[blueprint domain-specific-roles] Roles can now be optionally defined as domain specific. Domain specific roles are not referenced in policy files, rather they can be used to allow a domain to build their own private inference rules with implied roles. A domain specific role can be assigned to a domain or project within its domain, and any subset of global roles it implies will appear in a token scoped to the respective domain or project. The domain specific role itself, however, will not appear in the token.
[blueprint bootstrap] keystone-manage now supports the bootstrap command on the CLI so that a keystone install can be initialized without the need of the admin_token filter in the paste-ini.
[blueprint domain-config-default] The Identity API now supports retrieving the default values for the configuration options that can be overridden via the domain specific configuration API.
[blueprint url-safe-naming] The names of projects and domains can optionally be required to be URL safe, to support the future ability to specify projects using hierarchical naming.
[bug 1490804] Audit IDs are included in the token revocation list.
[bug 1519210] A user may now opt-out of notifications by specifying a list of event types using the notification_opt_out option in keystone.conf. These events are never sent to a messaging service.
[bug 1542417] Added support for a user_description_attribute mapping to the LDAP driver configuration.
[bug 1526462] Support for posixGroups with OpenDirectory and UNIX when using the LDAP identity driver.
[bug 1489061] Caching has been added to catalog retrieval on a per user ID and project ID basis. This affects both the v2 and v3 APIs. As a result this should provide a performance benefit to fernet-based deployments.
Keystone supports $(project_id)s in the catalog. It works the same as $(tenant_id)s. Use of $(tenant_id)s is deprecated and catalog endpoints should be updated to use $(project_id)s.
[bug 1525317] Enable filtering of identity providers based on the id and enabled attributes.
[bug 1555830] Enable filtering of service providers based on the id and enabled attributes.
[blueprint federation-group-ids-mapped-without-domain-reference] Enhanced the federation mapping engine to allow for group IDs to be referenced without a domain ID.
[blueprint implied-roles] Keystone now supports creating implied roles. Role inference rules can now be added to indicate when the assignment of one role implies the assignment of another. The rules are of the form prior_role implies implied_role. At token generation time, user/group assignments of roles that have implied roles will be expanded to also include such roles in the token. The expansion of implied roles is controlled by the prohibited_implied_role option in the [assignment] section of keystone.conf.
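The two notes above (domain specific roles and implied roles) describe how a user's direct assignments are expanded at token generation time. The following is an added illustration, not keystone's own code: inference rules are modelled as (prior_role, implied_role) pairs, the prohibited set stands in for the prohibited_implied_role option, and the domain_specific set stands in for roles created with a domain_id. The role names used in the sample are constructed for the example.

```python
"""Added example: expanding implied roles for a token (illustrative, not keystone code)."""
from collections import deque


def _index_rules(rules):
    """Map each prior role to the set of roles it directly implies."""
    implied_by = {}
    for prior, implied in rules:
        implied_by.setdefault(prior, set()).add(implied)
    return implied_by


def would_create_cycle(rules, prior, implied):
    """True if adding the rule prior -> implied would let `implied` reach `prior`.

    A rule whose implied role can already reach the prior role (or where
    prior == implied) would make expansion loop, so such rules are rejected.
    """
    implied_by = _index_rules(rules)
    stack, seen = [implied], set()
    while stack:
        role = stack.pop()
        if role == prior:
            return True
        if role in seen:
            continue
        seen.add(role)
        stack.extend(implied_by.get(role, ()))
    return False


def expand_roles(direct_roles, rules, prohibited=frozenset(), domain_specific=frozenset()):
    """Return the sorted list of role names that should appear in a scoped token.

    direct_roles: roles assigned directly to the user/group on the target.
    rules: iterable of (prior_role, implied_role) pairs.
    prohibited: roles that may never be reached by implication (this models
        the prohibited_implied_role option); a directly assigned role is kept
        even if it is in this set, because only implication is prohibited.
    domain_specific: roles that are expanded but never appear in the token.
    """
    implied_by = _index_rules(rules)
    seen = set(direct_roles)
    queue = deque(direct_roles)
    while queue:
        role = queue.popleft()
        for nxt in implied_by.get(role, ()):
            if nxt in prohibited or nxt in seen:
                continue  # never expand into a prohibited role; skip cycles
            seen.add(nxt)
            queue.append(nxt)
    return sorted(r for r in seen if r not in domain_specific)


# Constructed sample data for the example.
RULES = [
    ("domain_ops", "member"),   # domain_ops is a domain-specific role
    ("member", "reader"),
    ("super", "admin"),         # implying admin is blocked below
]
PROHIBITED = frozenset({"admin"})
DOMAIN_SPECIFIC = frozenset({"domain_ops"})

if __name__ == "__main__":
    print(expand_roles({"domain_ops"}, RULES, PROHIBITED, DOMAIN_SPECIFIC))
    print(expand_roles({"super"}, RULES, PROHIBITED, DOMAIN_SPECIFIC))
    print(would_create_cycle(RULES, "reader", "member"))
```

The first call shows the behaviour the domain-specific-roles note describes: domain_ops itself is absent from the result, but the global roles it implies (member, reader) are present. The second shows that a prohibited role is never reached by implication even though a rule names it.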
[bug 96869] A pair of configuration options have been added to the [resource] section to specify a special admin project: admin_project_domain_name and admin_project_name. If these are defined, any scoped token issued for that project will have an additional identifier is_admin_project added to the token. This identifier can then be checked by the policy rules in the policy files of the services when evaluating access control policy for an API. Keystone does not yet support the ability for a project acting as a domain to be the admin project. That will be added once the rest of the code for projects acting as domains is merged.
[bug 1515302] Two new configuration options have been added to the [ldap] section, user_enabled_emulation_use_group_config and project_enabled_emulation_use_group_config, which allow deployers to choose whether to override the default group LDAP schema option.
[bug 1501698] Support for the list_limit parameter when LDAP is used as the identity backend.
[bug 1479569] Names can now be included when listing role assignments (GET /role_assignments?include_names=True): the names of the referenced objects are returned alongside their internal IDs, rather than just the IDs.
Domains are now represented as top level projects with the attribute is_domain set to true. Such projects will appear as parents for any previous top level projects. Projects acting as domains can be created, read, updated, and deleted via either the project API or the domain API (V3 only).
[bug 1473042] Keystone’s S3 compatibility support can now authenticate using AWS Signature Version 4.
[blueprint totp-auth] Keystone now supports authenticating via Time-based One-time Password (TOTP). To enable this feature, add the totp auth plugin to the methods option in the [auth] section of keystone.conf. More information about using TOTP can be found in keystone’s developer documentation.
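As an added example of what the totp method verifies (this is illustrative code, not keystone's plugin), the block below implements HOTP (RFC 4226) and TOTP (RFC 6238) with the defaults that six-digit authenticator apps use: SHA-1, 30-second steps. It assumes the secret is stored as a base32 string, which is how the TOTP documentation describes the credential blob, and the passcode is compared in constant time over a small window to absorb clock skew. The secret and timestamps come from the RFC test vectors; the request body at the end is constructed to match the shape the totp method expects and is not a captured request.

```python
"""Added example: HOTP/TOTP passcode verification (illustrative, not keystone's code)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def decode_base32_secret(blob):
    """Decode the base32 secret stored in the credential blob (padding optional)."""
    blob = blob.strip().upper().replace(" ", "")
    return base64.b32decode(blob + "=" * (-len(blob) % 8))


def verify_passcode(secret, passcode, at=None, step=30, window=1):
    """Accept a passcode for the current step or any step within +/- window.

    Every candidate is compared with hmac.compare_digest and the loop never
    exits early, so timing does not reveal which step (if any) matched.
    """
    if at is None:
        at = time.time()
    counter = int(at // step)
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), passcode):
            matched = True
    return matched


def totp_auth_request(user_id, passcode):
    """Constructed request body in the shape the totp auth method consumes."""
    return {"auth": {"identity": {"methods": ["totp"],
                                  "totp": {"user": {"id": user_id,
                                                    "passcode": passcode}}}}}


# RFC 4226 / RFC 6238 shared test secret, base32-encoded as it would be stored.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_B32)
    print(totp(secret, at=59))                    # RFC 6238 vector at T=59
    print(verify_passcode(secret, totp(secret), window=1))
    print(totp_auth_request("<user-id>", totp(secret)))
```

Enabling the method is a keystone.conf change (add totp to methods in the [auth] section, as the note says); the verification above is the part that a reviewer of a deployment should understand, in particular why the comparison is constant-time and why the acceptance window should stay small.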
[blueprint x509-ssl-client-cert-authn] Keystone now supports tokenless client SSL x.509 certificate authentication and authorization.