Current Series Release Notes

15.0.0.0rc1-71

New Features

  • The keystone-manage bootstrap command can now be used to update existing endpoints idempotently, which is useful in conjunction with configuration management tools that use this command for both initialization and lifecycle management of keystone.

  • Domains can now be created with the additional, optional parameter explicit_domain_id, instead of having a domain_id auto-generated from a UUID.

    When keeping two Keystone servers in sync without database replication, it was often necessary to hack the database to update the domain ID so that entries match. The domain ID is then used for LDAP mapped IDs, and if the domain IDs don't match, the user IDs are different. It should be possible to add a domain with an explicit ID, so that the two servers can match user IDs. The parameter is not named simply domain_id for two reasons: first, to keep people from thinking that this is a required, or at least suggested, field; second, to prevent copy errors when creating a new domain, where the domain_id would be copied in from the old one, causing spurious failures or undesired domain_id matching.

    https://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/explicit-domains-ids.html

Upgrade Notes

  • The keystone-manage bootstrap command will now update existing endpoints rather than skipping them if they already exist but are different from the values provided to the command. This is useful in conjunction with configuration management tools that use this command for both initialization and lifecycle management of keystone.

Bug Fixes

  • A federated user gets an entry in the shadow-users table. This entry has a unique ID, which was previously generated using a UUID. This fix reuses the mechanism for LDAP, where the ID is generated from the domain ID + the local ID of the user (an attribute from the IdP that uniquely identifies the user). The generator is specified by the configuration file. Now both LDAP and federated IDs are generated the same way. It also means that federated IDs can be kept in sync between two independent Keystone servers.

  • [bug 1779889] Adds documentation about service tokens and configuring services to use service tokens for long running operations.
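
The following added example (not Keystone's own code) models the ID derivation described in the federated-user fix and the explicit_domain_id note: a user ID computed from the domain ID plus the user's local ID only matches across two servers when the domain IDs match. It assumes a SHA-256 generator over the sorted mapping values; the function names, the sample users and the sample domain ID are constructed for illustration.

```python
import hashlib
import uuid


def public_id(domain_id, local_id, entity_type="user"):
    """Derive a stable public ID from the domain ID and the local ID.

    Assumption: SHA-256 over the mapping values in sorted-key order
    (domain_id, entity_type, local_id). The generator actually in use
    is whatever the configuration file names.
    """
    mapping = {
        "domain_id": domain_id,
        "local_id": local_id,
        "entity_type": entity_type,
    }
    digest = hashlib.sha256()
    for key in sorted(mapping):
        digest.update(mapping[key].encode("utf-8"))
    return digest.hexdigest()


def id_drift(domain_a, domain_b, local_ids):
    """Return the local IDs whose public IDs differ between two servers."""
    return [
        lid for lid in local_ids
        if public_id(domain_a, lid) != public_id(domain_b, lid)
    ]


# Constructed sample data: local IDs as an IdP or LDAP directory might supply.
LOCAL_IDS = ["alice@example.org", "bob@example.org"]
# Constructed value passed as explicit_domain_id on both servers.
EXPLICIT_DOMAIN_ID = "a1b2c3d4e5f647a8b9c0d1e2f3a4b5c6"


def compare_servers():
    """Audit two independent servers with and without a shared domain ID."""
    # Each server auto-created its domain, so each got its own UUID.
    auto_a, auto_b = uuid.uuid4().hex, uuid.uuid4().hex
    drift_auto = id_drift(auto_a, auto_b, LOCAL_IDS)
    # Both servers created the domain with the same explicit ID.
    drift_explicit = id_drift(EXPLICIT_DOMAIN_ID, EXPLICIT_DOMAIN_ID, LOCAL_IDS)
    return drift_auto, drift_explicit


if __name__ == "__main__":
    auto, explicit = compare_servers()
    print("mismatched users, auto-generated domain IDs:", auto)
    print("mismatched users, explicit domain ID:", explicit)
```
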

Other Notes

  • [bug 1829453] The deprecated config option infer_roles has been removed.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.