Difference between revisions of "ReleaseNotes/Havana"
(→Key New Features) |
(→Key New Features) |
||
Line 74: | Line 74: | ||
** Aggregated role assignments API | ** Aggregated role assignments API | ||
** External authentication providers can now embed a binding reference into tokens such that remote services may optionally validate the identity of the user presenting the token against an presented external authentication mechanism. Currently, only <code>kerberos</code> is supported. | ** External authentication providers can now embed a binding reference into tokens such that remote services may optionally validate the identity of the user presenting the token against an presented external authentication mechanism. Currently, only <code>kerberos</code> is supported. | ||
− | ** | + | ** Endpoints may now be explicitly mapped to projects, effectively preventing certain endpoints from appearing in the service catalog for certain based on the project scope of a token. This does not prevent end users from accessing or using endpoints they are aware of through some other means. |
* Event notifications emitted for user and project/tenant create, update, and delete operations | * Event notifications emitted for user and project/tenant create, update, and delete operations |
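Review bot: The added sentence says endpoints are kept from appearing "in the service catalog for certain based on the project scope of a token"; a noun is missing after "certain", so it is unclear who the catalog is filtered for. Please name it. The second added sentence is the one deployers need most: consider saying outright that this is catalog filtering and not access control, so services behind hidden endpoints still need their own authorization. Separately, the unchanged line above has "against an presented external authentication mechanism", which should read "a presented".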
Revision as of 18:39, 3 October 2013
Contents
- 1 OpenStack 2013.2 (Havana) Release Notes
- 1.1 General Upgrade Notes
- 1.2 OpenStack Object Storage (Swift)
- 1.3 OpenStack Compute (Nova)
- 1.4 OpenStack Image Service (Glance)
- 1.5 OpenStack Dashboard (Horizon)
- 1.6 OpenStack Identity (Keystone)
- 1.7 OpenStack Network Service (Neutron)
- 1.8 OpenStack Block Storage (Cinder)
- 1.9 OpenStack Metering (Ceilometer)
- 1.10 OpenStack Orchestration (Heat)
OpenStack 2013.2 (Havana) Release Notes
General Upgrade Notes
tbd
OpenStack Object Storage (Swift)
Key New Features
Known Issues
None
Upgrade Notes
OpenStack Compute (Nova)
Key New Features
Known Issues
Upgrade Notes
- Note that periodic tasks will now run more often than before. The frequency of periodic task runs has always been configurable. However, the timer for when to run the task again was previously started after the last run of the task completed. The tasks now run at a constant frequency, regardless of how long a given run takes. This makes it much clearer when tasks are supposed to run. However, the side effect is that tasks will now run a bit more often by default. (https://review.openstack.org/#/c/26448/)
- The security_groups_handler option has been removed from nova.conf. It was added for Quantum and is no longer needed. (https://review.openstack.org/#/c/28384/)
- This change should not affect upgrades, but it is a change in behavior for all new deployments. Previous versions created the default m1.tiny flavor with a disk size of 0. The default value is now 1. 0 means not to do any disk resizing and just use whatever disk size is set up in the image. 1 means to impose a 1 GB limit. The special value of 0 is still supported if you would like to create or modify flavors to use it. (https://review.openstack.org/#/c/27991/).
- https://review.openstack.org/#/c/33595
- https://review.openstack.org/#/c/33143
- https://review.openstack.org/#/c/35264/
- https://review.openstack.org/#/c/28750/
- https://review.openstack.org/#/c/27160
- https://review.openstack.org/#/c/35425/
- https://review.openstack.org/#/c/33996/
- https://review.openstack.org/#/c/43268/ - the VMware configuration variable 'vnc_password' is now deprecated. A user will no longer be required to enter a password to have VNC access. This now works like all other virt drivers.
OpenStack Image Service (Glance)
Key New Features
Known Issues
Upgrade Notes
OpenStack Dashboard (Horizon)
Key New Features
Known Issues
Upgrade Notes
OpenStack Identity (Keystone)
Key New Features
- Improved deployment flexibility
- Authorization data (tenants/projects, roles, role assignments; e.g. SQL) can now be stored in a separate backend, as determined by the "assignments" driver, from authentication data (users, groups; e.g. LDAP), as determined by the "identity" driver
- Credentials (e.g. ec2 tokens) can now be stored in a separate backend, as determined by the "credentials" driver, from authentication data
- Ability to specify more granular RBAC policy rules (for example, based on attributes in the API request / response body)
- Pluggable handling of external authentication using REMOTE_USER
- Token generation, which is currently either UUID or PKI based, is now pluggable and separated from token persistence. Deployers can write a custom implementation of the keystone.token.provider.Provider interface and configure keystone to use it with [token] provider. As a result, [signing] token_format is now deprecated in favor of this new configuration option.
- First-class support for deployment behind Apache httpd
- New deployment features
- Ability to cache the results of driver calls in a key-value store (for example, memcached or redis)
- keystone-manage token_flush command to help purge expired tokens
- New API features
- Delegated role-based authorization to arbitrary consumers using OAuth 1.0a
- API clients can now opt out of the service catalog being included in a token response
- Unicode i18n support for API error messages based on HTTP Accept-Language headers
- Domain role assignments can now be inherited by that domain's projects
- Aggregated role assignments API
- External authentication providers can now embed a binding reference into tokens such that remote services may optionally validate the identity of the user presenting the token against a presented external authentication mechanism. Currently, only kerberos is supported.
- Endpoints may now be explicitly mapped to projects, effectively preventing certain endpoints from appearing in the service catalog for certain based on the project scope of a token. This does not prevent end users from accessing or using endpoints they are aware of through some other means.
- Event notifications emitted for user and project/tenant create, update, and delete operations
- General performance improvements
- The v2 and v3 API now use the same logic for computing the list of roles assigned to a user-project pair during authentication, based on user+project, group+project, user+domain-inherited, and group+domain-inherited role assignments (where domain-inherited role assignments allow a domain-level role assignment to apply to all projects owned by that domain). The v3 API now uses a similar approach for computing user+domain role assignments for domain-scoped tokens.
- Logs are handled using a common logging implementation from Oslo-incubator, consistent with other OpenStack projects
- SQL migrations for extensions can now be managed independently from the primary migration repository using keystone-manage db_sync --extension=«extension-name».
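The endpoint-to-project mapping listed under New API features only filters the service catalog, so a service behind a hidden endpoint still has to authorize requests itself. The following is an added example, not Keystone code: a simplified model in which every endpoint ID, URL, project, role and function name is constructed for illustration.

```python
# Added illustration: simplified model of endpoint-to-project catalog filtering.
# All identifiers and sample data are constructed; this is not Keystone's API.

ENDPOINTS = {
    "ep-compute": "https://compute.example.test:8774/v2",
    "ep-billing": "https://billing.example.test:8080/v1",
}
# Assumed shape of the explicit endpoint -> projects mapping.
ENDPOINT_PROJECTS = {
    "ep-compute": {"proj-a", "proj-b"},
    "ep-billing": {"proj-a"},
}
# The billing service's own policy: roles it accepts, per project.
BILLING_POLICY = {"proj-a": {"billing_admin"}}


def catalog_for(token):
    """Return only the endpoints mapped to the token's project scope."""
    return {
        ep_id: url
        for ep_id, url in ENDPOINTS.items()
        if token["project_id"] in ENDPOINT_PROJECTS.get(ep_id, set())
    }


def billing_accepts_any_valid_token(token):
    """Weak: treats 'hidden from the catalog' as if it were access control."""
    return token["valid"]


def billing_enforces_policy(token):
    """Hardened: the service checks project scope and role on every request."""
    allowed_roles = BILLING_POLICY.get(token["project_id"], set())
    return token["valid"] and bool(allowed_roles & set(token["roles"]))


# Constructed sample tokens, already validated by the identity service.
TOKEN_A = {"valid": True, "project_id": "proj-a", "roles": ["billing_admin"]}
TOKEN_B = {"valid": True, "project_id": "proj-b", "roles": ["member"]}

if __name__ == "__main__":
    for name, tok in (("proj-a", TOKEN_A), ("proj-b", TOKEN_B)):
        print(name, sorted(catalog_for(tok)),
              billing_accepts_any_valid_token(tok),
              billing_enforces_policy(tok))
```
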
Known Issues
Upgrade Notes
OpenStack Network Service (Neutron)
Key New Features
Known Issues
None yet.
Upgrade Notes
- Changes to neutron-dhcp-agent require you to first upgrade your dhcp-agents. Then wait until the dhcp_lease time has expired. After waiting at least dhcp_lease time, update neutron-server. Failure to do this may lead to cases where an instance is deleted, the dnsmasq process has not released the lease, and Neutron allocates that IP to a new port. (https://review.openstack.org/#/c/37580/)
OpenStack Block Storage (Cinder)
Key New Features
Known Issues
None yet
Upgrade Notes
- None yet
- TODO: note about ThinLVM https://review.openstack.org/#/c/48336/
OpenStack Metering (Ceilometer)
Key New Features
Known Issues
None yet
Upgrade Notes
None yet
OpenStack Orchestration (Heat)
Key New Features
Known Issues
None yet
Upgrade Notes
None yet