Current Series Release Notes

16.0.0.0rc1-38

New Features

  • Restores the configurability of the resource driver, so it is now possible to create a custom resource driver if the built-in sql driver does not meet business requirements.

Upgrade Notes

  • [bug 1806762] [bug 1630434] The entire policy.v3cloudsample.json file has been removed. If you were using this policy file to supply overrides in your deployment, you should consider using the defaults in code and setting keystone.conf [oslo_policy] enforce_scope=True. The new policy defaults are more flexible, they’re tested extensively, and they solve all the problems the policy.v3cloudsample.json file was trying to solve.

  • The foreign key constraints between the user.domain_id column and the project.id column, and between the identity_provider.domain_id column and the project.id column, will be dropped upon running the keystone db_sync contraction step. These constraints are enforced in code and do not need to be enforced by the database. This should have no impact on users.

Critical Issues

  • [bug 1855080] An error in the policy target filtering inadvertently allowed any user to list any credential object with the /v3/credentials API when [oslo_policy]/enforce_scope was set to false, which is the default. This has been addressed: users with non-admin roles on a project may not list other users’ credentials. However, users with the admin role on a project may still list any user’s credentials when [oslo_policy]/enforce_scope is false due to bug 968696.

Security Issues

  • [bug 1855080] An error in the policy target filtering inadvertently allowed any user to list any credential object with the /v3/credentials API when [oslo_policy]/enforce_scope was set to false, which is the default. This has been addressed: users with non-admin roles on a project may not list other users’ credentials. However, users with the admin role on a project may still list any user’s credentials when [oslo_policy]/enforce_scope is false due to bug 968696.
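
An added example, not part of the keystone release notes or code: a small Python check that reads the text of a keystone.conf and reports whether [oslo_policy] enforce_scope is explicitly enabled. The function names and sample configs are constructed for illustration; an unset option is treated as false, matching the default stated above.

```python
import configparser

# Boolean spellings accepted by this check (assumption: the usual INI forms).
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}

# Constructed sample configs, not taken from a real deployment.
SAMPLE_DEFAULT = "[DEFAULT]\ndebug = false\n\n[oslo_policy]\n# enforce_scope = true\n"
SAMPLE_HARDENED = "[oslo_policy]\nenforce_scope = True\n"


def enforce_scope_enabled(conf_text):
    """Return True only if [oslo_policy] enforce_scope is explicitly true."""
    parser = configparser.ConfigParser(
        interpolation=None,          # values may contain a literal '%'
        strict=False,                # tolerate repeated sections and options
        default_section="__none__",  # keep [DEFAULT] from leaking into other sections
    )
    parser.read_string(conf_text)
    raw = parser.get("oslo_policy", "enforce_scope", fallback=None)
    if raw is None:
        return False  # unset or commented out: the default is false
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"unrecognised enforce_scope value: {raw!r}")


def audit(conf_text):
    """Return a one-line finding for the body of a keystone.conf."""
    if enforce_scope_enabled(conf_text):
        return "ok: [oslo_policy] enforce_scope is true"
    return ("review: [oslo_policy] enforce_scope is false or unset; project "
            "admins can still list any user's credentials via "
            "/v3/credentials (bug 968696)")


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit(text)}")
```
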

Bug Fixes

  • [bug 1806762] [bug 1630434] The entire policy.v3cloudsample.json file has been removed. If you were using this policy file to supply overrides in your deployment, you should consider using the defaults in code and setting keystone.conf [oslo_policy] enforce_scope=True. The new policy defaults are more flexible, they’re tested extensively, and they solve all the problems the policy.v3cloudsample.json file was trying to solve.

  • [bug 1848238] Allows deleting a domain when that domain uses the ldap driver. Previously, the deletion attempted to delete the group in LDAP, which is read-only.

  • [bug 1856881] keystone-manage bootstrap can be run in upgrade scenarios where pre-existing domain-specific roles exist named admin, member, and reader.

  • [bug 1856962] Fixes an issue where federated users could not authenticate if their mapped group membership was empty.