Mitaka Series Release Notes

9.2.0

Bug Fixes

  • [bug 1594482] When using list_limit config option, the GET /services?name={service_name} API was first truncating the list and afterwards filtering by name. The API was fixed to first filter by name and only afterwards truncate the result list to the desired limit.

9.0.0

New Features

  • [blueprint domain-specific-roles] Roles can now be optionally defined as domain specific. Domain specific roles are not referenced in policy files, rather they can be used to allow a domain to build their own private inference rules with implied roles. A domain specific role can be assigned to a domain or project within its domain, and any subset of global roles it implies will appear in a token scoped to the respective domain or project. The domain specific role itself, however, will not appear in the token.

  • [blueprint bootstrap] keystone-manage now supports the bootstrap command on the CLI so that a keystone install can be initialized without the need of the admin_token filter in the paste-ini.

  • [blueprint domain-config-default] The Identity API now supports retrieving the default values for the configuration options that can be overriden via the domain specific configuration API.

  • [blueprint url-safe-naming] The names of projects and domains can optionally be ensured to be url safe, to support the future ability to specify projects using hierarchical naming.

  • [bug 1490804] Audit IDs are included in the token revocation list.

  • [bug 1519210] A user may now opt-out of notifications by specifying a list of event types using the notification_opt_out option in keystone.conf. These events are never sent to a messaging service.

  • [bug 1542417] Added support for a user_description_attribute mapping to the LDAP driver configuration.

  • [bug 1526462] Support for posixGroups with OpenDirectory and UNIX when using the LDAP identity driver.

  • [bug 1489061] Caching has been added to catalog retrieval on a per user ID and project ID basis. This affects both the v2 and v3 APIs. As a result this should provide a performance benefit to fernet-based deployments.

  • Keystone supports $(project_id)s in the catalog. It works the same as $(tenant_id)s. Use of $(tenant_id)s is deprecated and catalog endpoints should be updated to use $(project_id)s.

  • [bug 1525317] Enable filtering of identity providers based on id, and enabled attributes.

  • [bug 1555830] Enable filtering of service providers based on id, and enabled attributes.

  • [blueprint implied-roles] Keystone now supports creating implied roles. Role inference rules can now be added to indicate when the assignment of one role implies the assignment of another. The rules are of the form prior_role implies implied_role. At token generation time, user/group assignments of roles that have implied roles will be expanded to also include such roles in the token. The expansion of implied roles is controlled by the prohibited_implied_role option in the [assignment] section of keystone.conf.

  • [bug 96869] A pair of configuration options have been added to the [resource] section to specify a special admin project: admin_project_domain_name and admin_project_name. If these are defined, any scoped token issued for that project will have an additional identifier is_admin_project added to the token. This identifier can then be checked by the policy rules in the policy files of the services when evaluating access control policy for an API. Keystone does not yet support the ability for a project acting as a domain to be the admin project. That will be added once the rest of the code for projects acting as domains is merged.

  • [bug 1515302] Two new configuration options have been added to the [ldap] section. user_enabled_emulation_use_group_config and project_enabled_emulation_use_group_config, which allow deployers to choose if they want to override the default group LDAP schema option.

  • [bug 1501698] Support parameter list_limit when LDAP is used as identity backend.

  • [bug 1479569] Names have been added to list role assignments (GET /role_assignments?include_names=True), rather than returning just the internal IDs of the objects the names are also returned.

  • Domains are now represented as top level projects with the attribute is_domain set to true. Such projects will appear as parents for any previous top level projects. Projects acting as domains can be created, read, updated, and deleted via either the project API or the domain API (V3 only).

  • [bug 1500222] Added information such as: user ID, project ID, and domain ID to log entries. As a side effect of this change, both the user’s domain ID and project’s domain ID are now included in the auth context.

  • [bug 1473042] Keystone’s S3 compatibility support can now authenticate using AWS Signature Version 4.

  • [blueprint totp-auth] Keystone now supports authenticating via Time-based One-time Password (TOTP). To enable this feature, add the totp auth plugin to the methods option in the [auth] section of keystone.conf. More information about using TOTP can be found in keystone’s developer documentation.

Upgrade Notes

  • [bug 1473553] The keystone-paste.ini must be updated to put the admin_token_auth middleware before build_auth_context. See the sample keystone-paste.ini for the correct pipeline value. Having admin_token_auth after build_auth_context is deprecated and will not be supported in a future release.

