revoke KVS backend
  ("keystone.revoke.backends.kvs.Revoke"). This was deprecated in the
  Juno release.

Changes in keystone 9.0.0.0rc2..9.0.0
-------------------------------------

3e5fca0 Update federated user display name with shadow_users_api

Diffstat (except docs and test files)
-------------------------------------

keystone/identity/core.py               |  4 ++--
2 files changed, 30 insertions(+), 2 deletions(-)