Liberty Series Release Notes


New Features

  • [bug 1490804] Audit IDs are included in the token revocation list.

Security Issues

  • [bug 1490804] [CVE-2015-7546] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the keystonemiddleware project.


New Features

  • Experimental - Domain-specific configuration options can be stored in SQL instead of configuration files, using the new REST APIs.

  • Experimental - Keystone now supports tokenless authorization with an X.509 SSL client certificate.

  • Configuring per-Identity Provider WebSSO is now supported.

  • openstack_user_domain and openstack_project_domain attributes were added to the SAML assertion in order to map user and project domains, respectively.

  • The credentials list call can now have its results filtered by credential type.

  • Support was improved for out-of-tree drivers by defining stable driver interfaces.

  • Several features were hardened, including Fernet tokens, federation, domain-specific configuration stored in the database, and role assignments.

  • Certain options in keystone.conf now declare a set of allowed values, which is used to determine whether the user’s setting is valid.

Upgrade Notes

  • The EC2 token middleware, deprecated in Juno, is no longer available in keystone. It has been moved to the keystonemiddleware package.

  • The compute_port configuration option, deprecated in Juno, is no longer available.

  • The XML middleware stub has been removed, so references to it must be removed from the keystone-paste.ini configuration file.

  • The stats_monitoring and stats_reporting paste filters have been removed, so references to them must be removed from the keystone-paste.ini configuration file.

  • The external authentication plugins ExternalDefault, ExternalDomain, LegacyDefaultDomain, and LegacyDomain, deprecated in Icehouse, are no longer available.

  • The keystone.conf file now references entrypoint names for drivers. For example, the drivers are now specified as “sql”, “ldap”, “uuid”, rather than the full module path. See the sample configuration file for other examples.

  • We now expose entrypoints for the keystone-manage command instead of a file.

  • Schema downgrades via keystone-manage db_sync are no longer supported. Only upgrades are supported.

  • Features that were “extensions” in previous releases (OAuth delegation, Federated Identity support, Endpoint Policy, etc) are now enabled by default.

  • A new secure_proxy_ssl_header configuration option is available when running keystone behind a proxy.

  • Several configuration options have been deprecated, renamed, or moved to new sections in the keystone.conf file.

  • Domain name information can now be used in policy rules with the attribute domain_name.

Other Notes

  • Running keystone in eventlet remains deprecated and will be removed in the Mitaka release.

  • Using LDAP as the resource backend, i.e., for projects and domains, is now deprecated and will be removed in the Mitaka release.

  • Using the full path to the driver class is deprecated in favor of using the entrypoint. In the Mitaka release, the entrypoint must be used.

  • In the [resource] and [role] sections of the keystone.conf file, not specifying the driver and using the assignment driver is deprecated. In the Mitaka release, the resource and role drivers will default to the SQL driver.

  • In keystone-paste.ini, using paste.filter_factory is deprecated in favor of the “use” directive, specifying an entrypoint.

  • Not specifying a domain during a create user, group or project call, which relied on falling back to the default domain, is now deprecated and will be removed in the N release.

  • Certain deprecated methods from the assignment manager were removed in favor of the same methods in the [resource] and [role] managers.
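The driver-entrypoint, default-driver and paste-filter changes listed in the Upgrade Notes and Other Notes above, shown as before/after configuration fragments. This is an added illustration, not taken from the keystone release notes or sample configuration; the pre-Liberty module paths and the token_auth filter name are assumed for illustration.

```ini
; --- keystone.conf before Liberty: full module path to the driver class (assumed) ---
[identity]
driver = keystone.identity.backends.sql.Identity

[token]
provider = keystone.token.providers.uuid.Provider

; [resource] and [role] left unset, so they fell back to the assignment driver

; --- keystone.conf in Liberty: entrypoint names (the only accepted form from Mitaka on) ---
[identity]
driver = sql

[token]
provider = uuid

; set explicitly; from Mitaka on the default becomes the SQL driver anyway
[resource]
driver = sql

[role]
driver = sql

; --- keystone-paste.ini before Liberty: filter loaded via paste.filter_factory (assumed path) ---
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

; --- keystone-paste.ini in Liberty: the "use" directive naming an entrypoint ---
[filter:token_auth]
use = egg:keystone#token_auth
```

Remove any remaining references to the XML, stats_monitoring and stats_reporting filters from the same keystone-paste.ini pipelines, since those filters no longer exist.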