Yoga Series Release Notes¶
9.3.0¶
Upgrade Notes¶
[bug 1892852] [bug 1888394] [bug 1883659] Keystonemiddleware now using eventlet-safe implementation of
MemcacheClientPool
from oslo.cache’s library by default. Thekeystonemiddleware
implementation is now deprecated. For backwards compatibility, the[keystone_authtoken] memcache_use_advanced_pool
option can be set toFalse
config files of the various services (e.g. nova, glance, …) when memcached is used for token cache.
Notes dépréciées¶
We no longer recommend using the eventlet unsafe keystonemiddleware’s memcacheclientpool. This implementation may result in growing connections to memcached.
It is recommended that the
memcache_use_advanced_pool
option is set toTrue
in thekeystone_authtoken
configuration section of the various services (e.g. nova, glance, …) when memcached is used for token cache.
9.1.0¶
Prelude¶
Since the removal of the Identity API v2 Keystone no longer has any special functionality that requires using the admin endpoint for it. So this release changes the default endpoint being used from admin
to internal
, allowing deployments to work without an admin endpoint.
Upgrade Notes¶
[bug 1830002] The default Identity endpoint has been changed from
admin
tointernal
.
9.0.0¶
Upgrade Notes¶
Python 2.7 support has been dropped. Last release of keystonemiddleware to support python 2.7 is OpenStack Train. The minimum version of Python now supported is Python 3.6.
8.0.0¶
Upgrade Notes¶
[bug 1845539] [bug 1777177] keystonemiddleware no longer supports the keystone v2.0 api, all associated functionality has been removed.
Other Notes¶
[bug 1845539] The ec2 “url” config option now defaults to https://localhost:5000/v3/ec2tokens with the removal of ec2 v2.0 support. Keystonemiddleware no longer supports ec2tokens using the v2.0 API.
7.0.0¶
Nouvelles fonctionnalités¶
[spec] The auth_token middleware now has support for accepting or denying incoming requests based on access rules provided by users in their keystone application credentials.
6.1.0¶
Nouvelles fonctionnalités¶
[bug 1830002] In order to allow an installation to work without deploying an admin Identity endpoint, a new option interface has been added, allowing select the Identity endpoint that is being used when verifying auth tokens. It defaults to admin in order to replicate the old behaviour, but may be set to public or internal as needed.
6.0.0¶
Nouvelles fonctionnalités¶
[bug 1803940] Request ID and global request ID have been added to CADF notifications.
Upgrade Notes¶
[bug 1649735] Keystonemiddleware no longer supports PKI/PKIZ tokens, all associated offline validation has been removed. The configuration options signing_dir, and hash_algorithms have been removed, if they still exist in your configuration(s), they are now safe to remove. Please consider utilizing the newer fernet or JWS token formats.
Corrections de bugs¶
[bug 1649735] The auth_token middleware no longer attempts to retrieve the revocation list from the Keystone server. The deprecated options revocations_cache_time and check_revocations_for_cached have been removed. Keystone no longer issues PKI/PKIZ tokens and now keystonemiddleware’s Support for PKI/PKIZ and associated offline validation has been removed. This includes the deprecated config options signing_dir, and hash_algorithms.
[bug 1800017] Fix audit middleware service catalog parsing for the scenario where a service does not contain any endpoints. In that case, we should just skip over that service.
[bug 1809101] Fix req.context of Keystone audit middleware and Glance conflict with each other issue. The audit middleware now stores the admin context to req.environ[“audit.context”].
[bug 1813739] When admin identity endpoint is not created yet, keystonemiddleware emit EndpointNotFound exception. Even after admin identity endpoint created, auth_token middleware could not be notified of update since it does not invalidate existing auth. Add an invalidation step so that endpoint updates can be detected.
[bug 1797584] Fixed a bug where the audit code would select the wrong target service if the OpenStack service endpoints were not using unique TCP ports.
