Current Series Release Notes¶

New Features¶

• [bug 1669080] Added support for a description attribute for V3 Identity Roles, see API docs for details.

• [blueprint mfa-auth-receipt] Added support for auth receipts. Allows multi-step authentication for users with configured MFA Rules. Partial authentication with successful auth methods will return an auth receipt that can be consumed in subsequent auth attempts along with the missing auth methods to complete auth and be provided with a valid token.

• [Community Goal] Support has been added for developers to write pre-upgrade checks. Operators can run these checks using keystone-status upgrade check. This allows operators to be more confident when upgrading their deployments by having a tool that automates programmable checks against the deployment configuration or dataset.

• [bug 1794376] The domain API now supports the admin, member, and reader default roles.

• [bug 1805372] The registered limit API now supports the admin, member, and reader default roles.

• [bug 1805403] The project API now supports the admin, member, and reader default roles.

Upgrade Notes¶

• [blueprint mfa-auth-receipt] Auth receipts share the same fernet mechanism as tokens and by default will share keys with tokens and work out of the box. If your fernet key directory is not the default, you will need to also configure the receipt key directory, but they can both point to the same location allowing key rotations to affect both safely. It is possible to split receipt and token keys and run rotatations separately for both if needed.

• [bug 1787874] Please note that the deployment which sets unique_last_password_count = 1 in the config file should update the value to 0 to keep the same behavior as before.

• [bug 1788415] [bug 968696] Policies protecting the /v3/credentials API have changed defaults in order to make the credentials API more accessible for all users and not just operators or system administrator. Please consider these updates when using this version of keystone since it could affect API behavior in your deployment, especially if you’re using a customized policy file.

• [bug 1794376] The domain API uses new default policies that make it more accessible to end users and administrators in a secure way. Please consider these new defaults if your deployment overrides domain policies.

• [bug 1805372] The following registered limit policy check strings have changed in favor of more clear and concise defaults:

  • identity:create_registered_limits
  • identity:update_registered_limit
  • identity:delete_registered_limit

  These policies are not being formally deprecated because the unified limits API is still considered experiemental. Please consider these new defaults if your deployment overrides the registered limit policies.

• [bug 1805403] The project API uses new default policies that make it more accessible to end users and administrators in a secure way. Please consider these new defaults if your deployment overrides project policies.

• [bug 1805880] The registered limit policies defined in policy.v3cloudsample.json have been removed. These policies are now obsolete after incorporating system-scope into the registered limit API and implementing default roles.

Deprecation Notes¶

• [bug 1794376] The following domain policy check strings have been deprecated in favor of more clear and concise defaults:

  • identity:get_domain
  • identity:list_domains
  • identity:create_domain
  • identity:update_domain
  • identtity:delete_domain

  Please consider these new default if your deployment overrides domain policies.

• [bug 1805403] The project policies have been deprecated. The identity:get_project policy now uses (role:reader and system_scope:all) or project_id:%(target.project.id)s instead of rule:admin_required or project_id:%(target.project.id)s. The identity:list_projects policy now uses role:reader and system_scope:all instead of rule:admin_required. The identity:create_project, identity:update_project, and identity:delete_project policies now use role:admin and system_scope:all instead of rule:admin_required. The identity:list_user_projects policy now uses (role:admin and system_scope:all) or user_id:%(target.user.id)s instead of rule:admin_or_owner. These new defaults automatically account for system-scope and support a read-only role, making it easier for system administrators to delegate subsets of responsibility without compromising security. Please consider these new defaults if your deployment overrides the project policies.

• The commandline options standard-threads, `pydev-debug-host and pydev-debug-port are only used by Keystone eventlet model in Newton release before. They are deprecated now and will be removed in the next release.

Security Issues¶

• [bug 1788415] [bug 968696] More granular policy checks have been applied to the credential API in order to make it more self-service for users. By default, end users will now have the ability to manage their credentials.

• [bug 1794376] The domain API now uses system-scope and default roles to provide better accessibility to users in a secure way.

• [bug 1805372] The registered limit API now uses system-scope and default roles to provide better accessibility to users in a secure way.

• [bug 1805403] The project API now uses system-scope and default roles to provide better accessibility to users in a secure way.

Bug Fixes¶

• [bug 1729933] The Region Update API now correctly updates extra values. Previously adding any extra values to a region via the update API would discard any added values besides the default ones. Any extra values are now correctly added and returned. This fix was for consistency with other APIs in keystone that use ‘extra’ and the use of ‘extra’ in keystone is highly discouraged.

• [bug 1734244] Users can’t set password longer than 128 if Keystone using Sqlalchemy < 1.1.0. Update Sqlalchemy to a higher version can solve this problem. [Related Sqlalchemy Changelog].

