CHANGES
=======

* Claim \`Include invalid password details in audit messages\`
* Include invalid password details in audit messages
* Replace \`sphinxcontrib-\*diag\` with \`graphviz\`
* Add identity spec for Domain Manager persona
* Keystone identity mapping to support project definition as a JSON
* Add openapi spec
* Add schema version and support to "domain" attribute in mapping rules
* External OAuth2.0 Authorization Server Support
* OAuth 2.0 Mutual-TLS Support
* Describe the need for a default service role
* remove unicode from code
* Use TOX\_CONSTRAINTS\_FILE
* Disable auto-discovery for setuptools and update python testing
* Describe the need for a default manager role
* OAuth2.0 Client Credentials Grant Flow Support
* [spec] X-Project-Id Pass-through
* Switch to newer openstackdocstheme version
* Cleanup py27 support
* [ussuri][goal] Drop python 2.7 support
* Repropose federated attributes in the user API for Ussuri
* Repropose Expiring Group Membership for Ussuri
* Set up for Ussuri
* Update docstheme options
* Add Python 3 Train unit tests
* Sync sphinx requirement
* Use upper-constraints
* Correct style errors
* Expiring Group Membership Through Mapping Rules
* Update access rules spec with decisions from PTG
* Add spec for immutable resources
* Update tracking reference for federated attrs spec
* Combine policy roadmap documents
* Move unified model spec from ongoing to backlog
* Move SP endpoint filters spec to attic
* Add info resource-option-for-all spec
* Move the request-helpers spec for keystonemiddleware to attic
* Move 'functional testing' spec to attic
* Move Object Depencency Lifecycle spec to Rocky
* Move endpoint-enforcement-middleware spec to attic
* Add role implication note to basic-default-roles
* OpenDev Migration Patch
* Repropose federated attributes in the user API for Train
* NIT : Fix broken link
* Add resource-options-for-all specification
* Repropose unfinished Stein specs to Train
* Replace openstack.org git:// URLs with https://
* Update app cred capabilities spec
* Add note about boilerplate content
* Update template with guidance for bugs over bp
* Update inaccurate details in JWS specification
* Add a note about crypto-agility with JWT
* Change openstack-dev to openstack-discuss
* Add domain level limit support
* Delete the duplicate words in  multi-backend-uuids.rst
* fix wrong spelling of "configuration"
* Repropose JWT specification for Stein
* Update policy security roadmap
* Fix spelling in explicit domain id specification
* Clean up explicit domain IDs specification
* Explicit Domain Ids
* Update spec template
* fix misspelling of configuration
* Fix broken link to Stein roadmap
* fix tox python3 overrides
* Fix grammatical error in policy goals spec
* Run python 3.6
* import zuul job settings from project-config
* Move MFA receipt specification to Stein
* Repropose capability lists to Stein
* Switch to stestr
* Update the default roles spec to include Rocky details
* Update links in README
* Address follow-on comments in strict-two-level spec
* Strict Two-Level Limits Enforcement Model
* Update blueprint link in default roles specification
* Follow-up -- replace 'auditor' role with 'reader'
* Define a set of basic default roles
* Add capabilities to application credentials
* Log queens specifications with previous releases
* Add spec for MFA auth receipts
* OpenID Connect improved support
* Change keystone-specs webpage from oslosphinx to openstackdocstheme
* Fix typos in keystone-specs
* Fix the misspelling of "configuration"
* Limits API
* Fix line-too-long error
* Add policy roadmap for security
* Repropose application credentials to queens
* Address follow on comments for system-scope
* Remove role check from middleware from specs
* Specification for system roles
* Add link to Queens Roadmap
* Outline policy goals
* Clarify backlog instructions and add ideas dir
* Clarify details of json-web-tokens spec
* Propose JWT as a new token provider
* Update project-tags spec
* Update project-tags spec
* Create Queens directory for specs
* Move project-tags spec to backlog
* Bump support for federated attributes to backlog
* Bump application credentials to backlog
