CHANGES
=======

26.0.0
------

* Remove logic to support pysaml2<3.0.0
* Remove support-matrix.css
* Implement the Domain Manager Persona for Keystone
* Update hacking to latest version
* Enable hacking check in pre-commit
* Fix role statement in admin doc
* Replace deprecated in py312 datetime usages
* Add keystone-manage reset\_last\_active command
* Correct format for token expiration time
* Update OIDC Apache config to avoid masking Keystone API endpoint
* Enable mypy
* Enable non-voting OpenAPI build job
* Re-join the strings after re-formatting
* Move bandit to pre-commit
* Enable pyupgrade
* Enable black in pre-commit
* Add blackify commit to blame ignore
* Only log a small debug message for NotFound
* Blackify the keystone code base
* Add a release note to cover fix of implied role for application credentials
* Fix implied roles in the application credentials
* Fix bindep for py312 job
* Add pre-commit
* Replace use of testtools.testcase.TestSkipped
* Remove dependency on pytz
* Improve configuration of out-of-tree identity drivers
* do not use str(url) to stringify a URL for subsequent use
* Remove reference to devstack-gate
* reno: Update master for unmaintained/zed
* Make protection job voting again
* Allow domain users to manage credentials
* Allow domain admin to view roles
* Enable protection jobs
* Remove SQLAlchemy tips jobs
* Allow admin to access tokens and credentials
* Run Secure RBAC tests as project-admin
* reno: Update master for unmaintained/xena
* reno: Update master for unmaintained/wallaby
* reno: Update master for unmaintained/victoria
* Update master for stable/2024.1
* Add test with noauth for s3tokens and ec2tokens

25.0.0
------

* Deprecate templated catalog driver
* Update regex to detect closed branch
* Add ability to create users and projects from keystone-manage
* Remove unused old job templates and experimental jobs
* api-ref: Fix indentation
* sql: Fixup for invalid unique constraint on external\_id in access\_rule table
* Drop keystone-dsvm-functional-federation-opensuse15 jobs
* Fix operation order in role deletion
* Fix old arm64 job template
* Dont enforce when HTTP GET on s3tokens and ec2tokens
* Normalize policy checks for domain-scoped tokens
* Add domain scoping to list\_domains
* Fix federation mapping role jsonschema
* Pass initiator to delete user
* reno: Update master for unmaintained/yoga
* Drop unused pymongodb from requirements
* tox: Drop envdir
* Allow users with "admin" role to get projects
* Allow assignment of domain specific role to federated users
* Drop remaining references to eventlet options
* Replace CRLF by LF
* Fix policies for groups
* Consistent and Secure RBAC (Phase 1)
* Keystone to honor the "domain" attribute mapping rules
* Update python classifier in setup.cfg
* Improve application credential validation speed
* python 3.12: use raw string
* Remove babel.cfg
* Imported Translations from Zanata
* Propagate redirect exceptions to the client
* Clean up deprecated options for eventlet server
* Remove deprecated [memcache] options
* Drop compatibility code for Python 2.y
* Fix bindep.txt for python 3.11 job(Debian Bookworm)
* Check user existence before setting last\_active\_at
* Remove unnecessary shebang
* fix(federation): follow-up
* Stop pinning pep8 related packages
* Fix typo in cmd/status.py
* Update master for stable/2023.2

24.0.0
------

* Update keystone gates to use jammy
* Add default manager role support to bootstrap command
* Imported Translations from Zanata
* Respect cached tokens issued before upgrade
* Add support for bcrypt\_sha256 hasher
* Properly trimm bcrypt hashed passwords
* Use py3 as the default runtime for tox
* doc: Update the installtion guide for RHEL8/CentOS8 and RHEL9/CentOS9
* Imported Translations from Zanata
* Add a cache to check\_revocation
* doc: Correct typo
* Revoke list\_events: Add trust sql filter
* sql: Remove service\_provider.relay\_state\_prefix default
* docs: Clarify lack of LDAP assignment back end
* sql: Fix incorrect columns
* doc: Add minimal documentation on generating migrations
* Fix presentation of OAuth2.0 user guides
* sql: Delay importing SQL modules
* Add job to test with SQLAlchemy master (2.x)
* db: Don't rely on branched connections
* Imported Translations from Zanata
* Fix typo in openid federation diagram
* Add doc of OAuth2.0 Client Credentials Grant Flow
* sql: Remove duplicate constraints
* Fix outdated default catalog template
* Add default service role support to boostrap command
* Print a human readable error if tls certs are not provided
* [PooledLDAPHandler] Clean up the fix for result3()
* Don't forget to check if authorization fails
* Remove Dependency on Cryptography >=36.0.0
* sql: Fix incorrect constraints
* Update master for stable/2023.1

23.0.0
------

* OAuth 2.0 Mutual-TLS Support
* sql: Add support for auto-generation
* tests: Rework BannedDBSchemaOperations fixture
* Remove unnecessary removal of pyc files
* db: Remove legacy migrations
* db: Replace use of reverse cascades
* db: Replace use of Query.get()
* db: Don't pass strings to 'Connection.execute'
* db: Replace use of 'autoload' parameter
* db: Replace use of legacy select() calling style
* db: Remove use of 'bind' arguments
* tests: Enable SQLAlchemy 2.0 deprecation warnings
* Bump SQLAlchemy minimum version
* Force algo specific maximum length
* api-ref: Correct app credentials auth response
* Add oidc federation test setup
* Fix passenv syntax in tox and update python jobs
* [PooledLDAPHandler] Ensure result3() invokes message.clean()
* requirements: Bump linter requirements
* Limit token expiration to application credential expiration
* Remove authenticate.failed from the notification\_opt\_out list
* fix(federation): allow using numerical group names
* Add an option to randomize LDAP urls list
* Update master for stable/zed

22.0.0
------

* Imported Translations from Zanata
* Fix host:port handling
* remove unicode prefix from code
* Use TOX\_CONSTRAINTS\_FILE
* Imported Translations from Zanata
* Move fips job to centos-9
* docs: Update docs to reflect migration to Alembic
* sql: Integrate alembic
* tests: Don't monkeypatch functions
* sql: Don't create a new connection in migrations
* Ignore UserWarning for scope checks during test runs
* tox: Don't generate byte code
* OAuth2.0 Client Credentials Grant Flow Support
* Change error response status code in master branch
* Imported Translations from Zanata
* Changed minversion in tox to 3.18.0
* Fix typo in documentation
* Update python testing as per zed cycle teting runtime
* Drop lower-constraints.txt and its testing
* Add service\_type config info for access rules
* Remove the note of training-labs
* Fix delete a limit api doc
* typo fix in docstring
* Update TOTP example code for python 3
* Log the traceback in \_handle\_keystone\_exception
* trivial: Fix typo
* Update master for stable/yoga

21.0.0
------

* Fix bindep.txt for current RPM based distributions
* Fix API path in document
* Add Python3 xena unit tests
* Add Python3 wallaby unit tests
* sql: Prepare for alembic migration
* sql: Remove dead helpers
* Properly instantiate FernetUtils
* Fix issue with LDAP backend returning bytes instead of string
* sql: Add initial Yoga migration branches
* sql: Add additional changes to initial alembic migration
* sql: Populate initial alembic migration
* sql: Move test-only code to tests
* sql: Vendor 'oslo\_db.sqlalchemy.migration'
* sql: Move migrations to 'legacy\_migrations'
* sql: Remove dead code
* cmd: Remove deprecated '--extension' argument
* sql: Add initial alembic scaffolding
* sql: Reorder tables to reflect creation order
* sql: Squash ussuri migrations
* sql: Squash train migrations
* sql: Squash stein migrations
* sql: Squash rocky migrations
* sql: Squash queens migrations
* sql: Squash pike migrations
* sql: Squash ocata migrations
* sql: Squash newton migrations (part 2)
* sql: Remove duplicated constants
* sql: Remove 'get\_init\_version'
* Change the min value of pool\_retry\_max to 1
* Add generate schemas tool
* Add 'StandardLogging' fixture
* sql: Rename initial migrations
* sql: Remove legacy 'migrate\_repo' migration repo
* sql: Fold unique constraints into table definitions
* sql: Fold indexes into table defintions
* sql: Squash newton migrations (part 1)
* sql: Squash mitaka migrations
* Add 'WarningsFixture'
* sql: Squash liberty migrations
* sql: Trivial formatting changes
* Add support for pysaml2 >= 7.1.0
* tox: Random fixups
* using standard library secrets function token\_bytes to replace os.urandom
* Explicitly check policy name in policy warning tests
* Deprecate ineffective [memcache] options
* Fix response code of 'Revoke Token' in api-ref
* Accept STS and IAM services from Ceph Obj Gateway
* Fix oslo policy warning assert in unit tests
* Temporary exclude the common.sql.core.py from sphinx-apidoc target
* Remove broken tempest-full-py3-opensuse15 job
* Fix typos in application credential policies
* Fix typo in identity provider policies
* Update master for stable/xena
* Improve performance on trust deletion
* Replace deprecated assertDictContainsSubset

20.0.0
------

* Fix typos in ec2 credential policies
* Fix oslo policy DeprecatedRule warnings
* Update local\_id limit to 255 characters
* Add FIPS check job
* Replace deprecated import of ABCs from collections
* Moving IRC network reference to OFTC
* Update master for stable/wallaby
* Remove use of deprecated oslo.db options
* docs: Fix failing build
* Make DB queries compatible with SQLAlchemy 1.4.x
* fix get\_security\_compliance\_domain\_config policy rule typo
* Only log warnings about token length when length exceeds max\_token\_size
* setup.cfg: Replace dashes with underscores
* Hide AccountLocked exception from end users
* Retry update\_user when sqlalchemy raises StaleDataErrors
* Imported Translations from Zanata

19.0.0.0rc1
-----------

* Add job for keystone functional protection tests
* trivial: Update minor wording nit in RBAC persona documentation
* Clarify top-level personas in RBAC documentation
* Clarify \`\`reader\`\` role implementation in persona admin guide
* [goal] Deprecate the JSON formatted policy file
* Ignore oslo.db deprecating sqlalchemy-migrate warning
* Add openstack-python3-wallaby-jobs-arm64 job
* Add details to bootstrap docs for system role assignments
* Support bytes type in generate\_public\_ID()
* Imported Translations from Zanata
* Drop lower-constraints job
* fix E741 ambiguous variable name
* fix E225 missing whitespace around operator
* Use app cred user ID in policy enforcement
* Generalize release note for bug 1878938
* Use enforce\_new\_defaults when setting up keystone protection tests
* Implement more robust connection handling for asynchronous LDAP calls
* Imported Translations from Zanata
* Update master for stable/victoria
* Add vine to lower-constraints
* Simplify default config test
* Replace assertItemsEqual with assertCountEqual

18.0.0
------

* [goal] Migrate testing to ubuntu focal
* Fix gate by running l-c job on Bionic
* Write a symptom for checking memcache connections
* Bump pysaml2 requeriment to avoid CVE-2020-5390
* Fix user creation with GRANT in MySQL 8.0(Ubuntu Focal)
* Improve the update description for limits in api-ref
* Follow-up for bug-1891244
* Support format for msgpack < 1.0 in token formatter
* Skip tests to update u-c for PyMySql to 0.10.0
* Spelling Fix
* NIT: Spelling Fix
* Properly handle octet (byte) strings when converting LDAP responses
* Add support for functional RBAC tests
* Fix invalid assertTrue which should be assertEqual
* Delete system role assignments from system\_assignment table
* Fix api-ref for list endpoints
* Fix lower-constraint for PyMySQL
* Fix doc for package mod\_wsgi on Centos8/RHEL8
* requirements: Drop os-testr
* Fix "allow expired" feature for JWT
* Add ignore\_user\_inactivity user option
* Adding note for create a project without domain info
* Add "explicit\_domain\_id" to api-ref
* Run federation jobs on Ubuntu Focal
* Add an enhanced debug configuration technique to caching guide
* Remove an assignment from domain and project
* Imported Translations from Zanata
* New config option 'user\_limit' in credentials
* ldap: fix config option docs for \*\_tree\_dn
* Port the grenade multinode job to Zuul v3
* Stop to use the \_\_future\_\_ module
* NIT: Fix Spelling in auth\_context.py
* Update caching-layer.rst
* Cap jsonschema 3.2.0 as the minimal version
* Support regexes in whitelists/blacklists
* Switch to newer openstackdocstheme and reno versions
* Update keystone Making an API Change doc
* Update filtering-responsibilities and truncation
* Update doc id-manage.rst
* Update keystone architecture doc
* Disable EC2 credentials access\_id update
* Add service name filter to service list api-ref
* Bump hacking min version to 3.0.1
* Fix UserNotFound exception for expiring groups
* Switch to new grenade job name
* Fix security issues with EC2 credentials
* Ensure OAuth1 authorized roles are respected
* Check timestamp of signed EC2 token request
* Removes info about deleted function should\_cache\_fn
* Correct help for unified\_limits
* Imported Translations from Zanata
* Add Python3 victoria unit tests
* Update master for stable/ussuri

