#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: Keystone Release Notes\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-25 11:20+0000\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#: ../../:298
msgid "'/' and ',' are not allowed to be in a tag"
msgstr ""

#: ../../:39
msgid ""
"**Experimental** - Domain specific configuration options can be stored in "
"SQL instead of configuration files, using the new REST APIs."
msgstr ""

#: ../../:43
msgid ""
"**Experimental** - Keystone now supports tokenless authorization with an "
"X.509 SSL client certificate."
msgstr ""

#: ../../:68
msgid "10.0.0"
msgstr ""

#: ../../:53
msgid "10.0.1"
msgstr ""

#: ../../:5
msgid "10.0.3"
msgstr ""

#: ../../:107
msgid "11.0.0"
msgstr ""

#: ../../:89
msgid "11.0.1"
msgstr ""

#: ../../:49
msgid "11.0.3"
msgstr ""

#: ../../:5
msgid "11.0.4"
msgstr ""

#: ../../:220
msgid "12.0.0"
msgstr ""

#: ../../:162
msgid "12.0.1"
msgstr ""

#: ../../:145
msgid "12.0.2"
msgstr ""

#: ../../:128
msgid "12.0.3"
msgstr ""

#: ../../:5
msgid "12.0.3-9"
msgstr ""

#: ../../:250
msgid "13.0.0"
msgstr ""

#: ../../:233
msgid "13.0.1"
msgstr ""

#: ../../:216
msgid "13.0.2"
msgstr ""

#: ../../:166
msgid "13.0.3"
msgstr ""

#: ../../:5
msgid "13.0.4-9"
msgstr ""

#: ../../:330
msgid "14.0.0"
msgstr ""

#: ../../:306
msgid "14.0.1"
msgstr ""

#: ../../:249
msgid "14.1.0"
msgstr ""

#: ../../:175
msgid "14.2.0"
msgstr ""

#: ../../:5
msgid "14.2.0-7"
msgstr ""

#: ../../:284
msgid "15.0.0"
msgstr ""

#: ../../:48
msgid "15.0.1"
msgstr ""

#: ../../:5
msgid "15.0.1-9"
msgstr ""

#: ../../:330
msgid "16.0.0"
msgstr ""

#: ../../:134
msgid "16.0.1"
msgstr ""

#: ../../:58
msgid "16.0.2"
msgstr ""

#: ../../:5
msgid "16.0.2-9"
msgstr ""

#: ../../:127
msgid "17.0.0"
msgstr ""

#: ../../:51
msgid "17.0.1"
msgstr ""

#: ../../:5
msgid "17.0.1-11"
msgstr ""

#: ../../:144
msgid "18.0.0"
msgstr ""

#: ../../:73
msgid "18.1.0"
msgstr ""

#: ../../:5
msgid "18.1.0-11"
msgstr ""

#: ../../:99
msgid "19.0.0"
msgstr ""

#: ../../:67
msgid "19.0.1"
msgstr ""

#: ../../:5
msgid "19.0.1-10"
msgstr ""

#: ../../:78
msgid "20.0.0"
msgstr ""

#: ../../:60
msgid "20.0.1"
msgstr ""

#: ../../:5
msgid "20.0.1-7"
msgstr ""

#: ../../:5
msgid "2023.1-eom"
msgstr ""

#: ../../:72
msgid "21.0.0"
msgstr ""

#: ../../:22
msgid "21.0.1"
msgstr ""

#: ../../:5
msgid "21.0.1-4"
msgstr ""

#: ../../:65
msgid "22.0.0"
msgstr ""

#: ../../:22
msgid "22.0.1"
msgstr ""

#: ../../:5
msgid "22.0.2"
msgstr ""

#: ../../:94
msgid "23.0.0"
msgstr ""

#: ../../:76
msgid "23.0.1"
msgstr ""

#: ../../:59
msgid "23.0.2"
msgstr ""

#: ../../:59
msgid "24.0.0"
msgstr ""

#: ../../:5
msgid "24.0.0-15"
msgstr ""

#: ../../:59
msgid "25.0.0"
msgstr ""

#: ../../:5
msgid "25.0.0-8"
msgstr ""

#: ../../:5
msgid "26.0.0"
msgstr ""

#: ../../:5 current
msgid "26.0.0-24"
msgstr ""

#: ../../:30
msgid "8.0.1"
msgstr ""

#: ../../:5
msgid "8.1.0"
msgstr ""

#: ../../:20
msgid "9.0.0"
msgstr ""

#: ../../:5
msgid "9.2.0"
msgstr ""

#: ../../:1318
msgid ""
"A federated user gets an entry in the shadow-users table. This entry has a "
"unique ID, which used to be generated from a UUID. This fix changes it to "
"reuse the mechanism used for LDAP, where the ID is generated from the domain "
"ID plus the local ID of the user (an attribute that uniquely identifies the "
"user at the IdP). This generator is specified in the configuration file. "
"Both LDAP and federated IDs are now generated the same way, which also means "
"that federated IDs can be kept in sync between two independent keystone "
"servers."
msgstr ""

#: ../../:113
msgid ""
"A new ``secure_proxy_ssl_header`` configuration option is available when "
"running keystone behind a proxy."
msgstr ""

#: ../../:149
msgid ""
"A new config option, `insecure_debug`, is added to control whether debug "
"information is returned to clients. This used to be controlled by the "
"`debug` option. If you'd like to return extra information to clients, set "
"the value to ``true``. This extra information may help an attacker."
msgstr ""

#: ../../:667
msgid ""
"A new interface called `list_federated_users_info` is added to the shadow "
"backend. It is used to get the shadow user information internally. If you "
"are maintaining any out-of-tree shadow backends, please implement this "
"function for them as well."
msgstr ""

#: ../../:14 current
msgid ""
"A new module, ``keystone.wsgi``, has been added as a place to gather WSGI "
"``application`` objects. This is intended to ease deployment by providing a "
"consistent location for these objects. For example, if using uWSGI then "
"instead of:"
msgstr ""

#: ../../:68 stable/2023.2>:74 stable/ussuri>:14
#: unmaintained/victoria>:14 unmaintained/wallaby>:14 unmaintained/xena>:14
#: unmaintained/yoga>:14 unmaintained/zed>:14
msgid ""
"A new option 'randomize_urls' can be used to randomize the order in which "
"keystone connects to the LDAP servers in the [ldap] 'url' list. It is false "
"by default."
msgstr ""

#: ../../:35 stable/2023.2>:35 stable/2024.1>:35
#: stable/2024.2>:47
msgid ""
"A side-effect of this command is that it resets the amount of time that an "
"unused account is active for. Unused accounts will remain active until the "
"configured number of days has elapsed since the day the command is run."
msgstr ""

#: ../../:112
msgid ""
"Add a ``cache_on_issue`` flag to the ``[token]`` section that places issued "
"tokens in the validation cache, reducing the time of the first validation "
"as if the token had already been validated and its data cached."
msgstr ""

#: ../../:77
msgid ""
"Add ``keystone-manage mapping_populate`` command, which should be used when "
"a domain-specific LDAP backend is used."
msgstr ""

#: ../../:108
msgid ""
"Add ``keystone-manage mapping_populate`` command. This command will pre-"
"populate a mapping table with all users from LDAP, in order to improve "
"future query performance. It should be used when an LDAP is first "
"configured, or after calling ``keystone-manage mapping_purge``, before any "
"queries related to the domain are made. For more information see ``keystone-"
"manage mapping_populate --help``"
msgstr ""

#: ../../:14 stable/2023.2>:14 stable/2024.1>:14
#: stable/2024.2>:14
msgid ""
"Added a new command to the admin cli tool: `keystone-manage "
"reset_last_active`. This new command updates the database to overwrite any "
"NULL values in `last_active_at` in the user table with the current time. "
"This is a necessary step to fix Bug #2074018. See launchpad for details."
msgstr ""

#: ../../:233
msgid ""
"Added an option ``--check`` to ``keystone-manage db_sync``; the option "
"allows a user to check the status of rolling upgrades in the database."
msgstr ""

#: ../../:68
msgid ""
"Added support for the ``bcrypt_sha256`` password hashing algorithm, which "
"works around the password length limitation of bcrypt by running the "
"password through HMAC-SHA2-256 first."
msgstr ""

#: ../../:300
msgid ""
"Adjust configuration tools as necessary, see the ``fixes`` section for more "
"details on this change."
msgstr ""

#: ../../:745
msgid ""
"All policies in ``policy.v3cloudsample.json`` that are redundant with the "
"defaults in code have been removed. This improves maintainability and leaves "
"the ``policy.v3cloudsample.json`` policy file with only overrides. These "
"overrides will eventually be moved into code or new defaults in keystone "
"directly. If you're using the policies removed from ``policy.v3cloudsample."
"json`` please check to see if you can migrate to the new defaults or "
"continue maintaining the policy as an override."
msgstr ""

#: ../../:423
msgid ""
"Allow creating a domain with the additional, optional parameter "
"`explicit_domain_id` instead of auto-generating a domain_id from a UUID."
msgstr ""

#: ../../:206
msgid ""
"Any auth methods that are not defined in ``keystone.conf`` in the ``[auth] "
"methods`` option are ignored when the rules are processed. Empty rules are "
"not allowed. If a rule is empty because no valid auth methods exist within "
"it, the rule is discarded at authentication time. If there are no rules or "
"no valid rules for the user, authentication occurs in the default manner: "
"any single configured auth method is sufficient to receive a token."
msgstr ""

#: ../../:1529
msgid ""
"Any middleware defined in Keystone's tree is no longer loaded via stevedore, "
"and likewise the entry points were removed."
msgstr ""

#: ../../:69
msgid ""
"Application credentials will also include all roles implied by the user's "
"roles upon their creation."
msgstr ""

#: ../../:21 stable/rocky>:413
msgid ""
"As a performance improvement, the base mapping driver's method "
"``get_domain_mapping_list`` now accepts an optional named argument "
"``entity_type`` that can be used to get the mappings for a given entity type "
"only. As this new call signature is already used in the ``identity.core`` "
"module, authors/maintainers of out-of-tree custom mapping drivers are "
"expected to update their implementations of the ``get_domain_mapping_list`` "
"method accordingly."
msgstr ""

#: ../../:10 origin/stable/mitaka>:255
#: origin/stable/newton>:27 origin/stable/newton>:166 origin/stable/ocata>:10
#: origin/stable/ocata>:71 origin/stable/ocata>:94 origin/stable/ocata>:396
#: stable/2023.1>:43 stable/2023.1>:81 stable/2023.2>:43 stable/2023.2>:93
#: stable/2024.1>:43 stable/2024.1>:132 stable/2024.2>:55 stable/pike>:87
#: stable/pike>:133 stable/pike>:150 stable/pike>:167 stable/pike>:367
#: stable/queens>:98 stable/queens>:171 stable/queens>:221 stable/queens>:238
#: stable/queens>:377 stable/rocky>:97 stable/rocky>:180 stable/rocky>:254
#: stable/rocky>:311 stable/rocky>:471 stable/stein>:10 stable/stein>:164
#: stable/stein>:1198 stable/train>:26 stable/train>:76 stable/train>:250
#: stable/train>:1314 stable/ussuri>:69 stable/ussuri>:333
#: unmaintained/victoria>:60 unmaintained/victoria>:91
#: unmaintained/victoria>:268 unmaintained/wallaby>:47 unmaintained/wallaby>:85
#: unmaintained/wallaby>:150 unmaintained/xena>:47 unmaintained/xena>:65
#: unmaintained/xena>:96 unmaintained/yoga>:52 unmaintained/yoga>:113
#: unmaintained/zed>:52 unmaintained/zed>:119
msgid "Bug Fixes"
msgstr ""

#: ../../:155
msgid ""
"Certain deprecated methods from the assignment manager were removed in favor "
"of the same methods in the [resource] and [role] manager."
msgstr ""

#: ../../:67
msgid ""
"Certain options in ``keystone.conf`` now have a defined set of choices, "
"which determine whether the user's setting is valid."
msgstr ""

#: ../../:124
msgid ""
"Change the min value of pool_retry_max to 1. Setting this value to 0 caused "
"the pool to fail before connecting to LDAP, always raising "
"MaxConnectionReachedError."
msgstr ""

#: ../../:47
msgid "Configuring per-Identity Provider WebSSO is now supported."
msgstr ""

#: ../../:376 stable/pike>:23
#: stable/queens>:34 stable/rocky>:23 stable/stein>:66 stable/train>:152
#: stable/ussuri>:226 unmaintained/victoria>:194
msgid "Critical Issues"
msgstr ""

#: ../../:109
msgid ""
"Data migrations are now included in the expand phase and the ``--migrate`` "
"option is now a no-op. It may be removed in a future release."
msgstr ""

#: ../../:42 current
msgid ""
"The dependency on the abandoned library `passlib` has been dropped in favor "
"of using `bcrypt` and `cryptography` directly. Passwords hashed with "
"`passlib` remain supported, but the absence of corner cases cannot be "
"guaranteed. If a user is unable to log in with an old password, that "
"password must be rotated."
msgstr ""

#: ../../:57 current origin/stable/mitaka>:167
#: origin/stable/newton>:152 origin/stable/ocata>:349 stable/2024.1>:121
#: stable/pike>:306 stable/queens>:354 stable/rocky>:441 stable/stein>:770
#: stable/train>:769 unmaintained/wallaby>:122 unmaintained/yoga>:96
msgid "Deprecation Notes"
msgstr ""

#: ../../:121
msgid ""
"Domain name information can now be used in policy rules with the attribute "
"``domain_name``."
msgstr ""

#: ../../:101
msgid ""
"Domains are now represented as top level projects with the attribute "
"`is_domain` set to true. Such projects will appear as parents for any "
"previous top level projects. Projects acting as domains can be created, "
"read, updated, and deleted via either the project API or the domain API (V3 "
"only)."
msgstr ""

#: ../../:218
msgid ""
"Dropping Python 2 support in OpenStack Ussuri according to `the TC "
"deprecation timeline `_"
msgstr ""

#: ../../:196
msgid ""
"Each list of methods specifies a rule. If the auth methods provided by a "
"user match (or exceed) the auth methods in the list, that rule is used. The "
"first rule found that matches will be used (rules are not processed in a "
"specific order). If a user has the ruleset defined as ``[[\"password\", "
"\"totp\"]]`` the user must provide both password and totp auth methods (and "
"both methods must succeed) to receive a token. However, if a user has a "
"ruleset defined as ``[[\"password\"], [\"password\", \"totp\"]]`` the user "
"may use the ``password`` method on its own but would be required to use "
"both ``password`` and ``totp`` if ``totp`` is specified at all."
msgstr ""

#: ../../:299
msgid "Each project can have up to 100 tags"
msgstr ""

#: ../../:300
msgid "Each tag can be up to 255 characters"
msgstr ""

#: ../../:109
msgid ""
"Features that were \"extensions\" in previous releases (OAuth delegation, "
"Federated Identity support, Endpoint Policy, etc) are now enabled by default."
msgstr ""

#: ../../:47 stable/2023.2>:47 stable/2024.1>:47
#: stable/2024.2>:59
msgid ""
"Fixed Bug #2074018: Changed the user model to always save the date of the "
"last user activity in `last_active_at`. Previous to this change, the "
"`last_active_at` field was only updated when the option "
"`[security_compliance] disable_user_account_days_inactive` was set. If your "
"deployment is affected by this bug, you must run `keystone-manage "
"reset_last_active` before setting the `disable_user_account_days_inactive` "
"option."
msgstr ""

#: ../../:134
msgid ""
"Fixes a bug related to the password create date. If you deployed master "
"during Newton development, the password create date may be reset. This would "
"only be apparent if you have security compliance features enabled."
msgstr ""

#: ../../:160
msgid ""
"For additional details see: `event notifications `_"
msgstr ""

#: ../../:143
msgid ""
"If PCI support is enabled, via the ``[security_compliance]`` configuration "
"options, then the ``password_expires_at`` field will be populated with a "
"timestamp. Otherwise, it will default to ``null``, indicating the password "
"does not expire."
msgstr ""

#: ../../:155
msgid ""
"If a password does not meet the specified criteria. See "
"``[security_compliance] password_regex``."
msgstr ""

#: ../../:157
msgid ""
"If a user attempts to change their password too often. See "
"``[security_compliance] minimum_password_age``."
msgstr ""

#: ../../:149
msgid ""
"If a user does not change their password at least once every X days. See "
"``[security_compliance] password_expires_days``."
msgstr ""

#: ../../:151
msgid ""
"If a user is locked out after many failed authentication attempts. See "
"``[security_compliance] lockout_failure_attempts``."
msgstr ""

#: ../../:153
msgid ""
"If a user submits a new password that was recently used. See "
"``[security_compliance] unique_last_password_count``."
msgstr ""

#: ../../:265
msgid ""
"If expiring user group memberships are enabled via the `[federation] "
"default_authorization_ttl` configuration option, or on an IdP-by-IdP basis "
"by setting `authorization_ttl`, there will be a lag between when a user is "
"removed from a group in an identity provider and when that is reflected in "
"keystone. The membership persists until the time of the user's last login "
"plus the IdP's TTL."
msgstr ""

#: ../../:284
msgid ""
"If performing rolling upgrades, set `[identity] "
"rolling_upgrade_password_hash_compat` to `True`. This will instruct keystone "
"to continue to hash passwords in a manner that older (pre Pike release) "
"keystones can still verify. Once all upgrades are complete, ensure this "
"option is set back to `False`."
msgstr ""

#: ../../:44 stable/ussuri>:362
msgid ""
"If you are affected by this bug, a fix in the keystone database will be "
"needed, so we recommend dumping the users' tables before doing this process:"
msgstr ""

#: ../../:157 stable/stein>:25 stable/train>:94
#: stable/ussuri>:87 unmaintained/victoria>:109 unmaintained/wallaby>:160
msgid ""
"If you are affected by this bug, you must remove stale role assignments "
"manually. The following is an example SQL statement you can use to fix the "
"issue, but you should verify its applicability to your deployment's SQL "
"implementation and version."
msgstr ""

#: ../../:184
msgid ""
"If you have a custom implementation for the shadow users backend, you will "
"need to implement the new methods: ``delete_federated_object``, "
"``create_federated_object``, ``get_federated_objects``. These methods are "
"needed to support federated attributes via the user API."
msgstr ""

#: ../../:26
msgid ""
"Improve configuration management for out-of-tree identity drivers. When a "
"driver implements a special method, it is invoked before the driver is "
"instantiated when reading configuration from the database. Two new "
"configuration options in the `domain_config` section are also added to "
"allow such driver-specific parameters to be managed using the API."
msgstr ""

#: ../../:147
msgid ""
"In ``keystone-paste.ini``, using ``paste.filter_factory`` is deprecated in "
"favor of the \"use\" directive, specifying an entrypoint."
msgstr ""

#: ../../:143
msgid ""
"In the [resource] and [role] sections of the ``keystone.conf`` file, not "
"specifying the driver and using the assignment driver is deprecated. In the "
"Mitaka release, the resource and role drivers will default to the SQL driver."
msgstr ""

#: ../../:214
msgid ""
"In the case a user should be exempt from MFA Rules, regardless of whether "
"they are set, the User-Option ``multi_factor_auth_enabled`` may be set to "
"``False`` for that user via the user create and update API (``POST/PATCH "
"/v3/users``) call. If this option is set to ``False`` the MFA rules will be "
"ignored for the user. Any other value except ``False`` will result in the "
"MFA Rules being processed; the option can only be a boolean (``True`` or "
"``False``) or \"None\", which results in the default behavior (same as "
"``True``) but the option will no longer be shown in the "
"``user[\"options\"]`` dictionary."
msgstr ""

#: ../../:138
msgid ""
"In the policy.json file, we changed `identity:list_projects_for_groups` to "
"`identity:list_projects_for_user`. Likewise, we changed `identity:"
"list_domains_for_groups` to `identity:list_domains_for_user`. If you have "
"customized the policy.json file, you will need to make these changes. This "
"was done to better support new features around federation."
msgstr ""

#: ../../:1514
msgid ""
"Included in this change is the removal of a legacy WSGI environment data "
"holder called `openstack.params`. The data holder was used exclusively for "
"communicating data down the chain under paste-deploy. The data in `openstack."
"params` was generally \"normalized\" in an odd way and unreferenced in the "
"rest of the OpenStack code base."
msgstr ""

#: ../../:460
msgid ""
"It is no longer possible to inject middleware into the running keystone "
"application via the ``paste.ini`` file. This reduces the attack surface "
"area. While this is not a huge reduction in surface area, it is one less "
"potential place that malicious code could be loaded. Malicious middleware "
"historically could collect information and/or modify the requests and "
"responses from Keystone."
msgstr ""

#: ../../:317
msgid ""
"It is recommended to have the ``healthcheck`` middleware first in the "
"pipeline::"
msgstr ""

#: ../../:1526
msgid ""
"JSON Body and URL Normalizing middleware were moved to a flask-native model."
msgstr ""

#: ../../:610
msgid ""
"Keystone cache backends have been removed in favor of their `oslo.cache` "
"counterparts. This affects:"
msgstr ""

#: ../../:1511
msgid ""
"Keystone has been fully converted to run under flask. All of the APIs are "
"now natively dispatched under flask."
msgstr ""

#: ../../:339
msgid ""
"Keystone has historically used a custom rolled WSGI framework based loosely "
"on [`webob `_] which was in turn loaded by "
"the [`pythonpaste library `_]. The "
"Keystone team has been planning to move away from the home-rolled solution "
"and to a common framework for a number of release cycles. As of the Rocky "
"release Keystone is moving to the ``Flask`` framework."
msgstr ""

#: ../../:401
msgid ""
"Keystone is no longer loaded via ``paste.deploy`` and instead directly loads "
"the ``Flask`` based application. If a deployment is relying on the entry-"
"point generated wsgi files, it is important to get the newest ones. These "
"new files have minor changes to support the new loading mechanisms. The "
"files will be auto-generated via ``PBR`` and setup. The ``paste.ini`` file "
"will now be ignored, but will remain on disk until the ``Stein`` release to "
"ensure deployment tools are not inadvertently broken. The ``paste.ini`` file "
"will have a comment added to indicate it is ignored."
msgstr ""

#: ../../:108
msgid ""
"Keystone no longer substitutes the following string interpolations in "
"catalog information. Replace string interpolations with hard-coded strings "
"before upgrading."
msgstr ""

#: ../../:146
msgid ""
"Keystone now relies on pyldap instead of python-ldap. The pyldap library is "
"a fork of python-ldap and is a drop-in replacement with modifications to be "
"py3 compatible."
msgstr ""

#: ../../:435
msgid ""
"Keystone now relies on python-ldap instead of pyldap. The pyldap library is "
"a deprecated fork of python-ldap. Starting with the python-ldap 3.0 release "
"it has been merged back and is maintained there."
msgstr ""

#: ../../:525
msgid ""
"Keystone now supports authorizing a request token by providing a role name. "
"A `role` in the `roles` parameter can include either a role name or role id, "
"but not both."
msgstr ""

#: ../../:192
msgid ""
"Keystone now supports being run under Python 3. The Python 3 and Python 3.4 "
"classifiers have been added."
msgstr ""

#: ../../:142
msgid ""
"Keystone now supports encrypted credentials at rest. In order to upgrade "
"successfully to Newton, deployers must encrypt all credentials currently "
"stored before contracting the database. Deployers must run `keystone-manage "
"credential_setup` in order to use the credential API within Newton, or "
"finish the upgrade from Mitaka to Newton. This will result in a service "
"outage for the credential API where credentials will be read-only for the "
"duration of the upgrade process. Once the database is contracted credentials "
"will be writeable again. Database contraction phases only apply to rolling "
"upgrades."
msgstr ""

#: ../../:161
msgid ""
"Keystone now uses oslo.cache. Update the `[cache]` section of `keystone."
"conf` to point to oslo.cache backends: ``oslo_cache.memcache_pool`` or "
"``oslo_cache.mongo``. Refer to the sample configuration file for examples. "
"See `oslo.cache `_ for "
"additional documentation."
msgstr ""

#: ../../:65
msgid ""
"Keystone supports ``$(project_id)s`` in the catalog. It works the same as "
"``$(tenant_id)s``. Use of ``$(tenant_id)s`` is deprecated and catalog "
"endpoints should be updated to use ``$(project_id)s``."
msgstr ""

#: ../../:173
msgid ""
"Mappings can now specify \"whitelist\" and \"blacklist\" conditionals as "
"regular expressions. Prior, only \"not_any_of\" and \"any_one_of\" "
"conditionals supported regular expression matching."
msgstr ""

#: ../../:10 current origin/stable/liberty>:10
#: origin/stable/liberty>:35 origin/stable/mitaka>:25 origin/stable/newton>:58
#: origin/stable/newton>:88 origin/stable/ocata>:131 stable/2023.1>:10
#: stable/2023.1>:64 stable/2023.1>:99 stable/2023.2>:10 stable/2023.2>:64
#: stable/2024.1>:10 stable/2024.1>:64 stable/2024.2>:10 stable/pike>:225
#: stable/queens>:265 stable/rocky>:350 stable/stein>:300 stable/train>:351
#: stable/ussuri>:10 stable/ussuri>:132 unmaintained/victoria>:10
#: unmaintained/victoria>:149 unmaintained/wallaby>:10 unmaintained/xena>:10
#: unmaintained/yoga>:10 unmaintained/zed>:10 unmaintained/zed>:70
msgid "New Features"
msgstr ""

#: ../../:151
msgid ""
"Not specifying a domain during a create user, group or project call, which "
"relied on falling back to the default domain, is now deprecated and will be "
"removed in the N release."
msgstr ""

#: ../../:286 stable/stein>:1482
msgid "Note that at a minimum python-ldappool 2.3.1 is required."
msgstr ""

#: ../../:100
msgid ""
"OSprofiler support was added. This cross-project profiling library allows "
"tracing various requests through all OpenStack services that support it. To "
"initiate OpenStack request tracing the `--profile ` option needs to be "
"added to the CLI command. Configuration and usage details can be found in "
"[`OSProfiler documentation `_]"
msgstr ""

#: ../../:130
msgid ""
"OSprofiler support was introduced. To allow its usage the keystone-paste.ini "
"file needs to be modified to contain the osprofiler middleware."
msgstr ""

#: ../../:1532
msgid ""
"The original WSGI framework (custom, home-rolled, based on WebOb) has been "
"removed from the codebase."
msgstr "" #: ../../:127 origin/stable/mitaka>:281 #: origin/stable/newton>:184 origin/stable/ocata>:33 origin/stable/ocata>:495 #: stable/pike>:204 stable/pike>:474 stable/queens>:511 stable/rocky>:663 #: stable/stein>:1503 stable/train>:1518 msgid "Other Notes" msgstr "" #: ../../:581 msgid "" "PKI and PKIz token formats have been removed in favor of Fernet tokens." msgstr "" #: ../../:85 stable/2023.2>:97 #: unmaintained/victoria>:64 unmaintained/wallaby>:51 unmaintained/xena>:51 #: unmaintained/yoga>:56 unmaintained/zed>:56 msgid "" "Passwords that are hashed using bcrypt are now truncated properly to the " "maximum allowed length by the algorythm. This solves regression, when " "passwords longer then 54 symbols are getting invalidated after the Keystone " "upgrade." msgstr "" #: ../../:122 unmaintained/victoria>:39 #: unmaintained/wallaby>:26 unmaintained/xena>:26 unmaintained/yoga>:31 #: unmaintained/zed>:31 msgid "" "Passwords will now be automatically truncated if the max_password_length is " "greater than the allowed length for the selected password hashing algorithm. " "Currently only bcrypt has fixed allowed lengths defined which is 54 " "characters. A warning will be generated in the log if a password is " "truncated. This will not affect existing passwords, however only the first " "54 characters of existing bcrypt passwords will be validated." msgstr "" #: ../../:864 msgid "" "Please consider these new default if your deployment overrides domain " "policies." msgstr "" #: ../../:73 origin/stable/ocata>:112 #: stable/queens>:255 stable/rocky>:335 stable/stein>:289 stable/train>:335 msgid "Prelude" msgstr "" #: ../../:304 msgid "" "Project tags are implemented following the guidelines set by the `API " "Working Group `_" msgstr "" #: ../../:89 msgid "" "Python 3.6 & 3.7 support has been dropped. The minimum version of Python now " "supported is Python 3.8." msgstr "" #: ../../:50 current msgid "" "Python 3.8 support was dropped. 
The minimum version of Python now supported " "is Python 3.9." msgstr "" #: ../../:424 msgid "" "Remove token_auth from your keystone paste.ini file. Failure to remove these " "elements from your paste ini file will result in keystone to no longer start/" "run when the `token_auth` is removed in the Stein release." msgstr "" #: ../../:448 msgid "" "Replaced the usage of SQLAlchemy Inspector.from_engine() with the sqlalchemy." "inspect() call, within several Alembic migration files as well as a test " "suite. SQLAlchemy will be deprecating the former syntax, so this change " "allows forwads compatibility with the next series of SQLAlchemy." msgstr "" #: ../../:161 msgid "" "Restores the configurability of the resource driver, so it is now possible " "to create a custom resource driver if the built-in sql driver does not meet " "business requirements." msgstr "" #: ../../:598 msgid "" "Routes and SQL backends for the contrib extensions have been removed, they " "have been incorporated into keystone and are no longer optional. This " "affects:" msgstr "" #: ../../:131 msgid "" "Running keystone in eventlet remains deprecated and will be removed in the " "Mitaka release." msgstr "" #: ../../:234 msgid "" "SECURITY INFO: The MFA rules are only processed when authentication happens " "through the V3 authentication APIs. If V2 Auth is enabled it is possible to " "circumvent the MFA rules if the user can authenticate via V2 Auth API. It is " "recommended to disable V2 authentication for full enforcement of the MFA " "rules." msgstr "" #: ../../:163 stable/stein>:31 stable/train>:53 #: stable/train>:100 stable/ussuri>:93 stable/ussuri>:370 #: unmaintained/victoria>:115 unmaintained/wallaby>:166 msgid "SQL:" msgstr "" #: ../../:105 msgid "" "Schema downgrades via ``keystone-manage db_sync`` are no longer supported. " "Only upgrades are supported." 
msgstr "" #: ../../:20 origin/stable/mitaka>:237 #: origin/stable/newton>:10 origin/stable/ocata>:54 origin/stable/ocata>:386 #: stable/2023.1>:24 stable/2023.1>:118 stable/2023.2>:24 stable/2024.1>:24 #: stable/2024.2>:36 stable/pike>:46 stable/pike>:334 stable/queens>:57 #: stable/rocky>:46 stable/rocky>:456 stable/stein>:101 stable/stein>:1064 #: stable/train>:10 stable/train>:63 stable/train>:187 stable/train>:1190 #: stable/ussuri>:35 stable/ussuri>:56 stable/ussuri>:261 #: unmaintained/victoria>:35 unmaintained/victoria>:78 #: unmaintained/victoria>:217 unmaintained/wallaby>:22 #: unmaintained/wallaby>:137 unmaintained/xena>:22 unmaintained/yoga>:27 #: unmaintained/zed>:27 msgid "Security Issues" msgstr "" #: ../../:302 msgid "" "See `Project Tags `_" msgstr "" #: ../../:478 msgid "" "Set the following user attributes to ``True`` or ``False`` in an API request." " To mark a user as exempt from the PCI password lockout policy::" msgstr "" #: ../../:117 msgid "" "Several configuration options have been deprecated, renamed, or moved to new " "sections in the ``keystone.conf`` file." msgstr "" #: ../../:63 msgid "" "Several features were hardened, including Fernet tokens, federation, domain " "specific configurations from database and role assignments." msgstr "" #: ../../:626 msgid "" "Several token issuance methods from the abstract class ``keystone.token." "providers.base.Provider`` were removed (see below) in favor of a single " "method to issue tokens (``issue_token``). If using a custom token provider, " "updated the custom provider accordingly." msgstr "" #: ../../:618 msgid "" "Several token validation methods from the abstract class ``keystone.token." "providers.base.Provider`` were removed (see below) in favor of a single " "method to validate tokens (``validate_token``), that has the signature " "``validate_token(self, token_ref)``. If using a custom token provider, " "update the custom provider accordingly." 
msgstr ""

#: ../../:298
msgid ""
"Since the scope information is now available in the credential dictionary, "
"we can just make use of it instead. Those who have custom policies must "
"update their policy files accordingly."
msgstr ""

#: ../../:1486
msgid "Some bugs in the unified limit APIs have been fixed, including:"
msgstr ""

#: ../../:1520
msgid ""
"Some minor changes to the JSON Home document occurred to make it consistent "
"with the rest of our conventions (technically an API contract break) but "
"required for the more strict view the Keystone flask code takes on setting "
"up the values for JSON Home. Notably \"application_credentials\" now has an "
"appropriate entry for listing and creating new app creds."
msgstr ""

#: ../../:124
msgid ""
"Support for writing to LDAP has been removed. See ``Other Notes`` for more "
"details."
msgstr ""

#: ../../:267
msgid ""
"Support has now been added to send notification events on user/group "
"membership. When a user is added or removed from a group a notification will "
"be sent including the identifiers of both the user and the group."
msgstr ""

#: ../../:59
msgid ""
"Support was improved for out-of-tree drivers by defining stable driver "
"interfaces."
msgstr ""

#: ../../:297
msgid "Tags are case sensitive"
msgstr ""

#: ../../:77
msgid ""
"The EC2 token middleware, deprecated in Juno, is no longer available in "
"keystone. It has been moved to the keystonemiddleware package."
msgstr ""

#: ../../:131
msgid ""
"The LDAP driver now also maps the user description attribute after user "
"retrieval from LDAP. If this is undesired behavior for your setup, please "
"add `description` to the `user_attribute_ignore` LDAP driver config setting. "
"The default mapping of the description attribute is set to `description`. "
"Please adjust the LDAP driver config setting `user_description_attribute` if "
"your LDAP uses a different attribute name (for instance to `displayName` in "
"case of an AD backed LDAP). If your `user_additional_attribute_mapping` "
"setting contains `description:description` you can remove this mapping, "
"since this is now the default behavior."
msgstr ""

#: ../../:184
msgid ""
"The MFA rules are set via the user create and update API (``POST/PATCH /v3/"
"users``) call; the options allow an admin to force a user to use specific "
"forms of authentication or combinations of forms of authentication to get a "
"token. The rules are specified as follows::"
msgstr ""

#: ../../:121
msgid ""
"The PKI and PKIz token formats have been removed. See ``Other Notes`` for "
"more details."
msgstr ""

#: ../../:231
msgid ""
"The V8 Federation driver interface is deprecated in favor of the V9 "
"Federation driver interface. Support for the V8 Federation driver interface "
"is planned to be removed in the 'O' release of OpenStack."
msgstr ""

#: ../../:179
msgid ""
"The V8 Resource driver interface is deprecated. Support for the V8 Resource "
"driver interface is planned to be removed in the 'O' release of OpenStack."
msgstr ""

#: ../../:85
msgid ""
"The XML middleware stub has been removed, so references to it must be "
"removed from the ``keystone-paste.ini`` configuration file."
msgstr ""

#: ../../:81
msgid ""
"The ``--extension`` option of ``keystone-manage db_sync`` has been "
"deprecated since 10.0.0 (Newton) and raised an error when provided. It has "
"now been removed entirely."
msgstr ""

#: ../../:363
msgid ""
"The ``/OS-FEDERATION/projects`` and ``/OS-FEDERATION/domains`` APIs are "
"deprecated in favor of the ``/v3/auth/projects`` and ``/v3/auth/domains`` "
"APIs. These APIs were originally marked as deprecated during the Juno "
"release cycle, but we never deprecated using ``versionutils`` from oslo. "
"More information regarding this deprecation can be found in the `patch "
"`_ that proposed the deprecation."
msgstr ""

#: ../../:633
msgid ""
"The ``[DEFAULT] domain_id_immutable`` configuration option has been removed "
"in favor of strictly immutable domain IDs."
msgstr ""

#: ../../:673
msgid ""
"The ``[DEFAULT] domain_id_immutable`` option has been removed. This removes "
"the ability to change the ``domain_id`` attribute of users, groups, and "
"projects. The behavior was introduced to allow deployers to migrate entities "
"from one domain to another by updating the ``domain_id`` attribute of an "
"entity. This functionality was deprecated in the Mitaka release and is now "
"removed."
msgstr ""

#: ../../:61 current
msgid ""
"The ``[DEFAULT] max_param_size`` option has been deprecated. This option was "
"used in the identity v2 API, but the identity v2 API was removed in the "
"13.0.0 release."
msgstr ""

#: ../../:661
msgid ""
"The ``[assignment] driver`` now defaults to ``sql``. Logic to determine the "
"default assignment driver if one wasn't supplied through configuration has "
"been removed. Keystone only supports one assignment driver and it shouldn't "
"be changed unless you're deploying a custom assignment driver."
msgstr ""

#: ../../:637
msgid ""
"The ``[endpoint_policy] enabled`` configuration option has been removed in "
"favor of always enabling the endpoint policy extension."
msgstr ""

#: ../../:669
msgid ""
"The ``[os_inherit] enabled`` config option has been removed; the `OS-"
"INHERIT` extension is now always enabled."
msgstr ""

#: ../../:665
msgid ""
"The ``[resource] driver`` now defaults to ``sql``. Logic to determine the "
"default resource driver if one wasn't supplied through configuration has "
"been removed. Keystone only supports one resource driver and it shouldn't be "
"changed unless you're deploying a custom resource driver."
msgstr ""

#: ../../:495
msgid ""
"The ``[security_compliance] password_expires_ignore_user_ids`` option has "
"been removed. Each user that should ignore password expiry should have the "
"value set to \"true\" in the user's ``options`` attribute (e.g. "
"``user['options']['ignore_password_expiry'] = True``) with a user update "
"call."
msgstr ""

#: ../../:81
msgid ""
"The ``compute_port`` configuration option, deprecated in Juno, is no longer "
"available."
msgstr ""

#: ../../:371
msgid ""
"The ``enabled`` config option of the ``trust`` feature is deprecated and "
"will be removed in the next release. Trusts will then always be enabled."
msgstr ""

#: ../../:649
msgid ""
"The ``httpd/keystone.py`` file has been removed in favor of the ``keystone-"
"wsgi-admin`` and ``keystone-wsgi-public`` scripts."
msgstr ""

#: ../../:355
msgid ""
"The ``keystone-manage bootstrap`` command can now be used to update existing "
"endpoints idempotently, which is useful in conjunction with configuration "
"management tools that use this command for both initialization and lifecycle "
"management of keystone."
msgstr ""

#: ../../:553
msgid ""
"The ``keystone-manage bootstrap`` command will now update existing endpoints "
"rather than skipping them if they already exist but are different from the "
"values provided to the command. This is useful in conjunction with "
"configuration management tools that use this command for both initialization "
"and lifecycle management of keystone."
msgstr ""

#: ../../:97
msgid ""
"The ``keystone.conf`` file now references entrypoint names for drivers. For "
"example, the drivers are now specified as \"sql\", \"ldap\", \"uuid\", "
"rather than the full module path. See the sample configuration file for "
"other examples."
msgstr ""

#: ../../:653
msgid ""
"The ``keystone/service.py`` file has been removed; the logic has been moved "
"to ``keystone/version/service.py``."
msgstr ""

#: ../../:645
msgid ""
"The ``memcache`` and ``memcache_pool`` token persistence backends have been "
"removed in favor of using Fernet tokens (which require no persistence)."
msgstr ""

#: ../../:358
msgid ""
"The ``policies`` API is deprecated. Keystone is not a policy management "
"service."
msgstr ""

#: ../../:228
msgid ""
"The ``token`` auth method typically should not be specified in any MFA Rules."
" The ``token`` auth method will include all previous auth methods for the "
"original auth request and will match the appropriate ruleset. This is "
"intentional, as the ``token`` method is used for rescoping/changing active "
"projects."
msgstr ""

#: ../../:683
msgid ""
"The `implied roles API `_ has been marked as stable. This API was originally "
"implemented in Mitaka and marked as experimental. There haven't been any "
"backwards incompatible updates since then. As a result, the API is being "
"marked as stable."
msgstr ""

#: ../../:141
msgid ""
"The `keystone-paste.ini` file must be updated to remove extension filters, "
"and their use in ``[pipeline:api_v3]``. Remove the following filters: "
"``[filter:oauth1_extension]``, ``[filter:federation_extension]``, ``[filter:"
"endpoint_filter_extension]``, and ``[filter:revoke_extension]``. See the "
"sample `keystone-paste.ini `_ file for guidance."
msgstr ""

#: ../../:145
msgid ""
"The `keystone-paste.ini` file must be updated to remove extension filters, "
"and their use in ``[pipeline:public_api]`` and ``[pipeline:admin_api]`` "
"pipelines. Remove the following filters: ``[filter:user_crud_extension]``, "
"``[filter:crud_extension]``. See the sample `keystone-paste.ini `_ file "
"for guidance."
msgstr ""

#: ../../:219
msgid ""
"The `os_inherit` configuration option is disabled. In the future, this "
"option will be removed and this portion of the API will always be enabled."
msgstr ""

#: ../../:301
msgid ""
"The ability to validate a trust-scoped token against the v2.0 API has been "
"removed, in favor of using version 3 of the API."
msgstr ""

#: ../../:245
msgid ""
"The admin_token method of authentication was never intended to be used for "
"any purpose other than bootstrapping an install. However, many deployments "
"had to leave the admin_token method enabled due to restrictions on editing "
"the paste file used to configure the web pipelines. To minimize the risk "
"from this mechanism, the `admin_token` configuration value now defaults to a "
"python `None` value. In addition, if the value is set to `None`, either "
"explicitly or implicitly, the `admin_token` will not be enabled, and an "
"attempt to use it will lead to a failed authentication."
msgstr ""

#: ../../:764
msgid ""
"The assignment driver interface has changed to use the named parameter "
"'project_id' instead of 'tenant_id'."
msgstr ""

#: ../../:641
msgid ""
"The auth plugin ``keystone.auth.plugins.saml2.Saml2`` has been removed in "
"favor of the auth plugin ``keystone.auth.plugins.mapped.Mapped``."
msgstr ""

#: ../../:491
msgid ""
"The catalog backend ``endpoint_filter.sql`` has been removed. It has been "
"consolidated with the ``sql`` backend, therefore replace the "
"``endpoint_filter.sql`` catalog backend with the ``sql`` backend."
msgstr ""

#: ../../:657
msgid ""
"The check for admin token from ``build_auth_context`` middleware has been "
"removed. If your deployment requires the use of `admin token`, update "
"``keystone-paste.ini`` so that ``admin_token_auth`` is before "
"``build_auth_context`` in the paste pipelines, otherwise remove the "
"``admin_token_auth`` middleware from ``keystone-paste.ini`` entirely."
msgstr ""

#: ../../:1058
msgid ""
"The command line options `standard-threads`, `pydev-debug-host` and `pydev-"
"debug-port` were only used by the Keystone eventlet model in the Newton "
"release and before. They are deprecated now and will be removed in the next "
"release."
msgstr ""

#: ../../:533
msgid ""
"The config option ``rolling_upgrade_password_hash_compat`` is removed. It "
"was only used for rolling upgrades from the Ocata release to the Pike "
"release."
msgstr ""

#: ../../:153
msgid ""
"The configuration options for LDAP connection pooling, `[ldap] use_pool` and "
"`[ldap] use_auth_pool`, are now both enabled by default. Only deployments "
"using LDAP drivers are affected. Additional configuration options are "
"available in the `[ldap]` section to tune connection pool size, etc."
msgstr ""

#: ../../:55
msgid ""
"The credentials list call can now have its results filtered by credential "
"type."
msgstr ""

#: ../../:94
msgid ""
"The database migration engine has changed from `sqlalchemy-migrate`__ to "
"`alembic`__. For most deployments, this should have minimal to no impact and "
"the switch should be mostly transparent. The main user-facing impact is the "
"change in schema versioning. While sqlalchemy-migrate used a linear, integer-"
"based versioning scheme, which required placeholder migrations to allow for "
"potential migration backports, alembic uses a distributed version control-"
"like schema where a migration's ancestor is encoded in the file and branches "
"are possible. The alembic migration files therefore use an arbitrary UUID-"
"like naming scheme and the ``keystone-manage db_version`` command returns "
"such a version."
msgstr ""

#: ../../:137
msgid ""
"The default setting for the `os_inherit` configuration option is changed to "
"True. If it is required to continue with this portion of the API disabled, "
"then override the default setting by explicitly specifying the os_inherit "
"option as False."
msgstr ""

#: ../../:116
msgid "The default token provider is now Fernet."
msgstr ""

#: ../../:108
msgid ""
"The default value of the ``[oslo_policy] policy_file`` config option has "
"been changed from ``policy.json`` to ``policy.yaml``. Operators who are "
"utilizing customized or previously generated static policy JSON files (which "
"are not needed by default) should generate new policy files or convert them "
"to YAML format. Use the `oslopolicy-convert-json-to-yaml `_ tool to "
"convert a JSON policy file to a YAML formatted one in a backward compatible "
"way."
msgstr ""

#: ../../:93
msgid ""
"The external authentication plugins ExternalDefault, ExternalDomain, "
"LegacyDefaultDomain, and LegacyDomain, deprecated in Icehouse, are no longer "
"available."
msgstr ""

#: ../../:99
msgid ""
"The following command line options have been removed. These options were "
"used by the Keystone eventlet model, which was removed in the Newton release."
msgstr ""

#: ../../:80
msgid ""
"The following deprecated options in the ``[memcache]`` section have been "
"removed."
msgstr ""

#: ../../:90
msgid "The following options have been removed."
msgstr ""

#: ../../:100
msgid ""
"The following options in the ``[memcache]`` section have been deprecated "
"because these options have had no effect since Pike. Please use "
"``memcache_*`` options in the ``[cache]`` section instead."
msgstr ""

#: ../../:209
msgid ""
"The foreign key constraint between the ``user.domain_id`` column and the "
"``project.id`` column and between the ``identity_provider.domain_id`` column "
"and the ``project.id`` column will be dropped upon running the keystone "
"db_sync contraction step. These constraints are enforced in code and do not "
"need to be enforced by the database. This should have no impact on users."
msgstr ""

#: ../../:487
msgid ""
"The functionality of the ``ADMIN_TOKEN`` remains, but has been incorporated "
"into the main auth middleware (``keystone.middleware.auth."
"AuthContextMiddleware``)."
msgstr ""

#: ../../:262
msgid ""
"The identity backend driver interface has changed. A new method, "
"`unset_default_project_id(project_id)`, was added to unset a user's default "
"project ID for a given project ID. Custom backend implementations must "
"implement this method."
msgstr ""

#: ../../:126
msgid ""
"The identity backend driver interface has changed. We've added a new "
"``change_password()`` method for self service password changes. If you have "
"a custom implementation for the identity driver, you will need to implement "
"this new method."
msgstr ""

#: ../../:465
msgid ""
"The implementation for checking database state during an upgrade with the "
"use of `keystone-manage db_sync --check` has been corrected. This allows "
"users and automation to determine what step is next in a rolling upgrade "
"based on logging and command status codes."
msgstr ""

#: ../../:279 stable/stein>:1475
msgid ""
"The keystone LDAP backend is updated to adhere to this behavior by using "
"bytes_mode=False for Python 2 and dropping UTF-8 encoding and decoding "
"fields that are now represented as text in python-ldap."
msgstr ""

#: ../../:450
msgid ""
"The keystone.middleware.core:TokenAuthMiddleware is deprecated for removal."
msgstr ""

#: ../../:86
msgid ""
"The legacy ``sqlalchemy-migrate`` migrations, which have been deprecated "
"since Zed, have been removed. There should be no end-user impact."
msgstr ""

#: ../../:87
msgid ""
"The legacy migrations that existed before the split into separate expand "
"schema, contract schema, and data migration steps have now been removed. "
"These have been deprecated since 10.0.0 (Newton). This should have no user-"
"facing impact."
msgstr ""

#: ../../:285
msgid ""
"The list_project_ids_for_user(), list_domain_ids_for_user(), "
"list_user_ids_for_project(), list_project_ids_for_groups(), "
"list_domain_ids_for_groups(), list_role_ids_for_groups_on_project() and "
"list_role_ids_for_groups_on_domain() methods have been removed from the V9 "
"version of the Assignment driver."
msgstr ""

#: ../../:559
msgid "The method signature has changed from::"
msgstr ""

#: ../../:28 stable/2023.2>:28 stable/2024.1>:28
#: stable/2024.2>:40
msgid ""
"The new `keystone-manage reset_last_active` command resets all NULL values "
"in `last_active_at` in the user table to help fix Bug #2074018. Running this "
"command may be necessary in environments that have been deployed for a long "
"time and later decide to adopt the `[security_compliance] "
"disable_user_account_days_inactive = X` option. See Bug #2074018 for details."
msgstr ""

#: ../../:445
msgid ""
"The option ``[token] infer_roles=False`` is being deprecated in favor of "
"always expanding role implications during token validation. `Default roles "
"`_ depend on a chain of implied role assignments, "
"ex: an admin user will also have the reader and member role. Therefore, by "
"ensuring that all these roles will always appear on the token validation "
"response, we can improve the simplicity and readability of policy files."
msgstr ""

#: ../../:292 stable/queens>:340
msgid ""
"The resource backend cannot be configured to anything but SQL if the SQL "
"Identity backend is being used. The resource backend must now be SQL, which "
"allows for the use of Foreign Keys to domains/projects wherever desired. "
"This makes managing project relationships and such much more "
"straightforward. The inability to configure non-SQL resource backends has "
"been in Keystone since at least Ocata. This is eliminating some complexity "
"and preventing the need for some really ugly back-port SQL migrations in "
"favor of a better model. Resource is highly relational and should be SQL "
"based."
msgstr ""

#: ../../:188
msgid ""
"The response's content type for creating a request token or access token is "
"changed to `application/x-www-form-urlencoded`; the old value `application/x-"
"www-urlformencoded` is invalid and will no longer be used."
msgstr ""

#: ../../:191
msgid ""
"The rules are specified as a list of lists. The elements of the sub-lists "
"must be strings and are intended to mirror the required authentication "
"method names (e.g. ``password``, ``totp``, etc) as defined in the ``keystone."
"conf`` file in the ``[auth] methods`` option."
msgstr ""

#: ../../:1176
msgid ""
"The socket timeout configuration option for memcache in Keystone's own "
"definition isn't actually used anywhere [0]; it would appear to be a broken "
"knob. In fact oslo.cache has a duplicate option that appears to be used "
"instead [1]. We can deprecate the keystone-specific option and point people "
"to the oslo.cache option."
msgstr ""

#: ../../:125
msgid ""
"The templated catalog driver has been deprecated and will be removed in a "
"future release."
msgstr ""

#: ../../:428
msgid ""
"The token provider API has removed the ``needs_persistence`` property from "
"the abstract interface. Token providers are expected to handle persistence "
"requirements if needed. This will require out-of-tree token providers to "
"remove the unused property and handle token storage."
msgstr ""

#: ../../:344
msgid ""
"The token_auth middleware functionality has been merged into the main auth "
"middleware (keystone.middleware.auth.AuthContextMiddleware). "
"`admin_token_auth` must be removed from the [pipeline:api_v3], [pipeline:"
"admin_api], and [pipeline:public_api] sections of your paste ini file. The "
"[filter:token_auth] block will also need to be removed from your paste ini "
"file. Failure to remove these elements from your paste ini file will result "
"in keystone no longer starting/running when the `token_auth` is removed in "
"the Stein release."
msgstr ""

#: ../../:309
msgid ""
"The token_formatter utility class has been moved from under fernet to the "
"default token directory. This is to allow for the reuse of functionality "
"with other token providers. Any deployments that are specifically using the "
"fernet utils may be affected and will need to adjust accordingly."
msgstr ""

#: ../../:323
msgid ""
"The trusts table now has an expires_at_int column that represents the "
"expiration time as an integer instead of a datetime object. This will "
"prevent rounding errors related to the way date objects are stored in some "
"versions of MySQL. The expires_at column remains, but will be dropped in "
"Rocky."
msgstr ""

#: ../../:349
msgid ""
"The use of `sha512_crypt` is considered inadequate for password hashing in "
"an application like Keystone. The use of bcrypt or scrypt is recommended to "
"ensure protection against password cracking utilities if the hashes are "
"exposed. This is due to Time-Complexity requirements for computing the "
"hashes in light of modern hardware (CPU, GPU, ASIC, FPGA, etc). Keystone has "
"moved to bcrypt as a default and no longer hashes new passwords (and "
"password changes) with sha512_crypt. It is recommended passwords be changed "
"after upgrade to Pike. The risk of password hash exposure is limited, but "
"for the best possible protection against cracking the hash it is recommended "
"passwords be changed after upgrade. The password change will then result in "
"a more secure hash (bcrypt by default) being used to store the password in "
"the DB."
msgstr ""

#: ../../:241
msgid ""
"The use of the admin_token filter is insecure compared to the use of a "
"proper username/password. Historically the admin_token filter has been left "
"enabled in Keystone after initialization due to the way CMS systems work. "
"Moving to an out-of-band initialization using ``keystone-manage bootstrap`` "
"will eliminate the security concerns around a static shared string that "
"conveys admin access to keystone and therefore to the entire installation."
msgstr ""

#: ../../:698
msgid ""
"The user API uses new default policies that make it more accessible to end "
"users and administrators in a secure way. Please consider these new defaults "
"if your deployment overrides user policies."
msgstr ""

#: ../../:1131
msgid ""
"These new defaults automatically account for system-scope and support a read-"
"only role, making it easier for system administrators to delegate subsets of "
"responsibility without compromising security. Please consider these new "
"defaults if your deployment overrides the project tag policies."
msgstr ""

#: ../../:917
msgid ""
"These new defaults automatically account for system-scope and support a read-"
"only role, making it easier for system administrators to delegate subsets of "
"responsibility without compromising security. Please consider these new "
"defaults if your deployment overrides the domain config policies."
msgstr ""

#: ../../:668
msgid ""
"These policies are not being formally deprecated because the unified limits "
"API is still considered experimental. These new defaults automatically "
"account for system-scope. Please consider these new defaults if your "
"deployment overrides the registered limit or limit policies."
msgstr ""

#: ../../:556
msgid ""
"Third-party extensions that extend the abstract class "
"(``ShadowUsersDriverBase``) should be updated according to the new parameter "
"names."
msgstr ""

#: ../../:31 current
msgid ""
"This also simplifies deployment with other WSGI servers that expect module "
"paths such as gunicorn."
msgstr ""

#: ../../:67 current
msgid ""
"This is the last release where passwords hashed using the sha512_crypt "
"algorithm are supported. Since even support of that is being dropped in "
"python 3.13 it would be physically dropped from Keystone in the next release "
"(`Epoxy`)."
msgstr ""

#: ../../:259
msgid ""
"This release adds support for Application Credentials, a new way to allow "
"applications and automated tooling to authenticate with keystone. Rather "
"than storing a username and password in an application's config file, which "
"can pose security risks, you can now create an application credential to "
"allow an application to authenticate and acquire a preset scope and role "
"assignments. This is especially useful for LDAP and federated users, who can "
"now delegate their cloud management tasks to a keystone-specific resource, "
"rather than share their externally managed credentials with keystone and "
"risk a compromise of those external systems. Users can delegate a subset of "
"their role assignments to an application credential, allowing them to "
"strategically limit their application's access to the minimum needed. Unlike "
"passwords, a user can have more than one active application credential, "
"which means they can be rotated without causing downtime for the "
"applications using them."
msgstr ""

#: ../../:293 stable/train>:344
msgid ""
"This release leverages oslo.policy's policy-in-code feature to modify the "
"default check strings and scope types for nearly all of keystone's API "
"policies. These changes make the policies more precise than they were "
"before, using the reader, member, and admin roles where previously only the "
"admin role and a catch-all rule was available. The changes also take "
"advantage of system, domain, and project scope, allowing you to create role "
"assignments for your users that are appropriate to the actions they need to "
"perform. Eventually this will allow you to set ``[oslo_policy]/enforce_scope="
"true`` in your keystone configuration, which simplifies access control "
"management by ensuring that oslo.policy checks both the role and the scope "
"on API requests. However, please be aware that not all policies have been "
"converted in this release and some changes are still under development. "
"During the transition phase, if you have not overridden a policy, the old "
"default and the new default will be OR'd together. This means that, for "
"example, where we have changed the policy rule from ``'rule:"
"admin_required'`` to ``'role:reader and system_scope:all'``, both policy "
"rules will be in effect. Please check your current policies and role "
"assignments before upgrading to ensure the policies will not be too "
"permissive for your deployment. To hide the deprecation warnings and opt "
"into the less permissive rules, you can override the policy configuration to "
"use the newer policy rule."
msgstr ""

#: ../../:483
msgid "To mark a user as exempt from the PCI password expiry policy::"
msgstr ""

#: ../../:487
msgid "To mark a user as exempt from the PCI reset policy::"
msgstr ""

#: ../../:224
msgid "To mark a user exempt from the MFA Rules::"
msgstr ""

#: ../../:296
msgid "To the properly written::"
msgstr ""

#: ../../:341
msgid "To::"
msgstr ""

#: ../../:323
msgid ""
"Token persistence driver/code (SQL) is deprecated with this patch since it "
"is only used by the UUID token provider."
msgstr ""

#: ../../:82
msgid "Tokens can now be cached when issued."
msgstr ""

#: ../../:317
msgid ""
"UUID token provider ``[token] provider=uuid`` has been deprecated in favor "
"of Fernet tokens ``[token] provider=fernet``. With Fernet tokens becoming "
"the default, UUID tokens can be slated for removal in the R release. This "
"also deprecates token-bind support as it was never implemented for fernet."
msgstr ""

#: ../../:38 current origin/stable/liberty>:73
#: origin/stable/mitaka>:123 origin/stable/newton>:118 origin/stable/ocata>:281
#: stable/2023.2>:82 stable/2024.1>:76 stable/pike>:10 stable/pike>:254
#: stable/queens>:10 stable/queens>:319 stable/rocky>:10 stable/rocky>:387
#: stable/stein>:53 stable/stein>:465 stable/train>:139 stable/train>:549
#: stable/ussuri>:22 stable/ussuri>:169 unmaintained/victoria>:22
#: unmaintained/victoria>:181 unmaintained/wallaby>:72
#: unmaintained/wallaby>:104 unmaintained/xena>:83 unmaintained/yoga>:77
#: unmaintained/zed>:85
msgid "Upgrade Notes"
msgstr ""

#: ../../:126
msgid ""
"Use of JSON policy files was deprecated by the ``oslo.policy`` library "
"during the Victoria development cycle. As a result, this deprecation is "
"being noted in the Wallaby cycle with an anticipated future removal of "
"support by ``oslo.policy``. As such, operators will need to convert to YAML "
"policy files. Please see the upgrade notes for details on migration of any "
"custom policy files."
msgstr ""

#: ../../:187
msgid ""
"Use of ``$(tenant_id)s`` in the catalog endpoints is deprecated in favor of "
"``$(project_id)s``."
msgstr ""

#: ../../:135
msgid ""
"Using LDAP as the resource backend, i.e. for projects and domains, is now "
"deprecated and will be removed in the Mitaka release."
msgstr ""

#: ../../:139
msgid ""
"Using the full path to the driver class is deprecated in favor of using the "
"entrypoint. In the Mitaka release, the entrypoint must be used."
msgstr ""

#: ../../:122
msgid ""
"We have added the ``password_expires_at`` attribute to the user response "
"object."
msgstr ""

#: ../../:101
msgid ""
"We now expose entrypoints for the ``keystone-manage`` command instead of a "
"file."
msgstr ""

#: ../../:427
msgid ""
"When keeping two Keystone servers in sync, but avoiding Database "
"replication, it was often necessary to hack the database to update the "
"Domain ID so that entries match. Domain ID is then used for LDAP mapped IDs, "
"and if they don't match, the user IDs are different. It should be possible "
"to add a domain with an explicit ID, so that the two servers can match User "
"IDs. The reason that the variable name is not simply `domain_id` is twofold: "
"First, to keep people from thinking that this is a required, or at least "
"suggested, field. Second, to prevent copy errors when creating a new domain, "
"where the domain_id would be copied in from the old one, causing spurious "
"failures or undesired domain_id matching."
msgstr ""

#: ../../:105
msgid ""
"When the ``keystone-manage db_sync`` command is run without options or with "
"the ``--expand`` or ``--contract`` options, all remaining sqlalchemy-migrate-"
"based migrations will be automatically applied."
msgstr ""

#: ../../:409
msgid ""
"With the change to not load via ``paste.deploy`` it is no longer possible to "
"inject custom middleware into the pipeline directly; it is recommended to "
"wrap the entire stack if custom middleware is needed outside of what "
"Keystone relies on. It is also possible to change/modify requests and "
"responses via a smart proxy layer (e.g. ``HAProxy``)."
msgstr ""

#: ../../:405
msgid ""
"With the change to not load via ``paste.deploy`` it is no longer possible to "
"remove any elements from the pipeline that keystone relies on. This includes "
"former extensions (``S3``, ``EC2``) or middleware. If these APIs must be "
"disabled, it is recommended to utilize policy to deny access."
msgstr ""

#: ../../:585
msgid ""
"Write support for LDAP has been removed in favor of read-only support. "
"The following operations are no longer supported for LDAP:"
msgstr ""

#: ../../:24 current
msgid "You can now use:"
msgstr ""

#: ../../:117
msgid ""
"[ `Bug 1897230 `_] Allows s3 tokens with "
"service types sts and iam to authenticate. This is necessary when using "
"assumed role features of Ceph object storage and keystone is providing the "
"authentication service for Rados Gateway."
msgstr ""

#: ../../:154 stable/queens>:225 stable/rocky>:315
#: stable/stein>:1227
msgid ""
"['bug 1753585 '_] LDAP "
"attribute names are now matched case insensitively to comply with LDAP "
"implementations."
msgstr ""

#: ../../:1183
msgid ""
"[0] https://opendev.org/openstack/keystone/src/commit/"
"a0aa21c237f7b42077fc945f157844deb77be5ef/keystone/conf/memcache.py#L26-L32 "
"[1] https://opendev.org/openstack/oslo.cache/src/commit/"
"a5023ba2754dd537c802d4a59290ff6378bd6285/oslo_cache/_opts.py#L85-L89"
msgstr ""

#: ../../:283 stable/stein>:1479
msgid ""
"[1] More details about byte/str usage in python-ldap can be found at: http://"
"www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode"
msgstr ""

#: ../../:674
msgid ""
"[`#openstack-tc IRC log `_] With "
"Technical Committee consensus the Keystone team is not wiring up the "
"remnants of the V2.0 API that was maintained strictly due to a failure to "
"copy/paste a direct deprecation notice on the controllers even though the V2."
"0 API was deprecated in its entirety. This should have no meaningful impact "
"on any user as the APIs (``ec2token``) have a v3 equivalent."
msgstr ""

#: ../../:275
msgid ""
"[`Bug 1645487 `_] Added a "
"new PCI-DSS feature that will require users to immediately change their "
"password upon first use for new users and after an administrative password "
"reset. The new feature can be enabled by setting [security_compliance] "
"``change_password_upon_first_use`` to ``True``."
msgstr ""

#: ../../:461
msgid ""
"[`Bug 1649446 `_] The "
"default policy for listing revocation events has changed. Previously, any "
"authenticated user could list revocation events; it is now, by default, an "
"admin or service user only function. This can be changed by modifying the "
"policy file being used by keystone."
msgstr ""

#: ../../:231 stable/stein>:221 stable/train>:261
#: stable/ussuri>:381
msgid ""
"[`Bug 1856904 `_] The "
"initiator object for CADF notifications now will always contain the username "
"for the user who initiated the action. Previously, the initiator object only "
"contained the user_id, which led to issues mapping to users when using LDAP-"
"backed identity providers. This also helps the initiator object better "
"conform to the OpenStack standard for CADF."
msgstr ""

#: ../../:327
msgid ""
"[`Community Goal `_] Support has been added for developers to write pre-upgrade "
"checks. Operators can run these checks using ``keystone-status upgrade "
"check``. This allows operators to be more confident when upgrading their "
"deployments by having a tool that automates programmable checks against the "
"deployment configuration or dataset."
msgstr ""

#: ../../:335
msgid ""
"[`Related to Bug 1649446 `_] The ``identity:list_revoke_events`` rule has been changed in "
"both sample policy files, ``policy.json`` and ``policy.v3cloudsample.json``. "
"From::"
msgstr ""

#: ../../:135
msgid ""
"[`blueprint allow-expired `_] An `allow_expired` flag is added to the token validation "
"call (``GET/HEAD /v3/auth/tokens``) that allows fetching a token that has "
"expired. This allows for validating tokens in long running operations."
msgstr ""

#: ../../:285
msgid ""
"[`blueprint allow-expired `_] To allow long running operations to complete, services must "
"be able to fetch expired tokens via the ``allow_expired`` flag. The length "
"of time a token is retrievable for beyond its traditional expiry is managed "
"by the ``[token] allow_expired_window`` option and so the data must be "
"retrievable for this amount of time. When using fernet tokens this means "
"that the key rotation period must exceed this time so that older tokens are "
"still decryptable. Ensure that you do not rotate fernet keys faster than "
"``[token] expiration`` + ``[token] allow_expired_window`` seconds."
msgstr ""

#: ../../:273
msgid ""
"[`blueprint application-credentials `_] Users can now create Application "
"Credentials, a new keystone resource that can provide an application with "
"the means to get a token from keystone with a preset scope and role "
"assignments. To authenticate with an application credential, an application "
"can use the normal token API with the 'application_credential' auth method."
msgstr ""

#: ../../:358
msgid ""
"[`blueprint basic-default-roles `_] Support has been added for deploying two new "
"roles during the bootstrap process, `reader` and `member`, in addition to "
"the `admin` role."
msgstr ""

#: ../../:33
msgid ""
"[`blueprint bootstrap `_] keystone-manage now supports the bootstrap command on the CLI "
"so that a keystone install can be initialized without the need for the "
"admin_token filter in the paste-ini."
msgstr ""

#: ../../:203
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] As of the Mitaka release, the PKI "
"and PKIz token formats have been deprecated. They will be removed in the 'O' "
"release. Due to this change, the `hash_algorithm` option in the `[token]` "
"section of the configuration file has also been deprecated. Also due to this "
"change, the ``keystone-manage pki_setup`` command has been deprecated as "
"well."
msgstr ""

#: ../../:211
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] As of the Mitaka release, the "
"auth plugin `keystone.auth.plugins.saml2.Saml2` has been deprecated. It is "
"recommended to use `keystone.auth.plugins.mapped.Mapped` instead. The "
"``saml2`` plugin will be removed in the 'O' release."
msgstr ""

#: ../../:215
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] As of the Mitaka release, the "
"simple_cert_extension is deprecated since it is only used in support of the "
"PKI and PKIz token formats. It will be removed in the 'O' release."
msgstr ""

#: ../../:207
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] As of the Mitaka release, write "
"support for the LDAP driver of the Identity backend has been deprecated. "
"This includes the following operations: create user, create group, delete "
"user, delete group, update user, update group, add user to group, and remove "
"user from group. These operations will be removed in the 'O' release."
msgstr ""

#: ../../:191
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] Deprecated the ``enabled`` option "
"from ``[endpoint_policy]``; it will be removed in the 'O' release, and the "
"extension will always be enabled."
msgstr ""

#: ../../:199
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] Deprecated all v2.0 APIs. The "
"keystone team recommends using v3 APIs instead. Most v2.0 APIs will be "
"removed in the 'Q' release. However, the authentication APIs and EC2 APIs "
"are indefinitely deprecated and will not be removed in the 'Q' release."
msgstr ""

#: ../../:171
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] The V8 Assignment driver "
"interface is deprecated. Support for the V8 Assignment driver interface is "
"planned to be removed in the 'O' release of OpenStack."
msgstr ""

#: ../../:175
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] The V8 Role driver interface is "
"deprecated. Support for the V8 Role driver interface is planned to be "
"removed in the 'O' release of OpenStack."
msgstr ""

#: ../../:183
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] The ``admin_token_auth`` filter "
"must now be placed before the ``build_auth_context`` filter in `keystone-"
"paste.ini`."
msgstr ""

#: ../../:223
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] The file ``httpd/keystone.py`` "
"has been deprecated in favor of ``keystone-wsgi-admin`` and ``keystone-wsgi-"
"public`` and may be removed in the 'O' release."
msgstr ""

#: ../../:195
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] The token memcache and "
"memcache_pool persistence backends have been deprecated in favor of using "
"Fernet tokens (which require no persistence)."
msgstr ""

#: ../../:227
msgid ""
"[`blueprint deprecated-as-of-mitaka `_] ``keystone.common.cache.backends."
"memcache_pool``, ``keystone.common.cache.backends.mongo``, and ``keystone."
"common.cache.backends.noop`` are deprecated in favor of oslo.cache backends. "
"The keystone backends will be removed in the 'O' release."
msgstr ""

#: ../../:160
msgid ""
"[`blueprint deprecated-as-of-newton `_] As of the Newton release, the "
"class plugin `keystone.common.kvs.core.KeyValueStore` has been deprecated. "
"It is recommended to use alternative backends instead. The ``KeyValueStore`` "
"class will be removed in the 'P' release."
msgstr ""

#: ../../:360
msgid ""
"[`blueprint deprecated-as-of-ocata `_] The catalog backend "
"``endpoint_filter.sql`` has been deprecated in the `Ocata` release; it has "
"been consolidated with the ``sql`` backend. It is recommended to replace the "
"``endpoint_filter.sql`` catalog backend with the ``sql`` backend. The "
"``endpoint_filter.sql`` backend will be removed in the `Pike` release."
msgstr ""

#: ../../:364
msgid ""
"[`blueprint deprecated-as-of-ocata `_] Various KVS backends and config "
"options have been deprecated and will be removed in the `Pike` release. This "
"includes:"
msgstr ""

#: ../../:328
msgid ""
"[`blueprint deprecated-as-of-pike `_] The v2.0 ``auth`` and ``ec2`` APIs were "
"already marked as deprecated in the Mitaka release, although no removal "
"release had yet been identified. These APIs will now be removed in the 'T' "
"release. The v3 APIs should be used instead."
msgstr ""

#: ../../:156
msgid ""
"[`blueprint domain-config-as-stable `_] Deprecated ``keystone-manage "
"domain_config_upload``. The keystone team recommends setting domain config "
"options via the API instead. The ``domain_config_upload`` command line "
"option may be removed in the 'P' release."
msgstr ""

#: ../../:92
msgid ""
"[`blueprint domain-config-as-stable `_] The domain config via API is now "
"marked as stable."
msgstr ""

#: ../../:37
msgid ""
"[`blueprint domain-config-default `_] The Identity API now supports retrieving the "
"default values for the configuration options that can be overridden via the "
"domain specific configuration API."
msgstr ""

#: ../../:454
msgid ""
"[`blueprint domain-level-limit `_] Keystone now supports domain-level unified "
"limits. When creating a limit, users can specify a ``domain_id`` instead of "
"``project_id``. For the `flat` model, the domain limit is still non-hierarchical. "
"For the `strict-two-level` model, the domain limit is now considered the "
"first level, so that the project limit is the second level and the project "
"can't contain any child."
msgstr ""

#: ../../:29
msgid ""
"[`blueprint domain-specific-roles `_] Roles can now be optionally defined as "
"domain specific. Domain specific roles are not referenced in policy files; "
"rather, they can be used to allow a domain to build its own private "
"inference rules with implied roles. A domain specific role can be assigned "
"to a domain or project within its domain, and any subset of global roles it "
"implies will appear in a token scoped to the respective domain or project. "
"The domain specific role itself, however, will not appear in the token."
msgstr ""

#: ../../:77
msgid ""
"[`blueprint federation-group-ids-mapped-without-domain-reference `_] Enhanced the federation mapping engine to allow for "
"group IDs to be referenced without a domain ID."
msgstr ""

#: ../../:81
msgid ""
"[`blueprint implied-roles `_] Keystone now supports creating implied roles. Role "
"inference rules can now be added to indicate when the assignment of one role "
"implies the assignment of another. The rules are of the form `prior_role` "
"implies `implied_role`. At token generation time, user/group assignments of "
"roles that have implied roles will be expanded to also include such roles in "
"the token. The expansion of implied roles is controlled by the "
"`prohibited_implied_role` option in the `[assignment]` section of `keystone."
"conf`."
msgstr ""

#: ../../:310
msgid ""
"[`blueprint json-web-tokens `_] Keystone now supports a JSON Web Signature (JWS) token "
"provider in addition to fernet tokens. Fernet tokens remain the default token "
"provider. Full details can be found in the `specification `_."
msgstr ""

#: ../../:96
msgid ""
"[`blueprint manage-migration `_] Upgrading keystone to a new version can now be "
"undertaken as a rolling upgrade using the `--expand`, `--migrate` and `--"
"contract` options of the `keystone-manage db_sync` command."
msgstr ""

#: ../../:318
msgid ""
"[`blueprint mfa-auth-receipt `_] Added support for auth receipts. Allows multi-"
"step authentication for users with configured MFA Rules. Partial "
"authentication with successful auth methods will return an auth receipt that "
"can be consumed in subsequent auth attempts along with the missing auth "
"methods to complete auth and be provided with a valid token."
msgstr ""

#: ../../:469
msgid ""
"[`blueprint mfa-auth-receipt `_] Auth receipts share the same fernet mechanism as "
"tokens and by default will share keys with tokens and work out of the box. "
"If your fernet key directory is not the default, you will need to also "
"configure the receipt key directory, but they can both point to the same "
"location, allowing key rotations to affect both safely. It is possible to "
"split receipt and token keys and run rotations separately for both if "
"needed."
msgstr ""

#: ../../:289
msgid ""
"[`blueprint move-extensions `_] If any extension migrations are run, for example "
"``keystone-manage db_sync --extension endpoint_policy``, an error will be "
"returned. This is working as designed. To run these migrations simply run "
"``keystone-manage db_sync``. The complete list of affected extensions is: "
"``oauth1``, ``federation``, ``endpoint_filter``, ``endpoint_policy``, and "
"``revoke``."
msgstr ""

#: ../../:74
msgid ""
"[`blueprint oauth2-client-credentials-ext `_] Users can now use the "
"OAuth2.0 Access Token API to get an access token from the keystone identity "
"server with application credentials. Then the users can use the access token "
"to access the OpenStack APIs that use the keystone middleware to support "
"OAuth2.0 client credentials authentication through the keystone identity "
"server."
msgstr ""

#: ../../:139
msgid ""
"[`blueprint password-expires-validation `_] Token responses will now have "
"a ``password_expires_at`` field in the ``user`` object; this can be "
"expressed briefly as::"
msgstr ""

#: ../../:147
msgid ""
"[`blueprint pci-dss-notifications `_] CADF notifications now extend to PCI-DSS "
"events. A ``reason`` object is added to the notification. A ``reason`` "
"object has both a ``reasonType`` (a short description of the reason) and "
"``reasonCode`` (the HTTP return code). The following events will be impacted:"
msgstr ""

#: ../../:164
msgid ""
"[`blueprint pci-dss-password-requirements-api `_] Added a new API (``/"
"v3/domains/{domain_id}/config/security_compliance``) to retrieve regular "
"expression requirements for passwords. Specifically, ``[security_compliance] "
"password_regex`` and ``[security_compliance] password_regex_description`` "
"will be returned. Note that these options are only meaningful if PCI support "
"is enabled, via various ``[security_compliance]`` configuration options."
msgstr ""

#: ../../:174
msgid ""
"[`blueprint pci-dss-query-password-expired-users `_] Added "
"a ``password_expires_at`` query to ``/v3/users`` and ``/v3/groups/{group_id}/"
"users``. The ``password_expires_at`` query is comprised of two parts, an "
"``operator`` (valid choices listed below) and a ``timestamp`` (of form "
"``YYYY-MM-DDTHH:mm:ssZ``). The APIs will filter the list of users based on "
"the ``operator`` and ``timestamp`` given."
msgstr ""

#: ../../:178
msgid ""
"[`blueprint per-user-auth-plugin-reqs `_] Per-user Multi-Factor-Auth "
"rules (MFA Rules) have been implemented. These rules define which auth "
"methods can be used (e.g. Password, TOTP) and provide the ability to "
"require multiple auth forms to successfully get a token."
msgstr ""

#: ../../:291
msgid ""
"[`blueprint project-tags `_] Projects have a new property called tags. These tags are "
"simple strings that can be used to allow projects to be filtered/searched. "
"Project tags will have the following properties:"
msgstr ""

#: ../../:313
msgid ""
"[`blueprint removed-as-of-mitaka `_] Notifications with event_type ``identity."
"created.role_assignment`` and ``identity.deleted.role_assignment`` have been "
"removed. The keystone team suggests listening for ``identity.role_assignment."
"created`` and ``identity.role_assignment.deleted`` instead. This was "
"deprecated in the Kilo release."
msgstr ""

#: ../../:321
msgid ""
"[`blueprint removed-as-of-mitaka `_] Removed Catalog KVS backend (``keystone."
"catalog.backends.sql.Catalog``). This was deprecated in the Icehouse release."
msgstr ""

#: ../../:337
msgid ""
"[`blueprint removed-as-of-mitaka `_] Removed Revoke KVS backend (``keystone.revoke."
"backends.kvs.Revoke``). This was deprecated in the Juno release."
msgstr ""

#: ../../:309
msgid ""
"[`blueprint removed-as-of-mitaka `_] Removed ``RequestBodySizeLimiter`` from "
"keystone middleware. The keystone team suggests using ``oslo_middleware."
"sizelimit.RequestBodySizeLimiter`` instead. This was deprecated in the Kilo "
"release."
msgstr ""

#: ../../:317
msgid ""
"[`blueprint removed-as-of-mitaka `_] Removed ``check_role_for_trust`` from the "
"trust controller; ensure policy files do not refer to this target. This was "
"deprecated in the Kilo release."
msgstr ""

#: ../../:305
msgid ""
"[`blueprint removed-as-of-mitaka `_] Removed ``extras`` from token responses. "
"These fields should not be necessary and a well-defined API makes this field "
"redundant. This was deprecated in the Kilo release."
msgstr ""

#: ../../:325
msgid ""
"[`blueprint removed-as-of-mitaka `_] The LDAP backend for Assignment has been "
"removed. This was deprecated in the Kilo release."
msgstr ""

#: ../../:329
msgid ""
"[`blueprint removed-as-of-mitaka `_] The LDAP backend for Resource has been "
"removed. This was deprecated in the Kilo release."
msgstr ""

#: ../../:333
msgid ""
"[`blueprint removed-as-of-mitaka `_] The LDAP backend for Role has been removed. "
"This was deprecated in the Kilo release."
msgstr ""

#: ../../:200
msgid ""
"[`blueprint removed-as-of-newton `_] Removed ``[eventlet_server]`` and "
"``[eventlet_server_ssl]`` sections from the `keystone.conf`."
msgstr ""

#: ../../:208
msgid ""
"[`blueprint removed-as-of-newton `_] Removed support for generating SSL "
"certificates."
msgstr ""

#: ../../:204
msgid ""
"[`blueprint removed-as-of-newton `_] Removed support for running keystone under "
"eventlet. It is recommended to run keystone in an HTTP server."
msgstr ""

#: ../../:196
msgid ""
"[`blueprint removed-as-of-newton `_] Removed the backend and route from ``keystone."
"contrib.endpoint_policy``. The package has been moved to ``keystone."
"endpoint_policy``. This was deprecated in the Liberty release."
msgstr ""

#: ../../:212
msgid ""
"[`blueprint removed-as-of-newton `_] The ``revoke_by_expiration`` method in "
"``keystone.revoke.core`` has been removed. This was deprecated in the Juno "
"release."
msgstr ""

#: ../../:478
msgid ""
"[`blueprint removed-as-of-pike `_] All key-value-store code, options, and "
"documentation have been removed as of the Pike release. The removed code "
"included ``keystone.common.kvs``, configuration options for the KVS code, "
"unit tests, and the KVS token persistence driver ``keystone.token."
"persistence.backends.kvs``. All associated documentation has been removed."
msgstr ""

#: ../../:507
msgid ""
"[`blueprint removed-as-of-pike `_] Direct import of drivers outside of their "
"`keystone` namespace has been removed. For example, identity drivers are loaded from "
"the `keystone.identity` namespace and assignment drivers from the `keystone."
"assignment` namespace. Loading drivers outside of their keystone namespaces "
"was deprecated in the Liberty release."
msgstr ""

#: ../../:482
msgid ""
"[`blueprint removed-as-of-pike `_] The ``admin_token_auth`` filter has been "
"removed from all sample pipelines; specifically, the following section has "
"been removed from ``keystone-paste.ini``::"
msgstr ""

#: ../../:503
msgid ""
"[`blueprint removed-as-of-pike `_] The ``keystone-manage pki_setup`` command was added to "
"aid developer setup by hiding the sometimes cryptic openssl commands. This "
"is no longer needed since keystone no longer supports PKI tokens and can no "
"longer serve SSL. This was deprecated in the Mitaka release."
msgstr ""

#: ../../:499
msgid ""
"[`blueprint removed-as-of-pike `_] The ``keystone.common.ldap`` module was removed "
"from the code tree. It was deprecated in the Newton release in favor of "
"using ``keystone.identity.backends.ldap.common``, which has the same "
"functionality."
msgstr ""

#: ../../:541
msgid ""
"[`blueprint removed-as-of-queens `_] Support for all Identity V2 APIs, with the "
"exception of the EC2 v2 API, has been removed from keystone."
msgstr ""

#: ../../:537
msgid ""
"[`blueprint removed-as-of-queens `_] The ``admin_token_auth`` middleware is "
"removed now. The related doc is removed as well."
msgstr ""

#: ../../:696
msgid ""
"[`blueprint removed-as-of-rocky `_] Removed support for direct import of "
"authentication drivers. If you're using full path names for authentication "
"methods in configuration, please update your configuration to use the "
"corresponding namespaces."
msgstr ""

#: ../../:700
msgid ""
"[`blueprint removed-as-of-rocky `_] Removed support for token bind operations, "
"which were supported by the ``uuid``, ``pki``, and ``pkiz`` token providers. "
"Support for this feature was deprecated in Pike."
msgstr ""

#: ../../:690
msgid ""
"[`blueprint removed-as-of-rocky `_] The ``sql`` token driver and ``uuid`` token "
"providers have been removed in favor of the ``fernet`` token provider."
msgstr ""

#: ../../:704
msgid ""
"[`blueprint removed-as-of-rocky `_] The deprecated `enable` config option of the "
"trust feature is removed. Trusts are now always enabled."
msgstr ""

#: ../../:1555
msgid ""
"[`blueprint removed-as-of-stein `_] The ``keystone.conf [DEFAULT] "
"secure_proxy_ssl_header`` configuration option was slated for removal in "
"Pike and has now officially been removed. Please use ``oslo.middleware."
"http_proxy_to_wsgi`` instead."
msgstr ""

#: ../../:1547
msgid ""
"[`blueprint removed-as-of-stein `_] The deprecated config option `bind` is removed "
"now."
msgstr ""

#: ../../:1551
msgid ""
"[`blueprint removed-as-of-stein `_] The deprecated option `crypt_strength` is "
"removed now. It was only useful for `sha512_crypt` password hashes, which have "
"been superseded by more secure hashing implementations."
msgstr ""

#: ../../:1543
msgid ""
"[`blueprint removed-as-of-stein `_] The deprecated token_flush is removed now."
msgstr ""

#: ../../:1559
msgid ""
"[`blueprint removed-as-of-stein `_] The interface ``create_arguments_apply`` in "
"the token formatter payload has been removed. The token payload now doesn't need "
"to be force ordered any more."
msgstr ""

#: ../../:1537
msgid ""
"[`blueprint removed-as-of-stein `_] The options ``member_role_id`` and "
"``member_role_name``, which were deprecated in Queens and only used for V2, "
"are removed now."
msgstr ""

#: ../../:242
msgid ""
"[`blueprint shadow-mapping `_] The federated identity mapping engine now supports the "
"ability to automatically provision ``projects`` for ``federated users``. A "
"role assignment will automatically be created for the user on the specified "
"project. If the project specified within the mapping does not exist, it will "
"be automatically created in the ``domain`` associated with the ``identity "
"provider``. This behavior can be triggered using a specific syntax within "
"the ``local`` rules section of a mapping. For more information see: `mapping "
"combinations `_"
msgstr ""

#: ../../:364
msgid ""
"[`blueprint strict-two-level-model `_] A new limit enforcement model "
"called `strict_two_level` is added. Change the value of the option "
"`[unified_limit]/enforcement_model` to `strict_two_level` to enable it. In "
"this [`model `_]: 1. The project "
"depth is forcibly limited to 2 levels. 2. Any child project's limit cannot "
"exceed the parent's. Please ensure that the existing project and limit "
"structure in your Keystone deployment won't break this model before starting "
"to use it. If a newly created project results in a project tree depth "
"greater than 2, a `403 Forbidden` error will be raised. When trying to use this "
"model while the project depth already exceeds 2, the Keystone process will fail to "
"start. Operators should choose another available model to fix the issue "
"first."
msgstr ""

#: ../../:377
msgid ""
"[`blueprint strict-two-level-model `_] The `include_limits` filter is "
"added to the `GET /v3/projects/{project_id}` API. This filter should be used "
"together with the `parents_as_list` or `subtree_as_list` filter to add the parent/"
"sub-project's limit information to the response body."
msgstr ""

#: ../../:373
msgid ""
"[`blueprint strict-two-level-model `_] The `project_id` filter is added "
"for listing limits. This filter is used for system-scoped requests only, to "
"fetch the specified project's limits. Non-system-scoped requests will get an empty "
"response body instead."
msgstr ""

#: ../../:246
msgid ""
"[`blueprint support-federated-attr `_] Added new filters to the `list "
"user` API (``GET /v3/users``) to support querying federated identity "
"attributes: ``idp_id``, ``protocol_id``, and ``unique_id``."
msgstr ""

#: ../../:103
msgid ""
"[`blueprint support-oauth2-mtls `_] Provide the option for users to prove "
"possession of an OAuth 2.0 access token based on `RFC8705 OAuth 2.0 Mutual-TLS "
"Client Authentication and Certificate-Bound Access Tokens`. Users can now "
"use the OAuth 2.0 Access Token API to get an OAuth 2.0 certificate-bound "
"access token from the keystone identity server with OAuth 2.0 credentials "
"and Mutual-TLS certificates. Then users can use the OAuth 2.0 certificate-"
"bound access token and the Mutual-TLS certificates to access the OpenStack "
"APIs that use the keystone middleware to support OAuth 2.0 Mutual-TLS client "
"authentication."
msgstr ""

#: ../../:282
msgid ""
"[`blueprint system-scope `_] Keystone now supports the ability to assign roles to users "
"and groups on the system. As a result, users and groups with a system role "
"assignment will be able to request system-scoped tokens. Additional logic "
"has been added to ``keystone-manage bootstrap`` to ensure the administrator "
"has a role on the project and system."
msgstr ""

#: ../../:113
msgid ""
"[`blueprint totp-auth `_] Keystone now supports authenticating via Time-based One-time "
"Password (TOTP). To enable this feature, add the ``totp`` auth plugin to the "
"`methods` option in the `[auth]` section of `keystone.conf`. More "
"information about using TOTP can be found in `keystone's developer "
"documentation `_."
msgstr ""

#: ../../:269
msgid ""
"[`blueprint unified-limit `_] Keystone now supports unified limits. Two resources called "
"``registered limit`` and ``limit`` are added and a batch of related APIs are "
"supported as well. These APIs are experimental now. This means that they are "
"not stable enough and may be changed without backward compatibility. Once "
"the unified limit feature is ready for consumption, the APIs will be marked as "
"stable."
msgstr ""

#: ../../:41
msgid ""
"[`blueprint url-safe-naming `_] The names of projects and domains can optionally be "
"ensured to be url safe, to support the future ability to specify projects "
"using hierarchical naming."
msgstr ""

#: ../../:339 stable/train>:362
msgid ""
"[`blueprint whitelist-extension-for-app-creds `_] This release adds "
"support for delegating fine-grained privileges to application credentials "
"via access rules. Access rules act as a whitelist of APIs that an "
"application credential is allowed to use. Regular RBAC is still enforced by "
"oslo.policy. See the `API reference `_ for details."
msgstr ""

#: ../../:117
msgid ""
"[`blueprint x509-ssl-client-cert-authn `_] Keystone now supports "
"tokenless client SSL x.509 certificate authentication and authorization."
msgstr ""

#: ../../:499
msgid ""
"[`bug 1017606 `_] The "
"signatures of the ``get_catalog`` and ``get_v3_catalog`` methods of "
"``keystone.catalog.backends.base.CatalogDriverBase`` have been updated. "
"Third-party extensions that extend the abstract class "
"(``CatalogDriverBase``) should be updated according to the new parameter "
"names. The method signatures have changed from::"
msgstr ""

#: ../../:396
msgid ""
"[`bug 1291157 `_] Identity "
"provider information is now validated during token validation. If an "
"identity provider is removed from a keystone service provider, tokens "
"associated with that identity provider will be considered invalid."
msgstr ""

#: ../../:153
msgid ""
"[`bug 1332058 `_] "
"``keystone-manage doctor`` now checks that keystone can establish "
"connections to Memcached, if configured."
msgstr ""

#: ../../:293
msgid ""
"[`bug 1367113 `_] The "
"\"get entity\" and \"list entities\" functionality for the KVS catalog "
"backend has been reimplemented to use the data from the catalog template. "
"Previously this would only act on temporary data that was created at runtime. "
"The create, update and delete entity functionality now raises an exception."
msgstr ""

#: ../../:109
msgid ""
"[`bug 1473042 `_] "
"Keystone's S3 compatibility support can now authenticate using AWS Signature "
"Version 4."
msgstr ""

#: ../../:1507
msgid ""
"[`bug 1473292 `_] If "
"you're relying on a custom implementation of the trust backend, please be "
"sure to implement the new method prior to upgrading."
msgstr ""

#: ../../:127
msgid ""
"[`bug 1473553 `_] The "
"`keystone-paste.ini` must be updated to put the ``admin_token_auth`` "
"middleware before ``build_auth_context``. See the sample `keystone-paste."
"ini` for the correct `pipeline` value. Having ``admin_token_auth`` after "
"``build_auth_context`` is deprecated and will not be supported in a future "
"release."
msgstr ""

#: ../../:97
msgid ""
"[`bug 1479569 `_] Names "
"have been added to list role assignments (GET /"
"role_assignments?include_names=True): rather than returning just the "
"internal IDs of the objects, the names are also returned."
msgstr ""

#: ../../:275
msgid ""
"[`bug 1480270 `_] "
"Endpoints created when using v3 of the keystone REST API will now be "
"included when listing endpoints via the v2.0 API."
msgstr ""

#: ../../:61
msgid ""
"[`bug 1489061 `_] Caching "
"has been added to catalog retrieval on a per user ID and project ID basis. "
"This affects both the v2 and v3 APIs. As a result this should provide a "
"performance benefit to fernet-based deployments."
msgstr ""

#: ../../:14 origin/stable/mitaka>:45
msgid ""
"[`bug 1490804 `_] Audit "
"IDs are included in the token revocation list."
msgstr ""

#: ../../:24 origin/stable/mitaka>:249
msgid ""
"[`bug 1490804 `_] [`CVE-"
"2015-7546 `_] A "
"bug is fixed where an attacker could avoid token revocation when the PKI or "
"PKIZ token provider is used. The complete remediation for this vulnerability "
"requires the corresponding fix in the keystonemiddleware project."
msgstr ""

#: ../../:105
msgid ""
"[`bug 1500222 `_] Added "
"information such as user ID, project ID, and domain ID to log entries. As a "
"side effect of this change, both the user's domain ID and project's domain "
"ID are now included in the auth context."
msgstr ""

#: ../../:93 origin/stable/newton>:104
msgid ""
"[`bug 1501698 `_] Support "
"parameter `list_limit` when LDAP is used as the identity backend."
msgstr ""

#: ../../:89
msgid ""
"[`bug 1515302 `_] Two new "
"configuration options have been added to the `[ldap]` section: "
"`user_enabled_emulation_use_group_config` and "
"`project_enabled_emulation_use_group_config`, which allow deployers to "
"choose if they want to override the default group LDAP schema option."
msgstr ""

#: ../../:263
msgid ""
"[`bug 1516469 `_] "
"Endpoints filtered by endpoint_group project association will be included in "
"the service catalog when a project scoped token is issued and "
"``endpoint_filter.sql`` is used for the catalog driver."
msgstr ""

#: ../../:49
msgid ""
"[`bug 1519210 `_] A user "
"may now opt out of notifications by specifying a list of event types using "
"the `notification_opt_out` option in `keystone.conf`. These events are never "
"sent to a messaging service."
msgstr ""

#: ../../:371
msgid ""
"[`bug 1523369 `_] Deleting "
"a project will now cause it to be removed as a default project for users. If "
"caching is enabled the changes may not be visible until the user's cache "
"entry expires."
msgstr ""

#: ../../:400
msgid ""
"[`bug 1524030 `_] During "
"token validation we have reduced the number of revocation events returned, "
"only returning a subset of events relevant to the token, thus improving "
"overall token validation performance."
msgstr ""

#: ../../:403
msgid ""
"[`bug 1524030 `_] "
"Revocation records are no longer written to the ``revocation_event`` table "
"when a domain or project is disabled. These records were only ever used "
"during the token validation process. Instead of relying on revocation events, the "
"project or domain will be validated online when the token is validated. This "
"results in less database bloat while maintaining security during token "
"validation."
msgstr ""

#: ../../:513
msgid ""
"[`bug 1524030 `_] The "
"signature of the ``list_events`` method of ``keystone.revoke.backends.base."
"RevokeDriverBase`` has been updated. Third-party extensions that extend the "
"abstract class (``RevokeDriverBase``) should update their code according to "
"the new parameter names. The method signature has changed from::"
msgstr ""

#: ../../:69
msgid ""
"[`bug 1525317 `_] Enable "
"filtering of identity providers based on the `id` and `enabled` attributes."
msgstr ""

#: ../../:57
msgid ""
"[`bug 1526462 `_] Support "
"for posixGroups with OpenDirectory and UNIX when using the LDAP identity "
"driver."
msgstr ""

#: ../../:271
msgid ""
"[`bug 1527759 `_] Reverted "
"the change that eliminates the ability to get a V2 token with a user or "
"project that is not in the default domain. This change broke real-world "
"deployments that utilized the ability to authenticate via the V2 API with a user "
"not in the default domain or with a project not in the default domain. The "
"deployer is being convinced to update code to properly handle V3 auth, but "
"the fix broke expected and tested behavior."
msgstr ""

#: ../../:259
msgid ""
"[`bug 1535878 `_] "
"Originally, to perform GET /projects/{project_id}, the provided policy files "
"required a user to have at least project admin level of permission. They "
"have been updated to allow it to be performed by any user who has a role on "
"the project."
msgstr ""

#: ../../:157
msgid ""
"[`bug 1541092 `_] Only "
"database upgrades from Kilo and newer are supported."
msgstr ""

#: ../../:53
msgid ""
"[`bug 1542417 `_] Added "
"support for a `user_description_attribute` mapping to the LDAP driver "
"configuration."
msgstr ""

#: ../../:237
msgid ""
"[`bug 1543048 `_] [`bug "
"1668503 `_] Keystone now "
"supports multiple forms of password hashing, notably bcrypt, scrypt, and "
"pbkdf2_sha512. The options are now located in the `[identity]` section of "
"the configuration file. To set the algorithm use `[identity] "
"password_hash_algorithm`. To set the number of rounds (time-complexity, and "
"memory-use in the case of scrypt) use `[identity] password_hash_rounds`. "
"`scrypt` and `pbkdf2_sha512` have further tuning options available. Keystone "
"now defaults to using `bcrypt` as the hashing algorithm. All passwords will "
"continue to function with the old sha512_crypt hash, but new password hashes "
"will be bcrypt."
msgstr ""

#: ../../:289
msgid ""
"[`bug 1547684 `_] A minor "
"change to the ``policy.v3cloudsample.json`` sample file was performed so the "
"sample file loads correctly. The ``cloud_admin`` rule has changed from::"
msgstr ""

#: ../../:411
msgid ""
"[`bug 1547684 `_] A typo "
"in the ``policy.v3cloudsample.json`` sample file was causing `oslo.policy` "
"to not load the file. See the ``upgrades`` section for more details."
msgstr ""

#: ../../:73
msgid ""
"[`bug 1555830 `_] Enable "
"filtering of service providers based on the `id` and `enabled` attributes."
msgstr "" #: ../../:380 msgid "" "[`bug 1561054 `_] If " "upgrading to Fernet tokens, you must have a key repository and key " "distribution mechanism in place; otherwise token validation may not work. " "Please see the upgrade section for more details." msgstr "" #: ../../:305 msgid "" "[`bug 1561054 `_] The " "default token provider has switched from UUID to Fernet. Please note that " "Fernet requires a key repository to be in place prior to running Ocata; this " "can be done by running ``keystone-manage fernet_setup``. Additionally, for " "multi-node deployments, it is imperative that a key distribution process be " "in use before upgrading. Once a key repository has been created it should be " "distributed to all keystone nodes in the deployment. This ensures that each " "keystone node will be able to validate tokens issued across the deployment. " "If you do not wish to switch token formats, you will need to explicitly set " "the token provider for each node in the deployment by setting ``[token] " "provider`` to ``uuid`` in ``keystone.conf``. Documentation can be found at " "`fernet-tokens `_." msgstr "" #: ../../:525 msgid "" "[`bug 1563101 `_] The " "token provider driver interface has moved from ``keystone.token.provider." "Provider`` to ``keystone.token.providers.base.Provider``. If implementing a " "custom token provider, subclass from the new location." msgstr "" #: ../../:47 origin/stable/ocata>:418 msgid "" "[`bug 1571878 `_] A valid " "``mapping_id`` is now required when creating or updating a federation " "protocol. If the ``mapping_id`` does not exist, a ``400 - Bad Request`` will " "be returned." msgstr "" #: ../../:529 msgid "" "[`bug 1582585 `_] A new " "method ``get_domain_mapping_list`` was added to ``keystone.identity." "mapping_backends.base.MappingDriverBase``. Third-party extensions that " "extend the abstract class (``MappingDriverBase``) should implement this new " "method. 
The method has the following signature::" msgstr "" #: ../../:170 msgid "" "[`bug 1590587 `_] When " "assigning Domain Specific Roles, the domain of the role and the domain of " "the project must match. This is now validated and the REST call will return " "a 403 Forbidden." msgstr "" #: ../../:14 origin/stable/newton>:174 msgid "" "[`bug 1594482 `_] When " "using the list_limit config option, the GET /services?name={service_name} API " "was first truncating the list and afterwards filtering by name. The API was " "fixed to first filter by name and only afterwards truncate the result list " "to the desired limit." msgstr "" #: ../../:539 msgid "" "[`bug 1611102 `_] The " "methods ``list_endpoints_for_policy()`` and ``get_policy_for_endpoint()`` " "have been removed from the ``keystone.endpoint_policy.backends.base." "EndpointPolicyDriverBase`` abstract class, as they were unused." msgstr "" #: ../../:178 msgid "" "[`bug 1613466 `_] " "Updating a credential to the ec2 type originally accepted credentials with no " "project ID set, which would lead to an error when trying to use such a " "credential. This behavior has been blocked, so creating a non-ec2 credential " "with no project ID and updating it to ec2 without providing a project ID " "will fail with a `400 Bad Request` error." msgstr "" #: ../../:375 msgid "" "[`bug 1615014 `_] " "Migration order is now strictly enforced. This ensures the upgrade process is " "done in the order in which it is officially documented and supported, starting " "with `expand`, then `migrate`, and finishing with `contract`." msgstr "" #: ../../:422 msgid "" "[`bug 1616424 `_] Provide " "better exception messages when creating OAuth request tokens and OAuth " "access tokens via the ``/v3/OS-OAUTH1/request_token`` and ``/v3/OS-OAUTH1/" "access_token`` APIs, respectively." 
msgstr "" #: ../../:31 msgid "" "[`bug 1616424 `_] A Python " "built-in exception was raised if a create request token or access token " "request came from a client with invalid request parameters, an invalid " "signature for example. The implementation is hardened by raising a proper " "exception and displaying the failure reasons where they exist." msgstr "" #: ../../:543 msgid "" "[`bug 1622310 `_] A new " "method ``delete_trusts_for_project`` has been added to ``keystone.trust." "backends.base.TrustDriverBase``. Third-party extensions that extend the " "abstract class (``TrustDriverBase``) should be updated according to the new " "parameter names. The signature for the new method is::" msgstr "" #: ../../:426 msgid "" "[`bug 1622310 `_] Trusts " "will now be invalidated if the project to which the trust is scoped, or the " "user (trustor or trustee) for which the delegation is assigned, has been " "deleted." msgstr "" #: ../../:430 msgid "" "[`bug 1636950 `_] New " "option ``[ldap] connection_timeout`` allows a deployer to set an " "``OPT_NETWORK_TIMEOUT`` value to use with the LDAP server. This allows the " "LDAP server to return a ``SERVER_DOWN`` exception if the LDAP URL is " "incorrect or if there is a connection failure. By default, the value for " "``[ldap] connection_timeout`` is -1, meaning it is disabled. Set a positive " "value (in seconds) to enable the option." msgstr "" #: ../../:250 msgid "" "[`bug 1638603 `_] Add " "support for nested groups in Active Directory. A new boolean option ``[ldap] " "group_ad_nesting`` has been added; it defaults to ``False``. Enable the " "option if using Active Directory with nested groups. This option will impact " "the ``list_users_in_group``, ``list_groups_for_user``, and " "``check_user_in_group`` operations." msgstr "" #: ../../:62 msgid "" "[`bug 1638603 `_] Support " "nested groups in Active Directory. A new boolean option ``[ldap] " "group_ad_nesting`` has been added; it defaults to ``False``. 
Enable the " "option if using Active Directory with nested groups. This option will impact " "the ``list_users_in_group``, ``list_groups_for_user``, and " "``check_user_in_group`` operations." msgstr "" #: ../../:136 msgid "" "[`bug 1641625 `_] A " "keystone configured as an identity provider now includes an additional " "attribute called `openstack_groups` in the assertion when generating SAML " "assertions." msgstr "" #: ../../:254 msgid "" "[`bug 1641645 `_] RBAC " "protection was removed from the `Self-service change user password` API (``/" "v3/user/$user_id/password``), meaning a user can now change their password " "without a token specified in the ``X-Auth-Token`` header. This change will " "allow a user with an expired password to update their password without the " "need of an administrator." msgstr "" #: ../../:309 msgid "" "[`bug 1641654 `_] The " "``healthcheck`` middleware from `oslo.middleware` has been added to the " "keystone application pipelines by default. The following section has been " "added to ``keystone-paste.ini``::" msgstr "" #: ../../:263 msgid "" "[`bug 1641654 `_] The " "``healthcheck`` middleware from `oslo.middleware` has been added to the " "keystone application pipelines by default. This middleware provides a common " "method to check the health of keystone. Refer to the example paste provided " "in ``keystone-paste.ini`` to see how to include the ``healthcheck`` " "middleware." msgstr "" #: ../../:323 msgid "" "[`bug 1641660 `_] The " "default value for ``[DEFAULT] notification_format`` has been changed from " "``basic`` to ``cadf``. The CADF notifications have more information about " "the user that initiated the request." msgstr "" #: ../../:327 msgid "" "[`bug 1641660 `_] The " "default value for ``[DEFAULT] notification_opt_out`` has been changed to " "include: ``identity.authenticate.success``, ``identity.authenticate." "pending`` and ``identity.authenticate.failed``. 
If a deployment relies on " "these notifications, then override the default setting." msgstr "" #: ../../:267 msgid "" "[`bug 1641816 `_] The " "``[token] cache_on_issue`` option is now enabled by default. This option has " "no effect unless global caching and token caching are enabled." msgstr "" #: ../../:271 msgid "" "[`bug 1642348 `_] Added " "new option ``[security_compliance] lockout_ignored_user_ids`` to allow " "deployers to specify users that are exempt from PCI lockout rules." msgstr "" #: ../../:434 msgid "" "[`bug 1642457 `_] Handle " "disk write and IO failures when rotating keys for Fernet tokens. Rather than " "creating empty keys, properly catch and log errors when unable to write to " "disk." msgstr "" #: ../../:551 msgid "" "[`bug 1642687 `_] The " "signature on the ``create_federated_user`` method of ``keystone.identity." "shadow_backends.base.ShadowUsersDriverBase`` has been updated." msgstr "" #: ../../:331 msgid "" "[`bug 1642687 `_] Upon a " "successful upgrade, all existing ``identity providers`` will now be " "associated with an automatically created domain. Each ``identity provider`` " "that existed prior to the `Ocata` release will now have a ``domain_id`` " "field. The new domain will have an ``id`` (random UUID) and a ``name`` (that " "will match the ``identity provider`` ID), and be ``enabled`` by default." msgstr "" #: ../../:445 msgid "" "[`bug 1642687 `_] Users " "that authenticate with an ``identity provider`` will now have a " "``domain_id`` attribute that is associated with the ``identity provider``." msgstr "" #: ../../:441 msgid "" "[`bug 1642687 `_] When " "registering an ``identity provider`` via the OS-FEDERATION API, it is now " "recommended to include a ``domain_id`` to associate with the ``identity " "provider`` in the request. Federated users that authenticate with the " "``identity provider`` will now be associated with the ``domain_id`` " "specified. 
If no ``domain_id`` is specified, then a domain will be " "automatically created." msgstr "" #: ../../:451 msgid "" "[`bug 1642692 `_] When a " "`federation protocol` is deleted, all users that authenticated with the " "`federation protocol` will also be deleted." msgstr "" #: ../../:457 msgid "" "[`bug 1649138 `_] When " "using LDAP as an identity backend, the initial bind will now occur upon " "creation of a connection object, i.e. early on when performing LDAP queries, " "no matter whether the bind is authenticated or anonymous, so that any " "connection errors can be handled correctly and early." msgstr "" #: ../../:390 msgid "" "[`bug 1650676 `_] " "Authentication plugins now require ``AuthContext`` objects to be used. This " "adds security checks to ensure that information such as the ``user_id`` " "does not change between authentication methods being processed by the server." " The ``keystone.controllers.Auth.authenticate`` method now requires the " "argument ``auth_context`` to be an actual ``AuthContext`` object." msgstr "" #: ../../:404 msgid "" "[`bug 1651989 `_] Due to " "``bug 1547684``, when using the ``policy.v3cloudsample.json`` sample file, a " "domain admin token was being treated as a cloud admin. Since the " "``is_admin_project`` functionality only supports project-scoped tokens, we " "automatically set the ``is_admin_project`` property of any domain-scoped " "token to ``False``." msgstr "" #: ../../:469 msgid "" "[`bug 1656076 `_] The " "various plugins under ``keystone.controllers.Auth.authenticate`` now require " "``AuthContext`` objects to be returned." msgstr "" #: ../../:569 msgid "" "[`bug 1659730 `_] The " "signature on the ``authenticate`` method of ``keystone.auth.plugins.base." "AuthMethodHandler`` has been updated. Third-party extensions that extend the " "abstract class (``AuthMethodHandler``) should update their code according to " "the new parameter names. 
The method signature has changed from::" msgstr "" #: ../../:473 msgid "" "[`bug 1659995 `_] New " "options have been made available via the user create and update API (``POST/" "PATCH /v3/users``) call; the options allow an admin to mark users as " "exempt from certain PCI requirements via an API." msgstr "" #: ../../:353 msgid "" "[`bug 1659995 `_] The " "config option ``[security_compliance] password_expires_ignore_user_ids`` has " "been deprecated in favor of using the option value set, available via the " "user create and update API call." msgstr "" #: ../../:304 msgid "" "[`bug 1669080 `_] Added " "support for a ``description`` attribute for V3 Identity Roles; see API docs " "for details." msgstr "" #: ../../:388 msgid "" "[`bug 1670382 `_] The ldap " "config option `group_members_are_ids` has been added to the whitelisted " "options, allowing it to now be used in the domain config API and " "`keystone-manage domain_config_upload`." msgstr "" #: ../../:98 stable/pike>:451 msgid "" "[`bug 1674415 `_] Fixed an " "issue where keystone error messages returned by the identity API were not " "translated when a locale was set." msgstr "" #: ../../:392 msgid "" "[`bug 1676497 `_] `bindep` " "now correctly reports the `openssl-devel` binary dependency for rpm distros " "instead of `libssl-dev`." msgstr "" #: ../../:398 msgid "" "[`bug 1684994 `_] Keystone " "now catches the ldap.INVALID_CREDENTIALS exception thrown when trying to " "connect to an LDAP backend with an invalid username or password, and emits a " "message back to the user instead of the default 500 error message." msgstr "" #: ../../:41 origin/stable/ocata>:81 #: stable/pike>:406 msgid "" "[`bug 1687593 `_] Ensure " "that the URL used to make the request when creating OAUTH1 request tokens is " "also the URL that verifies the request token." 
msgstr "" #: ../../:80 stable/ussuri>:73 #: unmaintained/victoria>:95 unmaintained/wallaby>:89 unmaintained/xena>:100 msgid "" "[`bug 1688137 `_] Fixed " "the AccountLocked exception being shown to the end user since it provides " "some information that could be exploited by a malicious user. The end user " "will now see Unauthorized instead of AccountLocked, preventing user info " "oracle exploitation." msgstr "" #: ../../:458 msgid "" "[`bug 1688188 `_] When " "creating an IdP, if a domain was generated for it and a conflict was raised " "while effectively creating the IdP in the database, the auto-generated " "domain is now cleaned up." msgstr "" #: ../../:35 origin/stable/ocata>:75 #: stable/pike>:382 msgid "" "[`bug 1689616 `_] " "Significant improvements have been made when performing a token flush on " "massive data sets." msgstr "" #: ../../:412 msgid "" "[`bug 1696574 `_] All GET " "APIs within keystone now have support for HEAD, if not already implemented. " "All new HEAD APIs have the same response codes and headers as their GET " "counterparts. This aids in client-side processing, especially caching." msgstr "" #: ../../:420 msgid "" "[`bug 1700852 `_] Keystone " "now supports caching of the `GET|HEAD /v3/users/{user_id}/projects` API in " "an effort to improve performance." msgstr "" #: ../../:426 stable/queens>:413 msgid "" "[`bug 1701324 `_] Token " "bodies now contain only unique roles in the authentication response." msgstr "" #: ../../:266 stable/queens>:331 msgid "" "[`bug 1702211 `_] Password " "`created_at` field under some versions/deployments of MySQL would lose sub-" "second precision. This means that it was possible for passwords to be " "returned out-of-order when changed within one second (especially common in " "testing). This change stores password `created_at` and `expires_at` as an " "integer instead of as a DATETIME data-type." 
msgstr "" #: ../../:14 origin/stable/ocata>:58 msgid "" "[`bug 1703369 `_] There " "was a typo for the identity:get_identity_provider rule in the default " "``policy.json`` file in previous releases. The default value for that rule " "was the same as the default value for the default rule (restricted to admin) " "so this typo was not readily apparent. Anyone customizing this rule should " "review their settings and confirm that they did not copy that typo. More " "context regarding the purpose of this backport can be found in the bug " "report." msgstr "" #: ../../:338 msgid "" "[`bug 1703369 `_] There " "was a typo for the identity:get_identity_provider rule in the default " "``policy.json`` file in previous releases. The default value for that rule " "was the same as the default value for the default rule (restricted to admin) " "so this typo was not readily apparent. Anyone customizing this rule should " "review their settings and confirm that they did not copy that typo. " "Particularly given that the default rule is being removed in Pike with the " "move of policy into code." msgstr "" #: ../../:475 msgid "" "[`bug 1703666 `_] Fixing " "multi-region support for the templated v3 catalog by making sure that the " "catalog contains only one definition per endpoint, and that each region is " "listed under that endpoint. Previously each region and endpoint would have " "had its own definition." msgstr "" #: ../../:14 stable/pike>:431 msgid "" "[`bug 1704205 `_] All " "users and groups are required to have a name. Prior to this fix, Keystone " "was not properly enforcing this for LDAP users and groups. Keystone will now " "ignore users and groups that do not have a value for the LDAP attribute " "which Keystone has been configured to use for that entity's name." msgstr "" #: ../../:440 msgid "" "[`bug 1705485 `_] A " "`previous change `_ removed policy " "from the self-service password API. 
Since a user is required to authenticate " "to change their password, protection via policy didn't necessarily make " "sense. This change removes the default policy from code, since it is no " "longer required or used by the service. Note that administrative password " "resets for users are still protected via policy through a separate endpoint." msgstr "" #: ../../:275 msgid "" "[`bug 1705485 `_] The " "`change_password` protection policy can be removed from file-based policies. " "This policy is no longer used to protect the self-service password change " "API since the logic was moved into code. Note that the administrative " "password reset functionality is still protected via policy on the " "`update_user` API." msgstr "" #: ../../:37 stable/pike>:208 #: stable/queens>:515 msgid "" "[`bug 1718747 `_] As part " "of solving a regression in the identity SQL backend that prevented domains " "containing users from being deleted, a notification callback was altered so " "that users would only be deleted if the identity backend is SQL. If you have " "a custom identity backend that is not read-only, deleting a domain in " "keystone will not delete the users in your backend unless your driver has an " "is_sql property that evaluates to true." msgstr "" #: ../../:23 stable/pike>:171 #: stable/queens>:418 msgid "" "[`bug 1718747 `_] Fixes a " "regression where deleting a domain with users in it causes a server error. " "This bugfix restores the previous behavior of deleting the users namespaced " "in the domain. This only applies when using the SQL identity backend." msgstr "" #: ../../:372 msgid "" "[`bug 1724645 `_] Adds a " "new attribute, ``remote_id_attribute``, to the federation protocol object, " "which allows WebSSO authentication to forward authentication requests " "through the right implementation for a federated protocol based on the " "remote ID attribute in the authentication headers." 
msgstr "" #: ../../:1329 msgid "" "[`bug 1724645 `_] Fixes an " "issue where multiple implementations of a federation protocol, such as " "Shibboleth and Mellon for the SAML2.0 protocol, could not be differentiated " "from one another because they had to share the same globally configured " "remote ID attribute. Now the remote ID attribute can be set on the protocol " "object itself." msgstr "" #: ../../:426 msgid "" "[`bug 1727099 `_] When " "users try to change their password, the total number of passwords, which " "includes the new password, must not be greater than or equal to the " "``unique_last_password_count`` config option. The help and error messages " "for this scenario were not described clearly. The messages have now been " "updated to be clearer." msgstr "" #: ../../:179 stable/queens>:435 msgid "" "[`bug 1727726 `_] All " "users and groups are required to have a name. Prior to this fix, Keystone " "was allowing LDAP users and groups whose name consisted only of white space. " "Keystone will now ignore users and groups that have only white space as the " "value for the LDAP attribute which Keystone has been configured to use for " "that entity's name." msgstr "" #: ../../:529 msgid "" "[`bug 1728690 `_] The " "``keystone-manage bootstrap`` command will only create the admin role and " "will no longer create a default member role. Please create any additional " "roles you need after running ``bootstrap`` by using the ``openstack role " "create`` command." msgstr "" #: ../../:367 msgid "" "[`bug 1728690 `_] The " "``member_role_id`` and ``member_role_name`` config options were used to " "create a default member role for keystone v2 role assignments, but with the " "removal of the v2 API it is no longer necessary to create this default role. " "This option is deprecated and will be removed in the S release. If you are " "depending on having a predictable role name and ID for this member role you " "will need to update your tooling." 
msgstr "" #: ../../:483 msgid "" "[`bug 1728907 `_] In some " "rare cases, an empty key file can get created within the fernet key " "repository. When keystone tries to load the keys from disk, it will fail " "with an invalid fernet key ValueError. Keystone now handles empty key files " "when loading and rotating keys. If an empty file exists, it will be ignored " "when loaded, reported as a warning in the log, and overwritten with a valid " "key upon rotation." msgstr "" #: ../../:1202 msgid "" "[`bug 1729933 `_] The " "Region Update API now correctly updates extra values. Previously, adding any " "extra values to a region via the update API would discard any added values " "besides the default ones. Any extra values are now correctly added and " "returned. This fix was for consistency with other APIs in keystone that use " "'extra'; the use of 'extra' in keystone is highly discouraged." msgstr "" #: ../../:444 msgid "" "[`bug 1733754 `_] Keystone " "didn't validate that the OS-TRUST:trust key of the authentication request is " "actually a dictionary. This resulted in a 500 Internal Server Error when it " "should really be a 400 Bad Request." msgstr "" #: ../../:451 msgid "" "[`bug 1734244 `_] Return a " "400 status code instead of a 500 when creating a trust with extra attributes " "in the roles parameter." msgstr "" #: ../../:1212 msgid "" "[`bug 1734244 `_] Users " "can't set a password longer than 128 characters if Keystone is using " "`Sqlalchemy` < 1.1.0. Updating `Sqlalchemy` to a higher version solves this " "problem. [`Related Sqlalchemy Changelog `_]." msgstr "" #: ../../:457 msgid "" "[`bug 1736875 `_] Add a " "schema check to return a 400 status code instead of a 500 when authorizing a " "request token with non-id attributes in the `roles` parameter." msgstr "" #: ../../:461 msgid "" "[`bug 1738895 `_] Fixed " "a bug where federated users could not be listed with the `name` filter. 
Now when listing " "users by `name`, Keystone will query both the local user backend and the " "shadow user backend." msgstr "" #: ../../:188 stable/queens>:468 msgid "" "[`bug 1740951 `_] A new " "method was added so that the oslo.policy sample generation scripts can " "be used with keystone. The ``oslopolicy-policy-generator`` script will now " "generate a policy file containing overrides and defaults registered in code." msgstr "" #: ../../:1220 msgid "" "[`bug 1744195 `_] SQL " "foreign key enforcement is now enabled for Keystone unit tests. This has no " "end user impact, but downstream teams should take care of it in their " "private test code changes." msgstr "" #: ../../:493 msgid "" "[`bug 1746599 `_] Fixes " "the user email not being set for federated shadow users when the mapping rule " "contains an email in the user section." msgstr "" #: ../../:476 msgid "" "[`bug 1747694 `_] The " "trust API reference declared support for ``page`` and ``per_page`` query " "parameters, when the actual trust API didn't support them. The API reference " "has been updated accordingly." msgstr "" #: ../../:336 stable/train>:380 msgid "" "[`bug 1748027 `_] The user " "API now supports the ``admin``, ``member``, and ``reader`` default roles " "across system-scope, domain-scope, and project-scope." msgstr "" #: ../../:1068 stable/train>:1194 msgid "" "[`bug 1748027 `_] The user " "API now uses system-scope, domain-scope, project-scope and default roles to " "provide better accessibility to users in a secure way." msgstr "" #: ../../:479 stable/train>:561 msgid "" "[`bug 1748027 `_] The user " "API uses new default policies that make it more accessible to end users and " "administrators in a secure way. Please consider these new defaults if your " "deployment overrides user policies." msgstr "" #: ../../:774 stable/train>:773 msgid "" "[`bug 1748027 `_] The user " "policies have been deprecated. 
The ``identity:get_user`` policy now uses " "``(role:reader and system_scope:all) or (role:reader and token.domain.id:" "%(target.user.domain_id)s) or user_id:%(target.user.id)s`` instead of ``rule:" "admin_or_owner``. The ``identity:list_users`` policy now uses ``(role:reader " "and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)`` " "instead of ``rule:admin_required``. The ``identity:create_user``, " "``identity:update_user``, and ``identity:delete_user`` policies now use " "``(role:admin and system_scope:all) or (role:admin and token.domain.id:" "%(target.user.domain_id)s)`` instead of ``rule:admin_required``. These new " "defaults automatically include support for a read-only role and allow for " "more granular access to user APIs, making it easier for system and domain " "administrators to delegate authorization, safely. Please consider these new " "defaults if your deployment overrides user policies." msgstr "" #: ../../:483 stable/rocky>:499 msgid "" "[`bug 1748970 `_] A bug " "was introduced in Queens that resulted in system role assignments being " "returned when querying the role assignments API for a specific role. The " "issue is fixed and the list of roles returned from ``GET /v3/" "role_assignments?role.id={role_id}`` respects system role assignments." msgstr "" #: ../../:492 stable/rocky>:508 msgid "" "[`bug 1749264 `_] A user's " "system role assignment will be removed when the user is deleted." msgstr "" #: ../../:497 stable/rocky>:513 msgid "" "[`bug 1749267 `_] A " "group's system role assignments are removed when the group is deleted." msgstr "" #: ../../:389 msgid "" "[`bug 1749268 `_] The " "``keystone-manage bootstrap`` command now ensures that an administrator has " "a system role assignment. This prevents the ability for operators to lock " "themselves out of system-level APIs." 
msgstr "" #: ../../:502 stable/rocky>:518 msgid "" "[`bug 1750415 `_] Fixes an " "implementation fault in application credentials where the application " "credential reference was not populated in the token data, causing problems " "with token validation when caching was disabled." msgstr "" #: ../../:343 stable/train>:387 msgid "" "[`bug 1750660 `_] The " "project API now supports the ``admin``, ``member``, and ``reader`` default " "roles across system-scope, domain-scope, and project-scope." msgstr "" #: ../../:1074 stable/train>:1200 msgid "" "[`bug 1750660 `_] The " "project API now uses system-scope, domain-scope, project-scope and default " "roles to provide better accessibility to users in a secure way." msgstr "" #: ../../:487 stable/train>:569 msgid "" "[`bug 1750660 `_] The " "project API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides project policies." msgstr "" #: ../../:794 stable/train>:793 msgid "" "[`bug 1750660 `_] The " "project policies have been deprecated. The ``identity:get_project`` policy " "now uses ``(role:reader and system_scope:all) or (role:reader and domain_id:" "%(target.project.domain_id)s) or project_id:%(target.project.id)s`` instead " "of ``rule:admin_required or project_id:%(target.project.id)s``. The " "``identity:list_projects`` policy now uses ``(role:reader and system_scope:" "all) or (role:reader and domain_id:%(target.domain_id)s)`` instead of ``rule:" "admin_required``. The ``identity:list_user_projects`` policy now uses " "``(role:reader and system_scope:all) or (role:reader and domain_id:%(target." "user.domain_id)s) or user_id:%(target.user.id)s`` instead of ``rule:" "admin_or_owner``. The ``identity:create_project`` policy now uses ``(role:admin and " "system_scope:all) or (role:admin and domain_id:%(target.project." "domain_id)s)`` instead of ``rule:admin_required``. 
These new defaults " "automatically include support for a read-only role and allow for more " "granular access to project APIs, making it easier for system and domain " "administrators to delegate authorization, safely. Please consider these new " "defaults if your deployment overrides the project policies." msgstr "" #: ../../:359 stable/train>:403 msgid "" "[`bug 1750673 `_] The role " "assignment API now supports the ``admin``, ``member``, and ``reader`` " "default roles across system-scope, domain-scope, and project-scope." msgstr "" #: ../../:1089 stable/train>:1215 msgid "" "[`bug 1750673 `_] The role " "assignment API now uses system-scope, domain-scope, project-scope, and " "default roles to provide better accessibility to users in a secure way." msgstr "" #: ../../:504 stable/train>:586 msgid "" "[`bug 1750673 `_] The role " "assignment API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new policies " "if your deployment overrides role assignment policies." msgstr "" #: ../../:843 stable/train>:842 msgid "" "[`bug 1750673 `_] The role " "assignment ``identity:list_role_assignments`` policy now uses ``(role:reader " "and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s)`` " "instead of ``rule:admin_required``. This new default automatically includes " "support for a read-only role and allows for more granular access to the role " "assignment API. Please consider this new default if your deployment " "overrides the role assignment policies." msgstr "" #: ../../:853 msgid "" "[`bug 1750676 `_] [`bug " "1818844 `_] The ``identity:" "check_token`` policy now uses ``(role:reader and system_scope:all) or rule:" "token_subject`` instead of ``rule:admin_required or rule:token_subject``. 
" "The ``identity:validate_token`` policy now uses ``(role:reader and " "system_scope:all) or rule:service_role or rule:token_subject`` instead of " "``rule:service_or_admin or rule:token_subject``. The ``identity:" "revoke_token`` policy now uses ``(role:admin and system_scope:all) or rule:" "token_subject`` instead of ``rule:admin_or_token_subject``. These new " "defaults automatically account for a read-only role by default and allow " "more granular access to the API. Please consider these new defaults if your " "deployment overrides the token policies." msgstr "" #: ../../:410 msgid "" "[`bug 1750676 `_] [`bug " "1818844 `_] The token API " "now supports the ``admin``, ``member``, and ``reader`` default roles." msgstr "" #: ../../:1222 msgid "" "[`bug 1750676 `_] [`bug " "1818844 `_] The token API " "now uses system-scope and default roles properly to provide more granular " "access to the token API." msgstr "" #: ../../:594 msgid "" "[`bug 1750676 `_] [`bug " "1818844 `_] The token API " "uses new default policies that make it easier for system users to delegate " "functionality in a secure way. Please consider the new policies if your " "deployment overrides the token policies." msgstr "" #: ../../:417 msgid "" "[`bug 1750678 `_] The EC2 " "credentials API now supports the ``admin``, ``member``, and ``reader`` " "default roles." msgstr "" #: ../../:1229 msgid "" "[`bug 1750678 `_] The EC2 " "credentials API now uses system-scope and default roles to provide better " "accessibility to users in a secure manner." msgstr "" #: ../../:602 msgid "" "[`bug 1750678 `_] The EC2 " "credentials API uses new default policies to make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides EC2 credentials consumer policies." msgstr "" #: ../../:869 msgid "" "[`bug 1750678 `_] The EC2 " "credentials policies have been deprecated. 
The ``identity:" "ec2_get_credentials`` policy now uses ``(role:reader and system_scope:all) or " "user_id:%(target.credential.user_id)s`` instead of ``rule:" "admin_required`` and the ``identity:ec2_list_credentials`` policy now uses " "``role:reader and system_scope:all or rule:owner`` instead of ``rule:" "admin_required``. The ``identity:ec2_delete_credentials`` policy now uses ``(role:" "admin and system_scope:all) or user_id:%(target.credential.user_id)s`` " "instead of ``rule:admin_required`` and the ``identity:ec2_create_credentials`` " "policy now uses ``role:admin and system_scope:all or rule:owner`` instead " "of ``rule:admin_required``. These new defaults automatically account for " "system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the EC2 credentials policies." msgstr "" #: ../../:525 msgid "" "[`bug 1751045 `_] It is " "now possible to clean up role assignments for groups that don't exist in the " "identity backend. This is relevant to deployments that are backed by LDAP " "where groups are removed directly in LDAP and not through keystone." msgstr "" #: ../../:532 msgid "" "[`bug 1753584 `_] Fix " "formatting of ImportError when using a driver not found in the list of token " "providers." msgstr "" #: ../../:1338 msgid "" "[`bug 1754048 `_] The " "correct user domain is now reported when validating a federated token. " "Previously, the domain would always be validated as \"Federated.\"" msgstr "" #: ../../:649 msgid "" "[`bug 1754184 `_] The " "unified limit APIs have been refactored to align with the following API-WG " "guidelines: 1. POST unified limits no longer returns all the limits during " "create operations. It now only returns the newly created limits. 2. Support " "for updating multiple limits in a single request has been removed by " "implementing PATCH instead of PUT. 
Please note that the unified limits APIs " "are still experimental, which is what makes it possible to include these improvements." msgstr "" #: ../../:354 msgid "" "[`bug 1754185 `_] " "Registered limits and project limits now support an optional, nullable " "property called `description`. Users can create/update a registered limit or " "project limit with `description` now." msgstr "" #: ../../:272 msgid "" "[`bug 1754677 `_] When you " "set up a user with a role assignment on a domain and then a role assignment " "on a project \"acting as a domain\", you can't actually remove them. This " "fixes it by filtering the query by \"type\", i.e. either a USER_DOMAIN or a " "USER_PROJECT, in the role assignment table." msgstr "" #: ../../:538 msgid "" "[`bug 1755874 `_] Users " "can now have the resource option ``lock_password`` set, which prevents the " "user from utilizing the self-service password change API. Valid values are " "``True``, ``False``, or \"None\" (where ``None`` clears the option)." msgstr "" #: ../../:546 msgid "" "[`bug 1756190 `_] When " "filtering projects based on tags, the filtering will now be performed by " "matching a subset containing the given tags against projects, rather than " "exact matching. Providing more tags when performing a search will yield more " "exact results while fewer will return any projects that match the given tags " "but could contain other tags as well." msgstr "" #: ../../:555 msgid "" "[`bug 1757022 `_] In " "previous releases, the ``keystone-manage mapping_purge --type {user,group}`` " "command would incorrectly purge all mappings instead of only purging the " "specified type mappings. ``keystone-manage mapping_purge --type " "{user,group}`` now purges only specified type mappings as expected." 
msgstr "" #: ../../:1233 msgid "" "[`bug 1757151 `_] More " "thorough documentation has been added for authorization and token scopes, " "which helps users and developers understand the purpose of scope and why it " "can be a useful tool for resource isolation and API protection." msgstr "" #: ../../:563 msgid "" "[`bug 1759289 `_] The " "``keystone-manage token_flush`` command no longer establishes a connection " "to a database or persistence backend. Its usage should be removed if " "you're using a supported non-persistent token format. If you're relying on " "external token providers that write tokens to disk and would like to " "maintain this functionality, please consider porting it to a separate tool." msgstr "" #: ../../:573 msgid "" "[`bug 1760205 `_] When " "deleting a shadow user, the related cache info was not invalidated, so " "Keystone would raise a 404 UserNotFound error when authenticating with the " "previous federation info. This bug has now been fixed." msgstr "" #: ../../:580 msgid "" "[`bug 1760521 `_] Fixed " "a bug where the result count for ``domain list`` could be one short if the config " "option ``list_limit`` in [resource] is set." msgstr "" #: ../../:586 msgid "" "[`bug 1760809 `_] Identity " "providers registered to domains will now be cleaned up when the domain is " "deleted." msgstr "" #: ../../:196 stable/queens>:242 stable/rocky>:592 msgid "" "[`bug 1763824 `_] JSON " "Schema implementation ``nullable`` in keystone.common.validation now " "properly adds ``None`` to the enum if the enum exists." msgstr "" #: ../../:598 msgid "" "[`bug 1765193 `_] The " "unified limit API now exposes a deployment's configured enforcement model " "via the ``GET /limits/model`` endpoint." 
msgstr "" #: ../../:102 stable/rocky>:184 stable/stein>:168 #: stable/train>:1344 msgid "" "[`bug 1773967 `_] Fixes an " "issue where users who had role assignments only via a group membership and " "not via direct assignment could create but not use application credentials. " "It is important to note that federated users who only have role assignments " "via a mapped group membership still cannot create application credentials." msgstr "" #: ../../:604 msgid "" "[`bug 1774229 `_] The API " "reference for token management now includes more specific examples for " "different token scopes." msgstr "" #: ../../:610 msgid "" "[`bug 1778109 `_] " "Previously the token data for a trust-scoped token may have contained " "duplicate roles, when implied roles were present. This is no longer the " "case, for the sake of accuracy and to prevent the breaking of applications " "which may consume this role list." msgstr "" #: ../../:391 msgid "" "[`bug 1778945 `_] The " "pluggable interface for token providers has changed. If you're maintaining a " "custom token provider, you're going to be affected by these interface " "changes. Implementing the new interface will be required before using your " "custom token provider with the Rocky release of keystone. The new interface " "is more clear about the relationship and responsibilities between the token " "API and pluggable token providers." msgstr "" #: ../../:618 msgid "" "[`bug 1778945 `_] There " "were several improvements made to the token provider API and interface that " "simplify what external developers need to do and understand in order to " "provide their own token provider implementation. Please see the linked bug " "report for more details as to why these changes were made and the benefits " "they provide for both upstream and downstream developers." 
msgstr "" #: ../../:1353 msgid "" "[`bug 1779889 `_] Adds " "documentation about service tokens and configuring services to use service " "tokens for long-running operations." msgstr "" #: ../../:381 msgid "" "[`bug 1779903 `_] When a " "project is deleted, the limits which belong to it will be deleted as well." msgstr "" #: ../../:627 msgid "" "[`bug 1780159 `_] Revoke " "the `role` cache when creating a project. This removes the delay before " "it appears in the list when a user has an inherited role on it." msgstr "" #: ../../:175 stable/rocky>:258 #: stable/stein>:1240 msgid "" "[`bug 1780503 `_] The " "notification wrapper now sets the initiator's id to the given user id. This " "fixes an issue where the identity.authentication event would result in the " "initiator id being a random default UUID, rather than the user's id when " "said user would authenticate against keystone." msgstr "" #: ../../:633 msgid "" "[`bug 1782704 `_] Checking " "for non-existent configuration files is more robust to ensure proper logging " "to users when passing configuration information to ``keystone-manage``." msgstr "" #: ../../:183 stable/rocky>:193 stable/stein>:177 #: stable/train>:1359 msgid "" "[`bug 1782922 `_] Fixed " "the problem where Keystone indiscriminately returned the first RDN as the user " "ID, regardless of whether it matched the configured 'user_id_attribute'. " "This broke deployments where 'group_members_are_ids' is set to False " "and 'user_id_attribute' is not in the DN. This patch performs a lookup " "by DN if the first RDN does not match the configured 'user_id_attribute'." msgstr "" #: ../../:1248 msgid "" "[`bug 1784536 `_] Keystone " "now returns `401 Unauthorized` correctly when issuing a project-scoped token " "but the input project id is a domain id." msgstr "" #: ../../:640 msgid "" "[`bug 1785164 `_] Setting " "resource limits on domains is explicitly unsupported. 
Previously, it was " "possible to set a limit on a domain and the response would include the " "domain ID as the project ID of the limit. This issue has been corrected by " "explicitly opting domains out of limit support. A later release may include " "functionality for domains to be associated with limit resources." msgstr "" #: ../../:512 msgid "" "[`bug 1787874 `_] Please " "note that deployments which set `unique_last_password_count = 1` in the " "config file should update the value to 0 to keep the same behavior as before." msgstr "" #: ../../:1252 msgid "" "[`bug 1787874 `_] The " "default value of the config option `unique_last_password_count` is changed " "from 1 to 0. Now `unique_last_password_count = 0` means the password history " "check is disabled. `unique_last_password_count = 1` means when changing " "password, the new one should be different from the current one." msgstr "" #: ../../:1261 msgid "" "[`bug 1788415 `_] [`bug " "968696 `_] Improved self-" "service support has been implemented in the credential API. This means that " "end users have the ability to manage their own credentials as opposed to " "filing tickets to have deployment administrators manage credentials for " "users." msgstr "" #: ../../:1096 msgid "" "[`bug 1788415 `_] [`bug " "968696 `_] More granular " "policy checks have been applied to the credential API in order to make it " "more self-service for users. By default, end users will now have the ability " "to manage their credentials." msgstr "" #: ../../:519 msgid "" "[`bug 1788415 `_] [`bug " "968696 `_] Policies " "protecting the ``/v3/credentials`` API have changed defaults in order to " "make the credentials API more accessible for all users and not just " "operators or system administrators. Please consider these updates when using " "this version of keystone since it could affect API behavior in your " "deployment, especially if you're using a customized policy file." 
msgstr "" #: ../../:1270 msgid "" "[`bug 1788694 `_] System-" "scoped tokens now support expanding role assignments to include implied " "roles in token creation and validation responses." msgstr "" #: ../../:1276 msgid "" "[`bug 1789450 `_] When a " "mapped group that does not exist in keystone is found, instead of throwing a " "500 error, keystone will now log the instance and continue. This is expected " "behavior as an external IdP may specify a group that does not exist within " "keystone." msgstr "" #: ../../:1284 msgid "" "[`bug 1792026 `_] Formal " "documentation for user resource options has been added to the administrator " "guide and the API reference. This documentation helps describe how user " "options can improve user experience, namely for deployments looking to offer " "flexibility around PCI-DSS security requirements, among other things." msgstr "" #: ../../:366 msgid "" "[`bug 1794376 `_] The " "domain API now supports the ``admin``, ``member``, and ``reader`` default " "roles." msgstr "" #: ../../:1104 msgid "" "[`bug 1794376 `_] The " "domain API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." msgstr "" #: ../../:529 msgid "" "[`bug 1794376 `_] The " "domain API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides domain policies." msgstr "" #: ../../:854 msgid "" "[`bug 1794376 `_] The " "following domain policy check strings have been deprecated in favor of more " "clear and concise defaults:" msgstr "" #: ../../:1110 msgid "" "[`bug 1794864 `_] [`bug " "1794376 `_] The default " "policies that protect the domains API have been deprecated in favor of ones " "that are more secure and self-serviceable." 
msgstr "" #: ../../:537 stable/stein>:869 msgid "" "[`bug 1794864 `_] [`bug " "1794376 `_] The default " "policies that protect the domains API have been deprecated in favor of ones " "that are more secure and self-serviceable. If you're maintaining custom " "policies, please make sure you resolve your domain policies to work with the " "new default by adding the proper role assignments, or continue maintaining " "custom overrides. The new defaults allow for better protection of the " "domains API when giving the `admin` role to users on domains and projects." msgstr "" #: ../../:1293 msgid "" "[`bug 1794864 `_] [`bug " "1794376 `_] The default " "policies that protect the domains API have been deprecated in favor of ones " "that are more secure and self-serviceable. Users with roles on domains and " "projects are now able to call the ``GET /v3/domains/{domain_id}`` API if " "they use a token scoped to that domain or a token scoped to a project within " "that domain. System users are allowed to access the domain APIs in the same " "way legacy `admin` users were able to. This allows for better protection of " "the domain API when giving the `admin` role to users on domains and projects." msgstr "" #: ../../:321 stable/stein>:1306 msgid "" "[`bug 1796887 `_] Add " "caching on trust role validation to improve performance. Services relying " "heavily on trusts are impacted as the trusts are validated against the " "database. This adds caching on those operations to improve performance." msgstr "" #: ../../:1493 msgid "" "[`bug 1797876 `_] The " "`default_limit` of registered limit and the `resource_limit` of limit are now " "limited from `-1` to `2147483647` (integer). `-1` means no limit. " "`2147483647` is the max value for a 4-byte integer, the default integer type in SQL." msgstr "" #: ../../:272 stable/stein>:1468 msgid "" "[`bug 1798184 `_] [`bug " "1820333 `_] In Python 3, " "python-ldap no longer allows bytes for some fields (DNs, RDNs, attribute " "names, queries). 
Instead, text values are represented as str, the Unicode " "text type. Compatibility support is provided for Python 2 by setting " "bytes_mode=False [1]." msgstr "" #: ../../:1490 msgid "" "[`bug 1798495 `_] The " "length of unified limit's `resource_name` is now limited from `1` to `255` " "(string)." msgstr "" #: ../../:1488 msgid "" "[`bug 1798716 `_] The " "`region_id` of registered limit can now be updated to `None`." msgstr "" #: ../../:372 msgid "" "[`bug 1801095 `_] Request " "ID and global request ID have been added to both basic and CADF " "notifications." msgstr "" #: ../../:137 stable/queens>:193 stable/rocky>:203 #: stable/stein>:1313 stable/train>:1369 msgid "" "[`bug 1801873 `_] This " "fixes an issue where an LDAP-backed domain could not be deleted due to the " "existence of shadow users in the SQL database." msgstr "" #: ../../:549 msgid "" "[`bug 1804292 `_] The " "region policies defined in ``policy.v3cloudsample.json`` have been removed. " "These policies are now obsolete after incorporating system-scope into the " "region API and implementing default roles." msgstr "" #: ../../:1319 msgid "" "[`bug 1804292 `_] The " "region policies in ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:881 msgid "" "[`bug 1804446 `_] The " "``identity:create_region``, ``identity:update_region``, and ``identity:" "delete_region`` policies now use ``role:admin and system_scope:all`` instead " "of ``rule:admin_required``. These new defaults automatically account for " "system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the region policies." 
msgstr "" #: ../../:376 msgid "" "[`bug 1804446 `_] The " "regions API now supports the ``admin``, ``member``, and ``reader`` default " "roles." msgstr "" #: ../../:1117 msgid "" "[`bug 1804446 `_] The " "regions API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." msgstr "" #: ../../:556 msgid "" "[`bug 1804446 `_] The " "regions API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides region policies." msgstr "" #: ../../:727 stable/train>:691 msgid "" "[`bug 1804462 `_] The " "group policies defined in ``policy.v3cloudsample.json`` have been removed. " "These policies are now obsolete after incorporating system-scope and domain-" "scope into the groups API and implementing default roles." msgstr "" #: ../../:1389 stable/train>:1409 msgid "" "[`bug 1804462 `_] The " "group policies in ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:564 msgid "" "[`bug 1804462 `_] The " "service policies defined in ``policy.v3cloudsample.json`` have been removed. " "These policies are now obsolete after incorporating system-scope into the " "service API and implementing default roles." msgstr "" #: ../../:1327 msgid "" "[`bug 1804462 `_] The " "service policies in ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:893 msgid "" "[`bug 1804463 `_] The " "service policies have been deprecated. The ``identity:get_service`` and " "``identity:list_services`` policies now use ``(role:reader and system_scope:" "all)`` instead of ``rule:admin_required``. 
The ``identity:create_service``, " "``identity:update_service``, and ``identity:delete_service`` policies now " "use ``(role:admin and system_scope:all)`` instead of ``rule:admin_required``." " These new defaults automatically account for system-scope and support a " "read-only role, making it easier for system administrators to delegate " "subsets of responsibility without compromising security. Please consider " "these new defaults if your deployment overrides service policies." msgstr "" #: ../../:382 msgid "" "[`bug 1804463 `_] The " "services API now supports the ``admin``, ``member``, and ``reader`` default " "roles." msgstr "" #: ../../:1123 msgid "" "[`bug 1804463 `_] The " "services API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." msgstr "" #: ../../:571 msgid "" "[`bug 1804463 `_] The " "services API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides service policies." msgstr "" #: ../../:579 msgid "" "[`bug 1804482 `_] The " "endpoint policies defined in ``policy.v3cloudsample.json`` have been removed." " These policies are now obsolete after incorporating system-scope into the " "endpoint API and implementing default roles." msgstr "" #: ../../:1335 msgid "" "[`bug 1804482 `_] The " "endpoint policies in ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:388 msgid "" "[`bug 1804483 `_] The " "endpoint API now supports the ``admin``, ``member``, and ``reader`` default " "roles." msgstr "" #: ../../:1129 msgid "" "[`bug 1804483 `_] The " "endpoint API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." 
msgstr "" #: ../../:586 msgid "" "[`bug 1804483 `_] The " "endpoint API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides endpoint policies." msgstr "" #: ../../:907 msgid "" "[`bug 1804483 `_] The " "endpoint policies have been deprecated. The ``identity:list_endpoints`` and " "``identity:get_endpoint`` policies now use ``role:reader and system_scope:" "all`` instead of ``rule:admin_required``. The ``identity:create_endpoint``, " "``identity:update_endpoint``, and ``identity:delete_endpoint`` policies now " "use ``role:admin and system_scope:all`` instead of ``rule:admin_required``. " "These new defaults automatically account for system-scope and support a read-" "only role, making it easier for system administrators to delegate subsets of " "responsibility without compromising security. Please consider these new " "defaults if your deployment overrides the endpoint policies." msgstr "" #: ../../:394 msgid "" "[`bug 1804516 `_] The " "federated identity provider API now supports the ``admin``, ``member``, and " "``reader`` default roles." msgstr "" #: ../../:1135 msgid "" "[`bug 1804516 `_] The " "federated identity provider API now uses system-scope and default roles to " "provide better accessibility to users in a secure way." msgstr "" #: ../../:594 msgid "" "[`bug 1804516 `_] The " "federated identity provider API uses new default policies that make it more " "accessible to end users and administrators in a secure way. Please consider " "these new defaults if your deployment overrides federated identity provider " "policies." msgstr "" #: ../../:921 msgid "" "[`bug 1804516 `_] The " "federated identity provider policies have been deprecated. The ``identity:" "list_identity_providers`` and ``identity:get_identity_provider`` policies " "now use ``role:reader and system_scope:all`` instead of ``rule:" "admin_required``. 
The ``identity:create_identity_provider``, ``identity:" "update_identity_provider``, ``identity:delete_identity_provider`` policies " "now use ``role:admin and system_scope:all`` instead of ``rule:" "admin_required``. These new defaults automatically account for system-scope " "and support a read-only role, making it easier for system administrators to " "delegate subsets of responsibility without compromising security. Please " "consider these new defaults if your deployment overrides the federated " "identity provider policies." msgstr "" #: ../../:602 msgid "" "[`bug 1804517 `_] The " "federated identity provider policies defined in ``policy.v3cloudsample." "json`` have been removed. These policies are now obsolete after " "incorporating system-scope into the identity provider API and implementing " "default roles." msgstr "" #: ../../:1343 msgid "" "[`bug 1804517 `_] The " "federated identity provider policies in ``policy.v3cloudsample.json`` policy " "file have been removed in favor of better defaults in code. These policies " "weren't tested exhaustively and were misleading to users and operators." msgstr "" #: ../../:610 msgid "" "[`bug 1804519 `_] The " "federated mapping policies defined in ``policy.v3cloudsample.json`` have " "been removed. These policies are now obsolete after incorporating system-" "scope into the mapping API and implementing default roles." msgstr "" #: ../../:1351 msgid "" "[`bug 1804519 `_] The " "federated mapping policies in ``policy.v3cloudsample.json`` policy file have " "been removed in favor of better defaults in code. These policies weren't " "tested exhaustively and were misleading to users and operators." msgstr "" #: ../../:617 msgid "" "[`bug 1804520 `_] The " "federated service provider policies defined in ``policy.v3cloudsample.json`` " "have been removed. These policies are now obsolete after incorporating " "system-scope into the service provider API and implementing default roles." 
msgstr "" #: ../../:1358 msgid "" "[`bug 1804520 `_] The " "federated service provider policies in ``policy.v3cloudsample.json`` policy " "file have been removed in favor of better defaults in code. These policies " "weren't tested exhaustively and were misleading to users and operators." msgstr "" #: ../../:400 msgid "" "[`bug 1804521 `_] The " "federated mapping API now supports the ``admin``, ``member``, and ``reader`` " "default roles." msgstr "" #: ../../:1141 msgid "" "[`bug 1804521 `_] The " "federated mapping API now uses system-scope and default roles to provide " "better accessibility to users in a secure way." msgstr "" #: ../../:624 msgid "" "[`bug 1804521 `_] The " "federated mapping API uses new default policies that make it more accessible " "to end users and administrators in a secure way. Please consider these new " "defaults if your deployment overrides federated mapping policies." msgstr "" #: ../../:937 msgid "" "[`bug 1804521 `_] The " "federated mapping policies have been deprecated. The ``identity:" "list_mappings`` and ``identity:get_mapping`` policies now use ``role:reader " "and system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_mapping``, ``identity:update_mapping``, and ``identity:" "delete_mapping`` policies now use ``role:admin and system_scope:all`` " "instead of ``rule:admin_required``. These new defaults automatically account " "for system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the federated mapping policies." msgstr "" #: ../../:406 msgid "" "[`bug 1804522 `_] The " "federated service provider API now supports the ``admin``, ``member``, and " "``reader`` default roles." 
msgstr "" #: ../../:1147 msgid "" "[`bug 1804522 `_] The " "federated service provider API now uses system-scope and default roles to " "provide better accessibility to users in a secure way." msgstr "" #: ../../:632 msgid "" "[`bug 1804522 `_] The " "federated service provider API uses new default policies that make it more " "accessible to end users and administrators. Please consider these new " "defaults if your deployment overrides federated service provider policies." msgstr "" #: ../../:952 msgid "" "[`bug 1804522 `_] The " "federated service provider policies have been deprecated. The ``identity:" "get_service_provider`` and ``identity:list_service_providers`` policies now " "use ``role:reader and system_scope:all`` instead of ``rule:admin_required``. " "The ``identity:create_service_provider``, ``identity:" "update_service_provider``, and ``identity:delete_service_provider`` policies " "now use ``role:admin and system_scope:all`` instead of ``rule:" "admin_required``. These new defaults automatically include support for a " "read-only role and allow for more granular access to service provider APIs, " "making it easier for system administrators to delegate authorization. Please " "consider these new defaults if your deployment overrides the federated " "service provider policies." msgstr "" #: ../../:412 msgid "" "[`bug 1804523 `_] The " "federated protocol API now supports the ``admin``, ``member``, and " "``reader`` default roles." msgstr "" #: ../../:1153 msgid "" "[`bug 1804523 `_] The " "federated protocol API now uses system-scope and default roles to provide " "better accessibility to users in a secure way." msgstr "" #: ../../:640 msgid "" "[`bug 1804523 `_] The " "federated protocol API uses new default policies that make it more " "accessible to end users and administrators. Please consider these new " "defaults if your deployment overrides federated protocol policies." 
msgstr "" #: ../../:969 msgid "" "[`bug 1804523 `_] The " "federated protocol policies have been deprecated. The ``identity:" "get_protocol`` and ``identity:list_protocols`` policies now use ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_protocol``, ``identity:update_protocol``, and ``identity:" "delete_protocol`` policies now use ``role:admin and system_scope:all`` " "instead of ``rule:admin_required``. These new defaults automatically account " "for system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the federated protocol policies." msgstr "" #: ../../:444 msgid "" "[`bug 1805363 `_] The " "oauth1 consumer API now supports the ``admin``, ``member``, and ``reader`` " "default roles." msgstr "" #: ../../:1235 msgid "" "[`bug 1805363 `_] The " "oauth1 consumer API now uses system-scope and default roles to provide " "better accessibility to users in a secure manner." msgstr "" #: ../../:610 msgid "" "[`bug 1805363 `_] The " "oauth1 consumer API uses new default policies to make it more accessible to " "end users and administrators in a secure way. Please consider these new " "defaults if your deployment overrides oauth1 consumer policies." msgstr "" #: ../../:887 msgid "" "[`bug 1805363 `_] The " "oauth1 consumer policies have been deprecated. The ``identity:get_consumer`` " "and ``identity:list_consumers`` policies now use ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_consumer``, ``identity:update_consumer``, and ``identity:" "delete_consumer`` policies now use ``role:admin and system_scope:all`` " "instead of ``rule:admin_required``. 
These new defaults automatically account " "for system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the oauth1 consumer policies." msgstr "" #: ../../:450 msgid "" "[`bug 1805366 `_] The " "Domain Config API now supports the ``admin``, ``member``, and ``reader`` " "default roles." msgstr "" #: ../../:901 msgid "" "[`bug 1805366 `_] The " "Domain Config API policies have been deprecated. The ``identity:" "get_domain_config`` policy now uses ``role:reader and system_scope:all`` " "instead of ``rule:admin_required``. The ``identity:" "get_domain_config_default`` policy now uses ``role:reader and system_scope:" "all`` instead of ``rule:admin_required``. The ``identity:" "create_domain_config`` policy now uses ``role:admin and system_scope:all`` " "instead of ``rule:admin_required``. The ``identity:update_domain_config`` " "policy now uses ``role:admin and system_scope:all`` instead of ``rule:" "admin_required``. The ``identity:delete_domain_config`` policy now uses " "``role:admin and system_scope:all`` instead of ``rule:admin_required``." msgstr "" #: ../../:618 msgid "" "[`bug 1805366 `_] The " "Domain Config API uses new default policies to make it more accessible to " "end users and administrators in a secure way. Please consider these new " "defaults if your deployment overrides Domain Config policies." msgstr "" #: ../../:1241 msgid "" "[`bug 1805366 `_] The " "domain config API now uses system-scope and default roles to provide better " "accessibility to users in a secure manner." msgstr "" #: ../../:1247 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The grant API " "now supports domain-scoped default roles to provide better accessibility " "grants for domain users." 
msgstr "" #: ../../:456 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The grant API " "now supports the ``admin``, ``member``, and ``reader`` default roles for " "domain users (e.g., domain-scoped tokens)." msgstr "" #: ../../:626 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The grant APIs " "use new default policies that make it more accessible to domain users in a " "safe and secure way. Please consider these new defaults if your deployment " "overrides the grant APIs." msgstr "" #: ../../:924 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The grant " "policies have been deprecated and replaced with new policies that expose " "grant APIs to domain users. This allows deployments to delegate more " "functionality to domain owners by default. The ``identity:check_grant`` and " "``identity:list_grants`` policies now use ``(role:reader and system_scope:" "all) or (role:reader and domain_id:%(target.user.domain_id)s) or (role:" "reader and domain_id:%(target.group.domain_id)s)`` instead of ``role:reader " "and system_scope:all``. The ``identity:create_grant`` and ``identity:" "revoke_grant`` policies now use ``(role:admin and system_scope:all) or (role:" "admin and domain_id:%(target.user.domain_id)s) or (role:admin and domain_id:" "%(target.group.domain_id)s)`` instead of ``role:admin and system_scope:all``." " These new defaults automatically include support for domain reader and " "domain administrator roles, making it easier for system administrator to " "delegate functionality down to domain users to manage grants within their " "domains. Please consider these new defaults if your deployment overrides the " "grant APIs." msgstr "" #: ../../:350 stable/train>:394 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The system " "assignment API now supports the ``admin``, ``member``, and ``reader`` " "default roles across system-scope, domain-scope, and project-scope. 
The " "grant API now supports the ``admin``, ``member``, and ``reader`` default " "roles for system-scope." msgstr "" #: ../../:1080 stable/train>:1206 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The system " "assignment API now uses system-scope, domain-scope, project-scope, and " "default roles to provide better accessibility to users in a secure way. The " "grant API now uses system-scope and default to provide better accessbility " "to operators." msgstr "" #: ../../:495 stable/train>:577 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The system " "assignment and grant APIs uses new default policies that make it more " "accessible to end users and administrators in a secure way. Please consider " "these new defaults if your deployment overrides system assignment policies." msgstr "" #: ../../:815 stable/train>:814 msgid "" "[`bug 1805368 `_] [`bug " "1750669 `_] The system " "assignment and grant policies have been deprecated. The ``identity:" "list_system_grants_for_user``, ``identity:check_system_grant_for_user``, " "``identity:list_system_grants_for_group``, and ``identity:" "check_system_grant_for_group`` policies now use ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_system_grant_for_user``, ``identity:revoke_system_grant_for_user``, " "``identity:create_system_grant_for_group``, and ``identity:" "revoke_system_grant_for_group`` policies now use ``role:admin and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "check_grant`` and ``identity:list_grants`` policies now use ``role:reader " "and system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_grant`` and ``identity:revoke_grant`` policies now use ``role:admin " "and system_scope:all`` instead of ``rule:admin_required``. 
These new " "defaults automatically include support for a read-only role and allow for " "more granular access to the system assignment and grant APIs, making it " "easier for administrators to delegate authorization, safely. Please consider " "these new defaults if your deployment overrides the system assignment APIs." msgstr "" #: ../../:418 msgid "" "[`bug 1805369 `_] The " "group API now supports the ``admin``, ``member``, and ``reader`` default " "roles." msgstr "" #: ../../:1159 msgid "" "[`bug 1805369 `_] The " "group API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." msgstr "" #: ../../:648 msgid "" "[`bug 1805369 `_] The " "group API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides group policies." msgstr "" #: ../../:984 msgid "" "[`bug 1805369 `_] The " "group policies have been deprecated. The ``identity:get_group``, ``identity:" "list_groups``, ``identity:list_users_in_group``, and ``identity:" "check_user_in_group`` policies now use ``role:reader and system_scope:all or " "(role:reader and domain_id:%(target.group.domain_id)s)`` instead of ``rule:" "admin_required``. The ``identity:list_groups_for_user`` policy now uses " "``(role:reader and system_scope:all) or (role:reader and domain_id:%(target." "user.domain_id)s) or or user_id:%(user_id)s`` instead of ``rule:" "admin_or_owner``. The ``identity:create_group``, ``identity:update_group``, " "``identity:delete_group``, ``identity:remove_user_from_group``, and " "``identity:add_user_to_group`` policies now use ``role:admin and " "system_scope:all or (role:admin and domain_id:%(target.group.domain_id)s)`` " "instead of ``rule:admin_required``. 
These new defaults automatically account " "for system-scope and domain-scope and support a read-only role, making it " "easier for system administrators to delegate subsets of responsibility " "without compromising security. Please consider these new defaults if your " "deployment overrides group policies." msgstr "" #: ../../:1254 msgid "" "[`bug 1805371 `_] The " "implied role API now uses system-scope and default roles to provide better " "accessibility to users in a secure manner." msgstr "" #: ../../:463 msgid "" "[`bug 1805371 `_] The " "implied roles API now supports the ``admin``, ``member``, and ``reader`` " "default roles." msgstr "" #: ../../:634 msgid "" "[`bug 1805371 `_] The " "implied roles API uses new default policies to make it more accessible to " "end users and administrators in a secure way. Please consider these new " "defaults if your deployment overrides implied roles policies." msgstr "" #: ../../:944 msgid "" "[`bug 1805371 `_] The " "implied roles policies have been deprecated. The ``identity:" "get_implied_role``, ``identity:list_implied_roles``, ``identity:" "list_role_inference_rules``, and ``identity:check_implied_role`` policies " "now use ``role:reader and system_scope:all`` instead of ``rule:" "admin_required``. The ``identity:create_implied_role`` and ``identity:" "delete_implied_role`` policies now use ``role:admin and system_scope:all`` " "instead of ``rule:admin_required``. These new defaults automatically account " "for system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the implied roles policies." msgstr "" #: ../../:656 msgid "" "[`bug 1805372 `_] Several " "of the registered limit and limit policies have been deprecated. 
The " "following policies now use ``role:admin and system_scope:all`` instead of " "``rule:admin_required``:" msgstr "" #: ../../:430 msgid "" "[`bug 1805372 `_] The " "registered limit and limit API now support the ``admin``, ``member``, and " "``reader`` default roles." msgstr "" #: ../../:1172 msgid "" "[`bug 1805372 `_] The " "registered limit and limit APIs now uses system-scope and default roles to " "provide better accessibility to users in a secure way." msgstr "" #: ../../:1260 msgid "" "[`bug 1805400 `_] The " "domain role API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." msgstr "" #: ../../:642 msgid "" "[`bug 1805400 `_] The " "domain role API uses new default policies that make it more accessible to " "end users and administrators in a secure way. Please consider these new " "defaults if your deployment overrides role policies." msgstr "" #: ../../:959 msgid "" "[`bug 1805400 `_] The " "domain role policies have been deprecated. The ``identity:get_domain_role`` " "and ``identity:list_domain_roles`` policies now use ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_domain_role``, ``identity:update_domain_role``, and ``identity:" "delete_role`` policies now use ``role:admin and system_scope:all`` instead " "of ``rule:admin_required``. These new defaults automatically account for " "system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the domain role policies." msgstr "" #: ../../:469 msgid "" "[`bug 1805400 `_] The " "domain roles API now supports system scope using the ``admin``, ``member``, " "and ``reader`` default roles." msgstr "" #: ../../:436 msgid "" "[`bug 1805402 `_] The role " "API now supports the ``admin``, ``member``, and ``reader`` default roles." 
msgstr "" #: ../../:1178 msgid "" "[`bug 1805402 `_] The role " "API now uses system-scope and default roles to provide better accessibility " "to users in a secure way." msgstr "" #: ../../:676 msgid "" "[`bug 1805402 `_] The role " "API uses new default policies that make it more accessible to end users and " "administrators in a secure way. Please consider these new defaults if your " "deployment overrides role policies." msgstr "" #: ../../:1005 msgid "" "[`bug 1805402 `_] The role " "policies have been deprecated. The ``identity:get_role`` and ``identity:" "list_roles`` policies now use ``role:reader and system_scope:all`` instead " "of ``rule:admin_required``. The ``identity:create_role``, ``identity:" "update_role``, and ``identity:delete_role`` policies now use ``role:admin " "and system_scope:all`` instead of ``rule:admin_required``. These new " "defaults automatically account for system-scope and support a read-only " "role, making it easier for system administrators to delegate subsets of " "responsibility without compromising security. Please consider these new " "defaults if your deployment overrides the role policies." msgstr "" #: ../../:442 msgid "" "[`bug 1805403 `_] The " "project API now supports the ``admin``, ``member``, and ``reader`` default " "roles." msgstr "" #: ../../:1184 msgid "" "[`bug 1805403 `_] The " "project API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." msgstr "" #: ../../:684 msgid "" "[`bug 1805403 `_] The " "project API uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides project policies." msgstr "" #: ../../:1019 msgid "" "[`bug 1805403 `_] The " "project policies have been deprecated. The ``identity:get_project`` policy " "now uses ``(role:reader and system_scope:all) or project_id:%(target.project." 
"id)s`` instead of ``rule:admin_required or project_id:%(target.project." "id)s``. The ``identity:list_projects`` policy now uses ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_project``, ``identity:update_project``, and ``identity:" "delete_project`` policies now use ``role:admin and system_scope:all`` " "instead of ``rule:admin_required``. The ``identity:list_user_projects`` " "policy now uses ``(role:admin and system_scope:all) or user_id:%(target.user." "id)s`` instead of ``rule:admin_or_owner``. These new defaults automatically " "account for system-scope and support a read-only role, making it easier for " "system administrators to delegate subsets of responsibility without " "compromising security. Please consider these new defaults if your deployment " "overrides the project policies." msgstr "" #: ../../:692 msgid "" "[`bug 1805406 `_] The " "``GET /v3/users/{user_id`` API now properly returns an ``HTTP 403 " "Forbidden`` as opposed to ``HTTP 404 Not Found`` if the calling user doesn't " "have authorization to call the API. This applies consistent authorititive " "policy checks to the API." msgstr "" #: ../../:448 msgid "" "[`bug 1805406 `_] The user " "API now supports the ``admin``, ``member``, and ``reader`` default roles." msgstr "" #: ../../:1190 msgid "" "[`bug 1805406 `_] The user " "API now uses system-scope and default roles to provide better accessibility " "to users in a secure way." msgstr "" #: ../../:1039 msgid "" "[`bug 1805406 `_] The user " "policies have been deprecated. The ``identity:get_user`` now uses ``(role:" "reader and system_scope:all) or (role:reader and token.domain.id:%(target." "user.domain_id)s) or user_id:%(target.user.id)s`` instead of ``rule:" "admin_or_owner``. The ``identity:list_users`` policy now uses ``(role:reader " "and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)`` " "instead of ``rule:admin_required``. 
The ``identity:create_user``, ``identity:" "update_user``, and ``identity:delete_user`` policies now use ``(role:admin " "and system_scope:all) or (role:admin and token.domain.id:%(target.user." "domain_id)s)`` instead of ``rule:admin_required``. These new defaults " "automatically account for system-scope, domain-scope, and support a read-" "only role, making it easier for system and domain administrators to delegate " "subsets of responsibility without compromising security. Please consider " "these new defaults if your deployment overrides the user policies." msgstr "" #: ../../:475 msgid "" "[`bug 1805409 `_] The " "policy and policy associations API now supports the ``admin``, ``member``, " "and ``reader`` default roles." msgstr "" #: ../../:1266 msgid "" "[`bug 1805409 `_] The " "policy and policy associations API now uses system-scope and default roles " "to provide better accessibility to users in a secure manner." msgstr "" #: ../../:650 msgid "" "[`bug 1805409 `_] The " "policy and policy associations API uses new default policies to make it more " "accessible to end users and administrators in a secure way. Please consider " "these new defaults if your deployment overrides policy and policy " "associations policies." msgstr "" #: ../../:973 msgid "" "[`bug 1805409 `_] The " "policy and policy associations policies have been deprecated. The ``identity:" "get_policy`` policy now uses ``role:reader and system_scope:all`` instead of " "``rule:admin_required``. The ``identity:list_policies`` policy now uses " "``role:reader and system_scope:all`` instead of ``rule:admin_required``. The " "``identity:update_policy`` policy now use ``role:admin and system_scope:" "all`` instead of ``rule:admin_required``.The ``identity:create_policy`` " "policy now use ``role:admin and system_scope:all`` instead of ``rule:" "admin_required``. The ``identity:delete_policy`` policy now use ``role:admin " "and system_scope:all`` instead of ``rule:admin_required``. 
The ``identity:" "check_policy_association_for_endpoint`` policy now uses ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "check_policy_association_for_service`` policy now uses ``role:reader and " "system_scope:all`` instead of ``role:reader and system_scope:all``. The " "``identity:check_policy_association_for_region_and_service`` policy now uses " "``role:reader and system_scope:all`` instead of ``rule:admin_required``. The " "``identity:get_policy_for_endpoint`` policy now uses ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "list_endpoints_for_policy`` policy now use ``role:reader and system_scope:" "all`` instead of ``rule:admin_required``. The ``identity:" "create_policy_association_for_endpoint`` policy now use ``role:admin and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "delete_policy_association_for_endpoint`` policy now use ``role:admin and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_policy_association_for_service`` policy now use ``role:admin and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "delete_policy_association_for_service`` policy now use ``role:admin and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "create_policy_association_for_region_and_service`` policy now use ``role:" "admin and system_scope:all`` instead of ``rule:admin_required``. The " "``identity:delete_policy_association_for_region_and_service`` policy now use " "``role:admin and system_scope:all`` instead of ``rule:admin_required``. " "These new defaults automatically account for system-scope and support a read-" "only role, making it easier for system administrators to delegate subsets of " "responsibility without compromising security. Please consider these new " "defaults if your deployment overrides the policy and policy associations " "policies." 
msgstr "" #: ../../:658 msgid "" "[`bug 1805880 `_] The " "limit policies defined in ``policy.v3cloudsample.json`` have been removed. " "These policies are now obsolete after incorporating system-scope into the " "limit API and implementing default roles." msgstr "" #: ../../:1375 msgid "" "[`bug 1805880 `_] The " "limit policies in ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:705 msgid "" "[`bug 1805880 `_] The " "registered limit policies defined in ``policy.v3cloudsample.json`` have been " "removed. These policies are now obsolete after incorporating system-scope " "into the registered limit API and implementing default roles." msgstr "" #: ../../:1365 msgid "" "[`bug 1805880 `_] The " "registered limit policies in ``policy.v3cloudsample.json`` policy file have " "been removed in favor of better defaults in code. These policies weren't " "tested exhaustively and were misleading to users and operators." msgstr "" #: ../../:712 msgid "" "[`bug 1806713 `_] The role " "policies defined in ``policy.v3cloudsample.json`` have been removed. These " "policies are now obsolete after incorporating system-scope into the role API " "and implementing default roles." msgstr "" #: ../../:1373 msgid "" "[`bug 1806713 `_] The role " "policies in ``policy.v3cloudsample.json`` policy file have been removed in " "favor of better defaults in code. These policies weren't tested exhaustively " "and were misleading to users and operators." msgstr "" #: ../../:735 msgid "" "[`bug 1806762 `_] The " "domain policies defined in ``policy.v3cloudsample.json`` have been removed. " "These policies are now obsolete after incorporating system-scope into the " "domain API and implementing default roles. 
Additionally, the ``identity:" "get_domain`` policy in ``policy.v3cloudsample.json`` has been relaxed " "slightly to allow all users with role assignments on a domain to retrieve " "that domain, as opposed to only allowing users with the ``admin`` role to " "access that policy." msgstr "" #: ../../:1397 msgid "" "[`bug 1806762 `_] The " "domain policies in ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:684 msgid "" "[`bug 1806762 `_] The " "grant policies defined in ``policy.v3cloudsample.json`` have been removed. " "These policies are now obsolete after incorporating system-scope and domain-" "scope into the grant API and implementing default roles." msgstr "" #: ../../:1402 msgid "" "[`bug 1806762 `_] The " "grant policies in ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:719 stable/train>:676 msgid "" "[`bug 1806762 `_] The user " "policies defined in ``policy.v3cloudsample.json`` have been removed. These " "policies are now obsolete after incorporating system-scope, domain-scope, " "and project-scope into the user API and implementing default roles." msgstr "" #: ../../:1381 stable/train>:1394 msgid "" "[`bug 1806762 `_] The user " "policies in ``policy.v3cloudsample.json`` policy file have been removed in " "favor of better defaults in code. These policies weren't tested exhaustively " "and were misleading to users and operators." msgstr "" #: ../../:665 stable/train>:1383 #: stable/ussuri>:173 stable/ussuri>:337 msgid "" "[`bug 1806762 `_] [`bug " "1630434 `_] The entire " "``policy.v3cloudsample.json`` file has been removed. 
If you were using this " "policy file to supply overrides in your deployment, you should consider " "using the defaults in code and setting ``keystone.conf [oslo_policy] " "enforce_scope=True``. The new policy defaults are more flexible, they're " "tested extensively, and they solve all the problems the ``policy." "v3cloudsample.json`` file was trying to solve." msgstr "" #: ../../:1404 msgid "" "[`bug 1806762 `_] [`bug " "1804518 `_] The federated " "protocol policies in the ``policy.v3cloudsample.json`` policy file have been " "removed in favor of better defaults in code. These policies weren't tested " "exhaustively and were misleading to users and operators." msgstr "" #: ../../:755 msgid "" "[`bug 1806762 `_] [`bug " "1804518 `_] The protocol " "policies defined in the ``policy.v3cloudsample.json`` policy file have been " "removed. These policies are now obsolete after incorporating system-scope " "into the federated protocol API and implementing default roles." msgstr "" #: ../../:543 msgid "" "[`bug 1807751 `_] Keystone " "now implements the scaffolding for resource options in projects and roles. " "Functionally new options (such as \"immutable\" flags) will appear in " "returned JSON under the `options` field (dict) returned in the project, " "domain, and role structures. The `options` field will be empty until " "resource options are implemented for project, domain, and role." msgstr "" #: ../../:1165 msgid "" "[`bug 1808859 `_] The " "group API now supports using the ``domain`` scope for the reader, member, " "and admin role to provide better accessibility to users in a secure way." msgstr "" #: ../../:424 msgid "" "[`bug 1808859 `_] The " "group API now supports using the ``domain`` scope type for performing domain-" "specific actions on groups and group membership." 
msgstr "" #: ../../:143 msgid "" "[`bug 1809116 `_] It is " "now possible to have group memberships carried over through mapping persist " "for a limited time after a user authenticates using federation. The \"time " "to live\" of these memberships is specified via the configuration option " "`[federation] default_authorization_ttl` or for each identity provider by " "setting `authorization_ttl` on the identity provider. Every time a user " "authenticates carrying over that membership, it will be renewed." msgstr "" #: ../../:266 stable/stein>:1413 msgid "" "[`bug 1810393 `_] Now when " "an identity provider protocol is deleted, the cache info for the related " "federated users will be invalidated as well." msgstr "" #: ../../:290 msgid "" "[`bug 1810983 `_] With the " "removal of KeystoneToken from the token model, we longer have the ability to " "use the token data syntax in the policy rules. This change broke backward " "compatibility for anyone deploying customized Keystone policies. " "Unfortunately, we can't go back to KeystoneToken model as the change was " "tightly coupled with the other refactored authorization functionalities." msgstr "" #: ../../:1419 msgid "" "[`bug 1811605 `_] Fixes X." "509 tokenless auth by properly populating the request context with the " "necessary credential information. Since Stein release, RBAC has been using " "the credential information from the Keystone request context instead of the " "authentication context. Therefore, we'll need to populate the request " "context with the necessary credential information from the X.509 tokenless " "authentication context." msgstr "" #: ../../:1429 msgid "" "[`bug 1813085 `] " "Validation of federated domain-scoped tokens scoped to the ``default`` " "domain no longer results in an ``HTTP 404 Domain Not Found`` due to byte " "string conversion issues with msgpack in python 3." 
msgstr "" #: ../../:1436 msgid "" "[`bug 1814589 `_] Fixes " "incorrect parameters passed into keystone.federation.utils." "transform_to_group_ids() which resulted in HTTP 500 internal error." msgstr "" #: ../../:1417 msgid "" "[`bug 1815771 `_] Allows " "operators to cache credentials to avoid lookups on the database. This " "operation can be turned on/off through the configuration parameter of " "keystone.conf [credential] caching." msgstr "" #: ../../:1443 msgid "" "[`bug 1816927 `_] It was " "discovered that the order in which fernet keys are distributed after fernet " "key rotation has impact on keystone service. All operators are advised to " "ensure that during fernet key distribution the new primary fernet key (with " "largest number) is distributed first." msgstr "" #: ../../:1451 stable/train>:1424 msgid "" "[`bug 1817313 `_] Raise " "METHOD NOT ALLOWED for OS-Federation protocols creation if the protocol_id " "is not in the URL. The corrective action was to split the LIST from CRUD " "resources so that the routing regexes can work as expected." msgstr "" #: ../../:481 msgid "" "[`bug 1818725 `_] [`bug " "1750615 `_] The " "application credential API now supports the ``admin``, ``member``, and " "``reader`` default roles." msgstr "" #: ../../:1272 msgid "" "[`bug 1818725 `_] [`bug " "1750615 `_] The " "application credential API now uses system-scope and default roles to " "provide better accessibility to users in a secure manner." msgstr "" #: ../../:699 msgid "" "[`bug 1818725 `_] [`bug " "1750615 `_] The " "application credential API uses new default policies to make it more " "accessible to end users and administrators in a secure way. Please consider " "these new defaults if your deployment overrides application credential " "policies." msgstr "" #: ../../:1027 msgid "" "[`bug 1818725 `_] [`bug " "1750615 `_] The " "application credential policies have been deprecated. 
The ``identity:" "get_application_credential`` policy now uses ``(role:reader and system_scope:" "all) or user_id:%(user_id)s`` instead of ``rule:admin_required or user_id:" "%(user_id)s``. The ``identity:list_application_credentials`` policy now uses " "``(role:reader and system_scope:all) or user_id:%(user_id)s`` instead of " "``rule:admin_required or user_id:%(user_id)s``. The ``identity:" "delete_application_credential`` policy now use ``(role:admin and " "system_scope:all) or user_id:%(user_id)s`` instead of ``rule:admin_required " "or user_id:%(user_id)s``. These new defaults automatically account for " "system-scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. Please consider these new defaults if your deployment overrides " "the application credential policies." msgstr "" #: ../../:1279 msgid "" "[`bug 1818734 `_] The " "endpoint group API now uses system-scope and default roles to provide better " "accessibility to users in a secure manner." msgstr "" #: ../../:488 msgid "" "[`bug 1818734 `_] The " "endpoint groups API now supports the ``admin``, ``member``, and ``reader`` " "default roles." msgstr "" #: ../../:708 msgid "" "[`bug 1818734 `_] The " "endpoint groups API uses new default policies to make it more accessible to " "end users and administrators in a secure way. Please consider these new " "defaults if your deployment overrides endpoint groups policies." msgstr "" #: ../../:1047 msgid "" "[`bug 1818734 `_] The " "endpoint groups policies have been deprecated. The ``identity:" "list_endpoint_groups`` policy now uses ``role:reader and system_scope:all`` " "instead of ``rule:admin_required``. The ``identity:get_endpoint_group`` " "policy now uses ``role:reader and system_scope:all`` instead of ``rule:" "admin_required``. 
The ``identity:update_endpoint_group`` policy now use " "``role:admin and system_scope:all`` instead of ``rule:admin_required``.The " "``identity:create_endpoint_group`` policy now use ``role:admin and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "delete_endpoint_group`` policy now use ``role:admin and system_scope:all`` " "instead of ``rule:admin_required``. The ``identity:" "list_projects_associated_with_endpoint_group`` policy now uses ``role:reader " "and system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "get_endpoint_group_in_project`` policy now uses ``role:reader and " "system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "list_endpoints_associated_with_endpoint_group`` policy now uses ``role:" "reader and system_scope:all`` instead of ``rule:admin_required``. The " "``identity:list_endpoint_groups_for_project`` policy now uses ``role:reader " "and system_scope:all`` instead of ``rule:admin_required``. The ``identity:" "add_endpoint_group_to_project`` policy now use ``role:admin and system_scope:" "all`` instead of ``rule:admin_required``. The ``identity:" "remove_endpoint_group_from_project`` policy now use ``role:admin and " "system_scope:all`` instead of ``rule:admin_required``. These new defaults " "automatically account for system-scope and support a read-only role, making " "it easier for system administrators to delegate subsets of responsibility " "without compromising security. Please consider these new defaults if your " "deployment overrides the endpoint group policies." msgstr "" #: ../../:716 msgid "" "[`bug 1818736 `_] The " "``identity:get_limit`` policy default check string has been changed to " "support domain scope. This policy are not being formally deprecated because " "the unified limits API is still considered experimental. These new default " "automatically account for domain scope in addition to system scope. 
Please " "consider these new defaults if your deployment overrides the limit policies." msgstr "" #: ../../:494 msgid "" "[`bug 1818736 `_] The " "``identity:get_limit``, ``identity:list_limits`` and ``identity:" "get_limit_model`` policies now support domain scope, so domain users are now " "able to get limit information on their own domains as well as see the limit " "model in effect." msgstr "" #: ../../:1086 msgid "" "[`bug 1818845 `_] The " "``identity:revocation_list`` policy has been deprecated for removal. This " "policy didn't actually protect the revocation list API since that API is " "unenforced and unprotected. It only returns an ``HTTP 410`` or ``HTTP 403`` " "depending on how keystone is configured. This policy can be safely removed." msgstr "" #: ../../:502 msgid "" "[`bug 1818846 `_] The " "trusts API now supports the ``admin``, ``member``, and ``reader`` default " "roles. System users can now audit and clean up trusts using the default " "policies." msgstr "" #: ../../:1095 msgid "" "[`bug 1818846 `_] [`bug " "1818850 `_] The trust " "policies have been deprecated. The ``identity:list_trusts`` policy now uses " "``(role:reader and system_scope:all)`` instead of ``rule_admin_required``. " "The ``identity:list_roles_for_trust``, ``identity:get_role_for_trust``, and " "``identity:get_trust`` policies now use ``(role:reader and system_scope:all) " "or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust." "trustee_user_id)s`` instead of``user_id:%(target.trust.trustor_user_id)s or " "user_id:%(target.trust.trustee_user_id)s``. The ``identity:delete_trust`` " "policy now uses ``(role:admin and system_scope:all) or user_id:%(target." "trust.trustor_user_id)s`` instead of ``user_id:%(target.trust." "trustor_user_id)s``. These new defaults automatically account for system-" "scope and support a read-only role, making it easier for system " "administrators to delegate subsets of responsibility without compromising " "security. 
Please consider these new defaults if your deployment overrides " "trust policies." msgstr "" #: ../../:1285 msgid "" "[`bug 1818846 `_] [`bug " "1818850 `_] The trusts API " "now uses system-scope and default roles to provide better accessibility to " "users in a secure way." msgstr "" #: ../../:726 msgid "" "[`bug 1818846 `_] [`bug " "1818850 `_] The trusts API " "uses new default policies that make it more accessible to end users and " "administrators in a secure way. Please consider these new defaults if your " "deployment overrides trust policies." msgstr "" #: ../../:1459 stable/train>:1432 msgid "" "[`bug 1819036 `_] " "Middleware that processes requests in front of keystone now caches tokens " "per request, eliminating unnecessary round trips to validate tokens on every " "request. This change doesn't require the usage of any configuration options " "to take effect. The fix for this bug improved performance ~20% during " "testing and impacts most of keystone's API." msgstr "" #: ../../:509 msgid "" "[`bug 1823258 `_] Adds " "support for an \"immutable\" resource option for roles, which when enabled " "prevents accidental harmful modification or deletion of roles. Also adds a " "new flag ``--immutable-roles`` to the ``keystone-manage bootstrap`` command " "to make the default roles (admin, member, and reader) immutable by default, " "as well as a check in the ``keystone-status upgrade check`` command to check " "that these roles have been made immutable. In a future release, these three " "roles will be immutable by default." msgstr "" #: ../../:192 msgid "" "[`bug 1823258 `_] The " "``keystone-manage bootstrap`` command now defaults to making the default " "roles (`admin`, `member`, and `reader`) immutable. This has the consequence " "that if the bootstrap command is re-run on an existing deployment, those " "roles will become immutable if they were not before. To opt out of this " "behavior, add the ``--no-immutable-roles`` flag to the bootstrap command." 
msgstr "" #: ../../:159 msgid "" "[`bug 1827431 `_] Added a " "new user option 'ignore_user_inactivity' (defaults to False). When set to " "True, it exempts the user from being disabled after the period of inactivity " "set by the ``[security_compliance]disable_user_account_days_inactive`` option " "in the keystone configuration file." msgstr "" #: ../../:1510 msgid "" "[`bug 1828565 `_] Fixes " "endpoint group listing by name. This allows the openstackclient command to " "search endpoint groups by name." msgstr "" #: ../../:1527 msgid "" "[`bug 1829453 `_] The " "deprecated config option `admin_endpoint` has now been removed." msgstr "" #: ../../:1522 msgid "" "[`bug 1829453 `_] The " "deprecated config option `infer_roles` has now been removed." msgstr "" #: ../../:1531 msgid "" "[`bug 1829453 `_] The " "deprecated config options in the `signing` section have now been removed." msgstr "" #: ../../:761 msgid "" "[`bug 1829453 `_] The os-" "simple-cert-api will return 410 due to the removal of the config options " "`[signing] ca_certs` and `[signing] cert_file`." msgstr "" #: ../../:1169 msgid "" "[`bug 1829454 `_] The " "`[federation] federated_domain_name` option is deprecated. All users live in " "the identity provider's domain now, and the option is no longer used." msgstr "" #: ../../:111 stable/rocky>:101 stable/stein>:187 #: stable/train>:1441 msgid "" "[`bug 1831918 `_] " "Credential operations now emit CADF audit messages." msgstr "" #: ../../:192 stable/train>:1446 msgid "" "[`bug 1832265 `_] Binary " "msgpack payload types are now consistently and correctly decoded when " "running Keystone under Python 3, avoiding any TypeErrors when attempting to " "convert binary encoded strings into UUIDs." msgstr "" #: ../../:1453 msgid "" "[`bug 1833739 `_] Fixes a " "PostgreSQL-specific issue with storing encrypted credentials. In Python 3 the " "psycopg2 module treats byte strings as binary data. This causes issues when " "storing encrypted credentials in the database. 
To fix this issue the " "credentials SQL backend is updated to encode the credential into a text " "string before handing it over to the database." msgstr "" #: ../../:1462 msgid "" "[`bug 1836568 `_] Addresses " "a side effect of the large series of policy migrations in which the volume " "of deprecation warnings that were emitted had become too massive to be " "helpful. Instead of emitting warnings for individual policy rules, the " "keystone server now emits a single warning indicating problematic rules were " "found. Operators can use oslopolicy-policy-generator and oslopolicy-policy-" "upgrade to find and resolve deprecated policies." msgstr "" #: ../../:14 stable/train>:1472 msgid "" "[`bug 1839133 `_] The " "`[ldap] user_enabled_emulation_use_group_config` option now honors " "`[ldap] group_members_are_ids`." msgstr "" #: ../../:520 msgid "" "[`bug 1839577 `_] TOTP now " "allows by default the code from the previous time window to be considered " "valid as part of auth. This can be disabled, or extended up to ten " "previous windows." msgstr "" #: ../../:199 stable/rocky>:209 stable/stein>:199 #: stable/train>:1477 msgid "" "[`bug 1840291 `_] Adds " "retries to the ``delete_credential_for_user`` method to avoid ``DBDeadlock`` " "errors when deleting a large number of credentials concurrently." msgstr "" #: ../../:1483 msgid "" "[`bug 1841486 `_] The " "``keystone-manage mapping_engine --engine-debug`` CLI tool now outputs " "useful information about the direct mappings from an assertion after " "processing mapping rules." msgstr "" #: ../../:205 stable/rocky>:215 stable/stein>:205 #: stable/train>:1490 msgid "" "[`bug 1843609 `_] Fixed an " "issue where system-scoped tokens couldn't be used to list users and groups " "(e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf [identity] " "domain_specific_drivers_enabled=True`` and the API would return an ``HTTP " "401 Unauthorized``. These APIs now recognize system-scoped tokens when using " "domain-specific drivers." 
msgstr "" #: ../../:1499 msgid "" "[`bug 1844157 `_] When " "performing `keystone-manage db_sync --check`, if the legacy repo started at " "the same version number as the expand/contract/migrate repos, the check to " "see if the db was under version control failed, indicating that the db was up-" "to-date. This was due to the function `get_init_version` never receiving the " "path for the repo queried for version information. The fix is to ensure the " "repo path is always passed to get_init_version from the `keystone.common.sql." "upgrade.get_db_version` function." msgstr "" #: ../../:524 msgid "" "[`bug 1844194 `_] [`bug " "1844193 `_] The project " "tags API now supports the ``admin``, ``member``, and ``reader`` default " "roles." msgstr "" #: ../../:735 msgid "" "[`bug 1844194 `_] [`bug " "1844193 `_] The project " "tags API now uses new default policies that make it more accessible to end " "users and administrators in a secure way. Please consider these new defaults " "if your deployment overrides the project tags policies." msgstr "" #: ../../:1292 msgid "" "[`bug 1844194 `_] [`bug " "1844193 `_] The project " "tags API now uses system-scope and default roles to provide better " "accessibility to users in a secure way." msgstr "" #: ../../:1116 msgid "" "[`bug 1844194 `_] [`bug " "1844193 `_] The project " "tags API policies have been deprecated. The ``identity:get_project_tag`` and " "``identity:list_project_tags`` policies now use ``(role:reader and " "system_scope:all) or (role:reader and domain_id:%(target.project." "domain_id)s) or project_id:%(target.project.id)s`` instead of ``rule:" "admin_required or project_id:%(target.project.id)s``. The ``identity:" "update_project_tags``, ``identity:delete_project_tags``, ``identity:" "delete_project_tag``, and ``identity:create_project_tag`` policies now use " "``(role:admin and system_scope:all) or (role:admin and domain_id:%(target." 
"project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)`` " "instead of ``rule:admin_required``." msgstr "" #: ../../:1503 msgid "" "[`bug 1844207 `_] Fixes an " "issue with WebSSO auth where a server error was raised if a remote ID can't " "be found for the requested federation protocol; keystone now correctly " "raises an Unauthorized client error instead." msgstr "" #: ../../:531 msgid "" "[`bug 1844461 `_] Listing " "role assignments for a project subtree is now allowed for system readers and " "domain readers in addition to project admins." msgstr "" #: ../../:1299 msgid "" "[`bug 1844461 `_] Listing " "role assignments for a project subtree now uses system-scope, domain-scope, " "project-scope, and default roles to provide better accessibility to users in " "a secure way." msgstr "" #: ../../:744 msgid "" "[`bug 1844461 `_] The " "``identity:list_role_assignments_for_subtree`` policy now allows system and " "domain readers to list role assignments for a project subtree and deprecates " "the old ``rule:admin_required`` policy check string. Please consider the " "new policies if your deployment overrides role assignment policies." msgstr "" #: ../../:1139 msgid "" "[`bug 1844461 `_] The role " "assignment ``identity:list_role_assignments_for_subtree`` policy now uses " "``(role:reader and system_scope:all) or (role:reader and domain_id:%(target." "project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)`` " "instead of ``rule:admin_required``. This new default automatically includes " "support for a read-only role and allows for more granular access to the role " "assignment API. Please consider this new default if your deployment " "overrides the role assignment policies." msgstr "" #: ../../:537 msgid "" "[`bug 1844664 `_] The " "Project Endpoints API now supports the ``admin``, ``member``, and ``reader`` " "default roles." 
msgstr "" #: ../../:1306 msgid "" "[`bug 1844664 `_] The " "Project Endpoints API now uses system-scope and default roles to provide " "better accessibility to users in a secure manner." msgstr "" #: ../../:753 msgid "" "[`bug 1844664 `_] The " "Project Endpoints API uses new default policies to make it more accessible " "to end users and administrators in a secure way. Please consider these new " "defaults if your deployment overrides Project Endpoints policies." msgstr "" #: ../../:1151 msgid "" "[`bug 1844664 `_] The " "Project Endpoints policies have been deprecated. The ``identity:" "list_projects_for_endpoint``, ``identity:check_endpoint_in_project`` and " "``identity:list_endpoints_for_project`` policies now use ``(role:reader and " "system_scope:all)`` instead of ``rule:admin_required``. The ``identity:" "add_endpoint_to_project`` and ``identity:remove_endpoint_from_project`` " "policies now use ``(role:admin and system_scope:all)`` instead of " "``rule:admin_required``. These new defaults " "automatically account for system-scope and support a read-only role, making " "it easier for system administrators to delegate subsets of responsibility " "without compromising security. Please consider these new defaults if your " "deployment overrides the Project Endpoints policies." msgstr "" #: ../../:348 msgid "" "[`bug 1848238 `_] Allow " "deleting a domain when using the LDAP driver for that domain. Previously " "keystone attempted to delete the group from LDAP even though the LDAP " "backend is read-only." msgstr "" #: ../../:36 stable/ussuri>:354 msgid "" "[`bug 1848342 `_] There " "was an inconsistency in the ephemeral user update flow. 
Every time a " "federated user logged in, keystone created an entry in the local_user table " "instead of just updating the entries in the user and federated_user tables, " "which caused duplicate entries when listing users. Now keystone will " "not create the entry in the local_user table while updating an ephemeral " "user." msgstr "" #: ../../:70 stable/stein>:105 stable/train>:156 #: stable/train>:191 stable/ussuri>:230 stable/ussuri>:274 msgid "" "[`bug 1855080 `_] An error " "in the policy target filtering inadvertently allowed any user to list any " "credential object with the /v3/credentials API when ``[oslo_policy]/" "enforce_scope`` was set to false, which is the default. This has been " "addressed: users with non-admin roles on a project may not list other users' " "credentials. However, users with the admin role on a project may still list " "any user's credentials when ``[oslo_policy]/enforce_scope`` is false due to " "`bug 968696 `_." msgstr "" #: ../../:116 stable/rocky>:224 stable/stein>:214 #: stable/train>:254 stable/ussuri>:374 msgid "" "[`bug 1856881 `_] " "``keystone-manage bootstrap`` can now be run in upgrade scenarios where pre-" "existing domain-specific roles named ``admin``, ``member``, and ``reader`` " "exist." msgstr "" #: ../../:270 stable/ussuri>:390 msgid "" "[`bug 1856962 `_] Fixes an " "issue where federated users could not authenticate if their mapped group " "membership was empty." msgstr "" #: ../../:240 stable/stein>:230 stable/train>:276 #: stable/ussuri>:396 msgid "" "[`bug 1858012 `_] Fixes a " "bug in the /v3/role_assignments filtering where the `role.id` query " "parameter didn't properly filter role assignments by role in cases where " "there were multiple system role assignments." 
msgstr "" #: ../../:169 msgid "" "[`bug 1872732 `_] " "``[credential] user_limit`` has been added to the configuration file and " "allows an operator to set the" msgstr "" #: ../../:27 stable/pike>:50 stable/pike>:91 #: stable/queens>:38 stable/queens>:61 stable/queens>:123 stable/rocky>:27 #: stable/rocky>:50 stable/rocky>:106 stable/stein>:82 stable/stein>:117 #: stable/stein>:237 stable/train>:168 stable/train>:203 stable/train>:283 #: stable/ussuri>:242 stable/ussuri>:286 stable/ussuri>:403 #: unmaintained/victoria>:198 unmaintained/victoria>:221 #: unmaintained/victoria>:276 msgid "" "[`bug 1872733 `_] Fixed a " "critical security issue in which an authenticated user could escalate their " "privileges by altering a valid EC2 credential." msgstr "" #: ../../:33 stable/pike>:56 stable/pike>:97 #: stable/queens>:44 stable/queens>:67 stable/queens>:129 stable/rocky>:33 #: stable/rocky>:56 stable/rocky>:112 stable/stein>:88 stable/stein>:123 #: stable/stein>:243 stable/train>:174 stable/train>:209 stable/train>:289 #: stable/ussuri>:248 stable/ussuri>:292 stable/ussuri>:409 #: unmaintained/victoria>:204 unmaintained/victoria>:227 #: unmaintained/victoria>:282 msgid "" "[`bug 1872735 `_] Fixed a " "security issue in which a trustee or an application credential user could " "create an EC2 credential or an application credential that would permit them " "to get a token that elevated their role assignments beyond the subset " "delegated to them in the trust or application credential. A new attribute " "``app_cred_id`` is now automatically added to the access blob of an EC2 " "credential and the role list in the trust or application credential is " "respected." msgstr "" #: ../../:14 stable/queens>:14 stable/rocky>:14 #: stable/stein>:57 stable/train>:143 stable/ussuri>:202 #: unmaintained/victoria>:185 msgid "" "[`bug 1872737 `_] Added a " "default TTL of 15 minutes for signed EC2 credential requests, where " "previously an EC2 signed token request was valid indefinitely. 
This change " "in behavior is needed to protect against replay attacks." msgstr "" #: ../../:67 stable/pike>:108 stable/queens>:78 #: stable/queens>:140 stable/rocky>:67 stable/rocky>:123 stable/stein>:134 #: stable/stein>:254 stable/train>:220 stable/train>:300 stable/ussuri>:303 #: stable/ussuri>:420 unmaintained/victoria>:238 unmaintained/victoria>:293 msgid "" "[`bug 1872737 `_] Fixed an " "incorrect EC2 token validation implementation in which the timestamp of the " "signed request was ignored, which made EC2 and S3 token requests vulnerable " "to replay attacks. The default TTL is 15 minutes but is configurable." msgstr "" #: ../../:301 msgid "" "[`bug 1872753 `_] Added " "validation to the EC2 credential API to prevent altering the ``access_id`` " "field in the blob attribute. This prevents accidentally orphaning an EC2 " "credential resource when an altered ``access_id`` no longer resolves to the " "credential's resource ID." msgstr "" #: ../../:75 stable/pike>:116 stable/queens>:86 #: stable/queens>:148 stable/rocky>:75 stable/rocky>:131 stable/stein>:142 #: stable/stein>:262 stable/train>:228 stable/train>:308 stable/ussuri>:311 #: stable/ussuri>:428 unmaintained/victoria>:246 unmaintained/victoria>:305 msgid "" "[`bug 1872755 `_] Added " "validation to the EC2 credentials update API to ensure the metadata labels " "'trust_id' and 'app_cred_id' are not altered by the user. These labels are " "used by keystone to determine the scope allowed by the credential, and " "altering these automatic labels could enable an EC2 credential holder to " "elevate their access beyond what is permitted by the application credential " "or trust that was used to create the EC2 credential." 
msgstr "" #: ../../:85 stable/rocky>:141 stable/stein>:152 #: stable/stein>:272 stable/train>:238 stable/train>:318 stable/ussuri>:321 #: stable/ussuri>:438 unmaintained/victoria>:256 unmaintained/victoria>:315 msgid "" "[`bug 1873290 `_] [`bug " "1872735 `_] Fixed the " "token model to respect the roles authorized for OAuth1 access tokens. " "Previously, the list of roles authorized for an OAuth1 access token was " "ignored, so when an access token was used to request a keystone token, the " "keystone token would contain every role assignment the creator had for the " "project. EC2 credentials now respect those roles as well." msgstr "" #: ../../:151 stable/stein>:19 stable/train>:88 #: stable/ussuri>:81 unmaintained/victoria>:103 unmaintained/wallaby>:154 msgid "" "[`bug 1878938 `_] " "Previously, when a role that had system role assignments was deleted, those " "assignments remained in the system_assignment table. This caused keystone to " "return `HTTP 404 Not Found` errors when listing role assignments with names " "(e.g., `--names` or `?include_names`)." msgstr "" #: ../../:325 msgid "" "[`bug 1880252 `_] Regexes " "are not allowed in \"whitelist\" and \"blacklist\" conditionals." msgstr "" #: ../../:158 stable/rocky>:167 stable/stein>:35 #: stable/train>:104 stable/ussuri>:97 unmaintained/victoria>:119 #: unmaintained/wallaby>:170 unmaintained/xena>:108 msgid "" "[`bug 1885753 `_] " "Keystone's SQL identity backend now retries update user requests to safely " "handle stale data when two clients update a user at the same time." msgstr "" #: ../../:330 msgid "" "[`bug 1886017 `_] JWT " "validation now supports the `allow_expired` query parameter." msgstr "" #: ../../:41 stable/train>:110 stable/ussuri>:103 #: unmaintained/victoria>:335 msgid "" "[`bug 1889936 `_] Octet " "strings (byte arrays) returned from LDAP are now properly decoded." 
msgstr "" #: ../../:115 stable/ussuri>:108 #: unmaintained/victoria>:125 unmaintained/wallaby>:176 msgid "" "[`bug 1896125 `_] " "Introduced more robust connection handling for asynchronous LDAP requests to " "address memory leaks when fetching data from LDAP backends with small page " "sizes." msgstr "" #: ../../:67 stable/ussuri>:60 #: unmaintained/victoria>:82 unmaintained/wallaby>:141 msgid "" "[`bug 1901207 `_] Policy " "enforcement for application credentials has been updated to protect against " "invalid ownership checks resulting in unauthorized users being able to get " "and delete application credentials for other users." msgstr "" #: ../../:122 stable/ussuri>:115 #: unmaintained/victoria>:132 unmaintained/wallaby>:183 msgid "" "[`bug 1901654 `_] " "Previously, `generate_public_ID()` in `sha256.py` assumed the passed argument " "was of type `str`. However, python-ldap 3.0 and later returns `bytes` for " "attribute values other than distinguished names, relative distinguished " "names, attribute names and queries. If keystone running on Python 3 is " "integrated with LDAP and the attribute used as the `local_id` is returned as " "`bytes`, user login operations failed because of that assumption. With this " "fix, `generate_public_ID()` properly handles a `bytes` argument." msgstr "" #: ../../:58 unmaintained/xena>:69 #: unmaintained/yoga>:63 unmaintained/zed>:123 msgid "" "[`bug 1926483 `_] Keystone " "will only log warnings about token length for Fernet tokens when the token " "length exceeds the value of `keystone.conf [DEFAULT] max_token_size`." msgstr "" #: ../../:26 unmaintained/victoria>:26 #: unmaintained/wallaby>:76 unmaintained/xena>:87 msgid "" "[`bug 1929066 `_] Increase " "the length of the `local_id` column in the `id_mapping` table to accommodate " "LDAP group names longer than 64 characters." 
msgstr "" #: ../../:68 msgid "" "[`bug 1951632 `_] " "Support has been added for deploying the `service` role during the bootstrap " "process in addition to the `admin`, `member` and `reader` roles." msgstr "" #: ../../:131 stable/train>:14 stable/ussuri>:39 #: unmaintained/victoria>:48 unmaintained/wallaby>:35 unmaintained/xena>:35 #: unmaintained/yoga>:40 unmaintained/zed>:40 msgid "" "[`bug 1992183 `_] [`CVE-" "2022-2447 `_] " "Tokens issued with application credentials will now have their expiration " "validated against that of the application credential. If the application " "credential expires before the token, the token's expiration will be set to " "the same expiration as the application credential. Otherwise the token will " "use the configured value." msgstr "" #: ../../:22 msgid "" "[`bug 2045974 `_] The " "Domain Manager Persona has been added. This makes identity-related self-" "service capabilities for users within domains possible without requiring the " "'admin' role. Assigning the 'manager' role to users in domain scope now " "allows them to manage projects, groups, users and role assignments within " "the domain. This is subject to the following restriction: the roles that " "domain managers can assign and revoke are limited by a new " "``domain_managed_target_role`` policy rule which defaults to 'reader', " "'member' and 'manager'." msgstr "" #: ../../:136 msgid "" "[`bug 2052916 `_] Fixed a " "bug where an HTTP GET request against ``/v3/s3tokens`` or ``/v3/ec2tokens`` " "would return HTTP 500 instead of HTTP 405." msgstr "" #: ../../:85 msgid "" "[`bug 96869 `_] A pair of " "configuration options have been added to the ``[resource]`` section to " "specify a special ``admin`` project: ``admin_project_domain_name`` and " "``admin_project_name``. If these are defined, any scoped token issued for " "that project will have an additional identifier ``is_admin_project`` added " "to the token. 
This identifier can then be checked by the policy rules in the " "policy files of the services when evaluating access control policy for an " "API. Keystone does not yet support the ability for a project acting as a " "domain to be the admin project. That will be added once the rest of the " "code for projects acting as domains is merged." msgstr "" #: ../../:381 msgid "" "[`bug 968696 `_] The work " "to introduce `system-scope `_ in addition to associating `scope types `_ to operations with ``oslo.policy`` will give project developers the " "ability to fix `bug 968696 `_." msgstr "" #: ../../:30 msgid "" "[bug 1848238 ] Allow " "deleting a domain when using the LDAP driver for that domain. Previously " "keystone attempted to delete the group from LDAP even though the LDAP " "backend is read-only." msgstr "" #: ../../:154 msgid "" "`GET /v3/users/{user_id}` now returns the federated object associated with " "the user, if any. `POST /v3/users` allows an operator to add a list of " "federated objects to associate with the user. `PATCH /v3/users` allows the " "operator to update a user's associated federated objects." msgstr "" #: ../../:310 msgid "" "`[DEFAULT] crypt_strength` is deprecated in favor of `[identity] " "password_hash_rounds`. Note that `[DEFAULT] crypt_strength` is still used " "when `[identity] rolling_upgrade_password_hash_compat` is set to `True`." msgstr "" #: ../../:229 stable/pike>:258 msgid "" "[`blueprint policy-in-code `_] Keystone now supports the ability to register default " "policies in code. This makes policy file maintenance easier by allowing " "duplicated default policies to be removed from the policy file. The only " "policies that should exist within a deployment's policy file after Pike " "should be policy overrides. Note that there is no longer a default value for " "the default rule. That rule is only checked when the more specific rule " "cannot be found, and with policy in code all rules should be found in code " "even if they are not in the policy file. 
To generate sample policy files " "from default values, prune default policies from existing policy files, or " "familiarize yourself with general policy usage, please see the `usage " "documentation `_ provided in oslo.policy." msgstr "" #: ../../:94 msgid "``[eventlet_server] public_admin_host``" msgstr "" #: ../../:95 msgid "``[eventlet_server] public_admin_port``" msgstr "" #: ../../:92 msgid "``[eventlet_server] public_bind_host``" msgstr "" #: ../../:93 msgid "``[eventlet_server] public_bind_port``" msgstr "" #: ../../:593 msgid "``add user to group``" msgstr "" #: ../../:588 msgid "``create group``" msgstr "" #: ../../:587 msgid "``create user``" msgstr "" #: ../../:83 unmaintained/yoga>:104 msgid "``dead_retry``" msgstr "" #: ../../:590 msgid "``delete group``" msgstr "" #: ../../:589 msgid "``delete user``" msgstr "" #: ../../:860 msgid "``identity:create_domain``" msgstr "" #: ../../:664 msgid "``identity:create_limits``" msgstr "" #: ../../:661 msgid "``identity:create_registered_limits``" msgstr "" #: ../../:666 msgid "``identity:delete_limit``" msgstr "" #: ../../:663 msgid "``identity:delete_registered_limit``" msgstr "" #: ../../:858 msgid "``identity:get_domain``" msgstr "" #: ../../:859 msgid "``identity:list_domains``" msgstr "" #: ../../:861 msgid "``identity:update_domain``" msgstr "" #: ../../:665 msgid "``identity:update_limit``" msgstr "" #: ../../:662 msgid "``identity:update_registered_limit``" msgstr "" #: ../../:862 msgid "``identity:delete_domain``" msgstr "" #: ../../:628 msgid "``issue_v2_token``" msgstr "" #: ../../:629 msgid "``issue_v3_token``" msgstr "" #: ../../:297 msgid "" "``keystone-manage db_sync`` will no longer create the Default domain. This " "domain is used as the domain for any users created using the legacy v2.0 API." " A default domain is created by ``keystone-manage bootstrap`` and when a " "user or project is created using the legacy v2.0 API." 
msgstr "" #: ../../:366 msgid "``keystone.common.kvs.backends.inmemdb.MemoryBackend``" msgstr "" #: ../../:367 msgid "``keystone.common.kvs.backends.memcached.MemcachedBackend``" msgstr "" #: ../../:368 msgid "``keystone.token.persistence.backends.kvs.Token``" msgstr "" #: ../../:613 msgid "``keystone/common/cache/backends/memcache_pool``" msgstr "" #: ../../:612 msgid "``keystone/common/cache/backends/mongo``" msgstr "" #: ../../:614 msgid "``keystone/common/cache/backends/noop``" msgstr "" #: ../../:600 msgid "``keystone/contrib/admin_crud``" msgstr "" #: ../../:601 msgid "``keystone/contrib/endpoint_filter``" msgstr "" #: ../../:602 msgid "``keystone/contrib/federation``" msgstr "" #: ../../:603 msgid "``keystone/contrib/oauth1``" msgstr "" #: ../../:604 msgid "``keystone/contrib/revoke``" msgstr "" #: ../../:605 msgid "``keystone/contrib/simple_cert``" msgstr "" #: ../../:606 msgid "``keystone/contrib/user_crud``" msgstr "" #: ../../:51 msgid "" "``openstack_user_domain`` and ``openstack_project_domain`` attributes were " "added to the SAML assertion in order to map user and project domains, " "respectively." 
msgstr "" #: ../../:86 unmaintained/yoga>:107 msgid "``pool_connection_get_timeout``" msgstr "" #: ../../:84 unmaintained/yoga>:105 msgid "``pool_maxsize``" msgstr "" #: ../../:85 unmaintained/yoga>:106 msgid "``pool_unused_timeout``" msgstr "" #: ../../:114 msgid "``public_admin_host``" msgstr "" #: ../../:115 msgid "``public_admin_port``" msgstr "" #: ../../:112 msgid "``public_bind_host``" msgstr "" #: ../../:113 msgid "``public_bind_port``" msgstr "" #: ../../:103 msgid "``pydev-debug-host``" msgstr "" #: ../../:104 msgid "``pydev-debug-port``" msgstr "" #: ../../:594 msgid "``remove user from group``" msgstr "" #: ../../:102 msgid "``standard-threads``" msgstr "" #: ../../:592 msgid "``update group``" msgstr "" #: ../../:591 msgid "``update user``" msgstr "" #: ../../:622 msgid "``validate_non_persistent_token``" msgstr "" #: ../../:620 msgid "``validate_v2_token``" msgstr "" #: ../../:621 msgid "``validate_v3_token``" msgstr "" #: ../../:369 msgid "all config options under ``[kvs]`` in `keystone.conf`" msgstr "" #: ../../:535 msgid "and will return a list of mappings for a given domain ID." 
msgstr "" #: ../../:52 stable/ussuri>:370 msgid "" "delete from local_user where user_id in (select user_id from " "federated_user);" msgstr "" #: ../../:163 stable/stein>:31 stable/train>:100 #: stable/ussuri>:93 unmaintained/victoria>:115 unmaintained/wallaby>:166 msgid "" "delete from system_assignment where role_id not in (select id from role);" msgstr "" #: ../../:173 msgid "eq - password expires at the timestamp" msgstr "" #: ../../:171 msgid "gt - password expires after the timestamp" msgstr "" #: ../../:172 msgid "gte - password expires at or after the timestamp" msgstr "" #: ../../:440 msgid "" "https://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/" "explicit-domains-ids.html" msgstr "" #: ../../:169 msgid "lt - password expires before the timestamp" msgstr "" #: ../../:170 msgid "lte - password expires at or before the timestamp" msgstr "" #: ../../:169 msgid "maximum number of credentials a user is permitted to create." msgstr "" #: ../../:49 stable/ussuri>:367 msgid "" "mysql -h -D keystone -p -P -u keystone -e 'delete " "from local_user where user_id in (select user_id from federated_user);'" msgstr "" #: ../../:49 stable/ussuri>:367 msgid "mysql db example:" msgstr "" #: ../../:48 stable/ussuri>:366 msgid "" "mysqldump -h -p -P -u keystone keystone " "federated_user local_user user > user_tables.sql" msgstr "" #: ../../:174 msgid "neq - password does not expire at the timestamp" msgstr "" #: ../../:89 msgid "" "The stats_monitoring and stats_reporting paste filters have been removed, so " "references to them must be removed from the ``keystone-paste.ini`` " "configuration file." 
msgstr "" #: ../../:370 msgid "the config option ``[memcached] servers`` in `keystone.conf`" msgstr "" #: ../../:506 origin/stable/ocata>:519 #: origin/stable/ocata>:563 origin/stable/ocata>:575 msgid "to::" msgstr "" #: ../source/2023.1.rst:3 msgid "2023.1 Series Release Notes" msgstr "" #: ../source/2023.2.rst:3 msgid "2023.2 Series Release Notes" msgstr "" #: ../source/2024.1.rst:3 msgid "2024.1 Series Release Notes" msgstr "" #: ../source/2024.2.rst:3 msgid "2024.2 Series Release Notes" msgstr "" #: ../source/index.rst:16 msgid "Keystone Release Notes" msgstr "" #: ../source/liberty.rst:3 msgid "Liberty Series Release Notes" msgstr "" #: ../source/mitaka.rst:3 msgid "Mitaka Series Release Notes" msgstr "" #: ../source/newton.rst:3 msgid "Newton Series Release Notes" msgstr "" #: ../source/ocata.rst:3 msgid "Ocata Series Release Notes" msgstr "" #: ../source/pike.rst:3 msgid "Pike Series Release Notes" msgstr "" #: ../source/queens.rst:3 msgid "Queens Series Release Notes" msgstr "" #: ../source/rocky.rst:3 msgid "Rocky Series Release Notes" msgstr "" #: ../source/stein.rst:3 msgid "Stein Series Release Notes" msgstr "" #: ../source/train.rst:3 msgid "Train Series Release Notes" msgstr "" #: ../source/unreleased.rst:3 msgid "Current Series Release Notes" msgstr "" #: ../source/ussuri.rst:3 msgid "Ussuri Series Release Notes" msgstr "" #: ../source/victoria.rst:3 msgid "Victoria Series Release Notes" msgstr "" #: ../source/wallaby.rst:3 msgid "Wallaby Series Release Notes" msgstr "" #: ../source/xena.rst:3 msgid "Xena Series Release Notes" msgstr "" #: ../source/yoga.rst:3 msgid "Yoga Series Release Notes" msgstr "" #: ../source/zed.rst:3 msgid "Zed Series Release Notes" msgstr ""
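The trust, project tag, role assignment and endpoint policy entries above quote their new default check strings (for example ``(role:reader and system_scope:all) or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s`` for ``identity:get_trust``) but do not show what those strings actually decide for a given token. The following is an added example, not code from keystone or oslo.policy: a minimal evaluator for that check-string syntax (``role:``, ``rule:``, generic ``key:%(target...)s`` matches, ``and``/``or``/``not``, parentheses), run against constructed tokens and targets. The IDs, the role lists and the ``admin_required`` definition ``role:admin or is_admin:1`` are the example's own assumptions; the admin tokens carry the expanded ``admin``/``member``/``reader`` list that keystone's default implied roles produce. It shows why a project-scoped admin, who passed the old ``rule:admin_required`` default for ``identity:list_trusts``, does not pass the new ``(role:reader and system_scope:all)``, while a system reader does, and why only the trustor or a system admin can delete a trust.

```python
# Added example, not keystone or oslo.policy code. The principals, IDs and
# the admin_required definition below are constructed for illustration.


def tokenize(check_str):
    """Like oslo.policy: split on whitespace, peel only leading '(' and trailing
    ')' so the parentheses in '%(target.trust.trustor_user_id)s' stay intact."""
    tokens = []
    for word in check_str.split():
        body = word.lstrip("(")
        tokens += ["("] * (len(word) - len(body))
        core = body.rstrip(")")
        if core:
            tokens.append(core.lower() if core.lower() in ("and", "or", "not") else ("atom", core))
        tokens += [")"] * (len(body) - len(core))
    return tokens


def parse(tokens):
    """Recursive descent; 'and' binds tighter than 'or', 'not' is unary.
    Returns a nested tuple tree and raises ValueError on malformed input."""
    pos = 0

    def nxt():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of check string")
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def unary():
        tok = nxt()
        if tok == "not":
            return ("not", unary())
        if tok == "(":
            node = disj()
            if nxt() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if isinstance(tok, tuple):
            return tok
        raise ValueError("unexpected token %r" % (tok,))

    def conj():
        node = unary()
        while peek() == "and":
            nxt()
            node = ("and", node, unary())
        return node

    def disj():
        node = conj()
        while peek() == "or":
            nxt()
            node = ("or", node, conj())
        return node

    tree = disj()
    if peek() is not None:
        raise ValueError("unbalanced parentheses")
    return tree


def flatten(d, prefix=""):
    """Nested target dict -> dotted keys, the shape %(target.x.y)s expects."""
    out = {}
    for k, v in d.items():
        out.update(flatten(v, prefix + k + ".") if isinstance(v, dict) else {prefix + k: v})
    return out


def _check(atom, creds, target, rules, depth):
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, sep, match = atom.partition(":")
    if not sep:
        raise ValueError("malformed check %r" % atom)
    if kind == "rule":  # undefined rule -> deny here (oslo.policy would use its default rule)
        return match in rules and depth < 16 and _walk(
            parse(tokenize(rules[match])), creds, target, rules, depth + 1)
    if kind == "role":
        return match.lower() in {r.lower() for r in creds.get("roles", ())}
    try:
        expected = match % target  # interpolate %(target...)s from the flattened target
    except (KeyError, ValueError, TypeError):
        return False
    value = creds
    for part in kind.split("."):  # dotted lookup into the token's credentials
        if not isinstance(value, dict) or part not in value:
            return False
        value = value[part]
    return expected == str(value)


def _walk(node, creds, target, rules, depth):
    if node[0] == "atom":
        return _check(node[1], creds, target, rules, depth)
    if node[0] == "not":
        return not _walk(node[1], creds, target, rules, depth)
    left = _walk(node[1], creds, target, rules, depth)
    if node[0] == "and":
        return left and _walk(node[2], creds, target, rules, depth)
    return left or _walk(node[2], creds, target, rules, depth)


def evaluate(check_str, creds, target=None, rules=None):
    """True if the token described by `creds` satisfies `check_str` for `target`."""
    return _walk(parse(tokenize(check_str)), creds, flatten(target or {}), rules or {}, 0)


RULES = {"admin_required": "role:admin or is_admin:1"}  # historical keystone definition
OLD_LIST_TRUSTS = "rule:admin_required"
NEW_LIST_TRUSTS = "(role:reader and system_scope:all)"
OLD_GET_TRUST = ("user_id:%(target.trust.trustor_user_id)s or "
                 "user_id:%(target.trust.trustee_user_id)s")
NEW_GET_TRUST = "(role:reader and system_scope:all) or " + OLD_GET_TRUST
NEW_DELETE_TRUST = "(role:admin and system_scope:all) or user_id:%(target.trust.trustor_user_id)s"
SUBTREE = ("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) "
           "or (role:admin and project_id:%(target.project.id)s)")

# Constructed tokens (made-up IDs). Role lists are as keystone's default
# implied roles expand them: admin implies member, member implies reader.
PRINCIPALS = {
    "system reader": {"roles": ["reader"], "system_scope": "all", "user_id": "auditor-1"},
    "system admin": {"roles": ["admin", "member", "reader"], "system_scope": "all", "user_id": "ops-1"},
    "domain reader": {"roles": ["reader"], "domain_id": "dom-1", "user_id": "carol"},
    "project admin": {"roles": ["admin", "member", "reader"], "project_id": "proj-1", "user_id": "mallory"},
    "trustor": {"roles": ["member", "reader"], "project_id": "proj-1", "user_id": "alice"},
    "trustee": {"roles": ["member", "reader"], "project_id": "proj-1", "user_id": "bob"},
}
TRUST_TARGET = {"target": {"trust": {"trustor_user_id": "alice", "trustee_user_id": "bob"}}}
PROJECT_TARGET = {"target": {"project": {"id": "proj-1", "domain_id": "dom-1"}}}


def who_passes(check_str, target):
    """Names of the constructed principals that the check string admits."""
    return [n for n, c in PRINCIPALS.items() if evaluate(check_str, c, target, RULES)]


if __name__ == "__main__":
    for label, check, target in [("old list_trusts", OLD_LIST_TRUSTS, TRUST_TARGET),
                                 ("new list_trusts", NEW_LIST_TRUSTS, TRUST_TARGET),
                                 ("old get_trust", OLD_GET_TRUST, TRUST_TARGET),
                                 ("new get_trust", NEW_GET_TRUST, TRUST_TARGET),
                                 ("new delete_trust", NEW_DELETE_TRUST, TRUST_TARGET),
                                 ("new subtree listing", SUBTREE, PROJECT_TARGET)]:
        print("%-20s %s" % (label, ", ".join(who_passes(check, target))))
```

Two points the table makes that the release notes only state: a project-scoped token never carries ``system_scope``, so ``role:admin`` on a project does not satisfy ``(role:admin and system_scope:all)`` even though it satisfied the old ``rule:admin_required``; and because the generic ``user_id:%(target...)s`` check compares a credential field with a target field, a trustee still cannot delete a trust under the new ``identity:delete_trust`` default. The evaluator denies an undefined ``rule:`` reference; real oslo.policy falls back to its configured default rule, which is one reason the policy-in-code entry above warns that the default rule no longer has a default value.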
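The bug 1839577 entry above says that a TOTP code from the previous time window is now accepted by default, and that this can be disabled or extended to up to ten previous windows. The following is an added example, not keystone's TOTP auth plugin: an RFC 6238 verifier with exactly that grace parameter, so the trade-off is visible in code. ``included_previous_windows`` is this example's own parameter name (the release note does not name keystone's configuration option); the secret and timestamps are the RFC 6238 reference test values, used here as constructed input.

```python
import hashlib
import hmac
import struct

# Added example, not keystone's TOTP plugin. `included_previous_windows` is
# this example's parameter name for the grace period the release note
# describes; the secret and times below are RFC 6238 reference test values.

STEP_SECONDS = 30
DIGITS = 6
MAX_PREVIOUS_WINDOWS = 10  # the release note's upper bound


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_seconds, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 code for the time window containing `at_seconds` (Unix time)."""
    return hotp(secret, int(at_seconds) // step, digits)


def verify_totp(secret, passcode, at_seconds, included_previous_windows=1,
                step=STEP_SECONDS, digits=DIGITS):
    """Accept `passcode` for the current window or any of the previous
    `included_previous_windows` windows. 0 disables the grace period; more
    than MAX_PREVIOUS_WINDOWS is rejected. Future windows are never accepted."""
    if not 0 <= included_previous_windows <= MAX_PREVIOUS_WINDOWS:
        raise ValueError("included_previous_windows must be 0..%d" % MAX_PREVIOUS_WINDOWS)
    if not (isinstance(passcode, str) and len(passcode) == digits and passcode.isdigit()):
        return False
    current = int(at_seconds) // step
    # Compare against every candidate window without returning early, so the
    # response time does not reveal which window (if any) matched.
    matched = False
    for back in range(included_previous_windows + 1):
        if hmac.compare_digest(hotp(secret, current - back, digits), passcode):
            matched = True
    return matched


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B seed, test value only

if __name__ == "__main__":
    t0 = 1111111080  # start of the window holding the RFC test time 1111111109
    code = totp(RFC_SECRET, t0)
    print("code:", code)  # 081804
    print("same window:", verify_totp(RFC_SECRET, code, t0 + 1))
    print("next window, default grace:", verify_totp(RFC_SECRET, code, t0 + 30))
    print("next window, grace disabled:", verify_totp(RFC_SECRET, code, t0 + 30, 0))
    print("two windows on, default grace:", verify_totp(RFC_SECRET, code, t0 + 60))
    print("two windows on, grace of 2:", verify_totp(RFC_SECRET, code, t0 + 60, 2))
```

The grace period fixes the usability problem of a code typed at the end of a 30 s window arriving in the next one, at the cost of keeping each code valid for up to (N + 1) x 30 s; ten previous windows means a captured code stays usable for over five minutes. The check-every-window loop and ``hmac.compare_digest`` avoid leaking which window matched. Remembering the last counter each user successfully authenticated with, and refusing anything at or below it, is the standard complement (RFC 6238 section 5.2) that turns a wider window into a one-time code again; that mitigation is not described in the release note and is not implemented above.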