Current Series Release Notes¶

New Features¶

• The keystone-manage bootstrap command can now be used to update existing endpoints idempotently, which is useful in conjunction with configuration management tools that use this command for both initialization and lifecycle management of keystone.

• [bug 1750676] [bug 1818844] The token API now supports the admin, member, and reader default roles.

• Allow the creating of a domain with the additional, optional parameter of explicit_domain_id instead of auto-creating a domain_id from a uuid.

  When keeping two Keystone servers in sync, but avoiding Database replication, it was often necessary to hack the database to update the Domain ID so that entries match. Domain ID is then used for LDAP mapped IDs, and if they don’t match, the user IDs are different. It should be possible to add a domain with an explicit ID, so that the two servers can match User IDs. The reason that the variable name is not simple domain_id is twofold: First to keep people from thinking that this is a required, or at least suggested field. Second, to prevent copy errors when creating a new domain, where the domain_id would be copied in from the old one, and having spurious failures, or undesirecd domain_id matching.

  https://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/explicit-domains-ids.html

Upgrade Notes¶

• The keystone-manage bootstrap command will now update existing endpoints rather than skipping them if they already exist but are different from the values provided to the command. This is useful in conjunction with configuration management tools that use this command for both initialization and lifecycle management of keystone.

• [bug 1750676] [bug 1818844] The token API uses new default policies that make it easier for system users to delegate functionality in a secure way. Please consider the new policies if your deployment overrides the token policies.

Deprecation Notes¶

• [bug 1750676] [bug 1818844] The identity:check_token policy now uses (role:reader and system_scope:all) or rule:token_subject instead of rule:admin_required or rule:token_subject. The identity:validate_token policy now uses (role:reader and system_scope:all) or rule:service_role or rule:token_subject instead or rule:service_or_admin or rule:token_subject. The identity:revoke_token policy now uses (role:admin and system_scope:all) or rule:token_subject instead of rule:admin_or_token_subject. These new defaults automatically account for a read-only role by default and allow more granular access to the API. Please consider these new defaults if your deployment overrides the token policies.

Security Issues¶

• [bug 1750676] [bug 1818844] The token API now uses system-scope and default roles properly to provide more granular access to the token API.

Bug Fixes¶

• A Federated user gets an entry in the shadow-users table. This entry has a unique ID. It was generated using a UUID. This fix changes to reuse the mechanism for LDAP, where the ID is generated from the domain ID + the local id of the user (an attribute that uniquely ids the user from the IdP). This generator is specified by the configuration file. Now Both LDAP and Federated Ids are generated the same way. It also means that Federated IDs can be kept in sync between two independtent Keystone servers.

• [bug 1754048] The correct user domain is now reported when validating a federated token. Previously, the domain would always be validated as “Federated.”

• [bug 1779889] Adds documentation about service tokens and configuring services to use service tokens for long running operations.

• [bug 1815771] Allows operators to cache credentials to avoid lookups on the database. This operation can be turned on/off through the configuration parameter of keystone.conf [credential] caching.

• [bug 1831918] Credentials now logs cadf audit messages.

Other Notes¶

• [bug 1829453] The deprecated config option infer_roles is removed now.

• [bug 1829453] The deprecated config option admin_endpoint is removed now.