Bug Fixes¶

• Fixes missingget_auth_ref call for thenone andhttp_basicauthentication plugins. The implementation simply returnsNone.

Bug Fixes¶

• Fixesget_api_major_version for non-keystone authentication methodswhen the provided endpoint is not versioned.

New Features¶

• A newhttp_basic auth plugin is added which enables HTTP Basicauthentication for standalone services. Like thenoauth plugin, theendpoint needs to be specified explicitly, along with theusername andpassword.

Upgrade Notes¶

• Python 3.5 is no longer supported.

Bug Fixes¶

• [bug 1876317]The v3 authentication plugins now attempt to add /v3 to the token path ifit’s not present on the authentication URL.

Upgrade Notes¶

• Python 2.7 support has been dropped. Last release of keystoneauthto support python 2.7 is OpenStack Train. The minimum version of Python nowsupported is Python 3.6.

New Features¶

• [feature bug 1840235]Addsconnect_retries to Session.__init__(), that can then be usedby projects when creating session objects, to set the required number ofretries for new connection requests. This would specifically help avoida scalability issue that results in number of ConnectTimeout errors whendoing endpoint discovery and fetching roles using an auth plugin underheavy load. This still allows for it to be overridden per service withthe adapter interface.

Upgrade Notes¶

• If keystoneauth and openstacksdk are both in use and keystoneauthis upgraded to this releasebefore upgrading openstacksdk to0.36.1 or later, creation of ServerGroup objects with policiesand use of Ansible Inventory could be adversely affected. Seehttps://review.opendev.org/#/c/685999/ for more details.

Bug Fixes¶

• [bug 1838704] When consuming keystoneauth1.session.Session, if a requests session is not provided one is created. The Session used for requests may result in a ResourceWarning being generated if it is not properly closed. The code has been updated to close the session correctly when the Session object is deleted.

• Retry version discovery with auth token when the initial requestthrows 401 Unauthorized. There are some services that are erroneouslydefaulting to authenticated discovery, and this allows discoveryto work properly on them.

New Features¶

• [bug 1839748]Keystoneauth now supports MFA authentication and Auth Receipts.Responses from Keystone containing and auth receipt will nowraise aMissingAuthMethods exception which will contain theauth receipt itself, and information about the missing methods.There are now also ways to easily do more than one method whenauthenticating to Keystone and those have been documented.

New Features¶

• Allows configuring fixed retry delay for connection and status code retriesvia the new parametersconnect_retry_delay andstatus_code_retry_delay accordingly.

New Features¶

• Fix handling of HTTP error payloads that conform to the API SIG formatting guidelines.

• TheX-Openstack-Request-Id header can now be set per-request via aglobal_request_id kwarg toAdapter andSession request methods(request(),get(),put(), etc.)

• The Adapter parametersconnect_retries andstatus_code_retries cannow be set via configuration optionsconnect-retries andstatus-code-retries accordingly.

Bug Fixes¶

• Add logic to handle HTTP error responses that do not conform to a known schema.

• The retry interval for retries enabled byconnect_retries andstatus_code_retries is now limited at 60 seconds. Previously it wouldgrow exponentially.

New Features¶

• Support added for client-side rate limiting. Two new parameters nowexist forkeystoneauth1.adapter.Adapter.rate expresses amaximum rate at which to execute requests.parallel_limit allowsfor the creation of a semaphore to control the maximum number ofrequests that can be active at any one given point in time.Both default toNone which has the normal behavior or not limitingrequests in any manner.

Bug Fixes¶

• A workaround for misformed discovery documents was being applied toosoon causing ironic discovery documents to be mistakenly ignored.

Bug Fixes¶

• Fixed an issue wherehttps://example.com andhttps://example.com/ werebeing treated as different urls in the discovery cache resulting in asecond unneeded discovery call when someone sets anendpoint_overridethat didn’t match the trailing-slash form given by that service’sdiscovery document.

New Features¶

• Added ability to filter the results ofget_all_version_data byservice-type.

• Addedget_all_version_data toadapter.Adapter that uses theadapter’sservice_type to filter the version data fetched.

Bug Fixes¶

• Fixed support for detecting microversion ranges on older Ironicinstallations.

Bug Fixes¶

• [bug 1733052] Now the version discovery mechanism only fetches the version info from server side if the versioned url has been overrode. So that the request url’s path won’t be changed completely.

New Features¶

• Addes support for retrying certain HTTP status codes when doing requestsvia the newstatus_code_retries andretriable_status_codesparameters forSession andAdapter.

New Features¶

• Addedcollect_timing option tokeystoneauth1.session.Session.The option, which is off by default, causes theSession to collectAPI timing information for every call it makes. Methodsget_timingsandreset_timings have been added to allow getting and clearing thedata.

• Addedsplit-loggers option to the oslo.config Session options.

• Exposedkeystoneauth1.discover.version_between as a public functionthat can be used to determine if a given version is within a range.

Bug Fixes¶

• [bug 1766235]Fixed an issue where passing headers in as bytes rather than stringswould cause a sorting issue.

Bug Fixes¶

• The docstring forkeystoneauth1.session.Session.get_all_version_datacorrectly listed'public' as the default value, but the argument listhadNone. The default has been fixed to match the documented value.

New Features¶

• Added a ‘status’ field to theEndpointData object which contains acanonicalized version of the information in the status field of discoverydocuments.

• Added support for service-type aliases as defined in the Service TypesAuthority when doing catalog lookups.

New Features¶

• [blueprint application-credentials]Support for authentication via an application credential has been added.Keystoneauth can now be used to authenticate to Identity servers thatsupport application credentials.

• [blueprint system-scope]Keystoneauth now has the ability to authenticate for system-scoped tokens,which were implemented during the Queens development cycle. System-scopedtokens will eventually be required to separate system-level APIs fromproject-level APIs, allowing for better security via scoped RBAC.

New Features¶

• A newnone auth plugin is added with purpose to simplify loadingclients from configuration file options.It does not accept any arguments and sets the token to ‘notused’.It does not have any endpoint/url associated with it,and thus must be used together withadapter.Adapter’sendpoint_override option to instantiate a session for clientto a service that is deployed in noauth/standalone mode.

New Features¶

• Added support for specifying a microversion to use on a given REST request. The microversion can be specified on session request calls and a default can be set on Adapter construction.

• Added support for the API Working Group recommendations on service and version discovery. New methods on Session and Adapter, “get_endpoint_data” will return endpoint metadata including microversion information. Additionally, versions can be requested with a range and with the string “latest”, and interface values can be given as a list in case a user wants to express a ‘best available’ set of preferences.

Prelude¶

Allow setting EndpointReference in ADFSPassword

New Features¶

• Add the ability to specify the WS-Policy EndpointReference used in the ADFSPassword plugin’s RequestSecurityToken message via the ‘service-provider-entity-id’ option. Also added ‘identity-provider-url’ option which was required, but missing from option list.

Bug Fixes¶

• [bug 1689424] Allow setting EndpointReference in ADFSPassword.

New Features¶

• A new flagallow_version_hack was added to identity plugins and the adapter which will allow a client to opt out of making guesses at the version url page of a service. This means that if a deployment is misconfigured and the service catalog contains a versioned endpoint that does not match the requested version the request will fail. This will be useful in beginning to require correctly deployed catalogs rather than continue to hide the problem.

Bug Fixes¶

• [bug 1616105] Only log the response body when theContent-Type header is set toapplication/json. This avoids logging large binary objects (such as images). OtherContent-Type will not be logged. AdditionalContent-Type strings can be added as required.

• TheX-Service-Token header value is now properly masked, and isdisplayed as a hash value, in the log.

Prelude¶

Allow adding client and application name and version to the session and adapter that will generate a userful user agent string.

New Features¶

• You can specify aapp_name andapp_version when creating a session. This information will be encoded into the user agent.

• You can specify aclient_name andclient_version when creating an adapter. This will be handled by client libraries and incluced into the user agent.

• Libraries like shade that modify the way requests are made can add themselves to additional_user_agent and have their version reflected in the user agent string.

Deprecation Notes¶

• We suggest you fill the name and version for the application and client instead of specifying a customuser_agent. This will then generate a standard user agent string.

Prelude¶

HTTP connections work under Windows Subsystem for Linux

Bug Fixes¶

• [bug 1614688] HTTP connections were failing under Windows subsystem for Linux because TCP_KEEPCNT was being set and that environment does not support such override yet.

Prelude¶

Add the prompt parameter to loader Opts

Allow specifying additional_headers to the session and the adapter to add headers to all requests that pass through these objects.

New Features¶

• Add support for the Client Credentials OpenID Connect grant type.

• Add support for theOpenID Connect Discovery Document into the OpenID Connect related plugins. Now it is possible to only pass thediscovery-url option and the plugins will try to fetch the required metadata from there.

• The prompt parameter was added to the Opts provided by auth plugins. The presence of the prompt parameter on an Option will indicate to plugin loaders that it is ok to prompt the user for input for this parameter if none is provided initially. Actual implementation of this prompting mechanism will be handled by the individual loaders such as os-client-config.

• Add the ability to provide additional_headers to the session and adapter object. This will allow clients particularly to provide additional ways to identify their requests. It will also hopefully provide an intermediate way to handle setting microversions until we support them directly with keystoneauth.

Bug Fixes¶

• [bug 1583682] OpenID Connect plugins should support OpenID Connect Discovery.

New Features¶

• [blueprint totp-auth] Add an auth plugin to handle Time-Based One-Time Password (TOTP) authentication via thetotp method. This new plugin will accept the following identity options:-user-id: user ID -username: username -user-domain-id: user’s domain ID -user-domain-name: user’s domain name -passcode: passcode generated by TOTP app or deviceUser is uniquely identified by eitheruser-id or combination ofusername anduser-domain-id oruser-domain-name.

Bug Fixes¶

• Fix passing scope parameters in Oidc* auth plugins. [Bug1582774]

New Features¶

• Added a new OidcAccessToken plugin, accessible via the ‘v3oidcaccesstoken’ entry point, making possible to authenticate using an existing OpenID Connect Access token.

Bug Fixes¶

• [bug 1583780] OpenID connect support should include authenticating using directly an access token.

Bug Fixes¶

• [bug 1527131] Do not provide socket values for OSX and Windows.

Other Notes¶

• Added a betamax fixture for keystoneauth sessions.

• Added a RFC 7231 compliant user agent string.