  • The LDAP driver now also maps the user description attribute after user retrieval from LDAP. If this is undesired behavior for your setup, please add description to the user_attribute_ignore LDAP driver config setting. The default mapping of the description attribute is set to description. Please adjust the LDAP driver config setting user_description_attribute if your LDAP uses a different attribute name (for instance to displayName in case of an AD backed LDAP). If your user_additional_attribute_mapping setting contains description:description you can remove this mapping, since this is now the default behavior.

  • The default setting for the os_inherit configuration option is changed to True. If it is required to continue with this portion of the API disabled, then override the default setting by explicitly specifying the os_inherit option as False.

  • The keystone-paste.ini file must be updated to remove extension filters, and their use in [pipeline:api_v3]. Remove the following filters: [filter:oauth1_extension], [filter:federation_extension], [filter:endpoint_filter_extension], and [filter:revoke_extension]. See the sample keystone-paste.ini file for guidance.

  • The keystone-paste.ini file must be updated to remove extension filters, and their use in [pipeline:public_api] and [pipeline:admin_api] pipelines. Remove the following filters: [filter:user_crud_extension], [filter:crud_extension]. See the sample keystone-paste.ini file for guidance.

  • A new config option, insecure_debug, is added to control whether debug information is returned to clients. This used to be controlled by the debug option. If you’d like to return extra information to clients set the value to true. This extra information may help an attacker.

  • The configuration options for LDAP connection pooling, [ldap] use_pool and [ldap] use_auth_pool, are now both enabled by default. Only deployments using LDAP drivers are affected. Additional configuration options are available in the [ldap] section to tune connection pool size, etc.

  • [bug 1541092] Only database upgrades from Kilo and newer are supported.

  • Keystone now uses oslo.cache. Update the [cache] section of keystone.conf to point to oslo.cache backends: oslo_cache.memcache_pool or oslo_cache.mongo. Refer to the sample configuration file for examples. See oslo.cache for additional documentation.

Deprecation Notes

  • [blueprint deprecated-as-of-mitaka] The V8 Assignment driver interface is deprecated. Support for the V8 Assignment driver interface is planned to be removed in the ‘O’ release of OpenStack.

  • [blueprint deprecated-as-of-mitaka] The V8 Role driver interface is deprecated. Support for the V8 Role driver interface is planned to be removed in the ‘O’ release of OpenStack.

  • The V8 Resource driver interface is deprecated. Support for the V8 Resource driver interface is planned to be removed in the ‘O’ release of OpenStack.

  • Use of $(tenant_id)s in the catalog endpoints is deprecated in favor of $(project_id)s.

  • [blueprint deprecated-as-of-mitaka] Deprecate the enabled option from [endpoint_policy], it will be removed in the ‘O’ release, and the extension will always be enabled.

  • [blueprint deprecated-as-of-mitaka] The token memcache and memcache_pool persistence backends have been deprecated in favor of using Fernet tokens (which require no persistence).

  • [blueprint deprecated-as-of-mitaka] Deprecated all v2.0 APIs. The keystone team recommends using v3 APIs instead. Most v2.0 APIs will be removed in the ‘Q’ release. However, the authentication APIs and EC2 APIs are indefinitely deprecated and will not be removed in the ‘Q’ release.

  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, the PKI and PKIz token formats have been deprecated. They will be removed in the ‘O’ release. Due to this change, the hash_algorithm option in the [token] section of the configuration file has also been deprecated. Also due to this change, the keystone-manage pki_setup command has been deprecated as well.

  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, write support for the LDAP driver of the Identity backend has been deprecated. This includes the following operations: create user, create group, delete user, delete group, update user, update group, add user to group, and remove user from group. These operations will be removed in the ‘O’ release.

  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, the auth plugin keystone.auth.plugins.saml2.Saml2 has been deprecated. It is recommended to use keystone.auth.plugins.mapped.Mapped instead. The saml2 plugin will be removed in the ‘O’ release.

  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, the simple_cert_extension is deprecated since it is only used in support of the PKI and PKIz token formats. It will be removed in the ‘O’ release.

  • The os_inherit configuration option is disabled. In the future, this option will be removed and this portion of the API will be always enabled.