5.3.0¶
Corrections de bugs¶
[bug 1789351] Fixed the bug that when initialize AuthProtocol, it’ll raise « dictionary changed size during iteration » error if the input CONF object contains deprecated options.
When
delay_auth_decision
is enabled and a Keystone failure prevents a final decision about whether a token is valid or invalid, it will be marked invalid and the application will be responsible for a final auth decision. This is similar to what happens when a token is confirmed not valid. This allows a Keystone outage to only affect Keystone users in a multi-auth system.
5.1.0¶
Nouvelles fonctionnalités¶
[bug 1762362] The value of the header « WWW-Authenticate » in a 401 (Unauthorized) response now is double quoted to follow the RFC requirement.
Corrections de bugs¶
[bug 1766731] Keystonemiddleware now supports system scoped tokens. When a system-scoped token is parsed by auth_token middleware, it will set the
OpenStack-System-Scope
header accordingly.
5.0.0¶
Nouvelles fonctionnalités¶
[bug 1695038] The use_oslo_messaging configuration option is added for services such as Swift, which need the audit middleware to use the local logger instead of the oslo.messaging notifier regardless of whether the oslo.messaging package is present or not. Leave this option set to its default True value to keep the previous behavior unchanged - the audit middleware will use the oslo.messaging notifier if the oslo.messaging package is present, and the local logger otherwise. Services that rely on the local logger for audit notifications must set this option to False.
Corrections de bugs¶
[bug/1747655] When keystone is temporarily unavailable, keystonemiddleware correctly sends a 503 response to the HTTP client but was not identifying which service was down, leading to confusion on whether it was keystone or the service using keystonemiddleware that was unavailable. This change identifies keystone in the error response.
Other Notes¶
The
kwargs_to_fetch_token
setting was removed from theBaseAuthProtocol
class. Implementations of auth_token now assume kwargs will be passed to thefetch_token
method.
4.20.0¶
Corrections de bugs¶
[bug 1737115] Last release have accidentaly make python-memcached a hard dependency, this have changed back to an optional one.
[bug 1737119] If the application was not using the global cfg.CONF object, the configuration was not read from the configuration file. This have been fixed.
4.18.0¶
Notes dépréciées¶
The auth_uri parameter of keystone_authtoken is deprecated in favor of www_authenticate_uri. The auth_uri option was often confused with the auth_url parameter of the keystoneauth plugin, which was also effectively always required. The parameter refers to the WWW-Authenticate header that is returned when the user needs to be redirected to the Identity service for authentication.
4.16.0¶
Upgrade Notes¶
[bug 1677308] There is no upgrade impact when switching from
pycrypto
tocryptography
. All data will be encrypted and decrypted using identical blocksize, padding, algorithm (AES) and mode (CBC). Data previously encrypted usingpycrypto
can be decrypted using bothpycrypto
andcryptography
. The same is true of data encrypted usingcryptography
.
Corrections de bugs¶
[bug 1677308] Removes
pycrypto
dependency as the library is unmaintained, and replaces it with thecryptography
library.
4.12.0¶
Prelude¶
Fetching expired tokens when using a valid service token is now allowed. This will help with long running operations that must continue between services longer than the original expiry of the token.
Nouvelles fonctionnalités¶
AuthToken middleware will now allow fetching an expired token when a valid service token is present. This service token must contain any one of the roles specified in
service_token_roles
.
Service tokens are compared against a list of possible roles for validity. This will ensure that only services are submitting tokens as an
X-Service-Token
. For backwards compatibility, ifservice_token_roles_required
is not set, a warning will be emitted. To enforce the check properly, setservice_token_roles_required
toTrue
. It currently defaults toFalse
Upgrade Notes¶
Set the
service_token_roles
to a list of roles that services may have. The likely list isservice
oradmin
. Anyservice_token_roles
may apply to accept the service token. Ensure service users have one of these roles so interservice communication continues to work correctly. When verified, set theservice_token_roles_required
flag toTrue
to enforce this behaviour. This will become the default setting in future releases.
