- Keystone now has experimental support for Keystone-to-Keystone federation, where one instance acts as an Identity Provider, and the other a Service Provider.
- PKIZ is a new token provider available for users of PKI tokens, which simply adds zlib-based compression to traditional PKI tokens.
- The hashing algorithm used for PKI tokens has been made configurable (the default is still MD5, but the Keystone team recommends that deployments migrate to SHA256).
- Identity-driver-configuration-per-domain now supports Internet domain names of arbitrary hierarchical complexity (for example, `customer.cloud.example.com`).
- The LDAP identity backend now supports `description` as an attribute of users.
- Identity API v3 requests are now validated via JSON Schema.
- In the case of multiple identity backends, Keystone can now map arbitrary resource IDs to arbitrary backends.
- `keystoneclient.middleware.auth_token` has been moved into its own repository, `keystonemiddleware.auth_token`.
- Identity API v3 now supports a discrete call to retrieve a service catalog, `GET /v3/auth/catalog`.
- Federated authentication events and local role assignment operations now result in CADF (audit) notifications.
- Keystone can now associate a given policy blob with one or more endpoints.
- Keystone now provides JSON Home documents on the root API endpoints in response to `Accept: application/json-home` headers.
- Hiding endpoints from clients' service catalogs is now more easily manageable via `OS-EP-FILTER`.
- The credentials collection API is now filterable per associated user (`GET /v3/credentials?user_id={user_id}`).
- New, generic API endpoints are available for retrieving authentication-related data, such as a service catalog, available project scopes, and available domain scopes.
- Keystone now supports mapping the user `enabled` attribute to the `lock` attribute in LDAP (and inverting the corresponding boolean value accordingly).
- A CA certificate file is now configurable for LDAPS connections.
- The templated catalog backend now supports generating service catalogs for Identity API v3.
- Service names were added to the v3 service catalog.
- Services can now be filtered by name (`GET /v3/services?name={service_name}`).