Liberty Series Release Notes
[bug 1490804] Audit IDs are included in the token revocation list.
Experimental - Domain specific configuration options can be stored in SQL instead of configuration files, using the new REST APIs.
Experimental - Keystone now supports tokenless authorization with X.509 SSL client certificate.
Configuring per-Identity Provider WebSSO is now supported.
openstack_project_domain attributes were added to SAML assertion in order to map user and project domains, respectively.
The credentials list call can now have its results filtered by credential type.
Support was improved for out-of-tree drivers by defining stable driver interfaces.
Several features were hardened, including Fernet tokens, federation, domain specific configurations from database and role assignments.
Certain variables in keystone.conf now have options, which determine if the user’s setting is valid.
The EC2 token middleware, deprecated in Juno, is no longer available in keystone. It has been moved to the keystonemiddleware package.
The compute_port configuration option, deprecated in Juno, is no longer available.
The XML middleware stub has been removed, so references to it must be removed from the
The stats_monitoring and stats_reporting paste filters have been removed, so references to them must be removed from the
The external authentication plugins ExternalDefault, ExternalDomain, LegacyDefaultDomain, and LegacyDomain, deprecated in Icehouse, are no longer available.
The keystone.conf file now references entrypoint names for drivers. For example, the drivers are now specified as “sql”, “ldap”, “uuid”, rather than the full module path. See the sample configuration file for other examples.
We now expose entrypoints for the keystone-manage command instead of a file.
Schema downgrades via keystone-manage db_sync are no longer supported. Only upgrades are supported.
Features that were “extensions” in previous releases (OAuth delegation, Federated Identity support, Endpoint Policy, etc.) are now enabled by default.
The secure_proxy_ssl_header configuration option is available when running keystone behind a proxy.
Several configuration options have been deprecated, renamed, or moved to new sections in the
Domain name information can now be used in policy rules with the attribute
Running keystone in eventlet remains deprecated and will be removed in the Mitaka release.
Using LDAP as the resource backend, i.e., for projects and domains, is now deprecated and will be removed in the Mitaka release.
Using the full path to the driver class is deprecated in favor of using the entrypoint. In the Mitaka release, the entrypoint must be used.
In the [resource] and [role] sections of the keystone.conf file, not specifying the driver and using the assignment driver is deprecated. In the Mitaka release, the resource and role drivers will default to the SQL driver.
paste.filter_factory is deprecated in favor of the “use” directive, specifying an entrypoint.
Not specifying a domain during a create user, group or project call, which relied on falling back to the default domain, is now deprecated and will be removed in the N release.
Certain deprecated methods from the assignment manager were removed in favor of the same methods in the [resource] and [role] manager.