* Application Credentials for application authn
* Fix html\_last\_updated\_fmt for Python3
* Follow-on patch on project-tags spec
* Add Project tags
* Block sphinx 1.6.1
* Remove pbr warnerrors in favor of sphinx check
* Unified limits specification
* Remove policy default spec
* Add Policy Documentation
* Remove centralized policies fetch cache spec
* Clarify bits of the alembic backlogged spec
* Remove centralized policy delivery spec from backlog
* Remove the fernet key store spec from backlog
* Remove microversions spec from backlog
* Policy in code
* Fix typos and grammatical errors
* Move federated attributes spec to Pike
* move not implemented ocata specs to backlog
* Typo fix: foriegn => foreign
* Fix typo in role-check-from-middleware.rst
* Update shadow mapping spec
* Update per-user-MFA spec to represent new db table not column
* add a README file to the superseded spec folder
* Removes unnecessary utf-8 encoding
* Update shadow mapping details about domains
* Revert "add CONTRIBUTING.rst"
* add CONTRIBUTING.rst
* Versioned federation mappings
* Role Check from Middleware
* clean up approved specs for ocata
* Fix a spelling mistake in a PCI-DSS spec
* Expose password requirements through API
* Typo fixing
* Add security impact on per user auth plugin spec
* Specification for MFA support
* Fix python version to 2.7 for docs
* Extend user API to support federated attributes
* Show team and repo badges on README
* Fix a typo in identity-api-v3.rst
* Devstack Plugin for Keystone
* Fix typos in documents
* Add spec for native SAML2
* Optional MFA via password + TOTP auth plugin
* PCI-DSS Expired Password Users
* Target Fernet key store to Ocata
* Add reason to notifications for PCI-DSS events
* Changed the home-page link
* Allow retrieving an expired token
* Mapping shadow users into projects and roles
* move py3 spec from ongoing to newton
* prime the ocata release
* clean up the spec repo for newton
* Revert spec change for Microversions
* Simplify manage-migration spec by introducing database triggers
* Fix the name of the "manage-migration" spec
* Add rolling upgrade steps to keystone-manage
* Re-target unified delegations to O
* move old APIs to the attic
* PCI-DSS Adds password\_expires\_at to API specs
* Fixes token auth documentation for OS-FEDERATION
* LDAP preprocessing
* Drop Support for Driver Versioning
* Fix incorrect query example
* Fix versions blocks in Federation API Spec
* Credential Encryption
* Add spec for fernet key store backends
* Credential Encryption
* Microversions
* Document supported query option for list projects
* Correct Identity spec for versions response
* Cleanup 'implied roles' section of Identity API V3 spec
* Improve example of project acting as a domain
* Added missed double quote
* Correct Identity Auth API request for project by name
* keystone-manage doctor
* Add note about service provider fields
* Include blacklist and whitelist to mappings docs
* Shadow users: work item to relax mapping requirements
* PCI-DSS v3.1
* Reorder the specs repo
* Shadow users (continuation for newton)
* prep repo for newton release
* Remove extension from already core features
* Remove Service Providers API documentation
* Add note on conflict in idp handling
* ldap3 driver
* Revert "Fix cascade operations documentation"
* Fix cascade operations documentation
* Cleanup formatting
* Change token method
* clean up spec repo
* Time-based One-time Password
* Unified delegation
* Update Implied Role API
* Enable \`id\`, \`enabled\` filter for list IdP
* Fixes implied roles example
* Replace deprecated library function os.popen() with subprocess
* Fix incorrect links in OS-EP-FILTER docs
* Be consistent in how we give error codes in the Identity spec
* Clarify project hierarchy and parent usage within the API
* Document keystoneclient specs as implemented
* Bootstrap
* Fix Create Endpoint API Status Code
* Expand endpoint filters to service providers
* Online schema migration
* Redefine url-safe requirements for names to tolerate unicode
* Domain Specific Roles
* Shadow users: unified identity
* Move inheritance API spec into core Identity API