17.0.0.0rc1
-----------

* Enable groups testing for K2K scenarios
* Add schema placeholders for Ussuri
* Remove Babel as requirement
* Update hacking for Python3
* Remove a note related to UUID tokens from example configuration
* Update api-ref for federated objects in user
* Expiring Group Memberships API - Allow set idp authorization\_ttl
* Add federated support for updating a user
* Update contributors document keystone
* Add federated support for creating a user
* Stop configuring install\_command in tox
* Cleanup py27 support
* Add federated support for get user
* Add expiring user group memberships on mapped authentication
* Expiring Group Membership Driver - Add, List Groups
* Expiring User Group Membership Model
* Community goal: Adding contributing.rst
* Parse cli args in get\_enforcer
* Add openstack\_groups to assertion
* Change time faking for totp test
* Document the "immutable" resource option
* remove oslo-concurrency from requirements
* drop mock from test-requirements
* Correcting api-ref for users
* NIT: Fix spelling
* Copy shibboleth logs in federation jobs
* Ignore SQLAlchemy RemovedIn20Warning
* Switch from mock to unittest.mock use
* Refactor some ldap code to implement TODOs
* Doc Cleanup
* Tell reno to ignore the kilo branch
* Constraint dependencies for docs build
* Removing tempest-full from gate
* Check if content-type contains http, not equals
* Add docs about bootstrapping immutable roles
* Add domain admin grant test cases
* Default to bootstrapping roles as immutable
* Use inspect instead of Inspector.from\_engine()
* Remove six usage
* Updating tox -e all-plugin command
* Capture output from test run of policy generator
* Cleanup doc/requirements.txt
* Always have username in CADF initiator
* Fix duplicated words issue like "each each user\_id"
* Ensure bootstrap handles multiple roles with the same name
* Fix role\_assignments role.id filter
* Fix release note link formatting
* Fix token auth error if federated\_groups\_id is empty list
* Update OIDC documentation to handle bearer access token flow
* Imported Translations from Zanata
* Add docs for app cred access rules
* Remove python 2.7 specific library
* Add name in GET API of application credentials
* Stop adding entry in local\_user while updating ephemerals
* Fix api-ref roles response description
* Fix credential list for project members
* Fix application credential doc example
* Migrate grenade jobs to py3
* Start README.rst with a better title
* Drop old neutron-grenade job
* Stop testing Python 2
* Remove group deletion for non-sql driver when removing domains
* Refresh "how can I help?" doc
* Re-enable line-length linter
* Fix line-length PEP8 errors for c7fae97
* Add voting k2k tests
* Fix K2K auth flow diagram
* Stop explicitly requiring pycodestyle
* Add Source links to readme
* Switch to opensuse-15 nodeset
* Switch to official Ussuri jobs
* Revert "Resource backend is SQL only now"
* Drop project.id foreign keys
* Fix sql migrate repo prefix check
* Add schema placeholders for Train
* Overhaul the RBAC documentation for administrators
* Fix wrong interface description
* Import LDAP job into project
* Update getting started guide
* Remove legacy protection tests
* Update token definitions
* Remove policy.v3cloudsample.json
* Imported Translations from Zanata
* Fix misspell word
* Update master for stable/train

16.0.0.0rc1
-----------

* Remove limit policies from policy.v3cloudsample.json
* Add tests for project users interacting with limits
* Allow domain users to access the limit API
* Use immutable roles in tests
* Add missing ws between words in log messages
* Allow system/domain scope for assignment tree list
* Make policy deprecation reasons less verbose
* Readjust job timeouts
* Implement scope type checking for Project Endpoints
* Federation mapping debug should show direct\_maps values
* Consolidate policy deprecation warnings
* Add default roles and scope checking to project tags
* DRY up credential policies
* Move remaining protection tests
* Fix test case in policy associations
* Fix PostgreSQL specifc issue with credentials encoding
* Fix validation of role assignment subtree list
* Specify keystone is OS user for fernet and credential setup
* Add remote\_id definition in \_perform\_auth
* Use correct repo for initial version check
* Split protection unit tests into its own job
* Remove system EC2 credentials from policy.v3cloudsample.json
* Remove system Domain Config from policy.v3cloudsample.json
* Update API version for access rules
* Add access rules to token validation
* Expose access rules as its own API
* Remove obsolete grant policies from policy.v3cloudsample.json
* Alphabetize removed policies in tests
* Implement system admin for OAUTH1 consumers
* Implement system scope for domain role management
* Make system tokens work with domain-specific drivers
* Implement scope type checking for EC2 credentials
* Increase tox job timeouts to 90 minutes
* Add immutable roles status check
* Remove implied roles policies from v3cloudsample
* Implement system admin for implied roles
* Implement domain admin support for grants
* Implement domain reader support for grants
* Add Project User coverage for domain config API
* Add Domain User for security compliance domain config API
* Implement system admin for domain config API
* Implement system reader & member for domain config API
* Fix timeout Zuul changes
* Generate PDF documentation
* Add --immutable-roles flag to bootstrap command
* Add immutable option for roles and projects
* Bump timeout for lower-constraints job
* Implement resource options for roles and projects
* Implement system reader for OAUTH1 consumers
* Implement system reader for implied roles
* Remove system policy and its association from policy.v3cloudsample.json
* Override tox job timeouts
* Fix federation CI
* Fix oauthlib update errors
* Use raw formatting for mapping\_engine help text
* Add tests for project users for policy association
* Add tests for domain users for policy association
* Implement system admin for policy association
* Implement system reader & member for policy association
* Add tests for project users interacting with policies
* Add notifications for deleting app creds by user
* Add tests for domain users interacting with policies
* Clean up UserGroups target enforcement callback
* Fix relative links
* Add tests for project users interacting with endpoint\_groups
* Add tests for domain users interacting with endpoint\_groups
* Implement system\_admin for endpoint\_groups
* Implement system reader and member for endpoint\_groups
* Add retry for DBDeadlock in credential delete
* Fix translated response
* Implement system admin for trusts API
* Add tests for domain users for trusts
* Add tests for system member for trusts
* Implement system reader role for trusts API
* Move get\_role\_for\_trust enforcement to policies
* Move list\_roles\_for\_trust enforcement to policies
* Move get\_trust enforcement to default policies
* Move delete\_trust enforcement to default policies
* Move list\_trusts enforcement to default policies
* Add protection tests for trusts API
* Update broken link
* Update cli docs
* Implement system admin for policies
* Implement system reader and member for policies
* Add support for previous TOTP windows
* Honor group\_members\_are\_ids for user\_enabled\_emulation
* Update api-ref for revocation list OS-PKI
* Docs: Make robust with using real links
* Clean up irrelevant comment
* Fix list\_mappings deprecation warning message
* Allows to use application credentials through group membership
* Fix missing print format and missing ws between words
* Suppress policy deprecation warnings in unit tests
* Add API changes for app cred access rules
* Add manager support for app cred access rules
* Add user\_id, external\_id to access rules table
* Fix websso auth loop
* Deprecate keystone.conf.memcache socket\_timeout
* Fix typo: RBACKEnforcer -> RBACEnforcer
* Run 'tempest-ipv6-only' job in gate
* Followup for remove signing[config]
* Remove broken api-ref link
* doc: Fix broken links
* Fix python3 compatibility on LDAP search DN from id
* Deprecate identity:revocation\_list policy for removal
* Remove [signing] config
* Update api-ref location
* implement system scope for application credential
* Fixing dn\_to\_id function for cases were id is not in the DN
* Add new attribute to the federation protocol API
* Allow to filter endpoint groups by name
* update documentation for X.509 tokenless auth
* Deprecate [federation] federated\_domain\_name
* Allow JsonBlob to accommodate SQL NULL result sets
* Add exercises for intern applicants
* Fix keystone document
* nit: remove some useless code
* Drop limit columns
* token: consistently decode binary types
* Incorrect behavior of validate\_password method
* Update test cases for os-pki revoke API
* Blacklist sphinx 2.1.0 (autodoc bug)
* Bump openstackdocstheme to 1.20.0
* Remove redundant parameter passed to assertTrue
* Add Python 3 Train unit tests
* Switch order of precedence for unit test deps
* Don't call .c from select() objects
* Update misleading comment about fernet credential encryption
* Fix E731 flake8
* [api-ref] Fix nocatalog description for unscoped token
* Drop use opendev.org for tox deps
* Fix contributor doc of keystone
* Add link to describe Principle of Least Privilege
* Update the meaning of low-hanging-fruit
* Implement system scope and default roles for token API
* Update unified limit documentation
* Add cadf auditing to credentials
* Remove deprecated admin\_endpoint
* Revert "Exclude constants from autodoc"
* Revert "Ignore boilerplate constants in autodoc"
* Ignore boilerplate constants in autodoc
* Exclude constants from autodoc
* Report correct domain in federated user token
* Add flake8 ignore list to fast8 script
* Add application\_credential as a CADF type
* add raw format link to keystone config sample
* Update mission statement and vision reflection
* Add note about application credential ownership
* Revert "Add JSON driver for access rules config"
* Revert "Add manager for access rules config"
* Revert "Add a permissive mode for access rules config"
* Revert "Add manager support for app cred access rules"
* Revert "Add API for /v3/access\_rules\_config"
* Don't throw valueerror on bootstrap
* Remove [token]/ infer\_roles
* Pep8 environment to run on delta code only
* Add clarification for context in install guides
* Adds caching of credentials
* Cap sphinx for py2 to match global requirements
* Revert "Blacklist bandit 1.6.0"
* Fix documentation typo
* Blacklist bandit 1.6.0
* Update Python 3 test runtimes for Train
* [docs] remove deprecated ubuntu package from installation
* Fix for werkzeug > 0.15
* Replace git.openstack.org URLs with opendev.org URLs
* OpenDev Migration Patch
* Pass kwargs to exception to get better format of error message
* Replace support matrix ext with common library
* Uncap jsonschema
* Fix unscoped federated token formatter
* Use openstackdocstheme according to guide
* Make fetching all foreign keys in a join
* Support endpoint updates in bootstrap
* Add missing ws separator between words
* Move redelegation fields out of extras
* Replace dict.iteritems() with dict.items() in keystone
* Add release note for service token documentation
* Fix werkzeug imports for version 0.15.x
* Allow an explicit\_domain\_id parameter when creating a domain
* Update the min version of tox
* Convert user\_id back to string
* Add API for /v3/access\_rules\_config
* Ignore Stein-specific release notes
* Be more verbose in logging role grant on bootstrap
* Replace UUID with id\_generator for Federated users
* DRY: Remove redundant policies from policy.v3cloudsample.json
* Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD
* Remove redundant policies from v3cloudsample
* Add domain scope support for group policies
* Update broken links to dogpile.cache docs
* Add keystone's technical vision reflection
* Add release prelude about changing policies
* Consolidate user protection tests
* Replace URL name to the correct one in Keystone Docs
* Delete shadow users when domain is deleted
* Make system admin policies consistent for grants
* Remove assignment policies from policy.v3cloudsample.json
* Add role assignment testing for project users
* Replace openstack.org git:// URLs with https://
* Implement system reader functionality for grants
* Remove external-dev and consolidate to contributor
* Remove system assignment policies from policy.v3cloudsample.json
* Test domain and project users against group system assignment API
* Add role assignment test coverage for domain admins
* Add role assignment test coverage for domain members
* Implement domain reader for role\_assignments
* Add explicit testing for project users and the user API
* Update group system grant policies for admins
* Update system group assignment policies for reader and member
* Fix typo in docs section header
* Update master for stable/stein
* Test project users against system assignment API
* Test domain users against system assignment API
* Update system grant policies for system admin
* Update system grant policies for system member
* Update system grant policies for system reader

