- Due to the simpler out-of-the-box experience, the default token provider is now UUID instead of PKI.
- Database migrations for releases prior to Havana have been dropped, meaning that you must upgrade to the Juno release from either a Havana or Icehouse deployment.
- A comprehensive list of all updated, deprecated or removed options in Keystone can be found at: http://docs.openstack.org/trunk/config-reference/content/keystone-conf-changes-master.html
- All
token_api methods are now deprecated.
- LDAP configuration options that previously contained the deprecated
tenant terminology have been superseded by options using the term project.
- Proxy methods from the identity backend to the assignment backend (created to provide backwards compatibility as a result of the split of the Assignment backend from the Identity backend), have been removed. This should only affect custom, out-of-tree API extensions.
- Loading authentication plugins solely by class name in
keystone.conf is now deprecated in favor of loading them by custom-method-name = custom_package.CustomClass pairs, and then defining the sequence of authentication methods as a list (methods = custom-method-name, password).
- In-tree token drivers (
keystone.token.backends) have been moved to keystone.token.persistence.backends. Proxy objects exist to maintain compatibility. If a non-default value is used, it is recommended the value of the driver option in the [token] section of keystone.conf is updated to use the new location.
- All KVS backends besides the
token driver have been formally deprecated.
- LDAP/AD configuration: All configuration options containing the term "tenant" have been deprecated in favor of similarly named configuration options using the term "project" (for example,
tenant_id_attribute has been replaced by project_id_attribute).
