@dolph
Last active August 29, 2015 14:07
Keystone Juno release notes

Key New Features

  • PKIZ is a new token provider available for users of PKI tokens, which simply adds zlib-based compression to traditional PKI tokens.
  • Database migrations for releases prior to Havana have been dropped, meaning that you must upgrade to the Juno release from either a Havana or Icehouse deployment.
  • Proxy methods from the identity backend to the assignment backend (created to provide backwards compatibility after the Assignment backend was split from the Identity backend) have been removed. This should only affect custom, out-of-tree API extensions.
  • The hashing algorithm used for PKI tokens has been made configurable (the default is still MD5, but the Keystone team recommends that deployments migrate to SHA256).
  • Identity-driver-configuration-per-domain now supports Internet domain names of arbitrary hierarchical complexity (for example, customer.cloud.example.com).
  • Service names were added to the v3 service catalog.
  • The LDAP identity backend now supports description as an attribute of users.
  • The templated catalog backend now supports generating service catalogs for Identity API v3.
  • In the case of multiple identity backends, Keystone can now map arbitrary resource IDs to arbitrary backends.
  • keystoneclient.middleware.auth_token has been moved into its own repository, keystonemiddleware.auth_token.
  • Identity API v3 now supports a discrete call to retrieve a service catalog, GET /v3/auth/catalog.
  • LDAP configuration options that previously contained the deprecated tenant terminology have been superseded by options using the term project.
  • Federated authentication events and local role assignment operations now result in CADF (audit) notifications.
  • Keystone can now associate a given policy blob with one or more endpoints.
  • Keystone now provides JSON Home documents on the root API endpoints in response to Accept: application/json-home headers.
  • Hiding endpoints from clients' service catalogs is now more easily manageable via OS-EP-FILTER.
  • The credentials collection API is now filterable per associated user (GET /v3/credentials?user_id={user_id}).
  • Identity API v3 requests are now validated via JSON Schema.
  • All token_api methods are now deprecated.
  • Loading authentication plugins solely by class name in keystone.conf is now deprecated in favor of loading them by custom-method-name = custom_package.CustomClass pairs, and then defining the sequence of authentication methods as a list (methods = custom-method-name, password).
  • All KVS backends besides the token driver have been formally deprecated.
  • New, generic API endpoints are available for retrieving authentication-related data, such as a service catalog, available project scopes, and available domain scopes.
  • Keystone now supports mapping the user enabled attribute to the lock attribute in LDAP (and inverting the corresponding boolean value accordingly).
  • Keystone now supports Keystone-to-Keystone federation, where one instance acts as an Identity Provider and the other as a Service Provider.
  • Due to the simpler out-of-the-box experience, the default token provider is now UUID instead of PKI.
  • A CA certificate file is now configurable for LDAPS connections.
  • Services can now be filtered by name (GET /v3/services?name={service_name}).