15.0.0.0rc1
-----------

* trivial: correct spelling in test names
* Remove project policies from policy.v3cloudsample.json
* Implement domain admin functionality for projects
* Implement domain member functionality for projects
* Only validate tokens once per request
* Pin Werkzeug in lower-constraints
* Implement domain admin functionality for user API
* Implement domain member functionality for user API
* Implement domain reader functionality for user API
* Add documentation for service tokens
* Added keystone identity provider installation to Devstack plugin
* PY3: Ensure LDAP searches use unicode attributes
* Use ForbiddenAction for invalid action instead of Forbidden
* Add schema placeholders for Stein
* Implement domain reader functionality for projects
* Small refactor for create nonlocal user
* Mention allow\_expired\_window in fernet FAQ
* Fix the incorrect release name of project guide
* trivial: fix broken link in trust API reference
* Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic
* Remove publish-loci post job
* Add hint for order of keys during distribution
* Add service developer documentation for scopes
* Make system members the same as system readers for credentials
* Drop py35 jobs
* Remove service policies from policy.v3cloudsample.json
* Switch federation check jobs to opensuse
* Add manager support for app cred access rules
* Add driver support for app cred access rules
* Add SQL migrations for app cred access rules
* Add a permissive mode for access rules config
* Add manager for access rules config
* Add JSON driver for access rules config
* Remove protocol policies from v3cloudsample.json
* Add tests for project users interacting with services
* Remove role policies from policy.v3cloudsample.json
* Add tests for project users interacting with roles
* Add tests for domain users interacting with roles
* Remove endpoint policies from policy.v3cloudsample.json
* Remove domain policies from policy.v3cloudsample.json
* Add role assignment test coverage for system admin
* Add role assignment test coverage for system members
* Reorganize role assignment tests for system users
* Implement system reader for role\_assignments
* Remove idp policies from policy.v3cloudsample.json
* Add py37 tox env
* Add tests for domain users interacting with services
* Update service policies for system admin
* Add shibboleth config to log output
* Update introduction of external services doc
* Address follow-up comments in contributor guide for specs
* [api-ref] add domain level limit support
* Release note for domain level limit
* Update project depth check
* Add domain level support for strict-two-level-model
* Add domain level limit support - API
* Add domain level limit support - Manager
* Remove mapping policies from policy.v3cloudsample.json
* Add tests for project users interacting with mappings
* Deprecate cache\_on\_issue configuration option
* Add JWS token provider documentation
* Add OpenSUSE support in devstack federation plugin
* Add experimental job for OpenSUSE
* Fix mock for v2 test
* Add documentation for writing specifications
* Remove unused sample token fixtures
* Fix bindep for SUSE
* add python 3.7 unit test job
* Correcting tests with project\_id
* Add domain\_id column for limit
* [SQLite] Ensure change is addressed for limit table
* Remove region policies from policy.v3cloudsample.json
* Add tests for project users interacting with regions
* Add tests for domain users interacting with regions
* Update region policies to use system admin
* Add region tests for system member role
* Implement system admin role in groups API
* populate request context with X.509 tokenless cred information
* Fix wrong example for direct\_maps
* Fixes incorrect params
* Implement JWS token provider
* Seperated CADF notifications tests for request\_id
* Added request\_id and global\_request\_id to basic notifications
* Converting the API tests to use flask's test\_client
* Implement system admin role in users API
* Implement system member role user test coverage
* Implement system reader role for users
* Replace 'tenant\_id' with 'project\_id'
* Add PyJWT as a requirement
* Add test fixture for the JWS key repository
* Add keystone-manage create\_jws\_keypair functionality
* Add configuration options for JWS provider
* Test case for bad type user in assertion
* Adjust Indents to meet PEP8 E117
* Handle special cases with msgpack and python3
* Add experimental job for CentOS
* Add CentOS support in devstack federation plugin
* Remove service provider policies from v3cloudsample.json
* Add documentation for Auth Receipts and MFA
* bump Keystone version for Stein
* Allow project users to retrieve domains
* Fix wrong urls
* Optimize fernet token and receipts in cli.py
* PY3: switch to using unicode text values
* Expose receipt\_setup and receipt\_rotate command
* Clean up the create\_arguments\_apply methods
* Allow domain users to access the GET domain API
* Update doc for token\_setup and token\_rotate
* Fix nits
* Fix app\_cred schema spell nit
* Update limit policies for system admin
* Do not use self in classmethod
* Add tests for project users interacting with endpoints
* Add tests for domain users interacting with endpoints
* Update endpoint  policies for system admin
* Add endpoint tests for system member role
* Update endpoint policies for system reader
* Add tests for domain users interacting with mappings
* Update mapping policies for system admin
* Add mapping tests for system member role
* Update mapping policies for system reader
* Add tests for project users interacting with idps
* Add tests for domain users interacting with idps
* Update idp policies for system admin
* Add idp tests for system member role
* Update idp policies for system reader
* Add region protection tests for system readers
* Update role policies for system admin
* Reuse common system role definitions for roles API
* Add tests for project users interacting with protocols
* Add tests for domain users interacting with protocols
* Implement system admin role in protocol API
* Add protocol tests for system member role
* Update protocol policies for system reader
* Add limit tests for system member role
* Add limit protection tests
* Remove registered limit policies from policy.v3cloudsample.json
* Add tests for project users interacting with registered limits
* Allow domain users to access the registered limits API
* Remove duplicated TOC in configuration guide
* Implement system admin role in project API
* Implement system member role project test coverage
* Implement system reader role for projects
* Enhance the openidc guide
* Enhance the mellon guide
* Enhance the shibboleth guide
* Consolidate WebSSO guide into SP instructions
* Add section on configuring protected auth paths
* Reorganize guide on configuring a keystone SP
* Clean up keystone-to-keystone section
* Enhance authn sections in federation guide
* correct the description on domain re-enable
* Add tests for project users interacting with sps
* Add tests for domain users interacting with sps
* Update service provider  policies for system admin
* Add prerequisites section to keystone-to-keystone
* Invalidate shadow\_federated\_user cache when deleting protocol
* Remove duplicate RBAC logging from enforcer
* Update federation SP prerequisites section
* Use samltest.id as an example sandbox IdP
* Fix nits in code blocks in federation guide
* Bring SP/IdP URLs closer to style guide guidance
* Restructure federation guide
* Update doc with samltest.id
* Clarify location for HTTPD instructions
* Use common system role definitions for registered limits
* Implement system member test coverage for groups
* Implement system reader role for groups
* Add service provider tests for system member role
* Update service provider policies for system reader
* Add service tests for system member role
* Update service policies for system reader
* Use renamed template 'integrated-gate-py3'
* Add scope checks to common system role definitions
* Remove i18n.enable\_lazy() translation
* Reorganize admin guide
* Consolidate service catalog docs
* Add irrelevant-files for grenade-py3 jobs
* Delete outdated keystonemiddleware doc
* Remove example usage from admin guide
* Split trusts docs between admin and user guide
* Move identity sources doc to admin guide
* Remove message about circular role inferences
* Remove Certificates for PKI guide
* Add introduction section to federation docs
* Fix links to external-authentication
* Move list limit docs to admin guide
* Rename admin guide pages
* Consolidate tokenless X.509 docs
* Update registered limit policies for system admin
* Consolidate Keystone docs: admin/identity-external-authentication.rst
* Implement system admin role in domains API
* Implement system member role domain test coverage
* Implement system reader role in domains API
* Bump oslo.policy and oslo.context versions
* Move supported clients section to user guide
* Use request\_body\_json function
* Move SSL recommendation to installation guide
* Move "Public ID Generators" to relevant docs
* Consolidate Keystone docs: federated-identity.rst
* Add role tests for system member role
* Consolidate catalog management guide
* Update role policies for system reader
* Change openstack-dev to openstack-discuss
* Add registered limit tests for system member role
* Add registered limit protection tests
* Keep federation jobs running on Xenial
* Clarify docstrings for domain flask refactor
* Move test utility to common location
* Add missing translation import to common.auth.py
* Move to password validation schema
* Don't emit a notification for the root domain
* Pass context objects to policy enforcement
* Consolidate identity-domain-specific-config.rst
* Consolidate auth-totp.rst
* Consolidate event\_notifications.rst
* Consolidate endpoint-policy.rst
* Consolidate service-catalog.rst
* Update contributor doc
* Use pycodestyle in place of pep8
* Update api-ref to include user options
* Document user options
* Add scope documentation for service developers
* Remove deprecated secure\_proxy\_ssl\_header config
* Refactor flask domain config resources
* Add missing ws seperator between words
* Add the missing packages when install keystone
* add request\_id and global\_request\_id to cadf notifications
* changed port in tools/sample\_data.sh
* Move irrelevant-files to project definition
* Add tempest-full-py3 job to zuul file
* Remove the repetition words in  identity-fernet-token-faq.rst
* Removing default\_assigment\_driver
* Bump sqlalchemy minimum version to 1.1.0
* Drop the compatibility password column
* Remove "crypt\_strength" option
* Correct HTTP OPTIONS method
* Update api-ref for set registered limits
* Remove deprecated "bind" in token
* Update more info of vhost file
* Refactor directory creation into a common place
* Region update extra support
* Change \_\_all\_\_ list to tuple
* Remove redundant variables from context class
* Refresh admin doc
* Fixing nits
* Add abstract method in trusts base.py
* Switch devstack plugin to samltest.id
* Clean up python3.5 usage in tox.ini
* Add py36 tox environment
* Remove unused lower constraints
* Replace usage of get\_legacy\_facade() with get\_engine()
* Fix uwsgi --http flag
* Fix an issue with double fernet key rotation
* Delete PKI middleware debugging section
* Fix developer config dir flask aftermath
* Documentation fix - Port number
* Use port 5000, keystone-wsgi-public and --http-socket
* Changed the port numbers
* Implement auth receipts spec
* changed port in argument '--bootstrap-admin-url'
* Unregister "Exception" from flask handler
* Add release note for unified limit APIs changing
* Deprecate eventlet related configuration
* Remove compatability shim
* Remove check for disabled v3
* Remove obsolete credential policies
* Delete "Preparing your environment" section
* Implement scope\_type checking for credentials
* Fix spelling 'unnecessary'
* Remove custom auth middleware documentation
* Delete the external auth admin guide
* Remove useless use of :orphan:
* Change port and version on v3 endpoints example
* Provide a Location on HTTP 300
* Set Default and resource limit as defined schema
* Emit CADF notifications on authentication for invalid users
* Delete administrator federation guide
* Update keystone-manage bootstrap port instructions
* Fix api-ref v3.9 release identifier
* Update third endpoint legacy port for Keystone v3 API
* Remove unused logging module
* Remove useless "clean" file
* Trivial: Remove repeated if conditions
* Updating doc of unified limit
* Adding 'date' for trust\_flush
* Add caching on trust role validation to improve performance
* Allow registered limit's region\_id to be None
* Add a test for idp and federated user cascade deleting
* Fix example for getting system scoped token
* Remaining cases of MappingEngineTester
* Set min and max length for resource\_name
* Implement scaffolding for upgrade checks
* Fixing update unified limit api-ref
* Remove deprecated token\_flush
* Invalidate app cred AFTER deletion
* Update API version to 3.11
* Added test case update registered limit with region
* Remove incorrect copyright notice
* Remove paste-ini
* Remove pre-flask legacy code
* Make collection\_key and member\_key raise if unset
* Increment versioning with pbr instruction
* Loosen the assertion for logging scope type warnings
* Expand implied roles in system-scoped tokens
* Add test case for expanding implied roles in system tokens
* Move loadapp to a generic place
* Make policy file support in fixture optional
* Use tempest-pg-full
* Cleanup test\_wsgi
* Flask comment/docstring cleanup
* Move AuthContextMiddleware
* Convert Normalizing filter to flask native Middleware
* Internally defined middleware don't use stevedore
* Make Request Logging a little better
* Register exceptions with a Flask Error Handler
* Cleanup keystone.server.flask.application
* Replace JSON Body middleware with flask-native func
* Convert S3 and EC2 auth to flask native dispatching
* Remove skip for test\_locked\_out\_user\_sends\_notification
* Convert projects API to Flask
* Convert /v3/users to flask native dispatching
* add unit tests for healthcheck
* Replace openSUSE experimental check with newer version
* Auth flask conversion cleanup
* Convert auth to flask native dispatching
* Update notification tests to work with o-m 9.0.0
* Don't mock internal implementation details of oslo
* Update log translation hacking check
* Don't quote {posargs} in tox.ini
* Enable foreign keys for unit test
* Update doc string for transform\_to\_group\_ids
* Follow Zuul job rename
* Add release names to api-ref
* Avoid using dict.get() in assertions
* Clarify group-mapping example in docs
* Purge soft-deleted trusts
* LDAP attribute names non-case-sensitive
* Organize project tag api-ref by route
* Add build\_target arguement to enforcer
* Properly replace flask view args in links
* Adding test case for MappingEngineTester
* Fix command to verify role removal in docs
* Add python3 functional test job
* Convert legacy functional jobs to Zuul-v3-native
* Update auto-provisioning example to use reader
* Enable Foreign keys for sql backend unit test
* Add releasenote for bug fix 1789450
* Comment out un-runnable tests
* Mapped Groups don't exist breaks WebSSO
* Add hint back
* Implement Trust Flush via keystone-manage
* Properly normalize domain ids in flask
* Use templates for cover and lower-constraints
* Make OSA rolling upgrade test experimental
* Rename v3-only functional zuul job
* Remove unused revoke\_by\_user\_and\_project
* Address issues with flask conversion of os-federation
* Convert domains api to flask
* Move use of constraints out of install\_cmd
* Ensure view args is in policy dict
* Rename py35 v3 only check
* Convert OS-INHERIT API to flask native dispatching
* Fix a translation of log
* Convert groups API to flask native dispatching
* Fix RBACEnforcer get\_member\_from\_driver mechanism
* Refactor ProviderAPIs object to better design pattern
* Convert OS-FEDERATION to flask native dispatching
* Update the documentation bug tag
* api-ref: Remove broken link
* Added support for a \`\`description\`\` attribute for Identity Roles
* Update the minimimum required version of oslo.log
* Incorrect use of translation \_()
* Update RDO install guide for v3
* Remove member\_role\_id/name
* Convert policy API to flask
* Fix db model inconsistency for FederatedUser
* add python 3.6 unit test job
* switch documentation job to new PTI
* import zuul job settings from project-config
* Use items() instead of iteritems()
* Add details and clarify examples on casing
* Address nits
* Re-Add scope.system to filters
* Add placeholder migrations for Rocky
* Change unique\_last\_password\_count default to 0
* Trivial: Remove app\_conf kwarg from testing setup
* Trivial: Add missing space in exception
* Move json\_home "extension" rel functions
* Convert system (role) api to flask native dispatching
* Do not log token string
* Convert role\_assignments API to flask native dispatching
* Add safety to the inferred target extraction during enforcement
* Use osc in k2k example
* Fix a bug that issue token with project-scope gets error
* Convert role\_inferences API to flask native dispatching
* Convert Roles API to flask native dispatching
* Convert endpoints api to flask native dispatching
* Convert services api to flask native dispatching
* Convert regions API to flask native dispatching
* Remove unused util function
* Redundant parameters in api-ref:domain-config
* Add callback action back in
* Set initiator id as user\_id for auth events
* Update reno for stable/rocky
* More accurate explanation in api-ref:application credentials
* Imported Translations from Zanata

14.0.0.0rc1
-----------

* Allow wrap\_member and wrap\_collection to specify target
* Pass path into full\_url and base\_url
* Allow for more robust config checking with keystone-manage
* Remove redundant get\_project call
* Convert OS-SIMPLE-CERT to flask dispatching
* Migrate OS-EP-FILTER to flask native dispatching
* Convert limits and registered limits to flask dispatching
* Add a release note for bug 1785164
* Error location of parameters in api-ref:project tags
* Code optimization of create application credential
* Do not allow create limits for domain
* Update api-ref for unified limits
* Fix json indentation of notification sample
* Convert OS-AUTH1 paths to flask dispatching
* Clean up token extra code
* Expose a bug that issue token with project-scope gets error
* Remove KeystoneToken object
* Convert OS-REVOKE to flask dispatching
* Address FIXMEs for listing revoked tokens
* Move unenforced\_api decorator to module function
* Remove direct calls to auth.controllers in some tests
* Move validate\_issue\_token\_auth from controllers
* Unified code style nullable description parameter
* Remove get\_catalog from manage layer
* Api-ref: Correct response code
* Adding missing comma in docs
* Expose random uuid bug in cadf notifications
* Boostrap CLI tests no longer call auth controller
* Implement "no-update" test for trusts
* Move trusts to flask native dispatching
* Address nits in strict-two-level implementation
* Remove get\_catalog usage from contrib

14.0.0.0b3
----------

* Deprecate [token] infer\_roles=False
* Reduce duplication in federated auth APIs
* Fix RBACEnforcer Comment
* Mirror self-link trust check from tempest
* Trusts do not implement patch
* Allow for 'extension' rel in json home
* Add pycadf initiator for flask resource
* Use oslo\_serialization.jsonutils
* Correctly pull input data for enforcement
* Delete project limits when deleting project
* Add project hierarchical tree check when Keystone start
* Update project depth check
* Add include\_limits filter
* Bump lower constraint for pysaml2 to 4.5.0
* Allow class-level definition of API URL Prefix
* Move Credentials API to Flask Native
* Add project\_id filter for listing limit
* Strict two level limit model
* Switch to python-ldap
* Add correct self-link
* Properly remove content-type on HTTP 204
* Increase test coverage of entity\_type id mapping query
* Cleanup keystone.token.providers.common
* Remove remnants of token bind
* Simplify the token provider API
* Add serialization for TokenModel object
* Introduce new TokenModel object
* Don't allow legacy and native flask to share paths
* Remove uuid token size check from doctor
* Do not use flask.g imported as g
* Fix keystone.common.rbac\_enforcer.\_\_init\_\_.py exporting
* Make keystone.server.flask more interesting for importing
* Flesh out and add testing for flask\_RESTful scaffolding
* Update pypi url to new url
* Invalidate 'computed assignments' cache when creating a project
* Filter project\_id for list limits
* Expose endpoint to return enforcement model
* Add docs for case-insensitivity in keystone
* Clarifications to API & Scenario Tests
* Remove enable config option of trust feature
* Fix keystone-manage saml\_idp\_metadata under python3
* Only upload SP metadata to testshib.org if IDP id is testshib
* Ignore .eggs dir as well
* Implement enforcement model logic in Manager
* Add registered\_limit\_id column for limit
* Add auto increase primary key for unified limit
* Address minor comments from initial impl RBACEnforcer
* Refactor \_handle\_shadow\_and\_local\_users
* Refactor \_set\_domain\_id\_and\_mapping functions
* Move keystone.server.common to keystone.server
* Add support for enforce\_call to set value on flask.g
* Refactor - remove extra for loop
* Remove token bind capabilities
* Address minor comments to 404 error detection
* Exposing ambiguity bug when querying role assignments
* pycrypto is not used by keystone
* Add new "How Can I Help?" contributor guide
* Added check to avoid keyerror "user['name']"
* Implement base for new RBAC Enforcer
* Refactor trust roles check
* Make it easy to identify a 404 from Flask
* Don't replace the whole app just the wsgi\_app backing
* Add support for before and after request functions
* Convert json\_home and version discovery to Flask
* Keystone adheres to public\_endpoint opt only
* Implement scaffolding for Flask-RESTful use
* Add Flask-RESTful and update flask minimum(s)
* Fix keystone-manage mapping\_purge with --type option
* Override oauthlib docstrings that fail with Sphinx 1.7.5
* Simple usage docs for implied roles
* Fix duplicate role names in trusts bug
* Expose duplicate role names bug in trusts
* Remove unclear wording in parameters
* Filter by entity\_type in get\_domain\_mapping\_list
* Migrate all password hashes to the new location if needed
* Add policy for limit model protection
* Api-ref: Refresh the Update APIs for limits
* Imported Translations from Zanata
* Remove a useless function
* Clarify complicated sentence in docs
* Unified limit update APIs Refactor
* Store JSON Home Resources off the composing router
* Ensure default roles created during bootstrap
* Add release notes link to README
* Remove duplicated test
* Expand on debug\_middleware option
* Update response codes for authentication API reference
* Clarify scope responses in authentication api ref
* fix tox python3 overrides
* Add Flaskification release-note
* Remove pastedeploy
* Flaskification cleanup
* Remove the rest of v2.0 legacy
* Add in ability to load DEBUG middleware
* Revert "Rename fernet\_utils to token\_utils"
* Convert Keystone to use Flask

14.0.0.0b2
----------

* Docs: Remove the TokenAuth middleware
* Correct test\_v3\_oauth1.test\_deleting\_project\_also\_invalidates\_tokens
* Correct test\_v3\_oauth1.test\_change\_user\_password\_also\_deletes\_tokens
* Correct test\_v3\_oauth1.test\_bad\_authorizing\_roles\_id
* Correct test\_v3\_oauth1.test\_bad\_authorizing\_roles\_name
* Fix warnings in documentation
* fix rally docs url
* Decouple bootstrap from cli module
* Handle empty token key files
* Remove some unused functions
* Update tests to work with WebOb 1.8.1
* Consolidate oauth1.rst
* Remove the TokenAuth middleware
* Remove token driver configuration
* Fix the test for unique IdP
* Consolidate health-check-middleware.rst
* Limit description support
* The migration script to add description for limit
* Update IdP sql model
* Remove dead dependency injection code
* Remove unused assertions from test\_v3.py
* Remove dead code in token provider
* Remove unused exception
* Do not return all the limits for POST request
* Add configuration option for enforcement models
* Use the provider\_api module in limit controller
* Fix the outdated URL
* Remove policy service from architecture.rst
* Invalidate the shadow user cache when deleting a user
* Add conceptual overview of the service catalog
* Trivial: Update pypi url to new url
* Update the RDO installation guide to use port 5000
* Update keystone functional tests

14.0.0.0b1
----------

* Remove the sample .conf file
* Allow blocking users from self-service password change
* Add prerequisite package note to Keystone install guide
* Update auth\_uri option to www\_authenticate\_uri
* Fix json schema nullable to add None to ENUM
* Use consistent role schema in token response validation
* Corrects spelling of MacOS
* Fix 500 error when deleting domain
* Allow cleaning up non-existant group assignments
* Follow the new PTI for document build
* Use the new pysaml2 constraints
* Fix incompatible requirement in lower-constraints
* Update install guides
* Fix mispelling of accommodate in install docs
* Fix list\_limit doesn't work correctly for domain
* Expose a bug that list\_limit doesn't work correctly
* Log warning when using token\_flush
* Removal of deprecated direct driver loading
* Make tags filter match subset rather than exact
* Updated from global requirements
* Update RDO install guide for v3
* Remove admin interface in sample Apache file
* add lower-constraints job
* Fix integer -> method conversion for python3
* Fix user email in federated shadow users
* Remove references to v2.0 from external developer doc
* Remove references to UUID from token documentation
* Add logging for xmlsec1 installation
* Updated from global requirements
* Mark the implied role API as stable
* Add note to keystone-manage bootstrap doc
* Fix assert test error under py3.6
* Fix api-ref for project tag create
* Updated from global requirements
* Fixing multi-region support in templated v3 catalog
* Update links in README
* Use different labels for user and project names
* Imported Translations from Zanata
* Add user documentation for JSON Home
* Fix formatting of ImportError
* Imported Translations from Zanata
* Updated from global requirements
* Imported Translations from Zanata
* Remove @expression from tags
* Work around deprecations for opportunistic tests
* Api-ref: fix resource\_limit format
* Correct typo in identity API reference
* Imported Translations from Zanata
* Consolidate identity-token-binding.rst
* Consolidate identity-service-api-protection.rst
* Add new setup commands for token keys
* Consolidate endpoint-filtering.rst
* Remove unnecessary config overrides from fernet tests
* Make assertValidFernetKey assertion more robust
* Update 3.10 versioning to limits and system scope
* Remove v2.0 policies
* Populate application credential data in token
* Imported Translations from Zanata
* Simplify federation and oauth token callbacks
* Simplify token persistence callbacks
* Refactor token cache invalidation callbacks
* Remove needs\_persistence property from token providers
* Imported Translations from Zanata
* Use OSC in application credential documentation
* Add docs for application credentials
* Force SQLite to properly deal with foreign keys
* Remove unused class variables from token provider
* Imported Translations from Zanata
* Grant admin a role on the system during bootstrap
* Fix querying role\_assignment with system roles
* Delete system role assignments when deleting groups
* Expose bug in system assignment when deleting groups
* Delete system role assignments when deleting users
* Expose bug in system assignment when deleting users
* Expose bug in /role\_assignments API with system-scope
* Remove the sql token driver and uuid token provider
* Imported Translations from Zanata
* Update reno for stable/queens
* Imported Translations from Zanata

13.0.0.0rc1
-----------

* Add placeholder migrations for Queens
* Delete SQL users before deleting domain
* Reorganize api-ref: v3-ext federation mapping.inc
* Update OBS install docs for v2 removal
* Reorganize api-ref: v3-ext federation service-provider
* Reorganize api-ref: v3-ext oauth.inc
* Replace port 35357 with 5000 for ubuntu guide
* Reorganize api-ref: v3 os-pki
* Reorganize api-ref: v3-ext federation identity-provider
* Reorganize api-ref: v3-ext trust.inc
* Remove v2.0 from documentation guides
* Remove v2.0 extension documentation
* Update curl request documentation to remove v2.0
* Remove v2 and v2-admin API documentation
* Remove all v2.0 APIs except the ec2tokens API
* Update sample configuration file for Queens
* Imported Translations from Zanata
* Finish refactoring self.\*\_api out of tests
* Add cache invalidation when delete application credential
* Expose a bug that application credential cache is not invalidated
* Fix cache invalidation for application credential
* Expose a bug that cache invalidation doesn't work for application credential
* Update the base class for application credential
* Fix list users by name
* Refactor self.\*\_api out of tests
* Use keystone.common.provider\_api for auth APIs
* Fix the wrong description
* Remove the redundant word
* Validate identity providers during token validation
* Update historical context about the removal of v2.0
* Document flat limit enforcement model
* add 'tags' in request body of projects
* Increase MySQL max\_connections for unit tests
* Add scope\_types for user policies
* Use native Zuul v3 tox job
* Update documentation to reflect system-scope
* Add a release note for application credentials
* Impose limits on application credentials
* Enable application\_credential auth by default
* Add api-ref for application credentials
* Add application credential auth plugin
* Add Application Credentials controller
* Zuul: Remove project name
* Refresh the admin\_token doc
* Remove pki\_setup step in doc
* Add documentation describing unified limits
* Handle TZ change in iso8601 >=0.1.12
* Remove PKI/PKIZ token in doc
* Add api-ref for unified limits
* Expose unified limit APIs
* Implement policies for limits
* Add limit provider
* Improve limit sql backend
* Replace Chinese punctuation with English punctuation

13.0.0.0b3
----------

* Add release note for system-scope
* Implement GET /v3/auth/system
* Updated from global requirements
* Implement system-scoped tokens
* Document scope\_types for project policies
* Add scope\_types to trust policies
* Add scope\_types to grant policies
* Add scope\_types to role assignment policies
* Fix column rename migration for mariadb 10.2
* Remove foreign key for registered limit
* Introduce assertions for system-scoped token testing
* Implement system-scope in the token provider API
* Teach TokenFormatter how to handle system scope
* Remove the deprecated "giturl" option
* Relay system information in RoleAssignmentNotFound
* Rename application credential restriction column
* Update token doc
* Update keystone v2/tokenauth example
* Reorganize api-ref: v3-ext revoke.inc
* Reorganize api-ref: v3-ext ep-filter.inc
* Reorganize api-ref: v3-ext simple-cert.inc
* Reorganize api-ref: v3-ext federation projects-domains.inc
* Document scope\_types for credential policies
* Document scope\_types for ec2 policies
* Move token\_formatter to token
* Document fixes needed for token scope\_types
* Add scope\_types to service provider policies
* Add scope\_types to group policies
* Add scope\_types to domain config policies
* Add system column to app cred table
* Fix outdated links
* Add ability to list all system role assignments
* Add system role assignment documentation
* Add Application Credentials manager
* Handle TODO notes for using new\_user\_ref
* Updated from global requirements
* Add application credentials driver
* Make entries in policy\_mapping.rst consistent
* Add application credentials db migration
* Fix indentation in docs
* remove \_append\_null\_domain\_id decorator
* Fix wrong url in domains-config-v3.inc
* msgpack-python has been renamed to msgpack
* adjust response code order in 'regions-v3.inc'
* Fix wrong url in config-options.rst
* adjust response code order in 'authenticate-v3.inc'
* Reorganize api-ref: v3-ext endpoint-policy.inc
* Imported Translations from Zanata
* Extract expiration validation to utils
* Implement controller logic for system group assignments
* adjust response code order in ''policies.inc''
* adjust response code order in ''domains-config-v3.inc''
* put response code in table of ''domains.inc''
* adjust response code in order of credentials.inc
* fix wrong url link of User trusts
* Reorganize api-ref: v3-ext federation assertion.inc
* Implement controller logic for system user assignments
* Add schema check for authorize request token
* Remove whitespace from policy sample file
* Use keystone.common.provider\_api for trust APIs
* Add db operation for unified limit
* Add new tables for unified limits
* Fix federation unit test
* add response example and 'extra' info of create user
* Add scope\_types to domain policies
* Add scope\_types for policy policies
* Add scope\_types to oauth policies
* Add scope\_types to token revocation policies
* Add scope\_types to endpoint group policies
* Migrate jobs to zuulV3
* Add scope\_types to role policies
* Add scope\_types to implied role policies
* Add expired\_at\_int column to trusts
* Add scope\_types for revoke event policies
* Add scope\_types to protocol policies
* Add scope\_types to project endpoint policies
* Add scope\_types to policy association policies
* Add scope\_types to mapping policies
* Add scope\_types to identity provider policies
* Add scope\_types to service policies
* Handle InvalidScope exception from oslo.policy
* Use keystone.common.provider\_api directly in assignment
* Add scope\_types to region policies
* Add scope\_types to endpoint policies
* Expose a get\_enforcer method for oslo.policy scripts
* Reorganize api-ref: v3 project-tags
* Reorganize api-ref: v3 authenticate-v3
* Deprecate [trust]/enabled option
* Use keystone.common.provider\_api for resource APIs
* Re-organize api-ref: v3 inherit.inc
* Implement get\_unique\_role\_by\_name
* Reorganize api-ref: v3-ext federation projects-domains
* Reorganize api-ref: v3 regions-v3
* Reorganize api-ref: v3 policies
* Remove duplicated release note
* Reorganize api-ref: v3 credentials
* Reorganize api-ref: v3 domains-config-v3
* Reorganize api-ref: v3 service-catalog
* Reorganize api-ref: v3 projects
* Reorganize api-ref: v3 roles
* Use keystone.common.provider\_api for identity APIs
* Use keystone.common.provider\_api for revoke APIs
* Use keystone.common.provider\_api for policy APIs
* Use keystone.common.provider\_api for oauth APIs
* Use keystone.common.provider\_api for federation APIs
* Use keystone.common.provider\_api for endpoint\_policy APIs
* Use keystone.common.provider\_api for credential APIs
* Use keystone.common.provider\_api for catalog APIs
* Use keystone.common.provider\_api for token APIs
* modify LOG.error tip message
* Performance: improve get\_role
* Add group system grant policies
* Replace parse\_strtime with datetime.strptime
* Remove private methods for v2.0 and v3 tokens
* Ensure building scope is mutually exclusive
* Add user system grant policies
* Implement manager logic for group+system roles
* Implement manager logic for user+system roles
* Implement backend logic for system roles
* Add a new table for system role assignments
* Refactor project tags encoding
* Expose a bug when authorize request token
* Bump API version and date to 3.9
* Create doc/requirements.txt
* remove some misleading info in Update user API doc
* Updated from global requirements
* remove "admin\_token\_auth" related content"
* Remove rolling\_upgrade\_password\_hash\_compat
* Deprecate member\_role\_id and member\_role\_name
* Migrate functional tests to stestr
* Remove Dependency Injection
* Rename fernet\_utils to token\_utils
* Remove extra parameter for token auth
* Refresh sample\_data.sh
* Improve exception logging with 500 response
* Remove dead code for auth\_context
* Updated from global requirements

13.0.0.0b2
----------

* Reorganize api-ref:v3 groups
* Handle deprecation of inspect.getargspec
* Enforce policy on oslo-context
* Correct error message for request token
* Refresh the Controller list
* Updated from global requirements
* Update keystone testing documentation
* Fix role schema in trust object
* Validate disabled domains and projects online
* Add New in Pike note to using db\_sync check
* Fix 500 error when create trust with invalid role key
* Expose a bug when create trust with roles
* Remove member role assignment
* Fix wrong links in keystone documentation
* Add schema check for OS-TRUST:trust authentication
* Expose a bug when authenticating for a trust-scoped token
* Update the help message for unique\_last\_password\_count
* Remove apache-httpd related link
* Populate user, project and domain names from token into context
* Remove setting of version/release from releasenotes
* Updated from global requirements
* Update cache doc
* Updated from global requirements
* Fix 500 error when authenticate with "mapped"
* Updated from global requirements
* Filter users/groups in ldap with whitespaces
* Deprecate policies API
* Change url in middleware test to v3
* Remove ensure\_default\_domain\_exists
* Ensure listing projects always returns tags
* Consolidate V2Controller functionality
* Remove v2 token value model
* Add non-voting rolling upgrade test
* Remove "no auth token" debug log
* Partially clarify federation auth plugins
* Handle ldap size limit exeeded exception
* policy.v3cloudsample.json: remove redundant blank space
* Remove expired password v2 test
* Remove v2 token test models
* Remove/update v2 catalog endpoint tests
* Remove unnecessary dependency injection
* Remove identity v2 to v3 test case
* Reorganize api-ref: v3 domains
* Correct parameter to follow convention

13.0.0.0b1
----------

* Remove v2 schema and validation tests
* Implement project tags API controller and router
* Implement project tags logic into manager
* Implement backend logic for project tags
* Remove v2.0 assignment schema
* Add project tags api-ref documentation and reno
* Deleting an identity provider doesn't invalidate tokens
* Add policy for project tags
* Add JSON schema validation for project tags
* Fix initial mapping example
* Fix list in caching documentation
* Updated from global requirements
* Refactor test\_backend\_ldap tests
* Emit deprecation warning for federated domain/project APIs
* Reorganize api-ref: v3-ext federation auth
* Update the release name in install tutorial
* Reorganize api-ref: v3 users
* Add explain of mapping group attribute
* Remove v2.0 identity API documentation
* Add database migration for project tags
* Remove the v2\_deprecated decorator
* Remove the v3 to v2 resource test case
* Remove admin\_token\_auth steps from install guide
* Remove the v2.0 validate path from validate\_token
* Remove v2.0 test plumbing
* Remove v2.0 auth APIs
* Remove v2.0 token APIs
* Move auth header definitions into authorization
* Remove v2.0 identity APIs
* Use stestr directly instead of ostestr
* Remove middleware reference to PARAMS\_ENV and CONTEXT\_ENV
* Migrate to stestr
* Updated from global requirements
* Add default configuration files to data\_files
* Add unit tests to mapping\_purge
* Replace assertRegexpMatches with assertregex
* Update API reference link in README
* Refactor removal of duplicate projects/domains
* Update links in keystone
* Fix role assignment api-ref docs
* Update invalid url in admin docs
* Remove keystone-all doc
* Fix typos in bootstrap doc
* Properly normalize protocol in Fedrations update\_protocol
* Two different API achieve listing role assignments
* Add backport migrations for Pike
* Adds Bandit #nosec flag to instances of SHA1
* Policy exception
* Remove duplicate code
*   Fix a typo
* Increase multi region endpoints test coverage
* Replace DbMigrationError with DBMigrationError
* Confusing notes of ephemeral user's domain
* Confusing log messages in project hierarchy checking
* Remove vestigate HUDSON\_PUBLISH\_DOCS reference
* Add test GET for member url in the Assignment API
* Remove v2.0 resource APIs
* Remove v2.0 assignment APIs
* Remove v2.0 service and endpoint APIs
* Fix endpoint examples in api-ref
* Copy specific distro pages for install guide
* Imported Translations from Zanata
* Log format error
* Updated from global requirements
* Ignore release notes for pike and master
* Clarify documentation for release notes
* Revert "Fix wrong links"
* Remove missing release note from previous revert
* Include a link in release note for bug 1698900
* Delete redundant code
* Call methods with kwargs instead of positionals
* Remove duplicate roles from federated auth
* Add the step to create a domain
* Add int storage of datetime for password created/expires
* Resource backend is SQL only now
* Assert default project id is not domain
* Fix wrong links
* Imported Translations from Zanata
* Remove deprecation of domain\_config\_upload
* Update reno for stable/pike

12.0.0.0rc1
-----------

* Unset project ids for all identity backends
* Update docs: fernet is the default provider
* Add description for relationship links in api-ref
* Updated URLs in docs
* Cache list projects and domains for user
* Remove unused hints from assignment APIs
* Make an error state message more explicit
* Fill in content in CLI Documentation
* Except forbidden when clearing default project IDs
* Update URL in README.rst
* Document required \`type\` mapping attribute
* Imported Translations from Zanata
* Fix man page builds
* Fill in content in User Documentation
* Clarify SELinux note in LDAP documentation
* Remove duplicate sample files
* Remove policy for self-service password changes
* Add role\_domain\_id\_request\_body in parameters
* use the show-policy directive to show policy settings
* Move credential encryption docs to admin-guide
* Consolidate LDAP documentation into admin-guide
* Imported Translations from Zanata
* Add description of domain\_id in creating user/group
* Add cli/ directory for documentation
* Add user/ directory for documentation
* Add contributor/ directory for docs
* Removed unnecessary setUp() calls from unit tests
* Filter users and groups in ldap
* Move url safe naming docs to admin guide
* Fix ec2tokens validation in v2 after regression in metadata\_ref removal
* Add the step to install apache2 libapache2-mod-wsgi
* Handle auto-generated domains when creating IdPs
* Updated from global requirements
* Fix the documentation sample for OS-EP-FILTER

12.0.0.0b3
----------

* Clarify documentation on whitelists and blacklists
* In the devstack plugin, restart keystone after modifying conf
* Fix typo in index documentation
* Move performance documentation to admin-guide
* Consolidate certificate docs to admin-guide
* Move auth plugin development doc to contrib guide
* Add missing comma to json sample
* Added new subsections to developer docs
* Fix wording of configuration help text
* Added index.rst in each sub-directory
* Optional request parameters should be not required
* Updated from global requirements
* Move development environment setup to contributor docs
* Add a hacking rule for string interpolation at logging
* Make the devstack plugin more configurable for federation
* Reorganised developer documentation
* Enable sphinx todo extension
* Remove duplicate configuration sections
* Expanded the best practices subsection in devdocs
* Added new docs to admin section
* Move bootstrapping documentation to admin-guide
* Updated from global requirements
* Add a release note for bug 1687593
* Reorganised api-ref index page
* remove default rule
* Merged the caching subsections in admin docs
* Move trust to DocumentedRuleDefault
* Improved the keystone federation image
* [install] Clarify the paths of the rc files
* fix identity:get\_identity\_providers typo
* fix assert\_admin
* Fixing flushing tokens workflow
* Replaced policy.json with policy.yaml
* Added configuration options using oslo.config
* Added configuration references to documentation
* Add history behind why keystone has two ports
* Move upgrade documentation to admin-guide
* Stop using deprecated 'message' attribute in Exception
* Move caching docs into admin-guide
* Gear documentation towards a wider audience
* Removed apache-httpd guide from docs
* Update security compliance documentation
* A simple fix about explicit unscoped string
* Remove duplicate token docs
* Update info about logging in admin guide
* Use log debug instead of warning
* Added a note for API curl examples
* Move import down to correct group
* Switch from oslosphinx to openstackdocstheme
* Clarify LDAP invalid credentials exception
* Ensure there isn't duplication in federated auth
* Remove keystone\_tempest\_plugin from setup.cfg
* Move implied role policies to DocumentedRuleDefault
* Remove duplicated list conversion
* Remove duplicated hacking rule
* Document and add release note for HEAD APIs
* Validate rolling upgrade is run in order
* Remove duplicate logging documentation
* Migrated docs from devdocs to user docs
* Updated from global requirements
* Remove note about kvs from admin-guide
* Move token flush documentation to admin-guide
* Remove the revocation api config section
* Rename Developer docs to Contributor docs
* Removed unnecessary line breaks from install-guides
* Added keystone installation guides
* Implement HEAD for assignment API
* Make federation documentation consistent
* Added keystone admin guides to documentation
* Add annotation about token authenticate
* Split test\_get\_head\_catalog\_no\_token
* Move related project information into main doc
* Move ec2 credential policies to DocumentedRuleDefault
* Return 400 when trying to create trust with ambiguous role name
* Reorganised keystone documentation structure
* Updated the keystone docs to follow the docs theme
* Fix PCI DSS docs on change\_password\_after\_first\_use
* Add HEAD API to auth
* Add HEAD APIs to federated API
* Ensure the trust API supports HEAD requests
* Ensure oauth API supports HEAD
* Ensure the endpoint policy API supports HEAD
* Improve handling of database migration checks
* Updated from global requirements
* Check log output rather than emitting in tests
* Ensure HEAD is supported with simple cert
* Ensure the ec2 API supports HEAD
* Ensure the endpoint filter API supports HEAD
* Move domain config to DocumentedRuleDefault
* Add HEAD API to domain config
* Updated from global requirements
* Move grant policies to DocumentedRuleDefault
* Move role policies to DocumentedRuleDefault

