Ussuri Series Release Notes


Security Issues

  • The content of fernet keys and credential keys is no longer shown in Puppet's output (for example in file diffs) when these files are updated, so the key material does not leak into agent logs or reports.
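As an added illustration (not part of these release notes and not puppet-keystone's own manifests), the general Puppet mechanism behind this kind of fix: a key file managed as a plain file resource versus one whose content is kept out of diffs and logs. Paths and the key value are constructed placeholders, and the key string is not a real fernet key.

```puppet
# Added illustration, not code from puppet-keystone. Paths and key material
# are constructed for the example.

# Weak: when diff output is enabled (the `show_diff` setting, commonly turned
# on for noop runs), a change to this file prints the old and new content in
# the agent output and records it in the report sent to the server, so the
# new key ends up wherever logs and reports are stored.
file { '/etc/keystone/fernet-keys/0':
  ensure  => file,
  owner   => 'keystone',
  group   => 'keystone',
  mode    => '0600',
  content => 'cN9cGWc5sbD6XL6cxg3Nt3GqhPQVYXdlRzQdnAq9Dwo=',  # constructed, not a real key
}

# Hardened: `show_diff => false` suppresses the diff for this resource
# regardless of the global setting, and wrapping the content in Sensitive()
# makes Puppet redact the value in logs and reports when it has to mention it.
file { '/etc/keystone/fernet-keys/1':
  ensure    => file,
  owner     => 'keystone',
  group     => 'keystone',
  mode      => '0600',
  show_diff => false,
  content   => Sensitive('cN9cGWc5sbD6XL6cxg3Nt3GqhPQVYXdlRzQdnAq9Dwo='),  # constructed
}
```

A quick check after an upgrade is to run the agent with `--noop --show_diff` against a host whose key rotation is pending and confirm that only "content changed" messages appear, without the key bytes themselves.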


New Features

  • Added the following configurable items for OpenID Connect:

    • keystone::federation::openidc::openidc_pass_userinfo_as to set OIDCPassUserInfoAs

    • keystone::federation::openidc::openidc_pass_claim_as to set OIDCPassClaimsAs

  • Added TLS options for oslo.cache.

  • Allow specifying the driver name for the PostgreSQL database connection.

  • The new keystone::cron::trust_flush class was added to configure a cron job to purge expired or soft-deleted trusts.

  • The keystone::federation::openidc class now supports the new openidc_response_mode parameter, to customize the mod_auth_openidc response mode (OIDCResponseMode).
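As an added example (not from the release notes or from puppet-keystone's own code), a declaration of keystone::federation::openidc that uses the three parameters introduced in this series. The IdP name, metadata URL, client id and secrets are constructed placeholders; parameter names other than openidc_pass_userinfo_as, openidc_pass_claim_as and openidc_response_mode are assumed from the class's interface and should be checked against the installed module version.

```puppet
# Added example; identifiers and secrets are constructed placeholders.
class { 'keystone::federation::openidc':
  methods                       => 'password,token,openid',
  idp_name                      => 'myidp',                          # assumed parameter
  openidc_provider_metadata_url => 'https://idp.example.com/.well-known/openid-configuration',
  openidc_client_id             => 'keystone-client',
  openidc_client_secret         => 'example-client-secret',          # keep in Hiera/eyaml in real deployments
  openidc_crypto_passphrase     => 'example-crypto-passphrase',      # ditto
  remote_id_attribute           => 'HTTP_OIDC_ISS',                  # assumed parameter

  # Rendered as OIDCResponseMode. 'form_post' returns the authorization
  # response in a POST body instead of the URL query or fragment, so the
  # code does not land in web server logs, Referer headers or history.
  openidc_response_mode         => 'form_post',

  # Rendered as OIDCPassClaimsAs. 'environment' exposes claims to the
  # keystone WSGI application through the request environment only, rather
  # than also as HTTP headers (the other accepted values are 'headers',
  # 'both' and 'none').
  openidc_pass_claim_as         => 'environment',

  # Rendered as OIDCPassUserInfoAs. 'claims' flattens the userinfo
  # response into individual claims; 'json', 'jwt' and 'signed_jwt' pass
  # it as one blob for the application to parse.
  openidc_pass_userinfo_as      => 'claims',
}
```

Keystone's federation mapping rules reference the claims by the names mod_auth_openidc sets, so whichever passing mode is chosen the mapping's remote attribute names must match it.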

Upgrade Notes

  • Since the Ussuri release, the identity service record is created by keystone-manage bootstrap instead of an API call. Because the current bootstrap does not support setting a service description, the description is now "" instead of the previous value, "OpenStack Identity Service", which puppet-keystone used to set.

Bug Fixes

  • Fixed a bug where the keystone::resource::authtoken resource would not install the proper python memcache bindings when using python3.

  • The default/public_endpoint parameter is no longer set by default, because of a known issue when different hosts or protocols are used for each endpoint (in particular for the admin endpoint and the public endpoint).


New Features

  • The new keystone::cache class was introduced to manage configurations for caching in keystone.

Upgrade Notes

  • The deprecated idle_timeout option has been removed; use database_connection_recycle_time instead.

Deprecation Notes

  • The following puppet parameters are deprecated and staged for removal. Keystone removed LDAP support for projects and roles (the LDAP resource and assignment backends) in Mitaka, so even if these options are set in keystone's configuration file they are silently ignored and must not be relied on. They will be removed in a future release:

    • project_tree_dn

    • project_filter

    • project_objectclass

    • project_id_attribute

    • project_member_attribute

    • project_name_attribute

    • project_desc_attribute

    • project_enabled_attribute

    • project_domain_id_attribute

    • project_attribute_ignore

    • project_allow_create

    • project_allow_update

    • project_allow_delete

    • project_enabled_emulation

    • project_enabled_emulation_dn

    • project_additional_attribute_mapping

    • role_tree_dn

    • role_filter

    • role_objectclass

    • role_id_attribute

    • role_name_attribute

    • role_member_attribute

    • role_attribute_ignore

    • role_allow_create

    • role_allow_update

    • role_allow_delete

    • role_additional_attribute_map

    • credential_driver

    • assignment_driver

  • The database_min_pool_size option is now deprecated for removal; the parameter has no effect.

  • The following parameters for managing the cache are now deprecated, because the new keystone::cache class manages cache configuration. Use the parameters of the keystone::cache class instead.

    • keystone::cache_backend

    • keystone::cache_backend_argument

    • keystone::enabled

    • keystone::memcache_servers

    • keystone::debug_cache_backend

    • keystone::cache_config_prefix

    • keystone::cache_expiration_time

    • keystone::cache_proxies

    • keystone::token_caching

    • keystone::memcache_dead_retry

    • keystone::memcache_socket_timeout

    • keystone::memcache_pool_maxsize

    • keystone::memcache_pool_unused_timeout

    • keystone::memcache_pool_connection_get_timeout

    • keystone::manage_backend_package

Bug Fixes

  • The number of workers is raised to 2 x os_workers, so that there are as many workers as before the two keystone services (public and admin) were merged into one.


New Features

  • Added keystone::bootstrap class.

Upgrade Notes

  • Now that the keystone::endpoint and keystone::roles::admin classes are deprecated and have no effect, deployments must define the new keystone::bootstrap class with the data that was previously passed to those classes. Please go through the parameters of keystone::bootstrap carefully before defining the class.

  • If you are using a multi-domain setup where you previously relied on keystone::endpoint and/or keystone::roles::admin to create your domains and domain-scoped admin accounts, note that keystone::bootstrap does not do this; you need to ensure these are managed in your deployment using the keystone provider resources.
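The migration described in the two notes above, as an added example that is not part of the release notes or of puppet-keystone's own code. Hostnames, e-mail addresses, Hiera keys and domain names are constructed placeholders; the parameter names of keystone::bootstrap and the title format of keystone_user_role are assumed from the module's interface and should be checked against the version being deployed.

```puppet
# Added example; names, URLs and Hiera keys are constructed placeholders.

# Before (deprecated in this series, now a no-op):
#
#   class { 'keystone::endpoint':
#     public_url   => 'https://keystone.example.com:5000',
#     internal_url => 'https://keystone.internal.example.com:5000',
#     admin_url    => 'https://keystone.internal.example.com:5000',
#     region       => 'RegionOne',
#   }
#   class { 'keystone::roles::admin':
#     email    => 'admin@example.com',
#     password => lookup('keystone::admin_password'),
#   }

# After: one bootstrap class carries the same data. It creates the keystone
# service and its endpoints, the default domain, the admin project, user
# and role, and the services project. Parameter names are assumed.
class { 'keystone::bootstrap':
  password             => lookup('keystone::admin_password'),  # secret stays in Hiera (eyaml), not in the manifest
  username             => 'admin',
  email                => 'admin@example.com',
  project_name         => 'admin',
  service_project_name => 'services',
  role_name            => 'admin',
  public_url           => 'https://keystone.example.com:5000',
  internal_url         => 'https://keystone.internal.example.com:5000',
  admin_url            => 'https://keystone.internal.example.com:5000',
  region               => 'RegionOne',
}

# Multi-domain: bootstrap only touches the default domain, so additional
# domains and their domain-scoped admins must be declared with the
# provider resources.
keystone_domain { 'tenant-a':
  ensure  => present,
  enabled => true,
}

keystone_user { 'tenant-a-admin::tenant-a':
  ensure   => present,
  enabled  => true,
  email    => 'tenant-a-admin@example.com',
  password => lookup('tenant_a::admin_password'),
}

# Title form is user::user_domain@project::project_domain; leaving the
# project part empty scopes the role to the domain itself (assumed format,
# check against the installed provider).
keystone_user_role { 'tenant-a-admin::tenant-a@::tenant-a':
  ensure => present,
  roles  => ['admin'],
}
```

After the first run, `openstack role assignment list --domain tenant-a --names` should show only the domain-scoped admin you declared; an empty list means the domain admin is no longer being created and the old classes were silently ignored.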

Deprecation Notes

  • The keystone::endpoint and keystone::roles::admin classes are now deprecated and have no effect. Please read the upgrade notes carefully!


New Features

  • Added an interface parameter to keystone::resource::authtoken, allowing services to configure which interface to use for the Identity API endpoint. Valid values are "public", "internal" or "admin".

Deprecation Notes

  • The service validation in keystone::service is deprecated, so the following parameters of keystone::service no longer have any effect: validate, admin_token, admin_endpoint, retries, delay, insecure and cacert.

  • The service validation in ::keystone is deprecated, so the following parameters no longer have any effect: validate_service, validate_insecure, validate_auth_url and validate_cacert.

  • The user_allow_create, user_allow_update, user_allow_delete, group_allow_create, group_allow_update and group_allow_delete parameters of keystone::ldap_backend are deprecated, have no effect, and will be removed in a later release.