  • [blueprint deprecated-as-of-mitaka] The file httpd/keystone.py has been deprecated in favor of keystone-wsgi-admin and keystone-wsgi-public and may be removed in the ‘O’ release.

  • [blueprint deprecated-as-of-mitaka] keystone.common.cache.backends.memcache_pool, keystone.common.cache.backends.mongo, and keystone.common.cache.backends.noop are deprecated in favor of oslo.cache backends. The keystone backends will be removed in the ‘O’ release.

  • The V8 Federation driver interface is deprecated in favor of the V9 Federation driver interface. Support for the V8 Federation driver interface is planned to be removed in the ‘O’ release of OpenStack.

Security Issues

  • The use of admin_token filter is insecure compared to the use of a proper username/password. Historically the admin_token filter has been left enabled in Keystone after initialization due to the way CMS systems work. Moving to an out-of-band initialization using keystone-manage bootstrap will eliminate the security concerns around a static shared string that conveys admin access to keystone and therefore to the entire installation.

  • The admin_token method of authentication was never intended to be used for any purpose other than bootstrapping an install. However many deployments had to leave the admin_token method enabled due to restrictions on editing the paste file used to configure the web pipelines. To minimize the risk from this mechanism, the admin_token configuration value now defaults to a python None value. In addition, if the value is set to None, either explicitly or implicitly, the admin_token will not be enabled, and an attempt to use it will lead to a failed authentication.

  • [bug 1490804] [CVE-2015-7546] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the keystonemiddleware project.

Bug Fixes

  • [bug 1535878] Originally, to perform GET /projects/{project_id}, the provided policy files required a user to have at least project admin level of permission. They have been updated to allow it to be performed by any user who has a role on the project.

  • [bug 1516469] Endpoints filtered by endpoint_group project association will be included in the service catalog when a project scoped token is issued and endpoint_filter.sql is used for the catalog driver.

  • Support has now been added to send notification events on user/group membership. When a user is added or removed from a group a notification will be sent including the identifiers of both the user and the group.

  • [bug 1527759] Reverted the change that eliminates the ability to get a V2 token with a user or project that is not in the default domain. This change broke real-world deployments that utilized the ability to authenticate via V2 API with a user not in the default domain or with a project not in the default domain. The deployer is being convinced to update code to properly handle V3 auth but the fix broke expected and tested behavior.

  • [bug 1480270] Endpoints created when using v3 of the keystone REST API will now be included when listing endpoints via the v2.0 API.

Other Notes

  • The list_project_ids_for_user(), list_domain_ids_for_user(), list_user_ids_for_project(), list_project_ids_for_groups(), list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and list_role_ids_for_groups_on_domain() methods have been removed from the V9 version of the Assignment driver.

  • [blueprint move-extensions] If any extension migrations are run, for example: keystone-manage db_sync --extension endpoint_policy an error will be returned. This is working as designed. To run these migrations simply run: keystone-manage db_sync. The complete list of affected extensions are: oauth1, federation, endpoint_filter, endpoint_policy, and revoke.

  • [bug 1367113] The “get entity” and “list entities” functionality for the KVS catalog backend has been reimplemented to use the data from the catalog template. Previously this would only act on temporary data that was created at runtime. The create, update and delete entity functionality now raises an exception.

  • keystone-manage db_sync will no longer create the Default domain. This domain is used as the domain for any users created using the legacy v2.0 API. A default domain is created by keystone-manage bootstrap and when a user or project is created using the legacy v2.0 API.

  • The ability to validate a trust-scoped token against the v2.0 API has been removed, in favor of using the version 3 of the API.

  • [blueprint removed-as-of-mitaka] Removed extras from token responses. These fields should not be necessary and a well-defined API makes this field redundant. This was deprecated in the Kilo release.

  • [blueprint removed-as-of-mitaka] Removed RequestBodySizeLimiter from keystone middleware. The keystone team suggests using oslo_middleware.sizelimit.RequestBodySizeLimiter instead. This was deprecated in the Kilo release.

  • [blueprint removed-as-of-mitaka] Notifications with event_type identity.created.role_assignment and identity.deleted.role_assignment have been removed. The keystone team suggests listening for identity.role_assignment.created and identity.role_assignment.deleted instead. This was deprecated in the Kilo release.

  • [blueprint removed-as-of-mitaka] Removed check_role_for_trust from the trust controller, ensure policy files do not refer to this target. This was deprecated in the Kilo release.