12.0.0.0b2
----------

* Use DocumentedRuleDefault for token operations
* Remove the local tempest plugin
* Add response example in authenticate-v3.inc
* Addition of "type" optional attribute to list credentials
* Remove keystone.conf if not used
* Updated from global requirements
* Remove assertRaisesRegexp testing function
* Update DirectMappingError in keystone.exception
* Remove dependency requires if not used
* Add role test to test\_consume\_trust\_once in test\_v3\_auth.py
* Writing API & Scenario Tests docs
* Handle group NotFound in effective assignment list
* Updated from global requirements
* Update doctor warning about caching
* Basic overview of tempest and devstack plugins
* Updated from global requirements
* Updated from global requirements
* Don't need to contruct data if not need persistence
* Fix response body of getting role inference rule
* Quotation marks should be included in http url using curl
* Updated from global requirements
* Replace test.attr with decorators.attr
* Update test case for federation
* Support new hashing algorithms for securely storing password hashes
* Remove loading drivers outside of their expected namespaces
* Change LDAPServerConnectionError
* Error api about grant collections in policy\_mapping.rst
* Updated from global requirements
* Handle NotFound when listing role assignments for deleted users
* Update sample configuration file for Pike
* Change url scheme passed to oauth signature verifier
* Updated from global requirements
* Role name is unique within the owning domain
* Remove LDAP delete logic and associated tests
* Revert change 438035 is\_admin\_project default
* Trivial fix typo in doc
* Fix misnamed variable in config
* Change url passed to oauth signature verifier to request url
* Expose a bug in domain creation from idps
* Role name is unique within the owning domain
* Refactor is\_admin
* Update fail message to test\_database\_conflicts
* Fix keystone.tests.unit.test\_v3\_oauth1.MaliciousOAuth1Tests
* Test config option 'user\_enabled\_default' with string type value
* Stop using oslotest.mockpatch
* Remove X-Auth-Token from response parameters
* Fix test\_minimum\_password\_age\_and\_password\_expires\_days\_deactivated
* Refactor Authorization:
* Cleanup policy generation
* Fix test keystone.tests.unit.test\_token\_bind.BindTest
* Fix keystone.tests.unit.test\_backend\_ldap.LDAPIdentity
* Remove test\_metadata\_invalid\_contact\_type
* Update dead API spec links
* override config option notification\_opt\_out with list
* Add filter explain in api ref about parents\_as\_list and subtree\_as\_list
* use '&' instead of '?' to connect parameters in url
* Remove usage of enforce\_type
* Revise doc about python 3.4
* Update Devstack plugin for uwsgi and mod\_proxy\_uwsgi
* Add notes in inherit.inc
* Do not fetch group assignments without groups
* Readability enhancements to architecture doc
* Add response examples to OS-OAUTH1 api documentation
* Correct oauth create\_request\_token documentation
* Remove unused CONF
* Remove unused LOG
* Move policy generator config to config-generator/
* Include sample policy file in documentation
* Trivial Fix: fix typo in test comments
* Move user policies to DocumentedRuleDefault
* Explicitly set 'builders' option
* Make flushing tokens more robust
* Minor corrections in OS-OAUTH1 api documentation
* Fix-test-of-assertValidRole
* Small refactoring in tests development docs
* Move endpoint group to DocumentedRuleDefault
* Fix doc generation for python 3

12.0.0.0b1
----------

* Updated from global requirements
* Imported Translations from Zanata
* Updated scope parameter description in v3 API-ref
* Add Apache License Content in index.rst
* Address comments from Policy in Code 5
* Remove unused revocation check in revoke\_models
* Updated from global requirements
* Remove unused code in test\_revoke
* Move group policies to DocumentedRuleDefault
* Move consumer to DocumentedRuleDefault
* Move access token to DocumentedRuleDefault
* Move mapping to DocumentedRuleDefault
* Move role assignment to DocumentedRuleDefault
* Move region policies to DocumentedRuleDefault
* Move project endpoint to DocumentedRuleDefault
* Remove unnecessary processing when deleting grant
* Add sem-ver flag so pbr generates correct version
* Move protocol to DocumentedRuleDefault
* Move credential policies to DocumentedRuleDefault
* Move policy association to DocumentedRuleDefault
* Move and refactor test\_revoke\_by\_audit\_chain\_id
* Move policy policies to DocumentedRuleDefault
* Move and refactor project\_and\_user\_and\_role
* Updated from global requirements
* Move and refactor test\_by\_domain\_domain
* Move and refactor test\_by\_domain\_project
* Move and refactor test\_by\_domain\_user
* Remove unused method \_sample\_data in test\_revoke
* Refactor test\_revoke to call check\_token directly
* Differentiate between dpkg and rpm for libssl-dev
* Move auth to DocumentedRuleDefault
* Move service policies to DocumentedRuleDefault
* Remove unnecessary setUp function in testcase
* Remove policy file from source and refactor tests
* Remove revocation API dependency from identity API
* Remove revocation API dependency from resource API
* Move project policies to DocumentedRuleDefault
* Replace wip with skip
* Removed domain conflict guard in load\_fixtures
* Updated from global requirements
* Remove create\_container\_group from tests
* Add charset to webob.Response
* Move identity provider to DocumentedRuleDefault
* Move endpoint policies to DocumentedRuleDefault
* Move domain policies to DocumentedRuleDefault
* Move service provider to DocumentedRuleDefault
* Add policy sample generation
* Removed the deprecated pki\_setup command
* Reduce fixture setup in test\_backend\_ldap
* Consolidate and cleanup test\_backend\_ldap setup
* Remove conflict guards in load\_fixtures
* Remove orphaned \_create\_context test helper
* Remove decorator for asserting validation errors
* Remove orphaned AuthTestMixin from test\_v3
* Move revoke events to DocumentedRuleDefault
* Doc db\_sync --expand incurring downtime in upgrades to Newton
* Fix some reST field lists in docstrings
* Remove log translations in keystone
* Move release note from /keystone/releasenotes to /releasenotes
* Small fixes for WebOb 1.7 compatibiltity
* Error messages are not translating with locale
* Add a note to db\_sync configuration section
* Remove unused revoke\_by\_domain\_role\_assignment
* Remove unused revoke\_by\_project\_role\_assignment
* Remove unnecessary revocation events revoke grant
* Remove unnecessary revocation events
* Remove unnecessary revocation events
* Policy in code (part 5)
* Policy in code (part 4)
* Set the correct in-code policy for ec2 operations
* Don't persist revocation events when deleting a role
* Policy in code (part 3)
* Policy in code (part 2)
* Policy in code
* Speed up check\_user\_in\_group for LDAP users
* Don't persist rev event when deleting access token
* Include the requested URL in authentication errors
* Remove extra duplicate 'be' in description
* Add group\_members\_are\_ids to whitelisted options
* Use HostAddressOpt for opts that accept IP and hostnames
* Remove x-subject-token in api-ref for v3/auth/catalog
* Add reno conventions to developer documentation
* Updated from global requirements
* Fix description for 204 response
* Updated from global requirements
* Remove keystone.common.ldap
* Fix the typo
* Add in-code comment to clarify pattern in tests
* Fix keystone.o.o URL
* Test for fernet rotation recovery after disk full
* API-ref return code fix
* Updated from global requirements
* Imported Translations from Zanata
* Fix api-ref building with sphinx 1.5
* Change is\_admin\_project to False by default
* Remove pbr warnerrors in favor of sphinx check
* Move driver loading inside of dict
* Minor cleanup from patch 429047
* Remove password\_expires\_ignore\_user\_ids
* Remove unused variable
* Revise conf param in releasenotes
* Modify examples to use v3 URLs
* Fix duplicate handling for user-specified IDs
* Removing group role assignments results in overly broad revocation events
* Typos in the LoadAuthPlugins note
* Remove domains \*-log-\* from compile\_catalog
* Add instruction to restart apache
* Exchange cURL examples for openstackclient
* Updated from global requirements
* Remove x-subject-token in api-ref for v3/auth/{projects,domains}
* Exclusively use restore\_padding method in unpacking fernet tokens
* Remove EndpointFilterCatalog
* Give a prospective removal date for all v2 APIs
* Fix some typo in releasenotes
* Correct and enhance OpenId Connect docs
* Imported Translations from Zanata
* Correct and enhance Mellon federation docs
* Clear the project ID from user information
* Fix MFA rule checks for LDAP auth
* Fix v2 role create schema validation
* Update reno for stable/ocata
* Fix the s3tokens endpoint
* Stop reading local config dirs for domain-specific file config driver
* Fix typo in config doc
* Updated from global requirements
* Fix example response formatting
* Rename protocol cascade delete migration file
* Remove logging import unused
* Address db\_sync check against new install
* Deprecate (and slate for removal) UUID tokens
* Remove the file encoding which is unnecessary
* Correct some typo errors
* Federated mapping doc improvements
* Include 'token' in the method list for federated scoped tokens
* Add --check to keystone-manage db\_sync command
* Deprecate (and emit message) AdminTokenAuthMiddleware
* Use ostestr instead of the custom pretty\_tox.sh
* Fix multiple uuid warnings with pycadf
* Add unit test for db\_sync run out of order
* Fixed warning when building keystone docs
* Ensure migration file names are unique to avoid caching errors
* use the correct bp link for shadow-mapping rel note
* Readability/Typo Fixes in Release Notes
* Remove unused api parameters
* Make use of Dict-base including extras explicit
* Add placeholder migrations for Ocata
* Update hacking version
* Use httplib constants for http status codes
* Renaming of api parameters
* Remove KVS code

11.0.0
------

* Modify the spelling mistakes
* Stop reading local config dirs for domain-specific SQL config driver
* Prepare for using standard python tests
* update keystone.conf.sample for ocata-rc
* Add MFA Rules Release Note
* Remove de-dupe for MFA Rule parsing
* Add comment to clarify resource-options jsonschema
* Cleanup TODO, AuthContext and AuthInfo to auth.core
* Cleanup TODO about auth.controller code moved to core
* Add validation that token method isn't needed in MFARules
* Add validation for mfa rule validator (storage)
* Process and validate auth methods against MFA rules
* Update endpoint api for optional region\_id
* No need to enable infer\_roles setting
* Fix bad error message from FernetUtils
* Use https for docs.openstack.org references
* Update PCI documenation
* Auth Plugins pass data back via AuthHandlerResponse
* Auth Method Handlers now return a response object always
* Add MFA Rules and Enabled User options
* cleanup release notes from PCI options
* Create user option \`ignore\_lockout\_failure\_attempts\`
* Implement better validation for resource options
* Deprecate [security\_compliance]\password\_expires\_ignore\_user\_ids
* Fixes deprecations caused by latest oslo.context
* PCI-DSS Force users to change password upon first use
* clean up release notes for ocata
* Reuse already existing groups from upstream tempest config
* add additional deprecation warnings for KVS options
* Address follow-up comments from previous patchset
* Cleanup for resource-specific options
* Adds tests showing how mapping locals are handled

11.0.0.0b3
----------

* Add 'options' as an explicit user schema validation
* Code-Defined Resource-specific Options
* Set the domain for federated users
* Refactor shadow users tests
* Add domain\_id to the user table
* Do not call \`to\_dict\` outside of a session context
* Remove code supporting moving resources between domains
* Change unit test class to a less generic name
* Remove dogpile.core dependencies
* Verbose breakup of method into seperate methods
* Fixed unraised exception in \_disallow\_write for LDAP
* Add password expiration queries for PCI-DSS
* Add missing parentheses
* Add queries for federated attributes in list\_users
* update entry points related to paste middleware
* Remove LDAP write support
* Remove releated role\_tree\_dn test
* Add warning about using \`external\` with federation
* Allow user to change own expired password
* Fix warnings generated by os-api-ref 1.2.0
* Improvements to external auth documentation page
* Test cross domain authentication via implied roles
* Updates to project mapping documentation
* Add documentation for auto-provisioning
* Implement federated auto-provisioning
* Fix typo in main docs page
* switch @hybrid\_property to @property
* Catch potential SyntaxError in federation mapping
* Fix typo in shibboleth federation docs
* Handling of 'region' parameter as None
* Corrected punctuation on multiple exceptions
* Exclude 'keystone\_tempest\_plugin' in doc build
* Force use of AuthContext object in .authentcate()
* Cascade delete federated\_user fk
* update sample config for ocata release
* Drop type in filters
* Add DB operations tracing
* fix broken links
* Changed 'Driver' reference to 'TokenDriverBase'
* Fix keystone-manage mapping\_engine tester
* Add anonymous bind to get\_connection method
* Set connection timeout for LDAP configuration
* Invalid parameter name on interface
* Bump API version and date
* listing revoke events should be admin only
* Adds projects mapping to the mapping engine
* Updated docstring for test\_sql\_upgrade.py
* Use public interfaces of pep8 for hacking
* [api-ref] Clean up OS-EP-FILTER association docs
* Remove comment from previous migration
* [api-ref] Clean up OS-EP-FILTER documentation
* Fixed not in toctree warnings when building docs
* Remove stevedore warning when building docs
* Update docs to require domain\_id when registering Identity Providers
* Retry on deadlock Transactions in backend
* Fix region\_id responses and requests to be consistent
* Remove endpoint\_id parameter from EP-FILTER docs
* [api] fix ep filter example
* Require domain\_id when registering Identity Providers
* Fix minor typo
* Remove references to Python 3.4
* Improve assertion in test
* Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)
* Correct invalid rst in api docs
* Fixed 7 tests running twice in v3 identity
* Fix issues with keystone-dsvm-py35-functional-v3-only on py35
* Fix the usage of tempest.client.Manager class
* Correct timestamp format in token responses
* Remove unused exceptions from CADF notifications
* Minor improvement in test\_user\_id\_persistence
* Remove CONF.domain\_id\_immutable
* Fix test function name with two underscores to have only one
* Updated from global requirements
* Fix import ordering in tempest plugins
* [api] Inconsistency between v3 API and keystone token timestamps
* Federated authentication via ECP functional tests
* Removes unnecessary utf-8 encoding
* Handle disk write failure when doing Fernet key rotation
* Fix cloud\_admin rule and ensure only project tokens can be cloud admin
* Updated from global requirements
* Remove duplicate role assignment in federated setup
* Remove unused variables from federation tests
* Remove unused variables from unit test method
* Add reason to CADF notifications in docs
* [doc] point release note docs to project team guide
* [api] set \`is\_admin\_project\` on tokens for admin project
* Settings for test cases
* Add reason to notifications for PCI-DSS
* Fix typo in doc
* fix one typo
* Updated from global requirements
* Wrap invalidation region to context-local cache
* move common sql test helpers to base class
* Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)
* replace assertTrue with assertIs

