Current Series Release Notes

12.0.0.0b2

New Features

    • [bug 1543048] [bug 1668503] Keystone now supports multiple password hashing algorithms, notably bcrypt, scrypt, and pbkdf2_sha512. The options are located in the [identity] section of the configuration file: set the algorithm with [identity] password_hash_algorithm and the number of rounds (time complexity, and memory use in the case of scrypt) with [identity] password_hash_rounds. scrypt and pbkdf2_sha512 have further tuning options available. Keystone now defaults to bcrypt as the hashing algorithm. Passwords already stored with the old sha512_crypt hash will continue to verify, but new password hashes will be bcrypt.

Upgrade Notes

    • If performing rolling upgrades, set [identity] rolling_upgrade_password_hash_compat to True. This will instruct keystone to continue to hash passwords in a manner that older (pre Pike release) keystones can still verify passwords. Once all upgrades are complete, ensure this option is set back to False.

Deprecation Notes

    • [DEFAULT] crypt_strength is deprecated in favor of [identity] password_hash_rounds. Note that [DEFAULT] crypt_strength is still used when [identity] rolling_upgrade_password_hash_compat is set to True.

Security Issues

    • The use of sha512_crypt is considered inadequate for password hashing in an application like Keystone, because the time complexity of computing it no longer offers adequate protection against modern hardware (CPU, GPU, ASIC, FPGA, etc.). The use of bcrypt or scrypt is recommended to protect against password cracking utilities if the hashes are exposed. Keystone has moved to bcrypt as the default and no longer hashes new passwords (or password changes) with sha512_crypt. Existing sha512_crypt hashes are not rewritten until the password changes, so although the risk of password hash exposure is limited, it is recommended that passwords be changed after upgrading to Pike. The password change results in a more secure hash (bcrypt by default) being used to store the password in the DB.
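The three notes above (new hashing options, the rolling-upgrade compat flag, and the advice to change passwords after upgrade) describe one verify-then-rehash control flow. The following is an added example, not keystone's own code: keystone delegates hashing to passlib, whereas this uses only the Python standard library, so pbkdf2_sha512 stands in for the legacy sha512_crypt role and scrypt for the new memory-hard default (bcrypt is not in the stdlib). The hash string layout, the config dict keys mirroring the [identity] and [DEFAULT] options named in the notes, and the rehash-on-successful-login step are all assumptions made for illustration; the notes themselves achieve the rehash through a user-initiated password change.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-ins (assumption): keystone itself delegates to passlib; these two
# schemes only reproduce the self-describing hash layout and the control flow.
# pbkdf2_sha512 plays the legacy role that sha512_crypt has in the notes, scrypt the
# memory-hard new default (the notes' default is bcrypt, which the stdlib lacks).
LEGACY_SCHEME = "pbkdf2_sha512"
NEW_SCHEME = "scrypt"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _digest(scheme, password, salt, rounds):
    pw = password.encode("utf-8")
    if scheme == NEW_SCHEME:
        # rounds is log2(N), the scrypt analogue of [identity] password_hash_rounds;
        # 2**14 with r=8 costs about 16 MiB of memory per guess, which is what makes
        # GPU/ASIC cracking expensive compared with a pure CPU-time cost.
        return hashlib.scrypt(pw, salt=salt, n=2 ** rounds, r=8, p=1, dklen=32)
    if scheme == LEGACY_SCHEME:
        return hashlib.pbkdf2_hmac("sha512", pw, salt, rounds, dklen=64)
    raise ValueError("unknown password hash scheme: %s" % scheme)


def hash_password(password, scheme, rounds):
    """Return a self-describing string: $<scheme>$<rounds>$<salt>$<digest>."""
    salt = os.urandom(16)
    digest = _digest(scheme, password, salt, rounds)
    return "$%s$%d$%s$%s" % (scheme, rounds, _b64(salt), _b64(digest))


def parse_hash(stored):
    _, scheme, rounds, salt, digest = stored.split("$")
    return scheme, int(rounds), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password, stored):
    """Check the password against whatever scheme the stored hash declares, so hashes
    written before the algorithm change keep working."""
    scheme, rounds, salt, digest = parse_hash(stored)
    try:
        candidate = _digest(scheme, password, salt, rounds)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, digest)


def scheme_for_new_hashes(config):
    """Mirror the options from the notes: while rolling_upgrade_password_hash_compat
    is True keep writing the legacy scheme at [DEFAULT] crypt_strength so pre-Pike
    nodes can still verify; otherwise use the configured algorithm and rounds."""
    if config.get("rolling_upgrade_password_hash_compat"):
        return LEGACY_SCHEME, config["crypt_strength"]
    return config["password_hash_algorithm"], config["password_hash_rounds"]


def authenticate(password, stored, config):
    """Returns (ok, replacement_hash). replacement_hash is a fresh hash under the
    configured scheme when the stored one differs, for the caller to persist.
    (Rehash-on-login is an added pattern here, not documented keystone behaviour.)"""
    if not verify_password(password, stored):
        return False, None
    want = scheme_for_new_hashes(config)
    have = parse_hash(stored)[:2]
    if have == want:
        return True, None
    return True, hash_password(password, *want)


if __name__ == "__main__":
    cfg = {"password_hash_algorithm": NEW_SCHEME, "password_hash_rounds": 14,
           "rolling_upgrade_password_hash_compat": False, "crypt_strength": 10000}
    legacy = hash_password("correct horse battery staple", LEGACY_SCHEME, cfg["crypt_strength"])
    ok, upgraded = authenticate("correct horse battery staple", legacy, cfg)
    print(ok, upgraded.split("$")[1])
```

Note that with the compat flag set, authenticate never emits a new-scheme hash even for a legacy hash, which is exactly why the upgrade note asks you to set it back to False once every node runs Pike.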

12.0.0.0b1

  • The default token provider is now Fernet.

New Features

  • [blueprint allow-expired] An allow_expired flag is added to the token validation call (GET/HEAD /v3/auth/tokens) that allows validating a token that has already expired. This allows tokens to be validated in long running operations.
  • [blueprint policy-in-code] Keystone now supports the ability to register default policies in code. This makes policy file maintenance easier by allowing duplicated default policies to be removed from the policy file. The only policies that should exist within a deployment's policy file after Pike should be policy overrides. To generate sample policy files from default values, prune default policies from existing policy files, or familiarize yourself with general policy usage, please see the usage documentation provided in oslo.policy.
  • [blueprint shadow-mapping] The federated identity mapping engine now supports the ability to automatically provision projects for federated users. A role assignment will automatically be created for the user on the specified project. If the project specified within the mapping does not exist, it will be automatically created in the domain associated with the identity provider. This behavior can be triggered using a specific syntax within the local rules section of a mapping. For more information see the mapping combinations documentation.
  • [blueprint support-federated-attr] Added new filters to the list user API (GET /v3/users) to support querying federated identity attributes: idp_id, protocol_id, and unique_id.
  • Added an option --check to keystone-manage db_sync, the option will allow a user to check the status of rolling upgrades in the database.
  • OSprofiler support was added. This cross-project profiling library allows tracing of requests through all OpenStack services that support it. To initiate OpenStack request tracing, add the --profile <HMAC_KEY> option to the CLI command. Configuration and usage details can be found in the OSProfiler documentation.
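The policy-in-code note above says that after Pike a deployment's policy file should contain only overrides. The check below is an added illustration, not keystone's or oslo.policy's code (oslo.policy ships oslopolicy-list-redundant and oslopolicy-sample-generator for the real job): it splits a policy file into rules identical to the in-code default, genuine overrides, and rule names that are not registered at all. The last class matters for security because a misspelled override is never consulted and silently leaves the default in force. The rule names are real keystone policy targets, but the check strings and the policy file are constructed sample data, not keystone's actual defaults.

```python
import json

# Constructed sample data (assumption): the rule names are real keystone policy
# targets, but the check strings are illustrative, not keystone's actual in-code
# defaults (those live in keystone.common.policies).
SAMPLE_DEFAULTS = {
    "admin_required": "role:admin or is_admin:1",
    "identity:get_user": "rule:admin_or_owner",
    "identity:list_users": "rule:admin_required",
}

# A policy file carried over from a pre-Pike deployment; also constructed.
# Note the typo in the last rule name: keystone never looks it up.
SAMPLE_POLICY_FILE = """{
    "admin_required": "role:admin or is_admin:1",
    "identity:get_user": "rule:admin_or_owner",
    "identity:list_users": "rule:admin_required or role:auditor",
    "identity:get_usr": "rule:admin_required"
}"""


def classify_policy_file(policy_file_text, in_code_defaults):
    """Split a policy file into three dicts: rules identical to the in-code default
    (redundant, safe to delete), genuine overrides (keep), and rule names that are
    not registered in code (never consulted; usually a typo that does nothing)."""
    rules = json.loads(policy_file_text)
    redundant, overrides, unknown = {}, {}, {}
    for name, check in rules.items():
        if name not in in_code_defaults:
            unknown[name] = check
        elif " ".join(check.split()) == " ".join(in_code_defaults[name].split()):
            redundant[name] = check   # whitespace-insensitive comparison
        else:
            overrides[name] = check
    return redundant, overrides, unknown


def overrides_only(policy_file_text, in_code_defaults):
    """The pruned policy file the notes ask for: only overrides remain."""
    _, overrides, _ = classify_policy_file(policy_file_text, in_code_defaults)
    return overrides


def render_policy_file(overrides):
    """Serialize the pruned rules back into policy.json form."""
    return json.dumps(overrides, indent=4, sort_keys=True) + "\n"


if __name__ == "__main__":
    redundant, overrides, unknown = classify_policy_file(SAMPLE_POLICY_FILE, SAMPLE_DEFAULTS)
    print("redundant (delete):", sorted(redundant))
    print("unknown (check for typos):", sorted(unknown))
    print(render_policy_file(overrides))
```

Run against a real deployment you would feed it the output of the sample generator as the defaults; anything that lands in the unknown bucket deserves a look before the file is pruned, since deleting a typo'd rule changes nothing but keeping it hides the fact that the intended restriction was never applied.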

Upgrade Notes

  • [blueprint allow-expired] To allow long running operations to complete services must be able to fetch expired tokens via the allow_expired flag. The length of time a token is retrievable for beyond its traditional expiry is managed by the [token] allow_expired_window option and so the data must be retrievable for this amount of time. When using fernet tokens this means the key rotation period must exceed this time so older tokens are still decryptable. Ensure you do not rotate fernet keys faster than [token] expiration + [token] allow_expired_window seconds.
  • [blueprint policy-in-code] Keystone now supports the ability to register default policies in code. This makes policy file maintenance easier by allowing duplicated default policies to be removed from the policy file. The only policies that should exist within a deployment's policy file after Pike should be policy overrides. To generate sample policy files from default values, prune default policies from existing policy files, or familiarize yourself with general policy usage, please see the usage documentation provided in oslo.policy.
  • The identity backend driver interface has changed. A new method, unset_default_project_id(project_id), was added to unset a user’s default project ID for a given project ID. Custom backend implementations must implement this method.
  • [bug 1561054] The default token provider has switched from UUID to Fernet. Please note Fernet requires a key repository to be in place prior to running Ocata, this can be done by running keystone-manage fernet_setup. Additionally, for multi-node deployments, it is imperative a key distribution process be in use before upgrading. Once a key repository has been created it should be distributed to all keystone nodes in the deployment. This ensures each keystone node will be able to validate tokens issued across the deployment. If you do not wish to switch token formats, you will need to explicitly set the token provider for each node in the deployment by setting [token] provider to uuid in keystone.conf. Documentation can be found at fernet-tokens.
  • [bug 1642687] Upon a successful upgrade, all existing identity providers will now be associated with an automatically created domain. Each identity provider that existed prior to the Ocata release will now have a domain_id field. The new domain will have an id (a random UUID) and a name that matches the identity provider ID, and will be enabled by default.
  • OSprofiler support was introduced. To allow its usage the keystone-paste.ini file needs to be modified to contain osprofiler middleware.
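The allow-expired upgrade note above gives the rule "do not rotate fernet keys faster than [token] expiration + [token] allow_expired_window seconds". The simulation below is an added example, not keystone's code, and makes the reason visible. It is a constructed model with the following assumptions: tokens are HMAC-SHA256-tagged strings rather than real Fernet (AES-CBC plus HMAC), because only the key-lifetime logic matters here; the repository behaves like keystone's [fernet_tokens] max_active_keys = 3 (one staged key, one primary, one secondary, an option not mentioned on this page), so a key still decrypts for one rotation period after it stops being primary and is then dropped; and the defaults of 3600 s for expiration and 172800 s for allow_expired_window are as I recall them, so check your own keystone.conf. The same "key rotated out" outcome is what a node sees when the key repository was never distributed to it, which is the point of the Critical Issues note further down.

```python
import hashlib
import hmac
import os
from collections import deque


class KeyRepository:
    """Constructed model of a fernet key repository (assumption): newest key is the
    primary and signs new tokens; older keys only validate; the staged slot counts
    toward max_active_keys but never handles live tokens."""

    def __init__(self, max_active_keys=3):
        self.max_active_keys = max_active_keys
        self.keys = deque()      # (key_id, secret), newest (primary) last
        self.next_id = 0
        self.rotate()

    def rotate(self):
        # keystone-manage fernet_rotate: staged key becomes primary, a new staged key is
        # created, and secondaries beyond the limit are deleted.
        self.keys.append((self.next_id, os.urandom(32)))
        self.next_id += 1
        while len(self.keys) > self.max_active_keys - 1:   # minus the staged slot
            self.keys.popleft()

    def _secret(self, key_id):
        for kid, secret in self.keys:
            if kid == key_id:
                return secret
        return None

    def issue(self, issued_at):
        """Stand-in token: "<key_id>.<issued_at>.<hmac>" (not real Fernet)."""
        key_id, secret = self.keys[-1]
        body = "%d.%d" % (key_id, issued_at)
        tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

    def validate(self, token, now, expiration, allow_expired_window, allow_expired=False):
        """Returns one of: "valid", "expired", "bad signature", "key rotated out".
        allow_expired mirrors the flag on GET/HEAD /v3/auth/tokens."""
        key_id, issued_at, tag = token.split(".")
        secret = self._secret(int(key_id))
        if secret is None:
            return "key rotated out"          # indistinguishable from a missing key file
        body = key_id + "." + issued_at
        expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad signature"
        lifetime = expiration + (allow_expired_window if allow_expired else 0)
        if now - int(issued_at) > lifetime:
            return "expired"
        return "valid"


def simulate(rotation_period, expiration=3600, allow_expired_window=172800, allow_expired=True):
    """Worst case: a token issued one second before a rotation, validated at the very
    end of its allow_expired window, with fernet_rotate run every rotation_period
    seconds in between."""
    repo = KeyRepository()
    issued_at = rotation_period - 1
    token = repo.issue(issued_at)
    check_at = issued_at + expiration + allow_expired_window - 1
    for _ in range(rotation_period, check_at + 1, rotation_period):
        repo.rotate()
    return repo.validate(token, check_at, expiration, allow_expired_window, allow_expired)


if __name__ == "__main__":
    for period in (86400, 172800, 259200):
        print("rotate every %6d s -> %s" % (period, simulate(period)))
```

Rotating daily, or even exactly every allow_expired_window seconds, drops the key before the window closes and a long running operation's final validation fails; rotating every three days, which exceeds expiration + allow_expired_window, keeps the key available for the whole window.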

Deprecation Notes

  • [bug 1659995] The config option [security_compliance] password_expires_ignore_user_ids has been deprecated in favor of the per-user ignore_password_expiry option, which is set through the user create and update API calls.
  • The UUID token provider ([token] provider=uuid) has been deprecated in favor of Fernet tokens ([token] provider=fernet). With Fernet tokens becoming the default, UUID tokens can be slated for removal in the R release. This also deprecates token-bind support, as it was never implemented for Fernet.
  • The token persistence driver/code (SQL) is deprecated with this change, since it is only used by the UUID token provider.
  • [blueprint deprecated-as-of-pike] The v2.0 auth and ec2 APIs were already marked as deprecated in the Mitaka release, although no removal release had yet been identified. These APIs will now be removed in the 'T' release. The v3 APIs should be used instead.

Critical Issues

  • [bug 1561054] If upgrading to Fernet tokens, you must have a key repository and key distribution mechanism in place, otherwise token validation may not work. Please see the upgrade section for more details.

Bug Fixes

  • [bug 1523369] Deleting a project will now cause it to be removed as a default project for users. If caching is enabled the changes may not be visible until the user’s cache entry expires.
  • [bug 1636950] The new option [ldap] connection_timeout allows a deployer to set an OPT_NETWORK_TIMEOUT value to use with the LDAP server. This allows the LDAP client to raise a SERVER_DOWN exception if the LDAP URL is incorrect or if there is a connection failure, instead of hanging. By default, the value of [ldap] connection_timeout is -1, meaning the timeout is disabled. Set a positive value (in seconds) to enable it.
  • [bug 1642687] When registering an identity provider via the OS-FEDERATION API, it is now recommended to include a domain_id to associate with the identity provider in the request. Federated users that authenticate with the identity provider will now be associated with the domain_id specified. If no domain_id is specified, then a domain will be automatically created.
  • [bug 1652012] The token_model now returns is_admin_project False if the attribute is not defined. Returning True in that case has the potential to be dangerous; the only reason it had been kept True was backwards compatibility.
  • [bug 1659995] New options have been made available via the user create and update API calls (POST/PATCH /v3/users). They allow an admin to mark individual users as exempt from certain PCI requirements via the API.

    Set the following user attributes to True or False in an API request. To mark a user as exempt from the PCI password lockout policy:

    user['options']['ignore_lockout_failure_attempts']
    

    To mark a user as exempt from the PCI password expiry policy:

    user['options']['ignore_password_expiry']
    

    To mark a user as exempt from the PCI reset policy:

    user['options']['ignore_change_password_upon_first_use']
    
  • [bug 1670382] The ldap config option group_members_are_ids has been added to the whitelisted options, allowing it to be used in the domain config API and with keystone-manage domain_config_upload.
  • [bug 1676497] bindep now correctly reports the openssl-devel binary dependency for rpm distros instead of libssl-dev.
  • [bug 1674415] Fixed an issue where keystone error messages returned by the identity API were not translated when a locale was set.

Other Notes

  • [blueprint removed-as-of-pike] All key-value-store code, options, and documentation have been removed as of the Pike release. The removed code included keystone.common.kvs, the configuration options for the KVS code, the unit tests, and the KVS token persistence driver keystone.token.persistence.backends.kvs. All associated documentation has been removed.
  • [blueprint removed-as-of-pike] The admin_token_auth filter has been removed from all sample pipelines, specifically, the following section has been removed from keystone-paste.ini:

    [filter:admin_token_auth]
    use = egg:keystone#admin_token_auth
    

    The functionality of the ADMIN_TOKEN remains, but has been incorporated into the main auth middleware (keystone.middleware.auth.AuthContextMiddleware).

  • The catalog backend endpoint_filter.sql has been removed. It has been consolidated with the sql backend, therefore replace the endpoint_filter.sql catalog backend with the sql backend.
  • The [security_compliance] password_expires_ignore_user_ids option has been removed. Each user that should ignore password expiry should have the value set to “true” in the user’s options attribute (e.g. user['options']['ignore_password_expiry'] = True) with a user update call.
  • [blueprint removed-as-of-pike] The keystone.common.ldap module was removed from the code tree. It was deprecated in the Newton release in favor of using keystone.identity.backends.ldap.common which has the same functionality.
  • [blueprint removed-as-of-pike] keystone-manage pki_setup, which was added to aid developer setup by hiding the sometimes cryptic openssl commands, has been removed. It is no longer needed since keystone no longer supports PKI tokens and can no longer serve SSL. It was deprecated in the Mitaka release.
  • [blueprint removed-as-of-pike] Direct import of drivers outside of their keystone namespace has been removed. For example, identity drivers are loaded from the keystone.identity namespace and assignment drivers from the keystone.assignment namespace. Loading drivers outside of their keystone namespaces was deprecated in the Liberty release.