Mitaka Series Release Notes


New Features

  • [bug 1540022] The auth_token middleware will now accept a conf setting named oslo_config_config. If this is set, its value must be an existing oslo_config ConfigOpts. oslo_config_config takes precedence over oslo_config_project. This feature is useful to applications that are instantiating the auth_token middleware themselves and wish to use an existing configuration.


Deprecation Notes

  • With the release of 4.2.0 of keystonemiddleware we no longer recommend using the in-process token cache. In-process caching may result in inconsistent validation, poor UX and race conditions. It is recommended that the memcached_servers option is set in the keystone_authtoken configuration section of the various services (e.g. nova, glance, …) with the endpoint of running memcached server(s). When the feature is removed, not setting the memcached_servers option will cause keystone to validate tokens more frequently, increasing load. In production, use of caching is highly recommended. This feature is deprecated as of 4.2.0 and is targeted for removal in keystonemiddleware 5.0.0 or in the O development cycle, whichever is later.
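
An added example, not part of the keystonemiddleware project or these release notes: a small audit that reports which service configuration files leave memcached_servers unset in the keystone_authtoken section and so rely on the deprecated in-process cache. The file names, hostnames and config contents are constructed samples, and the check looks only at memcached_servers, not at any other way a service might supply a cache.

```python
import configparser

SECTION, OPTION = "keystone_authtoken", "memcached_servers"

# Constructed sample configs for illustration; hostnames are placeholders.
SAMPLE_CONFIGS = {
    "nova.conf": (
        "[DEFAULT]\ndebug = false\n"
        "[keystone_authtoken]\n"
        "memcached_servers = cache1.example:11211, cache2.example:11211\n"
    ),
    # Option present but empty: treated the same as not set.
    "glance-api.conf": "[keystone_authtoken]\nmemcached_servers =\n",
    # Option set only under [DEFAULT]: does not apply to keystone_authtoken.
    "cinder.conf": (
        "[DEFAULT]\nmemcached_servers = cache1.example:11211\n"
        "[keystone_authtoken]\n"
    ),
    "other.conf": "[DEFAULT]\ndebug = false\n",
}

def memcached_endpoints(text):
    """Return the endpoints set for auth_token, or None if the section is absent."""
    # default_section is renamed so [DEFAULT] values are not inherited into
    # [keystone_authtoken]; oslo.config does not apply that inheritance either.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(text)
    if not parser.has_section(SECTION):
        return None
    raw = parser.get(SECTION, OPTION, fallback="")
    return [e.strip() for e in raw.split(",") if e.strip()]

def audit(configs):
    """Map each config name to its token cache status."""
    report = {}
    for name, text in configs.items():
        endpoints = memcached_endpoints(text)
        if endpoints is None:
            report[name] = "no auth_token section"
        elif endpoints:
            report[name] = "memcached"
        else:
            report[name] = "in-process cache"
    return report

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{name}: {status}")
```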


New Features

  • [bug 1490804] The auth_token middleware validates the token’s audit IDs during offline token validation if the Identity server includes audit IDs in the token revocation list.

Security Issues

  • [bug 1490804] [CVE-2015-7546] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the Identity (keystone) project.

Bug Fixes

  • [bug 1523311] Do not list deprecated opts in sample config.

  • [bug 1333951] Add support for parsing AWS v4 for ec2.

  • [bug 1423973] Use oslo.config choices for config options.