Notes dépréciées¶
For backwards compatibility the
service_token_roles_required
option in[keystone_authtoken]
was added. The option defaults toFalse
and has been immediately deprecated. This will allow the current behaviour that service tokens are validated but not checked for roles to continue. The option should be set toTrue
as soon as possible. The option will default toTrue
in a future release.
4.6.0¶
Prelude¶
Add the X_IS_ADMIN_PROJECT header.
Nouvelles fonctionnalités¶
[bug 1583690] For services such as Swift, which may not be utilizing oslo_config, we need to be able to determine the project name from local config. If project name is specified in both local config and oslo_config, the one in local config will be used instead. In case project is undetermined (i.e. not set), we use taxonomy.UNKNOWN as an indicator so operators can take corrective actions.
[bug 1540115] Optional dependencies can now be installed using extras. To install audit related libraries, use
pip install keystonemiddleware[audit_nofications]
. Refer to keystonemiddleware documentation for further information.
Added the X_IS_ADMIN_PROJECT header to authenticated headers. This has the string value of “True” or “False” and can be used to enforce admin project policies.
Corrections de bugs¶
[bug 1583699] Some service APIs (such as Swift list public containers) do not require a token. Therefore, there will be no identity or service catalog information available. In these cases, audit now fills in the default (i.e. taxonomy.UNKNOWN) for both initiator and target instead of raising an exception.
[bug 1583702] Some services such as Swift does not use Oslo (global) config. In that case, the options are conveyed via local config. This patch utilized an established pattern in auth_token middleware, which is to first look for the given option in local config, then Oslo global config.
4.5.0¶
Nouvelles fonctionnalités¶
[bug 1544840] Adding audit middleware specific notification related configuration to allow a different notification driver and transport for audit if needed.
A new configuration option for the s3token middleware called auth_uri can be used to set the URI to be used for authentication. This replaces auth_host, auth_port, and auth_protocol.
Notes dépréciées¶
The auth_host, auth_port, and auth_protocol configuration options to the s3token middleware are now deprecated.
4.3.0¶
Nouvelles fonctionnalités¶
[bug 1540022] The auth_token middleware will now accept a conf setting named
oslo_config_config
. If this is set its value must be an existing oslo_config ConfigOpts.oslo_config_config
takes precedence overoslo_config_project
. This feature is useful to applications that are instantiating the auth_token middleware themselves and wish to use an existing configuration.
4.2.0¶
Notes dépréciées¶
With the release of 4.2.0 of keystonemiddleware we no longer recommend using the in-process token cache. In-process caching may result in inconsistent validation, poor UX and race conditions. It is recommended that the memcached_servers option is set in the keystone_authtoken configuration section of the various services (e.g. nova, glance, …) with the endpoint of running memcached server(s). When the feature is removed, not setting the memcached_servers option will cause keystone to validate tokens more frequently, increasing load. In production, use of caching is highly recommended. This feature is deprecated as of 4.2.0 and is targeted for removal in keystonemiddleware 5.0.0 or in the O development cycle, whichever is later.
4.1.0¶
Nouvelles fonctionnalités¶
[bug 1490804] The auth_token middleware validates the token’s audit IDs during offline token validation if the Identity server includes audit IDs in the token revocation list.
Problèmes de sécurités¶
[bug 1490804] [CVE-2015-7546] A bug is fixed where an attacker could avoid token revocation when the PKI or PKIZ token provider is used. The complete remediation for this vulnerability requires the corresponding fix in the Identity (keystone) project.
Corrections de bugs¶
[bug 1523311] Do not list deprecated opts in sample config.
[bug 1333951] Add support for parsing AWS v4 for ec2.
[bug 1423973] Use oslo.config choices for config options.