Newton Series Release Notes


Security Issues

  • [bug 1703369] There was a typo for the identity:get_identity_provider rule in the default policy.json file in previous releases. The default value for that rule was the same as the default value for the default rule (restricted to admin) so this typo was not readily apparent. Anyone customizing this rule should review their settings and confirm that they did not copy that typo. More context regarding the purpose of this backport can be found in the bug report.

Bug Fixes

  • [bug 1616424] Python build-in exception was raised if create request token or access token request from client with invalid request parameters, invalid signature for example. The implementation is hardened by showing proper exception and displaying the failure reasons if existent.

  • [bug 1689616] Significant improvements have been made when performing a token flush on massive data sets.

  • [bug 1687593] Ensure that the URL used to make the request when creating OAUTH1 request tokens is also the URL that verifies the request token.

  • [bug 1571878] A valid mapping_id is now required when creating or updating a federation protocol. If the mapping_id does not exist, a 400 - Bad Request will be returned.


New Features

  • [bug 1638603] Support nested groups in Active Directory. A new boolean option [ldap] group_ad_nesting has been added, it defaults to False. Enable the option is using Active Directory with nested groups. This option will impact the list_users_in_group, list_groups_for_user, and check_user_in_group operations.



Add keystone-manage mapping_populate command, which should be used when domain-specific LDAP backend is used.

Tokens can now be cached when issued.

New Features

  • [blueprint manage-migration] Upgrading keystone to a new version can now be undertaken as a rolling upgrade using the –expand, –migrate and –contract options of the keystone-manage db_sync command.

  • OSprofiler support was added. This cross-project profiling library allows to trace various requests through all OpenStack services that support it. To initiate OpenStack request tracing –profile <HMAC_KEY> option needs to be added to the CLI command. Configuration and usage details can be foung in [OSProfiler documentation]

  • [bug 1501698] Support parameter list_limit when LDAP is used as identity backend.

  • Add keystone-manage mapping_populate command. This command will pre-populate a mapping table with all users from LDAP, in order to improve future query performance. It should be used when an LDAP is first configured, or after calling keystone-manage mapping_purge, before any queries related to the domain are made. For more information see keystone-manage mapping_populate --help

  • Add cache_on_issue flag to [token] section that enables placing issued tokens to validation cache thus reducing the first validation time as if token is already validated and token data cached.

Upgrade Notes

  • We have added the password_expires_at attribute to the user response object.

  • The identity backend driver interface has changed. We’ve added a new change_password() method for self service password changes. If you have a custom implementation for the identity driver, you will need to implement this new method.

  • OSprofiler support was introduced. To allow its usage the keystone-paste.ini file needs to be modified to contain osprofiler middleware.

  • Fixes a bug related to the password create date. If you deployed master during Newton development, the password create date may be reset. This would only be apparent if you have security compliance features enabled.

  • In the policy.json file, we changed identity:list_projects_for_groups to identity:list_projects_for_user. Likewise, we changed identity:list_domains_for_groups to identity:list_domains_for_user. If you have customized the policy.json file, you will need to make these changes. This was done to better support new features around federation.

  • Keystone now supports encrypted credentials at rest. In order to upgrade successfully to Newton, deployers must encrypt all credentials currently stored before contracting the database. Deployers must run keystone-manage credential_setup in order to use the credential API within Newton, or finish the upgrade from Mitaka to Newton. This will result in a service outage for the credential API where credentials will be read-only for the duration of the upgrade process. Once the database is contracted credentials will be writeable again. Database contraction phases only apply to rolling upgrades.

  • Keystone now relies on pyldap instead of python-ldap. The pyldap library is a fork of python-ldap and is a drop-in replacement with modifications to be py3 compatible.

Deprecation Notes

  • [blueprint domain-config-as-stable] Deprecated keystone-manage domain_config_upload. The keystone team recommends setting domain config options via the API instead. The domain_config_upload command line option may be removed in the ‘P’ release.

  • [blueprint deprecated-as-of-newton] As of the Newton release, the class plugin keystone.common.kvs.core.KeyValueStore has been deprecated. It is recommended to use alternative backends instead. The KeyValueStore class will be removed in the ‘P’ release.

Bug Fixes

  • [bug 1590587] When assigning Domain Specific Roles, the domain of the role and the domain of the project must match. This is now validated and the REST call will return a 403 Forbidden.

  • [bug 1594482] When using list_limit config option, the GET /services?name={service_name} API was first truncating the list and afterwards filtering by name. The API was fixed to first filter by name and only afterwards truncate the result list to the desired limit.

  • [bug 1613466] Credentials update to ec2 type originally accepted credentials with no project ID set, this would lead to an error when trying to use such credential. This behavior has been blocked, so creating a non-ec2 credential with no project ID and updating it to ec2 without providing a project ID will fail with a 400 Bad Request error.

Other Notes

  • The response’s content type for creating request token or access token is changed to application/x-www-form-urlencoded, the old value application/x-www-urlformencoded is invalid and will no longer be used.

  • Keystone now supports being run under Python 3. The Python 3 and Python 3.4 classifiers have been added.

  • [blueprint removed-as-of-newton] Removed the backend and route from keystone.contrib.endpoint_policy. The package has been moved to keystone.endpoint_policy. This was deprecated in the Liberty release.