Current Series Release Notes¶

New Features¶

• Add “Create Router” button to Admin/Network/Routers panel.

• With the fixes in Rocky that allow using Django’s recursive template inheritance we have added new blocks in our base.html template to allow a better means of customizing through your themes. For details see the customizing docs.

• [blueprint neutron-rbac-policies] This blueprint adds RBAC policies panel to the Admin Network group. This panel will be enabled by default when the RBAC extension is enabled. Remove this panel by setting “‘enable_rbac_policy’: False” in ‘local_settings.py’. RBAC policy supports the control of two resources: networks and qos policies, because qos policies is an extension function of neutron, need to enable this extension if wants to use it.

• [blueprint instance-rescue-horizon-support] Support instance rescue feature

• [bug 1792524] Modify the user detail view in a multi tabbed view, composed of:
  • Overview tab displaying general information about the user.
  • Roles assignments tab displaying all the roles that the users have on project or domain, directly or throw their membership to a group. When the role comes from a membership to a group this will be indicated into the role column.
  • Groups tab displaying all groups where the user is a membership to.

• New setting SESSION_REFRESH (defaults to True) that allows the user session expiry to be refreshed for every request until the token itself expires. SESSION_TIMEOUT acts as an idle timeout value now.

• [bug 1795851] Operators now can control whether the links of “Download OpenRC” and “Download clouds.yaml” are displayed or not via new settings SHOW_OPENRC_FILE and SHOW_OPENSTACK_CLOUDS_YAML. openrc and clouds.yaml files provided by horizon now assume the basic simple deployment and do not cover keystone authentication like saml2, openid and so on. The default openrc and clouds.yaml from horizon do not make sense for such environments.

Upgrade Notes¶

• To allow certain views to optionally disable analytics tracking when handling sensitive data, don’t use the custom_head_js block, or the now deprecated template horizon/_custom_head_js.html for analytics tracking. Please read the customizing docs and instead use the dedicated custom_analytics block so Horizon or its plugins can when needed disable tracking on a given view.

• PKI token support has been dropped from horizon. PKI token was removed from keystone in Ocata release which was released two years ago. It is a good timing to drop its support.

  OPENSTACK_TOKEN_HASH_ALGORITHM setting was removed because it was used only for PKI token check. Unless you use PKI token before upgrading, there is no affect and you can safely drop it from your local_settings.py.

• SESSION_TIMEOUT now by default acts as an idle timeout rather than a hard timeout limit. If you wish to retain the old hard timeout functionality set SESSION_REFRESH to False.

• The default value of SHOW_KEYSTONE_V2_RC setting is changed to False in favor of the deprecation of keystone v2 API support in horizon.

Deprecation Notes¶

• The customization override templates have been deprecated in favor of using recursive inheritance in your themes. The following templates have been deprecated and are slated for removal in the U release: * _footer.html' * _login_footer.html * _login_form_footer.html * horizon/_custom_head_js.html * horizon/_custom_meta.html

• Keystone v2 API support in horizon will be dropped in Train release. It was was removed from keystone in Queens release.

• Cinder consistency group support in horizon will be dropped in Train release or later. It was deprecated in Pike release in Cinder and was superseded by the generic group feature. Horizon supports the generic group since Rocky release.

• Volume v2 API support is now deprecated. The API has been marked as deprecated in cinder in favor of volume v3 API. Horizon will drop volume v2 API support in a same release where cinder drops it.

• Glance v1 API support is now deprecated and will be dropped in Train release at earliest. It was removed from glance in Rokcy release.

• Nova-network support will be dropped in Train release completely. Horizon dropped nova-network floating IP and security gruop supports in Queens release, but we still supports operations on server instances created with nova-network. This deprecation means such support will be dropped in the near future and horizon will assume neutron is deployed.

• SHOW_KEYSTONE_V2_RC setting is deprecated in favor of the deprecation of keystone v2 API support in horizon.

Bug Fixes¶

• Fixed a bug where non-admin users would be shown the “Change Password” button for users listed under the Identity panel.

New Features¶

• [blueprint mitigate-breach-attacks] Adding Django-debreach module to mitigate breach attacks. Enabling the RandomCommentMiddleware to counter breach attack by randomising the content length of each response.

• [bug 1785263] Modify the project detail view in a multi tabbed view, composed of:
  • Overview tab displaying general information about the project.
  • Users tab displaying all users which have roles on the project (and their roles on it), including users which have roles on the project throw their membership to a group.
  • Group tab displaying all groups which have roles on the project (and their roles on it).

• Added a new hide_create_volume setting under the LAUNCH_INSTANCE_DEFAULTS dict. This allows you to hide the “Create New Volume” option in the “Launch Instance” form and instead rely on the default value you select with create_volume is the best suitable option for your users.

• Adds the possibility to redirect the login to an identity provider by default. For that purpose the following variables have been added, WEBSSO_DEFAULT_REDIRECT, WEBSSO_DEFAULT_REDIRECT_PROTOCOL, WEBSSO_DEFAULT_REDIRECT_REGION and WEBSSO_DEFAULT_REDIRECT_LOGOUT.

Bug Fixes¶

• [bug 1544703] Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO deployments where network segmentation is used per security requirement. In this case, the controllers are not reachable from public network. Therefore, user’s browser will not be able to access OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint.