Newton Series Release Notes

4.6.0

Prelude

  • Add the X_IS_ADMIN_PROJECT header.

New Features

  • [bug 1583690] For services such as Swift, which may not be utilizing oslo_config, we need to be able to determine the project name from local config. If project name is specified in both local config and oslo_config, the one in local config will be used instead. In case project is undetermined (i.e. not set), we use taxonomy.UNKNOWN as an indicator so operators can take corrective actions.
  • [bug 1540115] Optional dependencies can now be installed using extras. To install audit related libraries, use pip install keystonemiddleware[audit_notifications]. Refer to keystonemiddleware documentation for further information.
  • Added the X_IS_ADMIN_PROJECT header to authenticated headers. This has the string value of ‘True’ or ‘False’ and can be used to enforce admin project policies.
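
An added example, not keystonemiddleware code: a small WSGI filter that enforces an admin project policy from this header. It assumes it runs behind auth_token, that the header reaches the application as HTTP_X_IS_ADMIN_PROJECT in the WSGI environ, and that X-Identity-Status carries 'Confirmed' for a validated token; the /admin prefix, class and function names are hypothetical.

```python
# Added example (not part of keystonemiddleware). Names and the '/admin'
# prefix are hypothetical; place this filter after auth_token in the pipeline.

def is_admin_project(environ):
    """Return True only for the exact string 'True'.

    The header is a string, so bool(value) is wrong: bool('False') is True.
    A missing header or any other spelling fails closed.
    """
    return environ.get('HTTP_X_IS_ADMIN_PROJECT') == 'True'


class RequireAdminProject:
    """Reject protected paths unless the token is admin-project scoped."""

    def __init__(self, app, protected_prefixes=('/admin',)):
        self.app = app
        self.protected = tuple(protected_prefixes)

    def __call__(self, environ, start_response):
        path = environ.get('PATH_INFO', '')
        if path.startswith(self.protected):
            # Assumption: auth_token marks validated requests as 'Confirmed'.
            confirmed = environ.get('HTTP_X_IDENTITY_STATUS') == 'Confirmed'
            if not (confirmed and is_admin_project(environ)):
                body = b'admin project scope required\n'
                start_response('403 Forbidden',
                               [('Content-Type', 'text/plain'),
                                ('Content-Length', str(len(body)))])
                return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected service."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok\n']


def call(app, environ):
    """Run a WSGI app on a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen['status'] = status

    body = b''.join(app(environ, start_response))
    return seen['status'], body
```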

Bug Fixes

  • [bug 1583699] Some service APIs (such as Swift list public containers) do not require a token. Therefore, there will be no identity or service catalog information available. In these cases, audit now fills in the default (i.e. taxonomy.UNKNOWN) for both initiator and target instead of raising an exception.
  • [bug 1583702] Some services such as Swift do not use Oslo (global) config. In that case, the options are conveyed via local config. This patch uses an established pattern in the auth_token middleware, which is to first look for the given option in local config, then in Oslo global config.

4.5.0

New Features

  • [bug 1544840] Adding audit middleware specific notification related configuration to allow a different notification driver and transport for audit if needed.
  • A new configuration option for the s3token middleware called auth_uri can be used to set the URI to be used for authentication. This replaces auth_host, auth_port, and auth_protocol.

Deprecation Notes

  • The auth_host, auth_port, and auth_protocol configuration options to the s3token middleware are now deprecated.

4.3.0

New Features

  • [bug 1540022] The auth_token middleware will now accept a conf setting named oslo_config_config. If this is set, its value must be an existing oslo_config ConfigOpts. oslo_config_config takes precedence over oslo_config_project. This feature is useful to applications that instantiate the auth_token middleware themselves and wish to use an existing configuration.

4.2.0

Deprecation Notes

  • With the release of 4.2.0 of keystonemiddleware we no longer recommend using the in-process token cache. In-process caching may result in inconsistent validation, poor UX and race conditions. It is recommended that the memcached_servers option is set in the keystone_authtoken configuration section of the various services (e.g. nova, glance, …) with the endpoint of running memcached server(s). When the feature is removed, not setting the memcached_servers option will cause keystone to validate tokens more frequently, increasing load. In production, use of caching is highly recommended. This feature is deprecated as of 4.2.0 and is targeted for removal in keystonemiddleware 5.0.0 or in the O development cycle, whichever is later.

4.1.0

New Features

  • [bug 1490804] The auth_token middleware validates the token’s audit IDs during offline token validation if the Identity server includes audit IDs in the token revocation list.

Security Issues

  • [bug 1490804] [CVE-2015-7546] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the Identity (keystone) project.

Bug Fixes

  • [bug 1523311] Do not list deprecated opts in sample config.
  • [bug 1333951] Add support for parsing AWS v4 for ec2.
  • [bug 1423973] Use oslo.config choices for config options.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.