
Difference between revisions of "ReleaseNotes/Icehouse"

(OpenStack Identity (Keystone))
(Upgrade Notes)
Line 86: Line 86:
 
=== Upgrade Notes ===
 
=== Upgrade Notes ===
  
* The v2 API has been prepared for deprecation (which will likely occur during the Juno release cycle).
+
* The v2 API has been prepared for deprecation, but remains stable in the Icehouse release. It may be formally deprecated during the Juno release pending widespread support for the v3 API.
 
* Backwards compatibility for <code>keystone.middleware.auth_token</code> has been removed. <code>auth_token</code> middleware module is no longer provided by Keystone itself, and must be imported from <code>keystoneclient.middleware.auth_token</code> instead.
 
* Backwards compatibility for <code>keystone.middleware.auth_token</code> has been removed. <code>auth_token</code> middleware module is no longer provided by Keystone itself, and must be imported from <code>keystoneclient.middleware.auth_token</code> instead.
 
* The <code>s3_token</code> middleware module is no longer provided by Keystone itself, and must be imported from <code>keystoneclient.middleware.s3_token</code> instead. Backwards compatibility for <code>keystone.middleware.s3_token</code> will be removed in Juno.
 
* The <code>s3_token</code> middleware module is no longer provided by Keystone itself, and must be imported from <code>keystoneclient.middleware.s3_token</code> instead. Backwards compatibility for <code>keystone.middleware.s3_token</code> will be removed in Juno.
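
Review bot: the reworded v2 API bullet says the API is "prepared for deprecation" but "remains stable", and leaves the timing as "may be formally deprecated during the Juno release", without telling an operator reading Upgrade Notes whether anything needs doing for Icehouse. Suggest adding that no action is required in this release. The unchanged auth_token bullet next to it also reads "auth_token middleware module is no longer provided" without the leading "The" that the s3_token bullet has.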

Revision as of 19:19, 27 March 2014

OpenStack 2014.1 (Icehouse) Release Notes

General Upgrade Notes

tbd

OpenStack Object Storage (Swift)

Key New Features

Known Issues

None

Upgrade Notes

OpenStack Compute (Nova)

Key New Features

Known Issues

  • Document which other OpenStack APIs we support
    • Only support Keystone V2 (not V3)
    • Cinder?
    • Glance?

Upgrade Notes

  • https://review.openstack.org/50668
  • https://review.openstack.org/#/c/54290/ ... and check for other deprecated options that have been removed, and document them here
  • The PowerVM driver has been removed: https://review.openstack.org/#/c/57774/
  • https://review.openstack.org/#/c/27160
  • https://review.openstack.org/#/c/54290/
  • The keystone_authtoken defaults changed in nova.conf: https://review.openstack.org/#/c/62815/
  • libvirt lvm names changed from using instance_name_template to instance uuid (https://review.openstack.org/#/c/76968). Possible manual cleanup required if using a non-default instance_name_template.
  • rbd disk names changed from using instance_name_template to instance uuid. Manual cleanup required of old virtual disks after the transition. (TBD find review)
  • Icehouse brings libguestfs as a requirement. Installing Icehouse dependencies on a system currently running Havana may cause the Havana node to begin using libguestfs and break unexpectedly. It is recommended that libvirt_inject_partition=-2 be set on Havana nodes prior to starting an upgrade of packages on the system if the nova packages will be updated last.
  • Creating a private flavor now adds access to the tenant automatically. This was the documented behavior in Havana, but the actual implementation in Havana and previous versions of Nova did not add the tenant automatically to private flavors.
  • Nova previously included a nova.conf.sample. This file was automatically generated and is no longer included directly. If you are packaging Nova and wish to include the sample config file, see etc/nova/README.nova.conf for instructions on how to generate the file at build time.

OpenStack Image Service (Glance)

Key New Features

Known Issues

Upgrade Notes

OpenStack Dashboard (Horizon)

Key New Features

Known Issues

Upgrade Notes

OpenStack Identity (Keystone)

Key New Features

  • New API features
    • POST /v3/users/{user_id}/password allows API users to update their own passwords
    • GET /v3/auth/token?nocatalog allows API users to opt-out of receiving the service catalog when performing online token validation
    • /v3/regions provides a public interface for describing multi-region deployments.
    • /v3/OS-SIMPLECERT/ now publishes the certificates used for PKI token validation.
    • /v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and maps federated attributes into OpenStack group-based role assignments.
  • /v3/OS-TRUST/trusts is now capable of providing limited-use delegation via the remaining_uses attribute of trusts.
  • The assignments backend (the source of authorization data) has now been completely separated from the identity backend (the source of authentication data). This means that you can now back your deployment's identity data to LDAP, and your authorization data to SQL, for example.
  • Keystone's driver interfaces are now implemented as Abstract Base Classes (ABCs) to make it easier to track compatibility of custom driver implementations across releases.
  • Keystone's default etc/policy.json has been rewritten in an easier to read format.
  • Notifications are now emitted in response to create, update and delete events on roles, groups, and trusts.
  • Custom extensions and driver implementations may now subscribe to internal-only event notifications, including disable events (which are only exposed externally as part of update events).
  • Additional plugins are provided to handle external authentication via REMOTE_USER with respect to single-domain versus multi-domain deployments.
  • policy.json can now perform enforcement on the target domain in a domain-aware operation using, for example, %(target.{entity}.domain_id)s.
  • KVS drivers are now capable of writing to persistent Key-Value stores such as Redis, Cassandra, or MongoDB.
  • The LDAP driver for the assignment backend now supports group-based role assignment operations.
  • Keystone now publishes token revocation events in addition to providing continued support for token revocation lists. Token revocation events are designed to consume much less overhead (when compared to token revocation lists) and will enable Keystone to eliminate token persistence during the Juno release.
  • Deployers can now define arbitrary limits on the size of collections in API responses (for example, GET /v3/users might be configured to return only 100 users, rather than 10,000). Clients will be informed when truncation has occurred.
  • Lazy translation has been enabled to translate responses according to the requested Accept-Language header.
  • Keystone now emits i18n-ready log messages.
  • Collection filtering is now performed in the driver layer, where possible.
  • Keystone now emits Cloud Audit Data Federation (CADF) event notifications in response to authentication events.

Known Issues

  • Bug 1291157: If using the OS-FEDERATION extension, deleting an Identity Provider or Protocol does not result in previously-issued tokens being revoked. This will not be fixed in the stable/icehouse branch.

Upgrade Notes

  • The v2 API has been prepared for deprecation, but remains stable in the Icehouse release. It may be formally deprecated during the Juno release pending widespread support for the v3 API.
  • Backwards compatibility for keystone.middleware.auth_token has been removed. The auth_token middleware module is no longer provided by Keystone itself, and must be imported from keystoneclient.middleware.auth_token instead.
  • The s3_token middleware module is no longer provided by Keystone itself, and must be imported from keystoneclient.middleware.s3_token instead. Backwards compatibility for keystone.middleware.s3_token will be removed in Juno.
  • The default token duration has been reduced from 24 hours to just 1 hour. This effectively reduces the number of tokens that must be persisted at any one time, and (for PKI deployments) reduces the overhead of the token revocation list.
  • keystone.contrib.access.core.AccessLogMiddleware has been deprecated in favor of either the eventlet debug access log or Apache httpd access log and may be removed in the K release.
  • keystone.contrib.stats.core.StatsMiddleware has been deprecated in favor of external tooling and may be removed in the K release.
  • keystone.middleware.XmlBodyMiddleware has been deprecated in favor of support for "application/json" only and may be removed in the K release.
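
An upgrade check for the middleware moves and deprecations listed above, as an added example (not code from Keystone or from these release notes): it scans a PasteDeploy-style configuration for factory references that still point at the removed or deprecated modules. The sample configuration, the status labels and the function name are constructed for illustration, and it assumes factories are referenced as `module:attribute`.

```python
import configparser

# Rules taken from the Keystone upgrade notes above:
# (module prefix, class name or None, status label, advice from the notes)
RULES = [
    ("keystone.middleware.auth_token", None, "removed",
     "import from keystoneclient.middleware.auth_token"),
    ("keystone.middleware.s3_token", None, "compat-until-juno",
     "import from keystoneclient.middleware.s3_token"),
    ("keystone.contrib.access", "AccessLogMiddleware", "deprecated",
     "use the eventlet debug access log or Apache httpd access log"),
    ("keystone.contrib.stats", "StatsMiddleware", "deprecated",
     "use external tooling"),
    ("keystone.middleware", "XmlBodyMiddleware", "deprecated",
     "application/json only"),
]

# Constructed sample input (not taken from a real deployment).
SAMPLE = """\
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory

[filter:s3token]
paste.filter_factory = keystone.middleware.s3_token:filter_factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:authtoken_client]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
"""

def audit_paste_config(text):
    """Return (section, status, advice) for each stale factory reference."""
    parser = configparser.RawConfigParser()  # raw: no '%' interpolation
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not key.startswith("paste."):
                continue
            module, _, attr = value.strip().partition(":")
            for prefix, name, status, advice in RULES:
                in_module = module == prefix or module.startswith(prefix + ".")
                if in_module and (name is None or name in attr or name in module):
                    findings.append((section, status, advice))
                    break
    return findings
```

Running `audit_paste_config(SAMPLE)` flags the first three filters and leaves the `keystoneclient` reference alone; a non-empty result for the "removed" status means the service will fail to load its pipeline after the upgrade.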

OpenStack Network Service (Neutron)

Key New Features

Known Issues

None yet.

Upgrade Notes

OpenStack Block Storage (Cinder)

Key New Features

Known Issues

None yet

Upgrade Notes

OpenStack Metering (Ceilometer)

Key New Features

Known Issues

https://bugs.launchpad.net/ceilometer/+bug/1297528

Upgrade Notes

None yet

OpenStack Orchestration (Heat)

Key New Features

Known Issues

None yet

Upgrade Notes

None yet

OpenStack Documentation

Key New Features

Known Issues

Upgrade Notes

None yet