11.0.0.0b2
----------

* Replace logging with oslo\_log
* expose v3policy failure with is\_admin\_token
* Add doctor checks for ldap symptoms
* Implement password requirements API
* Fix a typo in comment
* Add unit tests for doctor token\_fernet symptoms
* Remove impossible case from \_option\_dict method
* Make \_option\_dict() a method for domain\_config\_api
* Add unit tests for doctor tokens symptoms
* Add checks for doctor credential symptoms
* Make user to nonlocal\_user a 1:1 relationship
* Add id to conflict error if caused by duplicate id
* Refactors \_get\_names\_from\_role\_assignments
* Do not manually remove /etc/shibboleth folder
* API Documentation for user password expires
* Revert "API Documentation for user password expires"
* API Documentation for user password expires
* Clean up keystone doc landing page
* Add doctor tests on security\_compliance and rename
* Fix typo in api-ref doc
* Move V2TokenDataHelper to the v2.0 controller
* Remove exception from v2 validation path
* Make bootstrap idempotent when it needs to be
* Add unit tests for doctor's database symptoms
* Print name with duplicate error on user creation
* Expose idempotency issue with bootstrap
* Print domain name in mapping\_populate error message
* Correct missspellings of secret
* Trivial indentation corrections in mappings doc
* Add doctor check for debug mode enabled
* Fixed multiple warnings in tox -edocs
* Get assignments with names honors inheritance flag
* Updated from global requirements
* Add test to expose bug 1625230
* Invalidate token cache after token delete
* Revert "Rename doctor symptom in security\_compliance"
* Domain included for role in list\_role\_assignment
* api-ref update for roles assignments with names
* Rename doctor symptom in security\_compliance
* Corrects sample-data incorrect credential call
* Correct minor issues in test schema
* Add unit tests for doctor federation file
* Remove CONF.os\_inherit.enabled
* Add unit tests for doctor's caching symptoms
* Updated from global requirements
* Updated from global requirements
* More info in schema validation error
* Minor fix in role\_assignments api-ref
* Include mapped in the default auth methods
* Validate token issue input
* Removes unused exceptions
* Removes unused method from assignment core
* Removes unused default\_assignment\_driver method
* Removed unused EXTENSION\_TO\_ADD test declarations
* Use sha512.hash() instead of .encrypt()
* Don't invalidate all user tokens of roleless group
* Upload service provider metadata to testshib
* Updated from global requirements
* SAML federation docs refer to old WSGIScriptAlias
* cache\_on\_issue default to true
* Make try/except work for passlib 1.6 and 1.7
* Document token header in federation auth response
* Refactor Keystone admin-tokens and admin-users v2
* ignore deprecation warning for .encrypt()
* Send the identity.deleted.role\_assignment after the deletion
* Allow fetching an expired token
* Show team and repo badges on README
* Remove eventlet-related call to sleep
* Add a comment about not using assertTrue
* clean up developer docs
* Improvements in error messages
* Remove trailing "d" from -days param of OpenSSL command
* Swap the notification formats in the docs
* Normalizes use of ForbiddenAction in trusts
* Enable CADF notification format by default
* Remove unused statements in matches
* Fix doc example
* Remove extension and auth\_token middleware docs
* Move docs from key\_terms to architecture
* move content from configuringservices to configuration
* Update configuration.rst documentation
* Verbose 401/403 debug responses
* Fix the misspelling in \`keystone/tests/unit/test\_cli.py\`
* refactor notification test to work with either format
* Clarify the v2.0 validation path
* Remove metadata from token provider
* Lockout ignore user list
* Add developer docs for keystone-manage doctor
* [api] add changelog from 3.0 -> 3.7
* Devstack plugin to federate with testshib.org
* Remove entry\_points to non-existent drivers
* Fix typo in doc

11.0.0.0b1
----------

* remove release note about LDAP write removal
* Change "Change User Password" request example
* Fixes remaining nits in endpoint\_policy tests
* Remove reference to future removal of saml
* Limits config fixture usage to where it's needed
* Updated from global requirements
* Remove format\_token method
* Remove issue\_v3\_token in favor of issue\_token
* Remove issue\_v2\_token
* refactor the token controller
* Use issue\_v3\_token instead of issue\_v2\_token
* Updates to the architecture doc
* Support nested groups in Active Directory
* Add healthcheck middleware to pipelines
* Request cache should not update context
* Change cfg.set\_defaults into cors.set\_defaults
* Updated from global requirements
* Updated from global requirements
* Doc warning for keystone db migration
* Wording error in upgrading documentation
* Updated from global requirements
* fix credentials backend tests
* Allow running expand & migrate at the same time
* Add test cases for passing "None" as a hint
* Fix test\_revoke to run all tests after pki removal
* Updated from global requirements
* Switch fernet to be the default token provider
* Remove support for PKI and PKIz tokens
* Doc the difference between memcache and cache
* Doctor ldap check fix for config files
* Additional logging when authenticating
* Document OS-SIMPLE-CERT Routes
* Document v2 Revoked Token Route
* Add api-ref /auth/tokens/OS-PKI/revoked (v3)
* Fix broken links in the docs
* Add structure for Devstack plugin
* Add bindep environment to tox
* Pass a request to controllers instead of a context
* Create default role as a part of bootstrap
* Updated from global requirements
* Don't deprecate the LDAP property which is still needed
* Clarifying on the remove of \`build\_auth\_context\` middleware
* log.error use \_ of i18n
* Doctor check for LDAP domain specific configs
* Updated from global requirements
* Updated from global requirements
* Validate mapping exists when creating/updating a protocol
* Remove new\_id() in test\_revoke
* Adds warning when no domain configs were uploaded
* Add release note for fernet tokens
* Tweak api-ref doc for v3 roles
* Tweak api-ref doc for v3 roles status codes
* Reorder APIs in api-ref for v3 groups
* [api-ref] Remove the duplicated sample
* Follow-on of memcache token persistence removal
* changed domain id to name in JSON request
* More configuration doc edits
* Remove backend dependencies from token provider
* Updated from global requirements
* [api-ref] Fix couple of issues on OS-INHERIT API
* Code cleanup
* Replace tenant with project for keystone catalog
* Imported Translations from Zanata
* Update, correct, and enhance federation docs
* Invalidate trust when the related project is deleted
* Remove unused arg(project and initiator)
* Drop MANIFEST.in - it's not needed by pbr
* Ignore unknown arguments to fetch\_token
* Return password\_expires\_at during auth
* Move the token abstract base class out of core
* Add is\_admin\_project to policy dict
* Fix a typo in token\_formatters.py
* Improve check\_token validation performance
* Add revocation event indexes
* Add docs for PCI-DSS
* Invalidate trust when the trustor or trustee is deleted
* Updated from global requirements
* [api] add a note about project name restrictions
* One validate method to rule them all..
* Simplify the KeystoneToken model
* Remove validate\_v2\_token() method
* [api] remove \`user\_id\` and \`project\_id\` from policy
* Remove the decorator where it's not applied
* Optimize remove unused variable
* Remove those redundant variable declaration
* [doc] Correct mapping JSON example
* Remove no use variable (domain\_id)
* Remove redundant variable declaration
* Deprecate \`endpoint\_filter.sql\` backend
* remove deprecated \`[endpoint\_policy] enable\` option
* Pass initiator to Manager as a kwarg
* create release notes for removed functionality
* Remove driver version specifiers from tests
* Enable release notes translation
* Remove driver version from identity backend test names
* Remove driver version from docs
* Updated from global requirements
* Default the assignment backend to SQL
* remove legacy driver tox target
* Use validate\_v3\_token instead of validate\_token
* Ensure all v2.0 tokens are validated the same way
* Make sure all v3 tokens are validated the same way
* re-add valid comment about None domain ID
* Default the resource backend to SQL
* Make returning is\_domain conditional
* Move audit initiator creation to request
* Don't validate token expiry in the persistence backend
* Add tests for validating expired tokens
* Fix a typo in \_init\_.py
* Remove password history validation from admin password resets
* Updating the document regarding LDAP options
* Updated from global requirements
* Remove the unused sdx doc files
* Updated from global requirements
* Remove the no use arg (auth=None)
* Fix typo in docstring
* Tweak api-ref for v3 groups status codes
* Updated from global requirements
* Add Apache 2.0 license to source file
* Fix a typo in core.py and bp-domain-config-default-82e42d946ee7cb43.yaml
* Validate password history for self-service password changes
* Make test\_v3\_auth exercise the whole API
* Remove stable driver interfaces
* Updated from global requirements
* Remove the check for admin token in build\_auth\_context middleware
* Reorder APIs in api-ref doc for v3 users
* Fix a docstring typo in test\_v3\_resource.py
* Using assertIsNone(...) instead of assertIs(None, ...)
* Updated from global requirements
* remove deprecated items from contrib
* Update man page for Ocata release version and date
* Using assertIsNone() instead of assertIs(None)
* Remove default=None when set value in config
* Undeprecate options used for signing
* Remove unused path in the v2 token controller
* Fix the belongsTo query parameter
* Fix 'API Specification for Endpoint Filtering' broken link
* Add domain check in domain-specific role implication
* Override credential key repository for null key tests
* Remove useless method override
* remove memcache token persistence backends
* remove keystone/service.py
* remove saml2 auth plugin
* remove httpd/keystone.py
* remove cache backends
* Revert "Allow compatibility with keystonemiddleware 4.0.0"
* Consolidate the common code into one method
* Handle the exception from creating request token properly
* Fix formatting strings in LOG.debug
* Fix formatting strings in LOG.warning
* Handle the exception from creating access token properly
* Updated from global requirements
* Tweak status code in api-ref doc for v3 users
* Fix prameters names in Keystone API v2-ext
* Refactor Keystone admin-tenant API v2
* Refactor Keystone admin-endpoint API
* Fix for unindent warning in doc build
* add placeholder migrations for newton
* Remove  default=None for config options
* Ensure the sqla-migrate scripts cache is cleared
* Move test\_sql\_upgrade.MigrationRepository into keystone.common
* Rename sql.migration\_helpers to sql.upgrades
* Give domain admin rights to domain specific implied roles
* Update reno for stable/newton
* Refactor find\_migrate\_repo(): require caller to specify repo
* Fixes password created\_at errors due to the server\_default
* Move the responsibility for stdout to the CLI module
* Use a read-only DB session to retrieve schema version
* Move rolling upgrade repo names into constants

10.0.0.0rc1
-----------

* Removal of imports within functions
* Trivial fixes in the ldap common functions
* Test that rolling upgrade repos are in lockstep
* Add unit tests for isotime()
* Remove unused \_convert\_to\_integers() method
* Adds tests for verify\_length\_and\_trunc\_password()
* Remove unused read\_cached\_file method from utils
* Allow compatibility with keystonemiddleware 4.0.0
* Fix links on configure\_federation documentation
* Add edge case tests for disabling a trustee
* Fix prameters name and response codes in Keystone API v2
* Tweak api-ref doc for services/endpoints
* Use issued\_at in fernet token provider
* Remove unused method from keystone.common.utils
* Use ConfigParser instead of SafeConfigParser
* Consistently round down timestamps
* Remove the APIs from doc that is not supported yet
* TrivialFix: Merge imports in code
* Fix the nit on how to deploy keystone with \`mod\_proxy\_uwsgi\`
* Tweak api-ref doc for projects
* Remove the dead link in schema migration doc
* Updated from global requirements
* Fix order of arguments in assertIs
* New notes on advanced upgrade/fallback for cluster
* standardize release note page ordering
* [api-ref] Correct response code status
* Replace six iteration methods with standard ones
* Fixes a nit in a comment
* Updates configuration doc with latest changes
* Use freezegun for change password tests
* Update sample keystone.conf for Newton
* Project domain must match role domain for assignment
* Add docs for the null key
* Log warning if null key is used for encryption
* Introduce null key for credential encryption
* More nit doc fixes
* Keep the order of passwords in tests
* EndpointPolicy driver doesn't inherit interface
* [api-ref] Stop supporting os-api-ref 1.0.0
* Fix up some doc nits
* Only cache callables in the base manager
* [api-ref] Correcting parameter's type
* Correct link type
* Fix problems in service api doc
* Raise NotImplementedError instead of NotImplemented
* Add the deprecated\_since to deprecated options
* Add doctor checks for credential fernet keys
* Few new commands missing from docs
* Emit log message for fernet tokens only
* Implement encryption of credentials at rest
* Typo: key\_manger\_factory to key\_mangler\_factory

