Liberty Series Release Notes
8.1.0
New Features
[bug 1490804] Audit IDs are included in the token revocation list.
Security Issues
[bug 1490804] [CVE-2015-7546] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the keystonemiddleware project.
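As an added illustration (not Keystone or keystonemiddleware code), the following shows the defensive side of this fix: a revocation check that matches a presented token against the revocation list by its audit IDs as well as by its token ID, which is what shipping audit IDs in the list enables. The entry fields id, expires and audit_id, the timestamp format, and the sample data are assumptions constructed for the example.

```python
# Added example, not Keystone's own implementation. The revocation-list
# layout (entries with "id", "expires" and "audit_id") and the ISO 8601
# timestamp format are assumptions; the sample list below is constructed.
from datetime import datetime, timezone


def _parse_expiry(ts):
    # Revocation entries carry an expiry; once the token itself has expired
    # the entry no longer matters.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def revoked_identifiers(revocation_list, now):
    """Collect token IDs and audit IDs from the unexpired revocation entries."""
    token_ids, audit_ids = set(), set()
    for entry in revocation_list.get("revoked", []):
        if _parse_expiry(entry["expires"]) <= now:
            continue  # expired token: cannot be used, so skip the entry
        token_ids.add(entry["id"])
        if entry.get("audit_id"):  # assumed field; absent from pre-fix lists
            audit_ids.add(entry["audit_id"])
    return token_ids, audit_ids


def is_revoked(token_id, token_audit_ids, revocation_list, now=None):
    """True if the token's ID, or any of its audit IDs, is on the list.

    Checking audit IDs gives a second, stable handle on a revoked token
    instead of relying on the token ID alone.
    """
    now = now or datetime.now(timezone.utc)
    token_ids, audit_ids = revoked_identifiers(revocation_list, now)
    if token_id in token_ids:
        return True
    return any(audit_id in audit_ids for audit_id in token_audit_ids)


# Constructed sample: one live revoked token with its audit ID, and one
# entry whose token has long since expired.
SAMPLE_REVOCATION_LIST = {
    "revoked": [
        {"id": "tokenid-constructed-0001",
         "expires": "2099-01-01T00:00:00.000000Z",
         "audit_id": "CONSTRUCTED-AUDIT-ID-1"},
        {"id": "tokenid-expired-0002",
         "expires": "2000-01-01T00:00:00.000000Z",
         "audit_id": "CONSTRUCTED-AUDIT-ID-2"},
    ]
}
```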
8.0.1
New Features
Experimental - Domain specific configuration options can be stored in SQL instead of configuration files, using the new REST APIs.
Experimental - Keystone now supports tokenless authorisation with X.509 SSL client certificate.
Configuring per-Identity Provider WebSSO is now supported.
openstack_user_domain and openstack_project_domain attributes were added to the SAML assertion in order to map user and project domains, respectively.
The credentials list call can now have its results filtered by credential type.
Support was improved for out-of-tree drivers by defining stable driver interfaces.
Several features were hardened, including Fernet tokens, federation, domain specific configurations from database and role assignments.
Certain variables in keystone.conf now declare a set of allowed options, which is used to check whether the user's setting is valid.
Upgrade Notes
The EC2 token middleware, deprecated in Juno, is no longer available in Keystone. It has been moved to the keystonemiddleware package.
The compute_port configuration option, deprecated in Juno, is no longer available.
The XML middleware stub has been removed, so references to it must be removed from the keystone-paste.ini configuration file.
The stats_monitoring and stats_reporting paste filters have been removed, so references to them must be removed from the keystone-paste.ini configuration file.
The external authentication plugins ExternalDefault, ExternalDomain, LegacyDefaultDomain, and LegacyDomain, deprecated in Icehouse, are no longer available.
The keystone.conf file now references entrypoint names for drivers. For example, the drivers are now specified as "sql", "ldap", "uuid", rather than the full module path. See the sample configuration file for other examples.
We now expose entrypoints for the keystone-manage command instead of a file.
Schema downgrades via keystone-manage db_sync are no longer supported. Only upgrades are supported.
Features that were “extensions” in previous releases (OAuth delegation, Federated Identity support, Endpoint Policy, etc) are now enabled by default.
A new secure_proxy_ssl_header configuration option is available when running keystone behind a proxy.
Several configuration options have been deprecated, renamed, or moved to new sections in the keystone.conf file.
Domain name information can now be used in policy rules with the attribute domain_name.
Other Notes
Running Keystone in eventlet remains deprecated and will be removed in the Mitaka release.
Using LDAP as the resource backend, i.e for projects and domains, is now deprecated and will be removed in the Mitaka release.
Using the full path to the driver class is deprecated in favour of using the entrypoint. In the Mitaka release, the entrypoint must be used.
In the [resource] and [role] sections of the keystone.conf file, not specifying the driver and using the assignment driver is deprecated. In the Mitaka release, the resource and role drivers will default to the SQL driver.
In keystone-paste.ini, using paste.filter_factory is deprecated in favour of the "use" directive, specifying an entrypoint.
Not specifying a domain during a create user, group or project call, which relied on falling back to the default domain, is now deprecated and will be removed in the N release.
Certain deprecated methods from the assignment manager were removed in favour of the same methods in the [resource] and [role] manager.