Yoga Series Release Notes

9.3.0

Upgrade Notes

  • [bug 1892852] [bug 1888394] [bug 1883659] Keystonemiddleware now using eventlet-safe implementation of MemcacheClientPool from oslo.cache’s library by default. The keystonemiddleware implementation is now deprecated. For backwards compatibility, the [keystone_authtoken] memcache_use_advanced_pool option can be set to False config files of the various services (e.g. nova, glance, …) when Memcached is used for token cache.

Deprecation Notes

  • We no longer recommend using the eventlet unsafe keystonemiddleware’s memcacheclientpool. This implementation may result in growing connections to Memcached.

    It is recommended that the memcache_use_advanced_pool option is set to True in the keystone_authtoken configuration section of the various services (e.g. nova, glance, …) when Memcached is used for token cache.

9.1.0

Prelude

Since the removal of the Identity API v2 Keystone no longer has any special functionality that requires using the admin endpoint for it. So this release changes the default endpoint being used from admin to internal, allowing deployments to work without an admin endpoint.

Upgrade Notes

  • [bug 1830002] The default Identity endpoint has been changed from admin to internal.

9.0.0

Upgrade Notes

  • Python 2.7 support has been dropped. Last release of keystonemiddleware to support Python 2.7 is OpenStack Train. The minimum version of Python now supported is Python 3.6.

8.0.0

Upgrade Notes

  • [bug 1845539] [bug 1777177] keystonemiddleware no longer supports the Keystone v2.0 api, all associated functionality has been removed.

Other Notes

7.0.0

New Features

  • [spec] The auth_token middleware now has support for accepting or denying incoming requests based on access rules provided by users in their Keystone application credentials.

6.1.0

New Features

  • [bug 1830002] In order to allow an installation to work without deploying an admin Identity endpoint, a new option interface has been added, allowing select the Identity endpoint that is being used when verifying auth tokens. It defaults to admin in order to replicate the old behaviour, but may be set to public or internal as needed.

6.0.0

New Features

  • [bug 1803940] Request ID and global request ID have been added to CADF notifications.

Upgrade Notes

  • [bug 1649735] Keystonemiddleware no longer supports PKI/PKIZ tokens, all associated offline validation has been removed. The configuration options signing_dir, and hash_algorithms have been removed, if they still exist in your configuration(s), they are now safe to remove. Please consider utilizing the newer fernet or JWS token formats.

Bug Fixes

  • [bug 1649735] The auth_token middleware no longer attempts to retrieve the revocation list from the Keystone server. The deprecated options revocations_cache_time and check_revocations_for_cached have been removed. Keystone no longer issues PKI/PKIZ tokens and now keystonemiddleware’s Support for PKI/PKIZ and associated offline validation has been removed. This includes the deprecated config options signing_dir, and hash_algorithms.

  • [bug 1800017] Fix audit middleware service catalog parsing for the scenario where a service does not contain any endpoints. In that case, we should just skip over that service.

  • [bug 1809101] Fix req.context of Keystone audit middleware and Glance conflict with each other issue. The audit middleware now stores the admin context to req.environ[‘audit.context’].

  • [bug 1813739] When admin identity endpoint is not created yet, keystonemiddleware emit EndpointNotFound exception. Even after admin identity endpoint created, auth_token middleware could not be notified of update since it does not invalidate existing auth. Add an invalidation step so that endpoint updates can be detected.

  • [bug 1797584] Fixed a bug where the audit code would select the wrong target service if the OpenStack service endpoints were not using unique TCP ports.

5.3.0

Bug Fixes

  • [bug 1789351] Fixed the bug that when initialize AuthProtocol, it’ll raise “dictionary changed size during iteration” error if the input CONF object contains deprecated options.

  • When delay_auth_decision is enabled and a Keystone failure prevents a final decision about whether a token is valid or invalid, it will be marked invalid and the application will be responsible for a final auth decision. This is similar to what happens when a token is confirmed not valid. This allows a Keystone outage to only affect Keystone users in a multi-auth system.

5.1.0

New Features

  • [bug 1762362] The value of the header “WWW-Authenticate” in a 401 (Unauthorised) response now is double quoted to follow the RFC requirement.

Bug Fixes

  • [bug 1766731] Keystonemiddleware now supports system scoped tokens. When a system-scoped token is parsed by auth_token middleware, it will set the OpenStack-System-Scope header accordingly.

5.0.0

New Features

  • [bug 1695038] The use_oslo_messaging configuration option is added for services such as Swift, which need the audit middleware to use the local logger instead of the oslo.messaging notifier regardless of whether the oslo.messaging package is present or not. Leave this option set to its default True value to keep the previous behaviour unchanged - the audit middleware will use the oslo.messaging notifier if the oslo.messaging package is present, and the local logger otherwise. Services that rely on the local logger for audit notifications must set this option to False.

Bug Fixes

  • [bug/1747655] When keystone is temporarily unavailable, keystonemiddleware correctly sends a 503 response to the HTTP client but was not identifying which service was down, leading to confusion on whether it was keystone or the service using keystonemiddleware that was unavailable. This change identifies keystone in the error response.

Other Notes

  • The kwargs_to_fetch_token setting was removed from the BaseAuthProtocol class. Implementations of auth_token now assume kwargs will be passed to the fetch_token method.

