[release-announce] keystone 15.0.0 (stein)
no-reply at openstack.org
Wed Apr 10 12:38:45 UTC 2019
We are delighted to announce the release of:
keystone 15.0.0: OpenStack Identity
This release is part of the stein release series.
The source is available from:
https://git.openstack.org/cgit/openstack/keystone
Download the package from:
https://tarballs.openstack.org/keystone/
Please report issues through:
https://bugs.launchpad.net/keystone/+bugs
For more details, please see below.
15.0.0
^^^^^^
Prelude
*******
This release leverages oslo.policy's policy-in-code feature to modify
the default check strings and scope types for nearly all of keystone's
API policies. These changes make the policies more precise than they
were before, using the reader, member, and admin roles where
previously only the admin role and a catch-all rule were available. The
changes also take advantage of system, domain, and project scope,
allowing you to create role assignments for your users that are
appropriate to the actions they need to perform. Eventually this will
allow you to set "[oslo_policy]/enforce_scope=true" in your keystone
configuration, which simplifies access control management by ensuring
that oslo.policy checks both the role and the scope on API requests.
However, please be aware that not all policies have been converted in
this release and some changes are still under development. During the
transition phase, if you have not overridden a policy, the old default
and the new default will be OR'd together. This means that, for
example, where we have changed the policy rule from
"'rule:admin_required'" to "'role:reader and system_scope:all'", both
policy rules will be in effect. Please check your current policies and
role assignments before upgrading to ensure the policies will not be
too permissive for your deployment. To hide the deprecation warnings
and opt into the less permissive rules, you can override the policy
configuration to use the newer policy rule.
New Features
************
* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
The user API now supports the "admin", "member", and "reader"
default roles across system-scope, domain-scope, and project-scope.
* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
The project API now supports the "admin", "member", and "reader"
default roles across system-scope, domain-scope, and project-scope.
* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
[bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)] The
system assignment API now supports the "admin", "member", and
"reader" default roles across system-scope, domain-scope, and
project-scope. The grant API now supports the "admin", "member", and
"reader" default roles for system-scope.
* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
The role assignment API now supports the "admin", "member", and
"reader" default roles across system-scope, domain-scope, and
project-scope.
Upgrade Notes
*************
* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
The user API uses new default policies that make it more accessible
to end users and administrators in a secure way. Please consider
these new defaults if your deployment overrides user policies.
* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
The project API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides project
policies.
* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
[bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)] The
system assignment and grant APIs use new default policies that make
them more accessible to end users and administrators in a secure way.
Please consider these new defaults if your deployment overrides
system assignment policies.
* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
The role assignment API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new policies if your deployment overrides role
assignment policies.
* [bug 1806762 (https://bugs.launchpad.net/keystone/+bug/1806762)]
The user policies defined in "policy.v3cloudsample.json" have been
removed. These policies are now obsolete after incorporating
system-scope, domain-scope, and project-scope into the user API and
implementing default roles.
* [bug 1804462 (https://bugs.launchpad.net/keystone/+bug/1804462)]
The group policies defined in "policy.v3cloudsample.json" have been
removed. These policies are now obsolete after incorporating
system-scope and domain-scope into the groups API and implementing
default roles.
Deprecation Notes
*****************
* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
The user policies have been deprecated. The "identity:get_user"
policy now uses "(role:reader and system_scope:all) or (role:reader
and token.domain.id:%(target.user.domain_id)s) or
user_id:%(target.user.id)s" instead of "rule:admin_or_owner". The
"identity:list_users" policy now uses "(role:reader and
system_scope:all) or (role:reader and
domain_id:%(target.domain_id)s)" instead of "rule:admin_required".
The "identity:create_user", "identity:update_user", and
"identity:delete_user" policies now use "(role:admin and
system_scope:all) or (role:admin and
token.domain.id:%(target.user.domain_id)s)" instead of
"rule:admin_required". These new defaults automatically include
support for a read-only role and allow for more granular access to
user APIs, making it easier for system and domain administrators to
delegate authorization safely. Please consider these new defaults
if your deployment overrides user policies.
* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
The project policies have been deprecated. The
"identity:get_project" policy now uses "(role:reader and
system_scope:all) or (role:reader and
domain_id:%(target.project.domain_id)s) or
project_id:%(target.project.id)s" instead of "rule:admin_required or
project_id:%(target.project.id)s". The "identity:list_projects"
policy now uses "(role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain_id)s)" instead of
"rule:admin_required". The "identity:list_user_projects" policy now
uses "(role:reader and system_scope:all) or (role:reader and
domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
instead of "rule:admin_or_owner". The "identity:create_project" policy now
uses "(role:admin and system_scope:all) or (role:admin and
domain_id:%(target.project.domain_id)s)" instead of
"rule:admin_required". These new defaults automatically include
support for a read-only role and allow for more granular access to
project APIs, making it easier for system and domain administrators
to delegate authorization safely. Please consider these new
defaults if your deployment overrides the project policies.
* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
[bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)] The
system assignment and grant policies have been deprecated. The
"identity:list_system_grants_for_user",
"identity:check_system_grant_for_user",
"identity:list_system_grants_for_group", and
"identity:check_system_grant_for_group" policies now use
"role:reader and system_scope:all" instead of "rule:admin_required".
The "identity:create_system_grant_for_user",
"identity:revoke_system_grant_for_user",
"identity:create_system_grant_for_group", and
"identity:revoke_system_grant_for_group" policies now use
"role:admin and system_scope:all" instead of "rule:admin_required".
The "identity:check_grant" and "identity:list_grants" policies now
use "role:reader and system_scope:all" instead of
"rule:admin_required". The "identity:create_grant" and
"identity:revoke_grant" policies now use "role:admin and
system_scope:all" instead of "rule:admin_required". These new
defaults automatically include support for a read-only role and
allow for more granular access to the system assignment and grant
APIs, making it easier for administrators to delegate authorization
safely. Please consider these new defaults if your deployment
overrides the system assignment APIs.
* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
The role assignment "identity:list_role_assignments" policy now uses
"(role:reader and system_scope:all) or (role:reader and
domain_id:%(target.domain.id)s)" instead of "rule:admin_required".
This new default automatically includes support for a read-only role
and allows for more granular access to the role assignment API.
Please consider this new default if your deployment overrides the
role assignment policies.
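The transition behaviour described in the Prelude, applied to the "identity:list_users" check strings quoted above, as an added example that is not keystone or oslo.policy code. It uses a simplified stand-in evaluator; the definition of "admin_required", the way the OR'd default is composed, and the token credentials are assumptions constructed for illustration.

```python
import re

# Assumption: keystone's stock definition of the old catch-all rule (not quoted on this page).
RULES = {"admin_required": "role:admin or is_admin:1"}

# Old and new defaults for identity:list_users, as quoted in the deprecation note.
OLD_DEFAULT = "rule:admin_required"
NEW_DEFAULT = ("(role:reader and system_scope:all) or "
               "(role:reader and domain_id:%(target.domain_id)s)")

_TOKEN = re.compile(
    r"\s*(\(|\)|and\b|or\b|[A-Za-z_.]+:%\([\w.]+\)s|[A-Za-z_.]+:[\w.]+)")


def tokenize(check_str):
    """Split a check string into parentheses, and/or, and kind:match checks."""
    text, pos, out = check_str.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot parse check string at: %r" % text[pos:])
        out.append(m.group(1))
        pos = m.end()
    return out


def _check(token, creds, target):
    """Evaluate one kind:match check against token credentials and API target."""
    kind, _, match = token.partition(":")
    if match.startswith("%("):
        # "%(target.domain_id)s" is substituted from the request target.
        match = target.get(match[2:-2])
        if match is None:
            return False
    if kind == "rule":
        return evaluate(RULES[match], creds, target)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return kind in creds and str(creds[kind]) == str(match)


def evaluate(check_str, creds, target):
    """Recursive-descent evaluation; 'and' binds tighter than 'or'."""
    tokens, pos = tokenize(check_str), 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()
            result = result or rhs
        return result

    def parse_and():
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_atom()
            result = result and rhs
        return result

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] in (")", "and", "or"):
            raise ValueError("malformed check string: %r" % check_str)
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return _check(tok, creds, target)
        result = parse_or()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses in: %r" % check_str)
        pos += 1
        return result

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses in: %r" % check_str)
    return result


def transition_default(old, new):
    """Model of the effective default while the deprecated rule is still honoured."""
    return "(%s) or (%s)" % (old, new)


def audit(old, new, personas, target):
    """Personas that pass only because the deprecated default is OR'd in."""
    effective = transition_default(old, new)
    return [name for name, creds in personas.items()
            if evaluate(effective, creds, target)
            and not evaluate(new, creds, target)]


# Constructed token credentials; role lists are already expanded with implied roles.
PERSONAS = {
    "system_reader": {"roles": ["reader"], "system_scope": "all"},
    "domain_reader": {"roles": ["reader"], "domain_id": "d1"},
    "other_domain_reader": {"roles": ["reader"], "domain_id": "d2"},
    "project_admin": {"roles": ["admin", "member", "reader"], "project_id": "p1"},
}
TARGET = {"target.domain_id": "d1"}  # constructed: listing users in domain d1

if __name__ == "__main__":
    print("allowed only via the deprecated default:",
          audit(OLD_DEFAULT, NEW_DEFAULT, PERSONAS, TARGET))
```

Any persona the audit returns keeps its access until the policy is overridden with the newer rule, which is the check the Prelude asks operators to make before upgrading.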
Security Issues
***************
* [bug 1748027 (https://bugs.launchpad.net/keystone/+bug/1748027)]
The user API now uses system-scope, domain-scope, project-scope and
default roles to provide better accessibility to users in a secure
way.
* [bug 1750660 (https://bugs.launchpad.net/keystone/+bug/1750660)]
The project API now uses system-scope, domain-scope, project-scope
and default roles to provide better accessibility to users in a
secure way.
* [bug 1805368 (https://bugs.launchpad.net/keystone/+bug/1805368)]
[bug 1750669 (https://bugs.launchpad.net/keystone/+bug/1750669)] The
system assignment API now uses system-scope, domain-scope,
project-scope, and default roles to provide better accessibility to
users in a secure way. The grant API now uses system-scope and default
roles to provide better accessibility to operators.
* [bug 1750673 (https://bugs.launchpad.net/keystone/+bug/1750673)]
The role assignment API now uses system-scope, domain-scope,
project-scope, and default roles to provide better accessibility to
users in a secure way.
Bug Fixes
*********
* [bug 1801873 (https://bugs.launchpad.net/keystone/+bug/1801873)]
This fixes an issue where an LDAP-backed domain could not be deleted
due to the existence of shadow users in the SQL database.
* [bug 1806762 (https://bugs.launchpad.net/keystone/+bug/1806762)]
The user policies in the "policy.v3cloudsample.json" policy file have
been removed in favor of better defaults in code. These policies
weren't tested exhaustively and were misleading to users and
operators.
* [bug 1804462 (https://bugs.launchpad.net/keystone/+bug/1804462)]
The group policies in the "policy.v3cloudsample.json" policy file have
been removed in favor of better defaults in code. These policies
weren't tested exhaustively and were misleading to users and
operators.
* [bug 1817313 (https://bugs.launchpad.net/keystone/+bug/1817313)]
Raise METHOD NOT ALLOWED for OS-Federation protocols creation if the
protocol_id is not in the URL. The corrective action was to split
the LIST from CRUD resources so that the routing regexes can work as
expected.
* [bug 1819036 (https://bugs.launchpad.net/keystone/+bug/1819036)]
Middleware that processes requests in front of keystone now caches
tokens per request, eliminating unnecessary round trips to validate
tokens on every request. This change doesn't require the usage of
any configuration options to take effect. The fix for this bug
improved performance ~20% during testing and impacts most of
keystone's API.
Changes in keystone 14.0.0.0rc1..15.0.0
---------------------------------------
c78581b46 DRY: Remove redundant policies from policy.v3cloudsample.json
2c102cad4 Remove redundant policies from v3cloudsample
2c00a6974 Add domain scope support for group policies
b86df692d Delete shadow users when domain is deleted
2727e837d Add release prelude about changing policies
95442b7dd Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD
7f257513f Consolidate user protection tests
933b7509a Make system admin policies consistent for grants
db3b293cd Implement system reader functionality for grants
6c1d53fd8 Replace URL name to the correct one in Keystone Docs
b7a64a931 Remove system assignment policies from policy.v3cloudsample.json
56e481279 Test domain and project users against group system assignment API
02eebfe57 Update group system grant policies for admins
1d8ac830a Update system group assignment policies for reader and member
de083009e Test project users against system assignment API
4ccb4c258 Test domain users against system assignment API
ad108dafe Update system grant policies for system admin
0786fde39 Update system grant policies for system member
fd08266ab Update system grant policies for system reader
570e47dbf Remove assignment policies from policy.v3cloudsample.json
10305cf72 Add role assignment testing for project users
8da74c175 Add explicit testing for project users and the user API
a5fbec6a0 Implement domain admin functionality for user API
3d3fa99a0 Remove project policies from policy.v3cloudsample.json
24c875fe7 Implement domain admin functionality for projects
2696c36f5 Add role assignment test coverage for domain admins
fb944086d Add role assignment test coverage for domain members
c56611ff5 Implement domain reader for role_assignments
86cf26310 Only validate tokens once per request
dd6da4cd4 Implement domain member functionality for user API
69868c6bf Implement domain reader functionality for user API
0f663420b Replace openstack.org git:// URLs with https://
04dc72a90 Implement domain member functionality for projects
6e4d06861 Pin Werkzeug in lower-constraints
d6df1dff3 PY3: Ensure LDAP searches use unicode attributes
05bb9b2db Use ForbiddenAction for invalid action instead of Forbidden
5bd12384f Add schema placeholders for Stein
65165e7e8 Implement domain reader functionality for projects
79be1dc10 Small refactor for create nonlocal user
9d366a528 Mention allow_expired_window in fernet FAQ
fd5da18bf Fix the incorrect release name of project guide
1edb5c3bb trivial: fix broken link in trust API reference
c90384804 Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic
f0c2e798f Remove publish-loci post job
261eeaa19 Add hint for order of keys during distribution
87d6c019b Add service developer documentation for scopes
72bedeba7 Make system members the same as system readers for credentials
a022e2730 Drop py35 jobs
c83fcbc42 Remove service policies from policy.v3cloudsample.json
f475783f1 Switch federation check jobs to opensuse
e8aa678a2 Add driver support for app cred access rules
182524d97 Add SQL migrations for app cred access rules
02540b7de Add a permissive mode for access rules config
e1d31eda3 Add manager for access rules config
f028ca4ed Add JSON driver for access rules config
24b8db9e0 Remove protocol policies from v3cloudsample.json
537c6769e Add tests for project users interacting with services
6d756ad61 Remove role policies from policy.v3cloudsample.json
512f0b4f7 Add tests for project users interacting with roles
31eecfb2a Add tests for domain users interacting with roles
6c6c6049f Remove endpoint policies from policy.v3cloudsample.json
87e50c029 Remove domain policies from policy.v3cloudsample.json
321a8cb03 Add role assignment test coverage for system admin
b35fb58ea Add role assignment test coverage for system members
63c6e6c39 Reorganize role assignment tests for system users
ca835d913 Implement system reader for role_assignments
c0e6d4498 Remove idp policies from policy.v3cloudsample.json
76165b3f5 Add py37 tox env
875ecfb56 Add tests for domain users interacting with services
f377351ac Update service policies for system admin
f2b2ab11d Add shibboleth config to log output
4d2a219a3 Update introduction of external services doc
3111b8b9b Address follow-up comments in contributor guide for specs
c3d46e1c9 [api-ref] add domain level limit support
fdd3b9765 Release note for domain level limit
8667f42be Update project depth check
7e98d297a Add domain level support for strict-two-level-model
df173c7c9 Add domain level limit support - API
347269184 Add domain level limit support - Manager
65f76c172 Remove mapping policies from policy.v3cloudsample.json
e4e258a5d Add tests for project users interacting with mappings
ebad027f2 Deprecate cache_on_issue configuration option
950e7d1f6 Add JWS token provider documentation
32d92f801 Add OpenSUSE support in devstack federation plugin
22c08b546 Add experimental job for OpenSUSE
431e5a81b Fix mock for v2 test
833df8cd1 Add documentation for writing specifications
64e9b03b7 Remove unused sample token fixtures
9168127c7 Fix bindep for SUSE
579909e3f add python 3.7 unit test job
0931f08cd Correcting tests with project_id
4e72b95c6 Add domain_id column for limit
bc531229b [SQLite] Ensure change is addressed for limit table
1b7db4a06 Remove region policies from policy.v3cloudsample.json
bb8ebfd65 Add tests for project users interacting with regions
be83c6d71 Add tests for domain users interacting with regions
f3b69e4b4 Update region policies to use system admin
833b00e57 Add region tests for system member role
f62f73c54 Implement system admin role in groups API
1b261e8be populate request context with X.509 tokenless cred information
49ada37ce Fix wrong example for direct_maps
505fe2047 Fixes incorrect params
96adccd0e Implement JWS token provider
ab5fe081a Seperated CADF notifications tests for request_id
51a68525c Added request_id and global_request_id to basic notifications
96eb890a0 Converting the API tests to use flask's test_client
29fb7ae39 Implement system admin role in users API
4f724f2d9 Implement system member role user test coverage
40d3458fc Implement system reader role for users
4c84739e2 Replace 'tenant_id' with 'project_id'
e61991248 Add PyJWT as a requirement
3f4a8a117 Add test fixture for the JWS key repository
1abe8a2ec Add keystone-manage create_jws_keypair functionality
781aea619 Add configuration options for JWS provider
016861592 Test case for bad type user in assertion
b4e97a9c9 Adjust Indents to meet PEP8 E117
af3aef940 Handle special cases with msgpack and python3
0f52bafef Add experimental job for CentOS
12d566910 Add CentOS support in devstack federation plugin
6bac9930e Remove service provider policies from v3cloudsample.json
6564b4064 Add documentation for Auth Receipts and MFA
a011fb678 bump Keystone version for Stein
2c8f81af6 Allow project users to retrieve domains
def21c699 Fix wrong urls
09ade53c1 Optimize fernet token and receipts in cli.py
eca0829c4 PY3: switch to using unicode text values
f1501b99e Expose receipt_setup and receipt_rotate command
3db38cabc Clean up the create_arguments_apply methods
1d32de5fe Allow domain users to access the GET domain API
d27be745d Update doc for token_setup and token_rotate
f81afc7ce Fix nits
f8834bc9a Fix app_cred schema spell nit
1d4e40252 Update limit policies for system admin
7368e5c67 Do not use self in classmethod
1be7e4b42 Add tests for project users interacting with endpoints
56f9a218e Add tests for domain users interacting with endpoints
cdbdcf85f Update endpoint policies for system admin
7e028774a Add endpoint tests for system member role
dcf8a445e Update endpoint policies for system reader
ef529f290 Add tests for domain users interacting with mappings
e94dff934 Update mapping policies for system admin
57b3eb016 Add mapping tests for system member role
cc256054c Update mapping policies for system reader
774da554e Add tests for project users interacting with idps
caf147ad0 Add tests for domain users interacting with idps
a4c5d8043 Update idp policies for system admin
c347c4ff2 Add idp tests for system member role
27bf50d12 Update idp policies for system reader
fdf8cb1f0 Add region protection tests for system readers
2ca4836a9 Update role policies for system admin
d43736544 Reuse common system role definitions for roles API
532b9625d Add tests for project users interacting with protocols
c7cd4bcd5 Add tests for domain users interacting with protocols
87d93db90 Implement system admin role in protocol API
85b87fa47 Add protocol tests for system member role
a3c3a62a1 Update protocol policies for system reader
4cf85fcd5 Add limit tests for system member role
3fee23999 Add limit protection tests
7af769278 Remove registered limit policies from policy.v3cloudsample.json
bd2b7f3ed Add tests for project users interacting with registered limits
e29ff512b Allow domain users to access the registered limits API
5f1635ce8 Remove duplicated TOC in configuration guide
718d122fe Implement system admin role in project API
6037ac58d Implement system member role project test coverage
b35928d5d Implement system reader role for projects
ec7f8b95b Enhance the openidc guide
dcb9d8d08 Enhance the mellon guide
83c37f4a9 Enhance the shibboleth guide
069392fe9 Consolidate WebSSO guide into SP instructions
708d3f4d5 Add section on configuring protected auth paths
4d7bc6a36 Reorganize guide on configuring a keystone SP
3d6930e17 Clean up keystone-to-keystone section
fc3dcc807 Enhance authn sections in federation guide
bb30a5181 correct the description on domain re-enable
92ac35fe6 Add tests for project users interacting with sps
fba96a26a Add tests for domain users interacting with sps
7ce5e3e24 Update service provider policies for system admin
94b3ba631 Add prerequisites section to keystone-to-keystone
3bcd8968e Invalidate shadow_federated_user cache when deleting protocol
969fa5df6 Remove duplicate RBAC logging from enforcer
bc202f704 Update federation SP prerequisites section
5cc61bb64 Use samltest.id as an example sandbox IdP
9bc2b8875 Fix nits in code blocks in federation guide
40e0f5d97 Bring SP/IdP URLs closer to style guide guidance
131acacca Restructure federation guide
67ecc72a0 Update doc with samltest.id
e2df5e063 Clarify location for HTTPD instructions
16142d83c Use common system role definitions for registered limits
f66070995 Implement system member test coverage for groups
feb0d58df Implement system reader role for groups
e22bafa25 Add service provider tests for system member role
acd5d027e Update service provider policies for system reader
94d02c22e Add service tests for system member role
ae926e671 Update service policies for system reader
ee11306e9 Use renamed template 'integrated-gate-py3'
f4162e368 Add scope checks to common system role definitions
20f11eb88 Remove i18n.enable_lazy() translation
74c1d5aa3 Reorganize admin guide
652a8b39a Consolidate service catalog docs
c571c1180 Add irrelevant-files for grenade-py3 jobs
f4b006130 Delete outdated keystonemiddleware doc
05ff55e25 Remove example usage from admin guide
79165aa46 Split trusts docs between admin and user guide
46b30535c Move identity sources doc to admin guide
78566e828 Remove message about circular role inferences
d46f58fdd Remove Certificates for PKI guide
4a141fea5 Add introduction section to federation docs
ecfe59b1a Fix links to external-authentication
06a50907c Move list limit docs to admin guide
ccb3d340e Rename admin guide pages
151635e22 Consolidate tokenless X.509 docs
4f5e46284 Update registered limit policies for system admin
b3c89e8c3 Consolidate Keystone docs: admin/identity-external-authentication.rst
7fa424f1d Implement system admin role in domains API
d5a57414b Implement system member role domain test coverage
9e8849561 Implement system reader role in domains API
4ffdc6c65 Bump oslo.policy and oslo.context versions
0b29be330 Move supported clients section to user guide
8819bbec6 Use request_body_json function
4e39e2abe Move SSL recommendation to installation guide
c04756e0c Move "Public ID Generators" to relevant docs
fdf7a5b66 Consolidate Keystone docs: federated-identity.rst
dd9d06c63 Add role tests for system member role
fed5f52c8 Consolidate catalog management guide
567f305b4 Update role policies for system reader
6469f5c31 Change openstack-dev to openstack-discuss
8658011e4 Add registered limit tests for system member role
216a4d5fc Add registered limit protection tests
c3ee5e9ca Keep federation jobs running on Xenial
bc2f0d03b Clarify docstrings for domain flask refactor
cb5a1fe03 Move test utility to common location
e5d1eba02 Add missing translation import to common.auth.py
dec8c717c Move to password validation schema
5d1a97394 Don't emit a notification for the root domain
0dc5c4eda Pass context objects to policy enforcement
ed6366813 Consolidate identity-domain-specific-config.rst
dc3b8edaa Consolidate auth-totp.rst
3daeeb4f2 Consolidate event_notifications.rst
f1ad6654d Consolidate endpoint-policy.rst
53f0b62e8 Consolidate service-catalog.rst
58f7827ce Update contributor doc
090886902 Use pycodestyle in place of pep8
325d9eea3 Update api-ref to include user options
7f8c1a306 Document user options
a383867cd Add scope documentation for service developers
2fe483f27 Remove deprecated secure_proxy_ssl_header config
97279e342 Refactor flask domain config resources
b71bb438b Add missing ws seperator between words
e765a98dd Add the missing packages when install keystone
b4f0d0324 add request_id and global_request_id to cadf notifications
666f33a55 changed port in tools/sample_data.sh
5d6f3e7cc Move irrelevant-files to project definition
512687c25 Add tempest-full-py3 job to zuul file
dfe76c811 Remove the repetition words in identity-fernet-token-faq.rst
fe5ee0a36 Removing default_assigment_driver
bc6b2f1b0 Bump sqlalchemy minimum version to 1.1.0
69025b507 Drop the compatibility password column
4e9f22387 Remove "crypt_strength" option
8d0ad2c93 Correct HTTP OPTIONS method
d5eda9930 Update api-ref for set registered limits.
df982016d Remove deprecated "bind" in token
5e26466b2 Update more info of vhost file
664914477 Refactor directory creation into a common place
ef331f46b Region update extra support
870428e1b Change __all__ list to tuple
e37c54c79 Remove redundant variables from context class
0abde0c35 Refresh admin doc
84dc0a290 Fixing nits
25e0e1474 Add abstract method in trusts base.py
e4fe2659c Switch devstack plugin to samltest.id
fb67da801 Clean up python3.5 usage in tox.ini
605da1015 Add py36 tox environment
604e9dff0 Remove unused lower constraints
0884b727e Replace usage of get_legacy_facade() with get_engine()
2a0d99094 Fix uwsgi --http flag
7fa62c823 Fix an issue with double fernet key rotation
9c38bb5bd Delete PKI middleware debugging section
9420fcca4 Fix developer config dir flask aftermath
733b37f24 Documentation fix - Port number
a14837736 Use port 5000, keystone-wsgi-public and --http-socket
028abcb59 Changed the port numbers
d9e6c1d4d Implement auth receipts spec
57c6f274a changed port in argument '--bootstrap-admin-url'
ee490d822 Unregister "Exception" from flask handler
f6ca78661 Add release note for unified limit APIs changing
62e2d9143 Deprecate eventlet related configuration
a214482da Remove compatability shim
7eec2c5de Remove check for disabled v3
7c129f1c7 Remove obsolete credential policies
427cab679 Delete "Preparing your environment" section
239bed09a Implement scope_type checking for credentials
9aea3c61f Fix spelling 'unnecessary'
9f4f0656d Remove custom auth middleware documentation
77d59635d Delete the external auth admin guide
49a34948d Remove useless use of :orphan:
8cc91845f Change port and version on v3 endpoints example
50e3fe5c9 Provide a Location on HTTP 300
230ae86a6 Set Default and resource limit as defined schema
a02a47a65 Emit CADF notifications on authentication for invalid users
914885fef Delete administrator federation guide
74446ab0a Update keystone-manage bootstrap port instructions
46b12eb29 Fix api-ref v3.9 release identifier
790f9685d Update third endpoint legacy port for Keystone v3 API
4385eb239 Remove unused logging module
e5def7c3a Remove useless "clean" file
6fc7eb7fd Trivial: Remove repeated if conditions
4f84fafbe Updating doc of unified limit
7e42d333c Adding 'date' for trust_flush
d465a58f0 Add caching on trust role validation to improve performance
8e9de8a51 Allow registered limit's region_id to be None
c3f590bc1 Add a test for idp and federated user cascade deleting
33295032d Fix example for getting system scoped token
708dbceef Remaining cases of MappingEngineTester
2e85dc47c Set min and max length for resource_name
6369796eb Implement scaffolding for upgrade checks
fc787bb4b Fixing update unified limit api-ref
48dcdb5ad Remove deprecated token_flush
906a1d3f6 Invalidate app cred AFTER deletion
0bac1d7e8 Update API version to 3.11
8df640096 Added test case update registered limit with region
708b775d4 Remove incorrect copyright notice.
ea6755a82 Remove paste-ini
184c84ae7 Remove pre-flask legacy code
5c70aef2d Make collection_key and member_key raise if unset
9c463ab40 Increment versioning with pbr instruction
1edcb35a4 Loosen the assertion for logging scope type warnings
9051d403a Expand implied roles in system-scoped tokens
6d7cfdb4b Add test case for expanding implied roles in system tokens
8543dbbc2 Move loadapp to a generic place
a394558dc Make policy file support in fixture optional
3c05956e6 Use tempest-pg-full
ce93950f4 Cleanup test_wsgi
8a6f17593 Flask comment/docstring cleanup
595967bba Move AuthContextMiddleware
848c8fa63 Convert Normalizing filter to flask native Middleware
18d597f8e Internally defined middleware don't use stevedore
1c05f5f88 Make Request Logging a little better
9b052e4c0 Register exceptions with a Flask Error Handler
e666839bc Cleanup keystone.server.flask.application
ee9b035cf Replace JSON Body middleware with flask-native func
35c9bb7ef Convert S3 and EC2 auth to flask native dispatching
0ab08e75b Remove skip for test_locked_out_user_sends_notification
46380baeb Convert projects API to Flask
86f968163 Convert /v3/users to flask native dispatching
ca2e817a5 add unit tests for healthcheck
4bd30c78f Replace openSUSE experimental check with newer version
54b6227c1 Auth flask conversion cleanup
d97832e8e Convert auth to flask native dispatching
f26efd719 Update notification tests to work with o-m 9.0.0
f4b6ae424 Don't mock internal implementation details of oslo
f39c28e44 Update log translation hacking check
104956c65 Don't quote {posargs} in tox.ini
012dac29b Enable foreign keys for unit test
3d43b0250 Update doc string for transform_to_group_ids
659ab0a84 Follow Zuul job rename
7c2a77d3c Add release names to api-ref
84e1b9ac1 Avoid using dict.get() in assertions
39a1f71c5 Clarify group-mapping example in docs
6aba78a7a Purge soft-deleted trusts
816b472a9 LDAP attribute names non-case-sensitive
fbd46e3ce Organize project tag api-ref by route
8697da7da Add build_target arguement to enforcer
1efecc92c Properly replace flask view args in links
94e6b2841 Adding test case for MappingEngineTester
a8e26936a Fix command to verify role removal in docs
826f037eb Add python3 functional test job
1a5bbb567 Convert legacy functional jobs to Zuul-v3-native
3c6a124fa Update auto-provisioning example to use reader
46a28313f Enable Foreign keys for sql backend unit test
4c09affde Add releasenote for bug fix 1789450
d6d3bf911 Comment out un-runnable tests
ee46f7353 Mapped Groups don't exist breaks WebSSO
d027dd2ba Add hint back
8232dabcf Implement Trust Flush via keystone-manage.
c96c7fd03 Properly normalize domain ids in flask
ca5e38e8c Use templates for cover and lower-constraints
3c493437b Make OSA rolling upgrade test experimental
cbda685ea Rename v3-only functional zuul job
4b2c45669 Remove unused revoke_by_user_and_project
8696865b1 Address issues with flask conversion of os-federation
296f20f0a Convert domains api to flask
114cdeb7e Move use of constraints out of install_cmd
4975b79e8 Ensure view args is in policy dict
aebb568ef Rename py35 v3 only check
8c397fa72 Convert OS-INHERIT API to flask native dispatching
f62d98a08 Fix a translation of log
2a04d78db Convert groups API to flask native dispatching
22f5f7303 Fix RBACEnforcer get_member_from_driver mechanism
0a641462c Refactor ProviderAPIs object to better design pattern
94f8f103a Convert OS-FEDERATION to flask native dispatching
ac2b2160d Update the documentation bug tag
08390d4be api-ref: Remove broken link
430d7f765 Added support for a ``description`` attribute for Identity Roles
e41065849 Update the minimimum required version of oslo.log
67435147e Incorrect use of translation _()
0df5bb0d0 Update RDO install guide for v3
c838d93c3 Remove member_role_id/name
87a39635e Convert policy API to flask
f98080c9d Fix db model inconsistency for FederatedUser
f62a36e5d add python 3.6 unit test job
c1a03c7d4 switch documentation job to new PTI
160871090 import zuul job settings from project-config
8d72644c1 Use items() instead of iteritems()
c41dc6f03 Add details and clarify examples on casing
3003c1a6c Address nits
88cd89683 Re-Add scope.system to filters
4d3cdd5d2 Add placeholder migrations for Rocky
34609d557 Change unique_last_password_count default to 0
25a5d48d1 Trivial: Remove app_conf kwarg from testing setup
d3d618f69 Trivial: Add missing space in exception
41f23eed5 Move json_home "extension" rel functions
180f2ce5e Convert system (role) api to flask native dispatching
81fd50935 Do not log token string
665d5beda Convert role_assignments API to flask native dispatching
e1381fe3f Add safety to the inferred target extraction during enforcement
22c22f200 Use osc in k2k example
ec3fbf34e Fix a bug that issue token with project-scope gets error
0f5300ddb Convert role_inferences API to flask native dispatching
cfc5a730b Convert Roles API to flask native dispatching
56d9c30f8 Convert endpoints api to flask native dispatching
18c6e838b Convert services api to flask native dispatching
84c074f28 Convert regions API to flask native dispatching
ac210ce2a Remove unused util function
a0e059c20 Redundant parameters in api-ref:domain-config
4ec63548c Add callback action back in
fd8b5f320 Set initiator id as user_id for auth events
959052f97 Update reno for stable/rocky
1ff80e22e More accurate explanation in api-ref:application credentials
fe4956b19 Imported Translations from Zanata
72b59b0cc Allow wrap_member and wrap_collection to specify target
13897ef69 Pass path into full_url and base_url
44da48f01 Remove redundant get_project call
637990bf7 Convert OS-SIMPLE-CERT to flask dispatching
8eaf0854f Migrate OS-EP-FILTER to flask native dispatching
5b25f50c3 Update api-ref for unified limits
3831fe785 Expose a bug that issue token with project-scope gets error
91b400909 Unified code style nullable description parameter
db5d2bcf1 Remove get_catalog from manage layer
c69d3408c Update response codes for authentication API reference
32a4f410b Docs: Remove the TokenAuth middleware
Diffstat (except docs and test files)
-------------------------------------
.zuul.yaml | 241 ++--
api-ref/source/index.rst | 6 -
api-ref/source/v3-ext/trust.inc | 5 +-
api-ref/source/v3/application-credentials.inc | 4 +-
api-ref/source/v3/authenticate-v3.inc | 221 ++-
api-ref/source/v3/domains-config-v3.inc | 7 +-
api-ref/source/v3/index.rst | 83 +-
api-ref/source/v3/parameters.yaml | 187 ++-
api-ref/source/v3/project-tags.inc | 95 +-
api-ref/source/v3/projects.inc | 1 +
api-ref/source/v3/roles.inc | 6 +
.../admin/domain-specific-role-create-request.json | 1 +
.../admin/get-service-catalog-response.json | 2 +-
.../v3/samples/admin/limit-show-response.json | 3 +-
.../v3/samples/admin/limits-create-request.json | 2 +-
.../v3/samples/admin/limits-create-response.json | 6 +-
.../v3/samples/admin/limits-list-response.json | 4 +-
.../v3/samples/admin/limits-update-response.json | 1 +
.../admin/registered-limits-create-response.json | 2 +-
.../admin/registered-limits-list-response.json | 2 +-
.../v3/samples/admin/role-create-request.json | 1 +
.../v3/samples/admin/role-create-response.json | 1 +
.../v3/samples/admin/role-inferences-response.json | 6 +
.../v3/samples/admin/role-show-response.json | 1 +
.../v3/samples/admin/role-update-request.json | 1 +
.../v3/samples/admin/role-update-response.json | 1 +
.../v3/samples/admin/roles-list-response.json | 5 +
.../v3/samples/admin/user-create-request.json | 5 +-
.../v3/samples/admin/user-create-response.json | 3 +
.../v3/samples/admin/user-update-request.json | 5 +-
.../v3/samples/admin/user-update-response.json | 3 +
.../v3/samples/auth/requests/project-id-totp.json | 20 +
.../auth/responses/auth-receipt-password.json | 20 +
.../responses/project-scoped-password-totp.json | 67 +
api-ref/source/v3/status.yaml | 8 +
api-ref/source/v3/unified_limits.inc | 22 +-
api-ref/source/v3/users.inc | 4 +
bindep.txt | 10 +-
devstack/files/federation/attribute-map.xml | 3 +
devstack/lib/federation.sh | 63 +-
.../{advanced-topics => admin}/auth-totp.rst | 2 +
.../{identity-bootstrap.rst => bootstrap.rst} | 6 +-
...dentity-caching-layer.rst => caching-layer.rst} | 4 +-
...y-case-insensitive.rst => case-insensitive.rst} | 37 +-
.../admin/cli-manage-projects-users-and-roles.rst | 32 +-
.../configure_tokenless_x509.rst | 0
...al-encryption.rst => credential-encryption.rst} | 0
.../event_notifications.rst | 2 +-
.../external-authentication.rst} | 86 --
.../admin/federation/configure_federation.rst | 763 +++++++++++
.../federation/mapping_combinations.rst | 950 +++++++------
...y-fernet-token-faq.rst => fernet-token-faq.rst} | 20 +-
.../admin/identity-auth-token-middleware.rst | 74 -
.../admin/identity-domain-specific-config.rst | 69 -
.../admin/identity-external-authentication.rst | 41 -
.../admin/identity-keystone-usage-and-features.rst | 50 -
...grate-with-ldap.rst => integrate-with-ldap.rst} | 19 +-
...one-manage-services.rst => manage-services.rst} | 167 ++-
.../{identity-performance.rst => performance.rst} | 22 +-
...rity-compliance.rst => security-compliance.rst} | 65 +-
...i-protection.rst => service-api-protection.rst} | 0
.../{identity-tokens.rst => tokens-overview.rst} | 38 +-
...ntity-unified-limits.rst => unified-limits.rst} | 8 +-
.../{identity-upgrading.rst => upgrading.rst} | 0
...ity-url-safe-naming.rst => url-safe-naming.rst} | 1 -
.../federation/configure_federation.rst | 563 --------
.../federation/federated_identity.rst | 12 -
.../advanced-topics/federation/shibboleth.rst | 295 ----
.../identity-use-trusts.rst => user/trusts.rst} | 29 +-
etc/keystone-paste.ini | 94 --
etc/policy.v3cloudsample.json | 173 +--
.../__init__.py | 5 +-
.../backends}/__init__.py | 0
.../backends/base.py} | 25 +-
keystone/access_rules_config/backends/json.py | 162 +++
keystone/access_rules_config/core.py | 80 ++
keystone/api/__init__.py | 80 +-
keystone/api/_shared/EC2_S3_Resource.py | 125 ++
keystone/api/_shared/__init__.py | 9 +
keystone/api/_shared/authentication.py | 252 ++++
keystone/api/_shared/implied_roles.py | 50 +
keystone/api/_shared/json_home_relations.py | 87 ++
keystone/api/_shared/saml.py | 54 +
keystone/api/auth.py | 545 ++++++++
keystone/api/credentials.py | 65 +-
keystone/api/discovery.py | 78 +-
keystone/api/domains.py | 520 +++++++
keystone/api/ec2tokens.py | 91 ++
keystone/api/endpoints.py | 144 ++
keystone/api/groups.py | 248 ++++
keystone/api/limits.py | 20 +-
keystone/api/os_ep_filter.py | 298 ++++
keystone/api/os_federation.py | 530 ++++++++
keystone/api/os_inherit.py | 426 ++++++
keystone/api/os_oauth1.py | 17 +-
keystone/api/os_revoke.py | 10 +-
keystone/api/os_simple_cert.py | 74 +
keystone/api/policy.py | 276 ++++
keystone/api/projects.py | 559 ++++++++
keystone/api/regions.py | 103 ++
keystone/api/registered_limits.py | 2 +-
keystone/api/role_assignments.py | 377 ++++++
keystone/api/role_inferences.py | 70 +
keystone/api/roles.py | 297 ++++
keystone/api/s3tokens.py | 123 ++
keystone/api/services.py | 79 ++
keystone/api/system.py | 189 +++
keystone/api/trusts.py | 35 +-
keystone/api/users.py | 768 +++++++++++
keystone/application_credential/__init__.py | 1 -
keystone/application_credential/backends/sql.py | 52 +-
keystone/application_credential/controllers.py | 153 ---
keystone/application_credential/core.py | 7 +-
keystone/application_credential/routers.py | 55 -
keystone/application_credential/schema.py | 2 +-
keystone/assignment/__init__.py | 1 -
keystone/assignment/backends/base.py | 8 +-
keystone/assignment/backends/sql.py | 12 +-
keystone/assignment/controllers.py | 914 -------------
keystone/assignment/core.py | 67 +-
keystone/assignment/role_backends/sql.py | 4 +-
keystone/assignment/routers.py | 301 -----
keystone/assignment/schema.py | 3 +-
keystone/auth/__init__.py | 2 -
keystone/auth/controllers.py | 453 -------
keystone/auth/core.py | 33 +-
keystone/auth/plugins/application_credential.py | 3 +-
keystone/auth/plugins/base.py | 4 +-
keystone/auth/plugins/core.py | 31 +
keystone/auth/plugins/external.py | 34 +-
keystone/auth/plugins/mapped.py | 31 +-
keystone/auth/plugins/oauth1.py | 14 +-
keystone/auth/plugins/password.py | 3 +-
keystone/auth/plugins/token.py | 14 +-
keystone/auth/plugins/totp.py | 2 +-
keystone/auth/routers.py | 65 -
keystone/catalog/__init__.py | 1 -
keystone/catalog/backends/sql.py | 1 +
keystone/catalog/controllers.py | 459 -------
keystone/catalog/core.py | 25 +-
keystone/catalog/routers.py | 184 ---
keystone/catalog/schema.py | 4 +-
keystone/cmd/bootstrap.py | 2 +-
keystone/cmd/cli.py | 256 +++-
keystone/cmd/status.py | 33 +
keystone/common/authorization.py | 153 +--
keystone/common/clean.py | 87 --
keystone/common/context.py | 40 +-
keystone/common/controller.py | 621 ---------
keystone/common/dependency.py | 59 -
keystone/common/extension.py | 44 -
keystone/common/fernet_utils.py | 28 +-
keystone/common/json_home.py | 2 +
keystone/common/jwt_utils.py | 43 +
keystone/common/policies/base.py | 16 +
keystone/common/policies/credential.py | 99 +-
keystone/common/policies/domain.py | 75 +-
keystone/common/policies/endpoint.py | 61 +-
keystone/common/policies/grant.py | 137 +-
keystone/common/policies/group.py | 175 ++-
keystone/common/policies/identity_provider.py | 65 +-
keystone/common/policies/limit.py | 18 +-
keystone/common/policies/mapping.py | 65 +-
keystone/common/policies/project.py | 161 ++-
keystone/common/policies/protocol.py | 65 +-
keystone/common/policies/region.py | 48 +-
keystone/common/policies/registered_limit.py | 16 +-
keystone/common/policies/role.py | 65 +-
keystone/common/policies/role_assignment.py | 36 +-
keystone/common/policies/service.py | 65 +-
keystone/common/policies/service_provider.py | 65 +-
keystone/common/policies/user.py | 117 +-
keystone/common/provider_api.py | 141 +-
keystone/common/rbac_enforcer/enforcer.py | 96 +-
keystone/common/render_token.py | 145 ++
keystone/common/request.py | 137 --
keystone/common/router.py | 85 --
.../sql/contract_repo/versions/049_placeholder.py | 18 +
.../sql/contract_repo/versions/050_placeholder.py | 18 +
.../sql/contract_repo/versions/051_placeholder.py | 18 +
.../sql/contract_repo/versions/052_placeholder.py | 18 +
..._contract_add_role_description_to_role_table.py | 15 +
.../054_contract_drop_old_passoword_column.py | 21 +
.../versions/055_contract_add_domain_to_limit.py | 21 +
...act_add_application_credential_access_rules.py} | 6 +-
.../sql/contract_repo/versions/057_placeholder.py | 18 +
.../sql/contract_repo/versions/058_placeholder.py | 18 +
.../sql/contract_repo/versions/059_placeholder.py | 18 +
.../sql/contract_repo/versions/060_placeholder.py | 18 +
.../sql/contract_repo/versions/061_placeholder.py | 18 +
keystone/common/sql/core.py | 2 +-
.../versions/049_placeholder.py | 18 +
.../versions/050_placeholder.py | 18 +
.../versions/051_placeholder.py | 18 +
.../versions/052_placeholder.py | 18 +
...3_migrate_add_role_description_to_role_table.py | 15 +
.../054_migrate_drop_old_passoword_column.py | 15 +
.../versions/055_migrate_add_domain_to_limit.py | 15 +
...rate_add_application_credential_access_rules.py | 17 +
.../versions/057_placeholder.py | 18 +
.../versions/058_placeholder.py | 18 +
.../versions/059_placeholder.py | 18 +
.../versions/060_placeholder.py | 18 +
.../versions/061_placeholder.py | 18 +
...and_add_registered_limit_id_column_for_limit.py | 14 +
.../sql/expand_repo/versions/049_placeholder.py | 18 +
.../sql/expand_repo/versions/050_placeholder.py | 18 +
.../sql/expand_repo/versions/051_placeholder.py | 18 +
.../sql/expand_repo/versions/052_placeholder.py | 18 +
...53_expand_add_role_description_to_role_table.py | 23 +
.../054_expand_drop_old_passoword_column.py | 15 +
.../versions/055_expand_add_domain_to_limit.py | 34 +
...pand_add_application_credential_access_rules.py | 44 +
.../sql/expand_repo/versions/057_placeholder.py | 18 +
.../sql/expand_repo/versions/058_placeholder.py | 18 +
.../sql/expand_repo/versions/059_placeholder.py | 18 +
.../sql/expand_repo/versions/060_placeholder.py | 18 +
.../sql/expand_repo/versions/061_placeholder.py | 18 +
keystone/common/tokenless_auth.py | 2 +-
keystone/common/utils.py | 55 +-
keystone/common/wsgi.py | 703 ----------
keystone/conf/__init__.py | 32 +-
keystone/conf/access_rules_config.py | 78 ++
keystone/conf/default.py | 85 --
keystone/conf/fernet_receipts.py | 71 +
keystone/conf/jwt_tokens.py | 58 +
keystone/conf/opts.py | 11 -
keystone/conf/receipt.py | 86 ++
keystone/conf/security_compliance.py | 8 +-
keystone/conf/token.py | 40 +-
keystone/contrib/ec2/controllers.py | 334 -----
keystone/contrib/ec2/core.py | 34 -
keystone/contrib/ec2/routers.py | 60 -
keystone/contrib/s3/core.py | 119 --
keystone/credential/providers/fernet/core.py | 13 +-
keystone/endpoint_policy/controllers.py | 173 ---
keystone/endpoint_policy/routers.py | 87 --
keystone/exception.py | 45 +-
keystone/federation/controllers.py | 549 --------
keystone/federation/core.py | 15 +
keystone/federation/idp.py | 22 +-
keystone/federation/routers.py | 267 ----
keystone/federation/utils.py | 42 +-
keystone/identity/__init__.py | 1 -
keystone/identity/backends/base.py | 5 -
keystone/identity/backends/ldap/common.py | 149 +-
keystone/identity/backends/ldap/core.py | 6 +-
keystone/identity/backends/sql.py | 10 +-
keystone/identity/backends/sql_model.py | 31 +-
keystone/identity/controllers.py | 205 ---
keystone/identity/core.py | 51 +-
keystone/identity/routers.py | 76 --
keystone/identity/schema.py | 31 +-
keystone/identity/shadow_backends/sql.py | 18 +-
keystone/limit/backends/base.py | 2 -
keystone/limit/backends/sql.py | 31 +-
keystone/limit/core.py | 13 +-
keystone/limit/models/strict_two_level.py | 99 +-
keystone/limit/schema.py | 56 +-
keystone/locale/de/LC_MESSAGES/keystone.po | 23 +-
keystone/locale/en_GB/LC_MESSAGES/keystone.po | 73 +-
keystone/locale/es/LC_MESSAGES/keystone.po | 25 +-
keystone/locale/fr/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/it/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/ja/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/ko_KR/LC_MESSAGES/keystone.po | 21 +-
keystone/locale/pt_BR/LC_MESSAGES/keystone.po | 21 +-
keystone/locale/ru/LC_MESSAGES/keystone.po | 22 +-
keystone/locale/tr_TR/LC_MESSAGES/keystone.po | 17 +-
keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 20 +-
keystone/locale/zh_TW/LC_MESSAGES/keystone.po | 20 +-
keystone/middleware/core.py | 87 --
keystone/models/receipt_model.py | 150 +++
keystone/models/token_model.py | 87 +-
keystone/notifications.py | 78 +-
keystone/oauth1/controllers.py | 143 --
keystone/oauth1/core.py | 15 +-
keystone/oauth1/routers.py | 101 --
keystone/policy/__init__.py | 1 -
keystone/policy/controllers.py | 79 --
keystone/{contrib/ec2 => receipt}/__init__.py | 12 +-
keystone/receipt/handlers.py | 74 +
keystone/receipt/provider.py | 176 +++
keystone/receipt/providers/__init__.py | 0
keystone/receipt/providers/base.py | 54 +
keystone/receipt/providers/fernet/__init__.py | 20 +
keystone/receipt/providers/fernet/core.py | 66 +
keystone/receipt/receipt_formatters.py | 303 +++++
keystone/resource/__init__.py | 1 -
keystone/resource/backends/sql.py | 72 +-
keystone/resource/controllers.py | 338 -----
keystone/resource/core.py | 25 +-
keystone/resource/routers.py | 133 --
keystone/revoke/core.py | 4 -
keystone/server/backends.py | 9 +-
keystone/server/flask/__init__.py | 3 +-
keystone/server/flask/application.py | 270 ++--
keystone/server/flask/common.py | 375 ++++--
keystone/server/flask/core.py | 37 +-
.../server/flask/request_processing/__init__.py | 0
.../server/flask/request_processing/json_body.py | 69 +
.../request_processing/middleware/__init__.py | 0
.../request_processing/middleware/auth_context.py} | 255 +++-
.../request_processing/middleware/url_normalize.py | 38 +
.../server/flask/request_processing/req_logging.py | 29 +
.../unit/access_rules_config/backends/__init__.py | 0
.../unit/access_rules_config/backends/test_json.py | 84 ++
.../unit/access_rules_config/test_backends.py | 69 +
.../application_credential/backends/test_sql.py | 12 +
.../unit/application_credential/test_backends.py | 48 +-
.../unit/identity/backends/test_ldap_common.py | 9 +-
.../unit/identity/shadow_users/test_backend.py | 16 +-
.../unit/protection/v3/test_identity_providers.py | 390 ++++++
.../unit/protection/v3/test_registered_limits.py | 422 ++++++
.../unit/protection/v3/test_service_providers.py | 421 ++++++
.../unit/protection/v3/test_system_assignments.py | 640 +++++++++
.../unit/receipt/test_receipt_serialization.py | 61 +
keystone/token/_simple_cert.py | 74 -
keystone/token/provider.py | 4 +-
keystone/token/providers/fernet/core.py | 25 +
.../routers.py => token/providers/jws/__init__.py} | 5 +-
keystone/token/providers/jws/core.py | 196 +++
keystone/token/token_formatters.py | 115 +-
keystone/trust/backends/base.py | 16 +
keystone/trust/backends/sql.py | 22 +
keystone/version.py | 2 +-
lower-constraints.txt | 99 +-
.../keystone-dsvm-functional-v3-only/post.yaml | 15 -
.../keystone-dsvm-functional-v3-only/run.yaml | 60 -
.../legacy/keystone-dsvm-functional/post.yaml | 15 -
playbooks/legacy/keystone-dsvm-functional/run.yaml | 57 -
.../keystone-dsvm-grenade-multinode/run.yaml | 4 +-
.../post.yaml | 15 -
.../keystone-dsvm-py35-functional-v3-only/run.yaml | 68 -
.../add-description-to-role-88ab5bb8a96cc002.yaml | 6 +
.../notes/bp-json-web-tokens-37ce3bcd1356cf1b.yaml | 8 +
.../bp-mfa-auth-receipt-8b459431c1f360ce.yaml | 18 +
.../notes/bp-upgrade-checks-0dc692a392a96879.yaml | 9 +
.../notes/bug-1473292-c21481e6aec29ec2.yaml | 25 +
.../notes/bug-1729933-4a09201e9dface2a.yaml | 10 +
.../notes/bug-1735250-b60332a7f288cf94.yaml | 8 +
.../notes/bug-1744195-a7154ac2e8556efc.yaml | 7 +
.../notes/bug-1748027-decc2e11154b97cf.yaml | 39 +
.../notes/bug-1750660-e2a360ddd6790fc4.yaml | 39 +
.../notes/bug-1750669-dfce859550126f03.yaml | 52 +
.../notes/bug-1750673-b53f74944d767ae9.yaml | 30 +
.../notes/bug-1753585-7e11213743754999.yaml | 6 +
.../notes/bug-1757151-43eb3baaa175f904.yaml | 7 +
...stone-conversion-to-flask-372a5654a55675c6.yaml | 26 +
.../notes/bug-1780503-70ca1ba3f428dd41.yaml | 8 +
.../notes/bug-1784536-9d1d1e149c605a1d.yaml | 6 +
.../notes/bug-1787874-13499ec227b8e26c.yaml | 16 +
.../notes/bug-1788415-3190279e9c900f76.yaml | 25 +
.../notes/bug-1788694-4dc8b3ec47fc6084.yaml | 6 +
.../notes/bug-1789450-9dec1383ffd3de01.yaml | 8 +
.../notes/bug-1792026-2de8345a89e2256b.yaml | 9 +
.../notes/bug-1794376-53ce14528f00f01d.yaml | 32 +
.../notes/bug-1794864-3116bf165a146be6.yaml | 41 +
.../notes/bug-1796887-eaea84e3f9a8ff9f.yaml | 7 +
.../notes/bug-1801095-6e28d7a86719da74.yaml | 6 +
.../notes/bug-1801873-0eb9a5ec3e801190.yaml | 6 +
.../notes/bug-1804292-0107869c7029f79e.yaml | 14 +
.../notes/bug-1804446-1a281eadbb044070.yaml | 29 +
.../notes/bug-1804462-59ad43f98242dea0.yaml | 14 +
.../notes/bug-1804463-74537652166cf656.yaml | 31 +
.../notes/bug-1804482-aa95619320d098fa.yaml | 15 +
.../notes/bug-1804483-1d9ccfcb24f25f51.yaml | 31 +
.../notes/bug-1804516-24b0b10ed6fe0589.yaml | 32 +
.../notes/bug-1804517-a351aec088fee066.yaml | 16 +
.../notes/bug-1804519-8384a9ead261d4c2.yaml | 14 +
.../notes/bug-1804520-d124599967923052.yaml | 13 +
.../notes/bug-1804521-3c0d9f567e8f532f.yaml | 31 +
.../notes/bug-1804522-00df902cd2d74ee3.yaml | 34 +
.../notes/bug-1804523-d1768909b13b167e.yaml | 32 +
.../notes/bug-1805369-ed98d3fcfafb5c43.yaml | 47 +
.../notes/bug-1805372-af4ebf4b19500b72.yaml | 30 +
.../notes/bug-1805402-75d0d93f31af620f.yaml | 32 +
.../notes/bug-1805403-c003627a64768716.yaml | 37 +
.../notes/bug-1805406-252b45d443af20b3.yaml | 41 +
.../notes/bug-1805880-3fc6b30309a4370f.yaml | 14 +
.../notes/bug-1806713-cf5feab23fc78a23.yaml | 16 +
.../notes/bug-1806762-09f414995924db23.yaml | 15 +
.../notes/bug-1806762-2092fee9f6c87dc3.yaml | 15 +
.../notes/bug-1806762-c3bfc71cb9bb94f3.yaml | 26 +
.../notes/bug-1806762-daed3e27f58f0f6d.yaml | 17 +
.../notes/bug-1810393-5a7d379842c51d9b.yaml | 6 +
.../notes/bug-1811605-9d23080d7e949c25.yaml | 10 +
.../notes/bug-1813085-cf24b204e95fd7f5.yaml | 7 +
.../notes/bug-1814589-f3e7f554bee1c317.yaml | 7 +
.../notes/bug-1816927-e17f4e596e611380.yaml | 8 +
.../notes/bug-1817313-c11481e6eed29ec2.yaml | 8 +
.../notes/bug-1819036-e2d24655c70d0aad.yaml | 9 +
.../notes/bug-1820333-356dcc8bf9f73fed.yaml | 18 +
.../deprecated-as-of-stein-0166965502cb3be2.yaml | 7 +
...omain-level-limit-support-60e1e330d06227ed.yaml | 9 +
.../removed-as-of-stein-5eb23253b72ab54e.yaml | 27 +
.../scope-and-default-roles-a733c235731bb558.yaml | 25 +
.../tenant_id_to_project_id-42d95d93011785cb.yaml | 5 +
...fied-limit-api-improvment-b34d18769d18a0a7.yaml | 15 +
releasenotes/source/index.rst | 1 +
.../locale/en_GB/LC_MESSAGES/releasenotes.po | 178 ++-
releasenotes/source/rocky.rst | 6 +
requirements.txt | 15 +-
setup.cfg | 20 +-
test-requirements.txt | 3 +-
tools/sample_data.sh | 2 +-
tox.ini | 31 +-
567 files changed, 36893 insertions(+), 17332 deletions(-)
Requirements updates
--------------------
diff --git a/requirements.txt b/requirements.txt
index 355f4c256..e3de1c6df 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -11 +10,0 @@ WebOb>=1.7.1 # MIT
-Routes>=2.3.1 # MIT
@@ -16 +15 @@ six>=1.10.0 # MIT
-SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT
+SQLAlchemy>=1.1.0 # MIT
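Review bot: The replacement specifier `SQLAlchemy>=1.1.0` re-admits 1.1.5 through 1.1.8, which the removed line excluded explicitly with `!=` markers. If those releases are still unsuitable, raise the floor above 1.1.8 or keep the exclusions; if they are now acceptable, say so in the commit message so the dropped exclusions are not read as an oversight.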
@@ -21 +20 @@ python-keystoneclient>=3.8.0 # Apache-2.0
-keystonemiddleware>=4.17.0 # Apache-2.0
+keystonemiddleware>=5.1.0 # Apache-2.0
@@ -27 +26 @@ oslo.config>=5.2.0 # Apache-2.0
-oslo.context>=2.21.0 # Apache-2.0
+oslo.context>=2.22.0 # Apache-2.0
@@ -31 +30 @@ oslo.i18n>=3.15.3 # Apache-2.0
-oslo.log>=3.36.0 # Apache-2.0
+oslo.log>=3.38.0 # Apache-2.0
@@ -33 +32 @@ oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=1.43.1 # Apache-2.0
@@ -34,0 +34 @@ oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
+oslo.upgradecheck>=0.1.0 # Apache-2.0
@@ -37,0 +38 @@ pysaml2>=4.5.0
+PyJWT>=1.6.1 # MIT
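Review bot: The new `PyJWT>=1.6.1` line sets only a floor for a library that, judging by the new keystone/common/jwt_utils.py and keystone/token/providers/jws/core.py in the diffstat, presumably sits in the token path. lower-constraints.txt also changes in this release but its contents are not shown here, so confirm it pins PyJWT at 1.6.1 and that the stated minimum is the version the lower-constraints job actually exercises.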
@@ -41 +42 @@ pycadf!=2.0.0,>=1.1.0 # Apache-2.0
-msgpack>=0.4.0 # Apache-2.0
+msgpack>=0.5.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index 1e29765cf..a86a1fa44 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -5 +5 @@
-hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+hacking>=1.1.0,<1.2.0 # Apache-2.0
@@ -6,0 +7 @@ pep257==0.7.0 # MIT License
+pycodestyle>=2.0.0 # MIT License
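Review bot: `pycodestyle>=2.0.0` is added without an upper bound, while the neighbouring lint tools are capped (`hacking>=1.1.0,<1.2.0` in this same file, `pep257==0.7.0` in the hunk context). A new pycodestyle release can introduce checks that fail the style gate without any code change, so consider a cap consistent with the hacking range.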