* Allow url-safe project and domain names to be optionally enforced
* Enable retrieval of default values of domain config options
* move implied roles spec to mitaka and clean it up
* Create an attic for APIs we don't support
* Optionally return names in the list assignment API
* converted implied\_roles url segments
* Accepts Group IDs from the IdP without domain
* Implied  Roles
* Adding 'domain\_id' filter to list\_user\_projects()
* Fix the link root in identity-api-v3-os-inherit-ext
* Correct a few token examples
* Augment token to indicate if it is scoped to the admin project
* Add even more clarity to scope docs
* Improve get project query strings
* cleanup specs for mitaka release
* Clarify documentation about scope
* Clarify is\_domain project attribute in API version 3.5
* Align API spec for Liberty (3.5) with the changes that merged
* fix a simple typo "ì" -> "i"
* IDP specific websso
* Add region\_id filter in List Endpoints API
* Moves Dynamic Policy specs to Liberty dir
* Fix nits from Project Tree Deletion spec
* List credentials by type
* Remove KDS from the list of api extensions
* Centralized Policies Distribution Mechanism
* Centralized Policies Fetch and Cache
* Include groups in federated scoped tokens
* Project tree deletion
* Fix diagram representation in rst
* API changes for Reseller
* Enable listing of role assignments in a project hierarchy
* Add is\_domain to tokens for projects acting as a domain
* Cleanup and removal of StrictABC requirement
* Moved driver interface from backlog to liberty
* Groups are not included in federated scoped tokens
* Add side-by-side comparison of v2 and v3 APIs
* Support data driven test plans for role assignment testing
* v3 credentials project\_id is not optional for type=ec2
* fix wrong title for OS-INHERIT Extension spec
* Federated domain identified by \`\`id\`\` not \`\`name\`\`
* Fix assertion examples
* Default Policy
* Cleanup typos and work items
* Updated endpoint enforcement spec
* Revert "Provide ability to read default domain configuration options"
* environment setup for functional tests
* Materialized path for project hierarchy
* Targeting functional testing to Liberty
* Provide ability to read default domain configuration options
* Fix the klwt link
* Deprecations
* Add spec for request-helpers
* Add spec for 'stable keystone driver interfaces'
* Add spec for python-3 compatibility
* Move kilo specs to 'implemented' section
* Target Alembic for Liberty
* Do not add new 'db' command and subcommands for it
* Tokenless authz with X.509 SSL client cert
* New attributes for SAML assertion
* Remove saml2 comment in scoping federated token
* Add spec for decoupling auth from API versions to backlog
* Add parent\_id to GET /projects
* Move reseller spec for Liberty release
* Change ECP wrapped SAML assertion term in API
* Move specs that didn't land in Kilo to the backlog
* Update path for listing a project's endpoint groups
* Add a relay\_state\_prefix to the service provider resource
* Endpoint to generate ECP assertions
* Mark the domain-config API as experimental
* Add domain-config group/option resource relationships
* Adds a spec for fixing Keystone's DI
* Fix nits from 159922
* Add service\_providers to the documentation
* Correct the use of POST for domain configs
* Remove email from examples in Identity API
* Drop unnecessary sections from federation docs
* Keystone Lightweight Tokens (KLWT)
* Deprecate keystone CLI
* Correct rst
* Get service catalog should also support Service providers
* Alembic for SQL migrations
* Fix up federation rst headers
* Correct rst in federation
* Address style and formatting comments from 153114
* implement timestamp for Project, Role
* Removes confusing functional test tox example
* Provide option to disable storing of extra attributes in SQL
* Reseller
* Address federated domain comments from 149071
* Update doc for generating SAML2 assertion
* IDP ID registration and validation
* Remove URL field from regions
* Allow for direct mapping in federated authN
* Tokenless authorization with X.509 SSL client certificate
* Visual Page for WebSSO
* API changes for subtree\_as\_ids and parents\_as\_ids