• [bug 1744195] The SQL Foreign Key is enabled for Keystone unit tests now. This is not an end user impact fixed. But for the downstream teams, please take care of it for your private test code changes.

• [‘bug 1753585 <https://bugs.launchpad.net/keystone/+bug/1753585>’_] LDAP attribute names are now matched case insensitively to comply with LDAP implementations.

• [bug 1757151] More thorough documentation has been added for authorization and token scopes, which helps users and developers understand the purpose of scope and why it can be a useful tool for resource isolation and API protection.

• [bug 1780503] The notification wrapper now sets the initiator’s id to the given user id. This fixes an issue where identity.authentication event would result in the initiator id being a random default UUID, rather than the user’s id when said user would authenticate against keystone.

• [bug 1784536] Keystone now return 401 Unauthorized correctly when issuing a project-scoped token but the input project id is a domain id.

• [bug 1787874] The default value of the config option unique_last_password_count is changed from 1 to 0. Now unique_last_password_count = 0 means password history check is disabled. unique_last_password_count = 1 means when changing password, the new one should be different than the current one.

• [bug 1788415] [bug 968696] Improved self-service support has been implemented in the credential API. This means that end users have the ability to manage their own credentials as opposed to filing tickets to have deployment administrators manage credentials for users.

• [bug 1788694] System-scoped tokens now support expanding role assignments to include implied roles in token creation and validation responses.

• [bug 1789450] When a mapped group that does not exist in keystone is found, instead of throwing a 500 error, keystone will now log the instance and continue. This is expected behavior as an external IdP may specify a group that does not exist within keystone.

• [bug 1792026] Formal documentation for user resource options has been added to the administrator guide and the API reference. This documentation helps describe how user options can improve user experience, namely for deployments looking to offer flexibility around PCI-DSS security requirements, among other things.

• [bug 1796887] Add caching on trust role validation to improve performance. Services relying heavily on trusts are impacted as the trusts are validated against the database. This adds caching on those operations to improve performance

• [bug 1805880] The registered limit policies in policy.v3cloudsample.json policy file have been removed in favor of better defaults in code. These policies weren’t tested exhaustively and were misleading to users and operators.

• [bug 1810393] Now when an identity provider protocol is deleted, the cache info for the related federated users will be invalidated as well.

• Some bugs for unified limit APIs have been fixed, it includes:

  • [bug 1798716] The region_id of registered limit now can be updated to None.
  • [bug 1798495] The length of unified limit’s resource_name now is limited from 1 to 255 (string).
  • [bug 1797876] The default_limit of registered limit and the resource_limit of limit now are limited from -1 to 2147483647 (integer). -1 means no limit. 2147483647 is the max value for integer by default in SQL (4 bytes).

Other Notes¶

• [bug 1473292] If you’re relying on a custom implementation of the trust backend, please be sure to implement the new method prior to upgrading.

• Keystone has been fully converted to run under flask. All of the APIs are now natively dispatched under flask.

  Included in this change is a removal of a legacy WSGI environment data holder calld openstack.params. The data holder was used exclusively for communicating data down the chain under paste-deploy. The data in openstack.params was generally “normalized” in an odd way and unreferenced in the rest of the openstack code-base.

  Some minor changes to the JSON Home document occured to make it consistent with the rest of our convensions (Technically an API contract break) but required for the more strict view the Keystone flask code takes on setting up the values for JSON Home. Notably “application_credentials” now has an appropriate entry for listing and creating new app creds.

  JSON Body and URL Normalizing middleware were move to a flask-native model.

  Any middleware defined in Keystone’s tree is no longer loaded via stevedore, and likewise the entry points were removed.

  Original WSGI Framework (custom, home-rolled, based on WEBOB) has been removed from the codebase.

• [blueprint removed-as-of-stein] The options member_role_id and member_role_name which were deprecated in Queens and only used for V2 are removed now.

• [blueprint removed-as-of-stein] The deprecated token_flush is removed now.

• [blueprint removed-as-of-stein] The deprecated config option bind is removed now.

• [blueprint removed-as-of-stein] The deprecated option crypt_strength is removed now. It was only useful for sha512_crypt password hashes which has been superseded by more secure hashing implementations.

• [blueprint removed-as-of-stein] The keystone.conf [DEFAULT] secure_proxy_ssl_header configuration option was slated for removal in Pike and has now officially been removed. Please use oslo.middleware.http_proxy_to_wsgi instead.

• [blueprint removed-as-of-stein] The interface create_arguments_apply in token formatter payload has been removed. The token payload now doesn’t need to be force ordered any more.