Newton Series Release Notes

10.0.1

New Features

  • [bug 1638603] Support nested groups in Active Directory. A new boolean option [ldap] group_ad_nesting has been added, which defaults to False. Enable this option if using Active Directory with nested groups. This option will impact the list_users_in_group, list_groups_for_user, and check_user_in_group operations.

10.0.0

Deprecated all v2.0 APIs. Most v2.0 APIs will be removed in the ‘Q’ release. However, the authentication APIs and EC2 APIs are indefinitely deprecated.

Deprecated the PKI and PKIz token formats. They will be removed in the ‘O’ release.

Add keystone-manage mapping_populate command, which should be used when domain-specific LDAP backend is used.

Tokens can now be cached when issued.

New Features

  • [blueprint manage-migration] Upgrading keystone to a new version can now be undertaken as a rolling upgrade using the --expand, --migrate and --contract options of the keystone-manage db_sync command.
  • OSprofiler support was added. This cross-project profiling library allows tracing various requests through all OpenStack services that support it. To initiate OpenStack request tracing, the --profile <HMAC_KEY> option needs to be added to the CLI command. Configuration and usage details can be found in [OSProfiler documentation]
  • [bug 1501698] Support parameter list_limit when LDAP is used as identity backend.
  • Add keystone-manage mapping_populate command. This command will pre-populate a mapping table with all users from LDAP, in order to improve future query performance. It should be used when an LDAP is first configured, or after calling keystone-manage mapping_purge, before any queries related to the domain are made. For more information see keystone-manage mapping_populate --help
  • Add a cache_on_issue flag to the [token] section. When enabled, issued tokens are placed in the validation cache at issue time, so the first validation is as fast as a later one because the token data is already cached.

Upgrade Notes

  • We have added the password_expires_at attribute to the user response object.
  • The identity backend driver interface has changed. We’ve added a new change_password() method for self service password changes. If you have a custom implementation for the identity driver, you will need to implement this new method.
  • OSprofiler support was introduced. To allow its usage the keystone-paste.ini file needs to be modified to contain osprofiler middleware.
  • Fixes a bug related to the password create date. If you deployed master during Newton development, the password create date may be reset. This would only be apparent if you have security compliance features enabled.
  • In the policy.json file, we changed identity:list_projects_for_groups to identity:list_projects_for_user. Likewise, we changed identity:list_domains_for_groups to identity:list_domains_for_user. If you have customized the policy.json file, you will need to make these changes. This was done to better support new features around federation.
  • Keystone now supports encrypted credentials at rest. In order to upgrade successfully to Newton, deployers must encrypt all credentials currently stored before contracting the database. Deployers must run keystone-manage credential_setup in order to use the credential API within Newton, or finish the upgrade from Mitaka to Newton. This will result in a service outage for the credential API where credentials will be read-only for the duration of the upgrade process. Once the database is contracted credentials will be writeable again. Database contraction phases only apply to rolling upgrades.
  • Keystone now relies on pyldap instead of python-ldap. The pyldap library is a fork of python-ldap and is a drop-in replacement with modifications to be py3 compatible.
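The policy.json rename in the upgrade note above has to be applied to any customized policy file by the deployer. The following helper, added here as an example and not part of keystone, reports which pre-Newton rule names are still present, rewrites them to the Newton names, and refuses to merge a file that already carries both names with different rule bodies. The sample policy fragment is constructed data; the helper names are not keystone APIs.

```python
import json

# Policy rules renamed in the Newton upgrade note above: old name -> new name.
RENAMED_RULES = {
    "identity:list_projects_for_groups": "identity:list_projects_for_user",
    "identity:list_domains_for_groups": "identity:list_domains_for_user",
}

def stale_rules(policy):
    """Return the pre-Newton rule names still present in a policy dict."""
    return sorted(name for name in RENAMED_RULES if name in policy)

def migrate_policy(policy):
    """Return a copy of policy with the Newton rule names applied.

    Refuses to merge when a file already carries both the old and the new
    name with different rule bodies, rather than silently picking one.
    """
    migrated = dict(policy)
    for old, new in RENAMED_RULES.items():
        if old not in migrated:
            continue
        old_rule = migrated.pop(old)
        if new in migrated and migrated[new] != old_rule:
            raise ValueError("conflicting rules for %s and %s" % (old, new))
        migrated[new] = old_rule
    return migrated

def migrate_policy_file(src_path, dst_path):
    """Rewrite a customized policy.json on disk, returning the new rules."""
    with open(src_path) as f:
        policy = json.load(f)
    migrated = migrate_policy(policy)
    with open(dst_path, "w") as f:
        json.dump(migrated, f, indent=4, sort_keys=True)
    return migrated

# Constructed fragment of a customized Mitaka-era policy.json (sample data).
SAMPLE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_projects_for_groups": "rule:admin_required",
    "identity:list_domains_for_groups": "rule:admin_required",
    "identity:get_project": "rule:admin_required",
}

if __name__ == "__main__":
    print("stale rules:", stale_rules(SAMPLE_POLICY))
    print(json.dumps(migrate_policy(SAMPLE_POLICY), indent=4, sort_keys=True))
```

Run stale_rules against the live policy file after the upgrade; an empty list confirms no request for the renamed operations will fall back to the default rule.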

Deprecation Notes

  • [blueprint domain-config-as-stable] Deprecated keystone-manage domain_config_upload. The keystone team recommends setting domain config options via the API instead. The domain_config_upload command line option may be removed in the ‘P’ release.
  • [blueprint deprecated-as-of-mitaka] Deprecated all v2.0 APIs. The keystone team recommends using v3 APIs instead. Most v2.0 APIs will be removed in the ‘Q’ release. However, the authentication APIs and EC2 APIs are indefinitely deprecated and will not be removed in the ‘Q’ release.
  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, the PKI and PKIz token formats have been deprecated. They will be removed in the ‘O’ release. Due to this change, the hash_algorithm option in the [token] section of the configuration file has also been deprecated. Also due to this change, the keystone-manage pki_setup command has been deprecated as well.
  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, write support for the LDAP driver of the Identity backend has been deprecated. This includes the following operations: create user, create group, delete user, delete group, update user, update group, add user to group, and remove user from group. These operations will be removed in the ‘O’ release.
  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, the auth plugin keystone.auth.plugins.saml2.Saml2 has been deprecated. It is recommended to use keystone.auth.plugins.mapped.Mapped instead. The saml2 plugin will be removed in the ‘O’ release.
  • [blueprint deprecated-as-of-mitaka] As of the Mitaka release, the simple_cert_extension is deprecated since it is only used in support of the PKI and PKIz token formats. It will be removed in the ‘O’ release.
  • [blueprint deprecated-as-of-newton] As of the Newton release, the class plugin keystone.common.kvs.core.KeyValueStore has been deprecated. It is recommended to use alternative backends instead. The KeyValueStore class will be removed in the ‘P’ release.

Bug Fixes

  • [bug 1590587] When assigning Domain Specific Roles, the domain of the role and the domain of the project must match. This is now validated and the REST call will return a 403 Forbidden.
  • [bug 1594482] When using list_limit config option, the GET /services?name={service_name} API was first truncating the list and afterwards filtering by name. The API was fixed to first filter by name and only afterwards truncate the result list to the desired limit.
  • [bug 1613466] Updating a credential to the ec2 type originally accepted credentials with no project ID set, which would lead to an error when trying to use such a credential. This behavior has been blocked, so creating a non-ec2 credential with no project ID and updating it to ec2 without providing a project ID will fail with a 400 Bad Request error.

Other Notes

  • The response’s content type for creating request token or access token is changed to application/x-www-form-urlencoded, the old value application/x-www-urlformencoded is invalid and will no longer be used.
  • Keystone now supports being run under Python 3. The Python 3 and Python 3.4 classifiers have been added.
  • [blueprint removed-as-of-newton] Removed the backend and route from keystone.contrib.endpoint_policy. The package has been moved to keystone.endpoint_policy. This was deprecated in the Liberty release.