Victoria Series Release Notes


Security Issues

  • The contents of fernet keys and credential keys are now hidden from output when these files are updated.


New Features

  • Added the following configurable items for OpenID:

    • keystone::federation::openidc::openidc_pass_userinfo_as to set OIDCPassUserInfoAs

    • keystone::federation::openidc::openidc_pass_claim_as to set OIDCPassClaimsAs

  • Add TLS options to oslo.cache

  • The keystone::federation::openidc class now supports the new openidc_response_mode parameter, to customize the mod_auth_openidc response mode.


New Features

  • Added the service_type parameter to keystone::resource::authtoken resource. This value should be set to the name or type of the service as it appears in the service catalog. This is used to validate tokens that have restricted access rules.

  • Add mysql_enable_ndb parameter to select mysql storage engine.

  • Allow specifying the drivername for the postgres db.

Upgrade Notes

  • The deprecated cache-related parameters in the keystone class have been removed, and the keystone::cache class is no longer included by default. Deployments should explicitly include the keystone::cache class.

  • The deprecated parameters validate, admin_token, admin_endpoint, retries, delay, insecure and cacert in keystone::service have been removed.

  • The deprecated parameters admin_bind_host, public_bind_host, admin_port, public_port, admin_workers and public_workers in the keystone init class have been removed.

  • The deprecated parameters admin_port and main_port in the classes keystone::federation::mellon and keystone::federation::shibboleth have been removed.

  • The deprecated parameter database_min_pool_size has been removed from the keystone init class and the keystone::db class.

  • The deprecated validate_service, validate_insecure, validate_auth_url and validate_cacert parameters in the keystone class have been removed.

  • The deprecated parameter token_driver in the keystone init class has been removed.

Deprecation Notes

  • The keystone::resource::service_identity::ignore_default_tenant parameter has been deprecated and will be removed in a future release. This parameter has actually been ineffective for some releases.

Bug Fixes

  • The default/public_endpoint parameter is no longer set by default because of a known issue when different hosts or protocols are used for each endpoint (especially for the admin endpoint and the public endpoint).


New Features

  • The new keystone::cron::trust_flush class was added to configure a cron job to purge expired or soft-deleted trusts.

Upgrade Notes

  • The following deprecated options for PKI token have been removed.

    • keystone::cache_dir

    • keystone::resource::authtoken::hash_algorithms

    • keystone::resource::authtoken::check_revocations_for_cached

  • The classes keystone::endpoint and keystone::roles::admin have been removed; use the new keystone::bootstrap class directly.

  • The password parameter in keystone::bootstrap is required and does not default to undef.

  • The deprecated parameters admin_token, admin_password and enable_bootstrap in the keystone class have been removed.

Deprecation Notes

  • The keystone::cron::token_flush class has been deprecated and has no effect.

  • The use of keystone-public-keystone-admin for the keystone service name is deprecated; use simply keystone instead.

  • The keystone::federation::mellon::trusted_dashboards has been removed.

Bug Fixes

  • Fixed a bug where the keystone::resource::authtoken resource would not install the proper python memcache bindings when using python3.