Xena Series Release Notes

4.3.0

Bug Fixes

  • Fixes missing get_auth_ref call for the none and http_basic authentication plugins. The implementation simply returns None.

4.2.1

Bug Fixes

  • Fixes get_api_major_version for non-keystone authentication methods when the provided endpoint is not versioned.

4.2.0

New Features

  • A new http_basic auth plugin is added which enables HTTP Basic authentication for standalone services. Like the noauth plugin, the endpoint needs to be specified explicitly, along with the username and password.

Upgrade Notes

  • Python 3.5 is no longer supported.

4.1.0

Bug Fixes

  • [bug 1876317] The v3 authentication plugins now attempt to add /v3 to the token path if it’s not present on the authentication URL.

4.0.0

Upgrade Notes

  • Python 2.7 support has been dropped. The last release of keystoneauth to support Python 2.7 is OpenStack Train. The minimum version of Python now supported is Python 3.6.

3.18.0

New Features

  • [feature bug 1840235] Adds connect_retries to Session.__init__(), which projects can use when creating session objects to set the required number of retries for new connection requests. This specifically helps avoid a scalability issue that results in a number of ConnectTimeout errors when doing endpoint discovery and fetching roles using an auth plugin under heavy load. The value can still be overridden per service with the adapter interface.

Upgrade Notes

  • If keystoneauth and openstacksdk are both in use and keystoneauth is upgraded to this release before upgrading openstacksdk to 0.36.1 or later, creation of ServerGroup objects with policies and use of Ansible Inventory could be adversely affected. See https://review.opendev.org/#/c/685999/ for more details.

Bug Fixes

  • [bug 1838704] When consuming keystoneauth1.session.Session, if a requests session is not provided one is created. The Session used for requests may result in a ResourceWarning being generated if it is not properly closed. The code has been updated to close the session correctly when the Session object is deleted.

  • Retry version discovery with auth token when the initial request throws 401 Unauthorized. There are some services that are erroneously defaulting to authenticated discovery, and this allows discovery to work properly on them.

3.17.0

New Features

  • [bug 1839748] Keystoneauth now supports MFA authentication and Auth Receipts. Responses from Keystone containing an auth receipt will now raise a MissingAuthMethods exception which will contain the auth receipt itself, and information about the missing methods. There are now also ways to easily use more than one method when authenticating to Keystone, and those have been documented.

3.16.0

New Features

  • Allows configuring fixed retry delay for connection and status code retries via the new parameters connect_retry_delay and status_code_retry_delay accordingly.

3.15.0

New Features

  • Fix handling of HTTP error payloads that conform to the API SIG formatting guidelines.

  • The X-Openstack-Request-Id header can now be set per-request via a global_request_id kwarg to Adapter and Session request methods (request(), get(), put(), etc.)

  • The Adapter parameters connect_retries and status_code_retries can now be set via configuration options connect-retries and status-code-retries accordingly.

Bug Fixes

  • Add logic to handle HTTP error responses that do not conform to a known schema.

  • The retry interval for retries enabled by connect_retries and status_code_retries is now limited at 60 seconds. Previously it would grow exponentially.

3.13.0

New Features

  • Support added for client-side rate limiting. Two new parameters now exist for keystoneauth1.adapter.Adapter. rate expresses a maximum rate at which to execute requests. parallel_limit allows for the creation of a semaphore to control the maximum number of requests that can be active at any one given point in time. Both default to None, which has the normal behavior of not limiting requests in any manner.

3.11.2

Bug Fixes

  • A workaround for malformed discovery documents was being applied too soon, causing ironic discovery documents to be mistakenly ignored.

3.11.1

Bug Fixes

  • Fixed an issue where https://example.com and https://example.com/ were being treated as different URLs in the discovery cache, resulting in a second unneeded discovery call when someone set an endpoint_override that didn’t match the trailing-slash form given by that service’s discovery document.

3.11.0

New Features

  • Added ability to filter the results of get_all_version_data by service-type.

  • Added get_all_version_data to adapter.Adapter that uses the adapter’s service_type to filter the version data fetched.

Bug Fixes

  • Fixed support for detecting microversion ranges on older Ironic installations.

3.10.0

Bug Fixes

  • [bug 1733052] The version discovery mechanism now only fetches the version info from the server side if the versioned URL has been overridden, so that the request URL’s path won’t be changed completely.

3.8.0

New Features

  • Adds support for retrying certain HTTP status codes when doing requests via the new status_code_retries and retriable_status_codes parameters for Session and Adapter.

3.7.0

New Features

  • Added collect_timing option to keystoneauth1.session.Session. The option, which is off by default, causes the Session to collect API timing information for every call it makes. Methods get_timings and reset_timings have been added to allow getting and clearing the data.

  • Added split-loggers option to the oslo.config Session options.

  • Exposed keystoneauth1.discover.version_between as a public function that can be used to determine if a given version is within a range.

3.6.2

Bug Fixes

  • [bug 1766235] Fixed an issue where passing headers in as bytes rather than strings would cause a sorting issue.

3.6.1

Bug Fixes

  • The docstring for keystoneauth1.session.Session.get_all_version_data correctly listed 'public' as the default value, but the argument list had None. The default has been fixed to match the documented value.

3.6.0

New Features

  • Added a ‘status’ field to the EndpointData object which contains a canonicalized version of the information in the status field of discovery documents.

  • Added support for service-type aliases as defined in the Service Types Authority when doing catalog lookups.

3.4.0

New Features

  • [blueprint application-credentials] Support for authentication via an application credential has been added. Keystoneauth can now be used to authenticate to Identity servers that support application credentials.

  • [blueprint system-scope] Keystoneauth now has the ability to authenticate for system-scoped tokens, which were implemented during the Queens development cycle. System-scoped tokens will eventually be required to separate system-level APIs from project-level APIs, allowing for better security via scoped RBAC.

3.2.0

New Features

  • A new none auth plugin is added with the purpose of simplifying the loading of clients from configuration file options. It does not accept any arguments and sets the token to ‘notused’. It does not have any endpoint/url associated with it, and thus must be used together with adapter.Adapter’s endpoint_override option to instantiate a session for a client to a service that is deployed in noauth/standalone mode.

3.0.0

New Features

  • Added support for specifying a microversion to use on a given REST request. The microversion can be specified on session request calls and a default can be set on Adapter construction.

  • Added support for the API Working Group recommendations on service and version discovery. New methods on Session and Adapter, “get_endpoint_data” will return endpoint metadata including microversion information. Additionally, versions can be requested with a range and with the string “latest”, and interface values can be given as a list in case a user wants to express a ‘best available’ set of preferences.

2.21.0

Prelude

Allow setting EndpointReference in ADFSPassword

New Features

  • Add the ability to specify the WS-Policy EndpointReference used in the ADFSPassword plugin’s RequestSecurityToken message via the ‘service-provider-entity-id’ option. Also added ‘identity-provider-url’ option which was required, but missing from option list.

Bug Fixes

  • [bug 1689424] Allow setting EndpointReference in ADFSPassword.

2.19.0

New Features

  • A new flag allow_version_hack was added to identity plugins and the adapter which will allow a client to opt out of making guesses at the version url page of a service. This means that if a deployment is misconfigured and the service catalog contains a versioned endpoint that does not match the requested version the request will fail. This will be useful in beginning to require correctly deployed catalogs rather than continue to hide the problem.

2.17.0

Bug Fixes

  • [bug 1616105] Only log the response body when the Content-Type header is set to application/json. This avoids logging large binary objects (such as images). Other Content-Type will not be logged. Additional Content-Type strings can be added as required.

  • The X-Service-Token header value is now properly masked, and is displayed as a hash value, in the log.
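
The two logging rules in this release, sketched as an added example (this is not keystoneauth's own code). The set of sensitive header names, the {SHA256} prefix and the function names are assumptions made for the illustration; the sample inputs are constructed.

```python
import hashlib

# Headers whose values are credentials. The release note names
# X-Service-Token; the other entries are assumptions for this example.
SENSITIVE_HEADERS = {"x-auth-token", "x-subject-token",
                     "x-service-token", "authorization"}
# Media types whose bodies may be written to the log.
LOGGABLE_CONTENT_TYPES = {"application/json"}


def mask_header(name, value):
    """Return a loggable header value: secrets become a SHA-256 digest."""
    if name.lower() in SENSITIVE_HEADERS:
        digest = hashlib.sha256(value.encode("utf-8")).hexdigest()
        # The prefix marks the value as hashed (format is this example's choice).
        return "{SHA256}" + digest
    return value


def loggable_body(headers, body):
    """Return the body text only when the Content-Type is allow-listed."""
    content_type = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value
    # Compare the media type only, ignoring parameters such as charset.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in LOGGABLE_CONTENT_TYPES:
        return body.decode("utf-8", errors="replace")
    return "<body omitted: content type %r is not logged>" % media_type


def format_http_log(first_line, headers, body=b""):
    """Build one log record with masked headers and a filtered body."""
    lines = [first_line]
    for name in sorted(headers):
        lines.append("%s: %s" % (name, mask_header(name, headers[name])))
    lines.append("BODY: " + loggable_body(headers, body))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples: a request carrying a service token, and a
    # binary image response whose body must stay out of the log.
    print(format_http_log("REQ: GET https://image.example.test/v2/images",
                          {"X-Service-Token": "constructed-secret",
                           "Accept": "application/json"}))
    print(format_http_log("RESP: [200]",
                          {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n"))
```

Because the digest is deterministic, operators can still correlate log lines that used the same token without the token itself being recoverable from the log.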

2.14.0

Prelude

Allow adding client and application name and version to the session and adapter that will generate a useful user agent string.

New Features

  • You can specify an app_name and app_version when creating a session. This information will be encoded into the user agent.

  • You can specify a client_name and client_version when creating an adapter. This will be handled by client libraries and included in the user agent.

  • Libraries like shade that modify the way requests are made can add themselves to additional_user_agent and have their version reflected in the user agent string.

Deprecation Notes

  • We suggest you fill the name and version for the application and client instead of specifying a custom user_agent. This will then generate a standard user agent string.

2.12.0

Prelude

HTTP connections work under Windows Subsystem for Linux

Bug Fixes

  • [bug 1614688] HTTP connections were failing under Windows Subsystem for Linux because TCP_KEEPCNT was being set and that environment does not support this override yet.

2.10.0

Prelude

Add the prompt parameter to loader Opts

Allow specifying additional_headers to the session and the adapter to add headers to all requests that pass through these objects.

New Features

  • Add support for the Client Credentials OpenID Connect grant type.

  • Add support for the OpenID Connect Discovery Document into the OpenID Connect related plugins. Now it is possible to only pass the discovery-url option and the plugins will try to fetch the required metadata from there.

  • The prompt parameter was added to the Opts provided by auth plugins. The presence of the prompt parameter on an Option will indicate to plugin loaders that it is ok to prompt the user for input for this parameter if none is provided initially. Actual implementation of this prompting mechanism will be handled by the individual loaders such as os-client-config.

  • Add the ability to provide additional_headers to the session and adapter object. This will allow clients particularly to provide additional ways to identify their requests. It will also hopefully provide an intermediate way to handle setting microversions until we support them directly with keystoneauth.

Bug Fixes

  • [bug 1583682] OpenID Connect plugins should support OpenID Connect Discovery.

2.9.0

New Features

  • [blueprint totp-auth] Add an auth plugin to handle Time-Based One-Time Password (TOTP) authentication via the totp method. This new plugin will accept the following identity options:

      - user-id: user ID
      - username: username
      - user-domain-id: user’s domain ID
      - user-domain-name: user’s domain name
      - passcode: passcode generated by TOTP app or device

    User is uniquely identified by either user-id or combination of username and user-domain-id or user-domain-name.

Bug Fixes

  • Fix passing scope parameters in Oidc* auth plugins. [Bug 1582774]

2.8.0

New Features

  • Added a new OidcAccessToken plugin, accessible via the ‘v3oidcaccesstoken’ entry point, making it possible to authenticate using an existing OpenID Connect Access token.

Bug Fixes

  • [bug 1583780] OpenID Connect support should include authenticating directly using an access token.

2.2.0

Bug Fixes

  • [bug 1527131] Do not provide socket values for OSX and Windows.

Other Notes

  • Added a betamax fixture for keystoneauth sessions.

  • Added an RFC 7231 compliant user agent string.