4.20.0

Bug Fixes

  • [bug 1737115] Last release had accidentally made python-memcached a hard dependency, this has changed it back to an optional one.

  • [bug 1737119] If the application was not using the global cfg.CONF object, the configuration was not read from the configuration file. This have been fixed.

4.18.0

Deprecation Notes

  • The auth_uri parameter of keystone_authtoken is deprecated in favour of www_authenticate_uri. The auth_uri option was often confused with the auth_url parameter of the keystoneauth plugin, which was also effectively always required. The parameter refers to the WWW-Authenticate header that is returned when the user needs to be redirected to the Identity service for authentication.

4.16.0

Upgrade Notes

  • [bug 1677308] There is no upgrade impact when switching from pycrypto to cryptography. All data will be encrypted and decrypted using identical blocksize, padding, algorithm (AES) and mode (CBC). Data previously encrypted using pycrypto can be decrypted using both pycrypto and cryptography. The same is true of data encrypted using cryptography.

Bug Fixes

  • [bug 1677308] Removes pycrypto dependency as the library is unmaintained, and replaces it with the cryptography library.

4.12.0

Prelude

Fetching expired tokens when using a valid service token is now allowed. This will help with long running operations that must continue between services longer than the original expiry of the token.

New Features

  • AuthToken middleware will now allow fetching an expired token when a valid service token is present. This service token must contain any one of the roles specified in service_token_roles.

  • Service tokens are compared against a list of possible roles for validity. This will ensure that only services are submitting tokens as an X-Service-Token. For backwards compatibility, if service_token_roles_required is not set, a warning will be emitted. To enforce the check properly, set service_token_roles_required to True. It currently defaults to False

Upgrade Notes

  • Set the service_token_roles to a list of roles that services may have. The likely list is service or admin. Any service_token_roles may apply to accept the service token. Ensure service users have one of these roles so interservice communication continues to work correctly. When verified, set the service_token_roles_required flag to True to enforce this behaviour. This will become the default setting in future releases.

Deprecation Notes

  • For backwards compatibility the service_token_roles_required option in [keystone_authtoken] was added. The option defaults to False and has been immediately deprecated. This will allow the current behaviour that service tokens are validated but not checked for roles to continue. The option should be set to True as soon as possible. The option will default to True in a future release.

4.6.0

Prelude

  • Add the X_IS_ADMIN_PROJECT header.

New Features

  • [bug 1583690] For services such as Swift, which may not be utilising oslo_config, we need to be able to determine the project name from local config. If project name is specified in both local config and oslo_config, the one in local config will be used instead. In case project is undetermined (i.e. not set), we use taxonomy.UNKNOWN as an indicator so operators can take corrective actions.

  • [bug 1540115] Optional dependencies can now be installed using extras. To install audit related libraries, use pip install keystonemiddleware[audit_nofications]. Refer to keystonemiddleware documentation for further information.

  • Added the X_IS_ADMIN_PROJECT header to authenticated headers. This has the string value of ‘True’ or ‘False’ and can be used to enforce admin project policies.

Bug Fixes

  • [bug 1583699] Some service APIs (such as Swift list public containers) do not require a token. Therefore, there will be no identity or service catalogue information available. In these cases, audit now fills in the default (i.e. taxonomy.UNKNOWN) for both initiator and target instead of raising an exception.

  • [bug 1583702] Some services such as Swift does not use Oslo (global) config. In that case, the options are conveyed via local config. This patch utilized an established pattern in auth_token middleware, which is to first look for the given option in local config, then Oslo global config.

4.5.0

New Features

  • [bug 1544840] Adding audit middleware specific notification related configuration to allow a different notification driver and transport for audit if needed.

  • A new configuration option for the s3token middleware called auth_uri can be used to set the URI to be used for authentication. This replaces auth_host, auth_port, and auth_protocol.

Deprecation Notes

  • The auth_host, auth_port, and auth_protocol configuration options to the s3token middleware are now deprecated.

4.3.0

New Features

  • [bug 1540022] The auth_token middleware will now accept a conf setting named oslo_config_config. If this is set its value must be an existing oslo_config ConfigOpts. oslo_config_config takes precedence over oslo_config_project. This feature is useful to applications that are instantiating the auth_token middleware themselves and wish to use an existing configuration.

4.2.0

Deprecation Notes

  • With the release of 4.2.0 of keystonemiddleware we no longer recommend using the in-process token cache. In-process caching may result in inconsistent validation, poor UX and race conditions. It is recommended that the memcached_servers option is set in the keystone_authtoken configuration section of the various services (e.g. nova, glance, …) with the endpoint of running memcached server(s). When the feature is removed, not setting the memcached_servers option will cause keystone to validate tokens more frequently, increasing load. In production, use of caching is highly recommended. This feature is deprecated as of 4.2.0 and is targeted for removal in keystonemiddleware 5.0.0 or in the O development cycle, whichever is later.

4.1.0

New Features

  • [bug 1490804] The auth_token middleware validates the token’s audit IDs during offline token validation if the Identity server includes audit IDs in the token revocation list.

Security Issues

  • [bug 1490804] [CVE-2015-7546] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the Identity (Keystone) project.

Bug Fixes

  • [bug 1523311] Do not list deprecated opts in sample config.

  • [bug 1333951] Add support for parsing AWS v4 for ec2.

  • [bug 1423973] Use oslo.config choices for config options.