Current Series Release Notes¶

New Features¶

• [bug 1669080] Added support for a description attribute for V3 Identity Roles, see API docs for details.

• [Community Goal] Support has been added for developers to write pre-upgrade checks. Operators can run these checks using keystone-status upgrade check. This allows operators to be more confident when upgrading their deployments by having a tool that automates programmable checks against the deployment configuration or dataset.

Upgrade Notes¶

• [bug 1787874] Please note that the deployment which sets unique_last_password_count = 1 in the config file should update the value to 0 to keep the same behavior as before.

Bug Fixes¶

• [bug 1744195] The SQL Foreign Key is enabled for Keystone unit tests now. This is not an end user impact fixed. But for the downstream teams, please take care of it for your private test code changes.

• [‘bug 1753585 <https://bugs.launchpad.net/keystone/+bug/1753585>’_] LDAP attribute names are now matched case insensitively to comply with LDAP implementations.

• [bug 1780503] The notification wrapper now sets the initiator’s id to the given user id. This fixes an issue where identity.authentication event would result in the initiator id being a random default UUID, rather than the user’s id when said user would authenticate against keystone.

• [bug 1784536] Keystone now return 401 Unauthorized correctly when issuing a project-scoped token but the input project id is a domain id.

• [bug 1787874] The default value of the config option unique_last_password_count is changed from 1 to 0. Now unique_last_password_count = 0 means password history check is disabled. unique_last_password_count = 1 means when changing password, the new one should be different than the current one.

• [bug 1788694] System-scoped tokens now support expanding role assignments to include implied roles in token creation and validation responses.

• [bug 1789450] When a mapped group that does not exist in keystone is found, instead of throwing a 500 error, keystone will now log the instance and continue. This is expected behavior as an external IdP may specify a group that does not exist within keystone.

Other Notes¶

• [blueprint removed-as-of-stein] The options member_role_id and member_role_name which were deprecated in Queens and only used for V2 are removed now.

• [blueprint removed-as-of-stein] The deprecated token_flush is removed now.