Key New Features
- PKIZ is a new token provider available for users of PKI tokens; it simply adds zlib-based compression to traditional PKI tokens.
- Database migrations for releases prior to Havana have been dropped, meaning that you must upgrade to the Juno release from either a Havana or Icehouse deployment.
- Proxy methods from the identity backend to the assignment backend (created to provide backwards compatibility after the split of the Assignment backend from the Identity backend) have been removed. This should only affect custom, out-of-tree API extensions.
- The hashing algorithm used for PKI tokens has been made configurable (the default is still MD5, but the Keystone team recommends that deployments migrate to SHA256).
- Per-domain identity driver configuration now supports Internet domain names of arbitrary hierarchical complexity (for example, `customer.cloud.example.com`).
- Service names were added to the v3 service catalog.
- The LDAP identity backend now supports `description` as an attribute of users.
- The templated catalog backend now supports generating service catalogs for Identity API v3.
- In the case of multiple identity backends, Keystone can now map arbitrary resource IDs to arbitrary backends.
- `keystoneclient.middleware.auth_token` has been moved into its own repository, `keystonemiddleware.auth_token`.
- Identity API v3 now supports a discrete call to retrieve a service catalog, `GET /v3/auth/catalog`.
- LDAP configuration options that previously contained the deprecated `tenant` terminology have been superseded by options using the term `project`.
- Federated authentication events and local role assignment operations now result in CADF (audit) notifications.
- Keystone can now associate a given policy blob with one or more endpoints.
- Keystone now provides JSON Home documents on the root API endpoints in response to `Accept: application/json-home` headers.
- Hiding endpoints from clients' service catalogs is now more easily manageable via `OS-EP-FILTER`.
- The credentials collection API is now filterable per associated user (`GET /v3/credentials?user_id={user_id}`).
- Identity API v3 requests are now validated via JSON Schema.
- All `token_api` methods are now deprecated.
- Loading authentication plugins solely by class name in `keystone.conf` is now deprecated in favor of loading them by `custom-method-name = custom_package.CustomClass` pairs, and then defining the sequence of authentication methods as a list (`methods = custom-method-name, password`).
- All KVS backends besides the `token` driver have been formally deprecated.
- New, generic API endpoints are available for retrieving authentication-related data, such as a service catalog, available project scopes, and available domain scopes.
- Keystone now supports mapping the user `enabled` attribute to the `lock` attribute in LDAP (and inverting the corresponding boolean value accordingly).
- Keystone now supports Keystone-to-Keystone federation, where one instance acts as an Identity Provider and the other as a Service Provider.
- Due to the simpler out-of-the-box experience, the default token provider is now UUID instead of PKI.
- A CA certificate file is now configurable for LDAPS connections.
- Services can now be filtered by name (`GET /v3/services?name={service_name}`).