* Reorder parameters in federation API docs
* Enable the storing of domain specific configuration in SQL
* Improve list role assignments filters performance
* functional testing support
* Endpoint enforcement in Keystone Middleware
* New query params to retrieve the project hierarchy
* Fix MD to RST formatting
* Fixes role inheritance API inconsistency
* Service Provider for K2K
* Remove old-style role metadata structures from assignment
* Specify default values for identity providers
* HMT API spec cleanup
* Update work items and assignees for no-more-extensions spec
* Standardize federated scoping process
* Replace the concept of extensions in Keystone
* Remove XML references from API documentation
* API changes for explicit unscoped
* Trust redelegation documentation
* Fix RST formatting issues
* API doc for Inherited Role Assignments to Projects
* Mapping enhancements - direct groups mapping
* Fix 'heirarchy' typo on 'Get project'
* Workflow documentation is now in infra-manual
* Scope federated tokens with \`\`token\`\` auth method
* Fixes link to spec blueprint
* Add requirement for APIImpact flag
* IETF ABFAB federation protocol
* Token Provider Cleanup Spec
* Fix enable/disable projects behaviour for HM
* Update headers slightly for API specification(s)
* Adds v2.0 files for api spec
* Add warning about milestone 2 deadline
* Add project documentation links to index
* Add small comment for partially implemented specs in backlog
* Backlog
* Split up assignments, making role-assignments pluggable
* API documentation for Hierarchical Multitenancy
* Add REMOTE\_USER mapping info in federation docs
* rescope tokens unscoped to scoped only
* Prep to add Identity API v2.0 files
* Create a seperate page for old specs
* Clean up the comments in CADF everywhere spec
* Add a catalog to an unscoped token
* Publish the Identity v3 API specs
* add v3 API documentation
* Create specification for CADF everywhere
* add doc8 validation
* Enable tests on non-SQLite databases
* Add a new section that lists implemented specs for middleware
* Remove deprecated items from the Kilo release
* Stop using intersphinx
* Updated from global requirements
* Use the current date for the copyright statement
* Remove templates from toctrees
* Add RSS feed
* Remove docutils pin
* Move explicit unscoped token to Kilo
* Move trust redelegation to Kilo
* Update blueprint text value for filter credentials
* Fix minor RST and spelling errors in hierarchical multitenancy
* Updated from global requirements
* Add deprecation tasks to auth-specific-data
* Fix rst issues in hierarchical multitenancy
* Hierarchical Multitenacy
* Role assignment notifications
* Endpoint policy extension
* Move openID Connect support to Kilo release
* Update JSON Home for docs location
* Remove an unused import from conf.py
* Enable filtering of credentials by user ID
* Rename contents to template
* Fixes a typo
* Explicity request an unscoped token
* Auth Specific Data
* generic-mapping-federation
* Specification for OpenID Connect
* Federating multiple Keystones
* Updated from global requirements
* revert the "stop here" split spec approach
* standalone service catalog
* move audit middleware to keystonemiddleware repo
* keystone: bind endpoint with region in db
* remove sections from spec template
* Endpoint Grouping
* Spec for trusts redelegation
* divide spec in half, on problem description
* JSON Home
* Service Tokens are really a middleware specification
* Update pbr version
* Service Token Composite Authorization Specification
* Propose Specification for non-persistent-tokens
* Always use a hash based Public ID for cross backend identifiers
* problem description justifies \*why\* there should be a solution
* do not specify implementation details
* create keystonemiddleware repo
* Remove template from juno approved specs
* Audit support for federation spec
* Propose api-validation blueprint
* Cross Backend Unique Identifiers for User and Group Entities
* use double backticks on literals in README
* Template cleanup - RST docs
* Fix minor formatting in template
* Updated gitreview file for repo rename
* Initial Commit for Identity-specs repo
* Added .gitreview
