Pike Series Release Notes



Bug Fixes



New Features

  • The following Cinder volume attributes are now available through the Congress driver for Cinder: encrypted, availability_zone, replication_status, multiattach, snapshot_id, source_volid, consistencygroup_id, migration_status, attachments.

  • The Cinder schema version is set to 2.1, backward compatible with policy rules written under the previous Cinder driver data schema.

Upgrade Notes

  • A new config option encryption_key_path has been added to the DEFAULT section to specify the path to the directory containing encryption keys for encrypting secret fields in datasource config. The default value (/etc/congress/keys) works for most deployments. A new key will be automatically generated and placed in the directory specified by the config option.

  • In the users table of keystonev3_driver (experimental), the columns description and email have been removed because they are not present in the Keystone V3 API response. These columns should be removed from existing policy rules referring to the users table. The project_id column has been replaced by default_project_id because the previous column name was incorrect. Named column references should be similarly replaced in existing policy rules referring to the users table.

  • A new config option policy_library_path is added to the [DEFAULT] section. The string option specifies the directory from which Congress will load pre-written policies for easy activation later by an administrator. This option can be ignored if you do not want Congress to load pre-written policies from files.

  • A new database table library_policies is added; Alembic migration scripts are included.

  • In the Nova driver, the floating_IPs table is removed because nova networking had been deprecated and is now removed from the nova client. Workaround: in policy rules, replace all references to the Nova floating_IPs table with the Neutron floating_IPs table.

Security Issues

  • Secret fields in datasource configuration are now encrypted using Fernet (AES-128 CBC; HMAC-SHA256). Existing datasources are unaffected. To encrypt the secret fields of existing datasources, delete and re-add them after the Congress upgrade.
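
An added example (not Congress code) for the note above: a standard-library check that classifies a stored secret field as plaintext, as it would be for a datasource created before the upgrade, or as a Fernet token whose HMAC-SHA256 verifies under a given key. It assumes the field holds a standard Fernet token string; the function names, the sample key and the sample token are hypothetical and constructed, and the check authenticates the token without decrypting it.

```python
import base64
import binascii
import hashlib
import hmac
import struct

FERNET_VERSION = 0x80
# version(1) + timestamp(8) + IV(16) + one AES block(16) + HMAC-SHA256(32)
MIN_TOKEN_LEN = 1 + 8 + 16 + 16 + 32


def split_key(b64_key):
    """A Fernet key is 32 bytes: 16 for HMAC-SHA256 signing, 16 for AES-128."""
    key = base64.urlsafe_b64decode(b64_key)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return key[:16], key[16:]


def classify_field(value, b64_key):
    """Return 'plaintext', 'bad-hmac' or 'fernet-ok' for a stored secret field."""
    signing_key, _aes_key = split_key(b64_key)
    try:
        raw = base64.urlsafe_b64decode(value)
    except (binascii.Error, ValueError):
        return "plaintext"
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return "plaintext"
    body, tag = raw[:-32], raw[-32:]
    if (len(body) - 25) % 16 != 0:  # ciphertext must be whole AES blocks
        return "plaintext"
    # Fernet is encrypt-then-MAC: the tag covers version, timestamp, IV, ciphertext.
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return "fernet-ok" if hmac.compare_digest(tag, expected) else "bad-hmac"


def build_sample_token(b64_key, timestamp=1500000000):
    """Constructed test token: filler bytes stand in for real AES-CBC output."""
    signing_key, _ = split_key(b64_key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp)
    body += b"\x11" * 16 + b"\x22" * 16  # constructed IV and ciphertext block
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()  # constructed
```

A 'bad-hmac' result means the value has the Fernet layout but was not produced under the key being checked, either because a different key was used or because the stored token was altered.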