10.0.0.0b3
----------

* Fixes spelling mistakes
* Fixes migration where password created\_at is nullable
* Block global roles implying domain specific roles
* Correct typo in mapping\_populate command's help
* Relax the requirement for mappings to result in group memberships
* Document credential encryption
* Update sample uwsgi config for lazy-apps
* Add documentation on how to set a user's tenant
* Pre-cache new tokens
* Config logABug feature for Keystone api-ref
* Fix nits in db migration dev docs
* Disallow new migrations in the legacy migration repository
* Updated from global requirements
* Update developer docs for new rolling upgrade repos
* Add man page info for credential setup command
* Remove unnecessary try/except from token provider
* Fixes small grammar mistake in docstring
* Add a feature support matrix for identity sources
* Fix wrong response codes in 'groups' APIs
* Make token\_id a required parameter in v3\_to\_v2\_token
* Distributed cache namespace to invalidate regions
* Fix formatting strings when using multiple variables
* Add credential setup command
* Add Response Example for 'Create credential' API
* Add Response Example for 'Passwd auth with unscoped authorization'
* Remove mapping schema from the doc
* Impose a min and a max on time values in CONF.token
* Repair link in Keystone documentation
* Faster id mapping lookup
* Fix some typos in comments
* Cleaning imports in code
* Updated from global requirements
* TrivialFix: Remove logging import unused
* Removes old, unused code
* Reduce log level of Fernet key count message
* Updated from global requirements
* Adds password regular expression checks to doctor
* Let upgrade tests control all 4 repositories at once
* Adds check that minimum password age is less than password expires days
* Remove unused global variable from unit tests
* Modify sql banned operations for each of the new repos
* Use egg form of osprofiler in paste pipeline
* api-ref: Splitting status lines in API v3-ext
* api-ref: Splitting status lines in API v3
* Remove mox from test-requirements
* TrivialFix: Remove logging import unused
* [api-ref]: Outdated link reference
* Remove unnecessary \_\_init\_\_
* Add mapping\_populate command
* Doc fix: license rendered in published doc
* Doc fix: "keystone-manage upgrade" is not a thing
* Fix credential update to ec2 type
* Add key repository uniqueness check to doctor
* Update \`href\` for keystone extensions
* Updated from global requirements
* Fix the wrong URI for the OAuth1 extension in api-ref
* Shadowing a nonlocal\_user incorrectly creates a local\_user
* Add entrypoint for mapped auth method
* Get ready for os-api-ref sphinx theme change
* Add rolling upgrade documentation
* Add create and update methods to credential Manager
* Create a fernet credential provider
* Make KeyRepository shareable
* Add conf to support credential encryption
* Password expires ignore user list
* Add expand, data migration and contract logic to keystone-manage
* [api] add relationship links to v3-ext
* Removes use of freezegun in test\_auth tests
* Removes a redundant test from FernetAuthWithTrust
* api-ref: Fix parameters attributes
* Set default value for [saml]/idp\_contact\_surname
* Tidy up for late-breaking review comments on keystone-manage
* PCI-DSS Minimum password age requirements
* api-ref: Document domain specific roles
* Revert "Add debug logging to revocation event checking"
* Replace the content type with correct one
* Add credential encryption exception
* Pass key\_repository and max\_active\_keys to FernetUtils
* Make a FernetUtils class
* Move fernet utils into keystone/common/
* Add support for rolling upgrades to keystone-manage
* api-ref: Document implied roles API
* Support new osprofiler API
* api-ref: Correcting V3 OS-INHERIT APIs
* Fix typo in the file
* Add debug logging to revocation event checking
* Detail Federation Service Provider APIs in api-ref
* Detail Fed Projects and Domains APIs in api-ref
* add a header for the federation APIs
* Detail Federation Mapping APIs in api-ref docs
* Detail Federation Auth APIs in api-ref docs
* Detail Federation Assertion APIs in api-ref docs
* Move other-requirements.txt to bindep.txt
* Detail IdP APIs in api-ref docs
* api-ref: Add default domain config documentation
* Constraints are ready to be used for tox.ini
* Updated from global requirements
* [api] add relationship links to v3
* Refactor revoke matcher
* Document get auth/catalog,projects,domains
* api-ref: Renaming parameters of V3-ext APIs
* api-ref: Correcting V3 Credentials APIs
* api-ref: Correcting V3 Policies APIs
* api-ref: Correcting V3 Authentication APIs
* api-ref: Correcting V3 Domain config APIs
* Use international logging message
* Updates Development Environment Docs
* Create unit tests for endpoint policy drivers
* api-ref: Add query options to GET /projects API documentation
* Updated from global requirements
* api-ref: Add missing parameter tables to tenant
* Create unit tests for the policy drivers
* api-ref: Correcting V3 Endpoints APIs
* api-ref: Correcting V3 Services APIs
* api-ref: Add "nocatalog" option to GET /v3/auth/tokens
* Fix warning when running tox -e api-ref
* Add basic upgrade documentation
* Document query option (is\_domain) for projects
* remove test utilities related to adding extensions
* Update etc/keystone.conf.sample
* Make hash\_algorithms order deterministic
* PCI-DSS Password expires validation
* Report v2.0 as deprecated in version discovery
* Update the api-ref to mark the v2 API as deprecated
* Add schema validation to create user v2
* Fix the spelling of a test name
* Remove mention of db\_sync per backend
* Trust controller refactoring
* Use more specific asserts in tests
* Updated from global requirements
* Add debug logging for RevokeEvent deserialize problem
* Make all token provider behave the same with trusts
* Use URIOpt for endpoint URL options
* Clean up the introductory text in the docs
* Retry revocation on MySQL deadlock
* Add schema validation to update user v2
* PCI-DSS Lockout requirements
* Improve domain configuration API docs
* Skip middleware request processing for admin token
* Move Assertion API to its own file
* Bump API version number and date
* Move Federation Auth API to its own file
* Move List Projects and Domains API to its own file
* Move Service Provider API to its own file
* Move Mapping API to its own file
* Use %()d for integer substitution
* Don't include openstack/common in flake8 exclude list
* Added postgresql libs to developer docs
* Add schema validation to create service in v2
* Remove the redundant verification in OAuth1 authorization
* Add schema validation to v2 update tenant
* refactor idp to its own file
* Updated from global requirements
* PCI-DSS Password history requirements
* Move Identity Provider API to its own file
* Add dummy domain\_id column to cached role
* Allow attributes other than \`enabled\` in schema
* Remove the extensions repos
* Document the domain config API as stable
* Remove configuration references to eventlet
* Adds a custom deepcopy handler
* Add token feature support matrix to documentation
* Test number of queries on list\_users
* No need the redundant validation in manager level
* Add the missing testcases for \`name\` and \`enabled\`
* Adds test for SecurityError's translation behavior
* TOTP auth not functional in python3
* Invalid tls\_req\_cert constant as default
* Add schema validation to v2 create tenant
* Use quotes consistently in token controller
* Add performance tuning documentation
* Allow V2TestCase to be tested against fernet and uuid
* Make AuthWithTrust testable against uuid and fernet
* Improve os-federation docs
* Fix v2-ext API enabled documentation
* PCI-DSS Adds password\_expires\_at to API docs
* Make it so federated tokens are validated on v2.0
* Use freezegun in AssignmentInheritanceTestCase
* Only run KvsTokenCacheInvalidation against uuid
* Use freezegun in OSRevokeTests
* refactor: make TestFetchRevocationList test uuid
* refactor: make TestAuthExternalDefaultDomain test uuid/pki/pkiz
* refactor: make TestAuthKerberos test pki/pkiz/uuid
* Add schema validation to create role
* Replace OpenStack LLC with OpenStack Foundation
* refactor: inherit AuthWithRemoteUser for other providers
* Run AuthWithToken against all token providers
* Don't run TokenCacheInvalidation with Fernet
* Refactor TestAuthExternalDomain to not inherit tests
* Use freezegun to increment clock in test\_v3\_assignment
* Add schema for enabling a user
* Fix up the api-ref request/response parameters for projects
* \`password\` is not required for updating a user
* Clarify V2 API for enabling or disabling user
* Removed duplicate parameter in v2-admin api-ref
* Fix the errors in params in api-ref for V3 region
* Fix the errors in params in api-ref for V3 user
* Added cache for id mapping manager
* Updated from global requirements
* Add Python 3.5 classifier
* Handle Py35 fix of ast.node.col\_offset bug
* deprecate a few more LDAP config options
* Clean up api-ref for domains
* keystone-manage doctor
* v2 api: add APIs for setting a user's password
* Update os-inherit API reference
* Updated from global requirements
* Run AuthTokenTests against fernet and uuid
* Use freezegun to increment the clock in test\_v3\_filters
* Prevent error when duplicate mapping is created
* Fix the wrong check condition
* Clean up the api-ref for groups
* Updated from global requirements
* Improve introdcution to api-ref projects
* Migrate OS-FEDERATION from specs repo
* v2 api: remove APIs for global roles
* v2 api: group and order the v2-ext APIs
* v2 api: remove duplicated delete user API
* v2 api: add missing /roles in role CRUD APIs
* v2 api: list user roles is defined twice
* v2 api: add OS-KSADM to service API routes
* v2 api: add tenant APIs
* v2 api: delete user is defined twice
* v2 api: change update user
* v2 api: correct user list
* Update Identity endpoint in v2 samples
* Fix up numerous errors in params in api-ref for roles
* Fix up the api-ref for role query paramaters
* Fix the username value in federated tokens
* Improve readability of the api-ref roles section
* Use constraints for coverage job
* clean up OAUTH API
* Add relationship links to OAUTH APIs
* Remove \`name\` property from \`endpoint\` create/update API
* Add v2.0 /endpoints/ api-ref
* Update identity endpoint in v3 and v3-ext samples
* Pass request to v2 token authenticate
* Remove unused context from AuthInfo
* Correct normal response codes for v2.0 extensions
* Improve user experience involving token flush
* Add "v2 overview" docs to APIs
* add OS-OAUTH1/authorize/{request\_token\_id} API
* Move OS-INHERIT api-ref from extensions to core
* re-order the oauth APIs
* Copy the preamble / summary of OAuth1 from the specs repo
* Correct normal response codes in trust documentation
* Add OS-EP-FILTER to api-ref

10.0.0.0b2
----------

* PCI-DSS Password strength requirements
* Variables in URL path should be required
* Remove get\_trust\_id\_for\_request function
* Pass request to normalize\_domain\_id
* Remove a validate\_token\_bind call
* Remove get\_user\_id in trust controller
* Cleanup trusts controller
* Trivial spacing and comma corrections
* Add OS-KSCRUD api-ref
* Disable warnerrors in setup.cfg temporarily
* Add is\_domain to project example responses
* Add is\_domain to scope token response examples
* Improve keystone.conf [security\_compliance] documentation
* Improve keystone.conf [signing] documentation
* Correct normal response codes in OS-INHERIT docs
* Fix python{3,}-all-dev depends in deb based
* Correct normal status codes for v2.0 admin docs
* Improve keystone.conf [shadow\_users] documentation
* Correct normal response codes for region docs
* Correct normal response codes for auth docs
* Correct normal response codes for credential docs
* Correct normal response codes for project docs
* Correct normal response codes for policy docs
* Correct normal response codes for v2.0 versions doc
* Correct normal response codes in v2.0 versions doc
* Correct normal response codes in v2.0 tenant docs
* Use URIOpt instead of StrOpt for SAML config
* Correct normal response codes for role docs
* Correct normal response codes in v2.0 token docs
* Correct normal response codes in service catalog doc
* Correct normal response codes in oauth docs
* Correct normal response codes in v2.0 admin user docs
* Improve keystone.conf [token] documentation
* Correct normal response codes in endpoint policy docs
* Validate SAML keyfile & certfile options
* Improve keystone.conf [tokenless\_auth] documentation
* Complete OS-TRUST API documentation
* Fixes response codes in endpoint policy api-ref
* List 20X status codes as Normal in domain docs
* Improve the API documentation for groups
* Create APIs for OS-REVOKE
* Clean up token binding validation code
* Reorder request params in endpoint policy api-ref
* Adds missing parameter to endpoint policy api-ref
* Adds missing docs to endpoint policy api-ref
* Reorders API calls to match precedence rules
* Improve keystone.conf [saml] documentation
* Handle more auth information via context
* Require auth\_context middleware in the pipeline
* Updated from global requirements
* Improve keystone.conf [trust] documentation
* Improve keystone.conf [role] documentation
* Improve keystone.conf [ldap] documentation
* Improve keystone.conf [os\_inherit] documentation
* Improve keystone.conf [revoke] documentation
* Improve keystone.conf [resource] documentation
* Move logic for catalog driver differences to manager
* Minor docstring cleanup for domain\_id mapping
* Remove unnecessary stable attribute value for status
* Updated from global requirements
* Mark the domain config via API as stable
* Remove validated decorator
* Move request validation inline
* Invalidate token cache on domain disablement
* Isolate token caching into its own region
* Doc update on enabled external auth and federation
* keystone recommend deprecated memcache backend
* Use request object in policy enforcement
* Use the context's is\_admin property
* Add the oslo\_context to the environment and request
* Use http\_client constants instead of hardcoding
* Increase test coverage for token APIs
* Ensure status code is always passed as int
* Fix fernet token validate for disabled domains/trusts
* Doc update for moving abstract base classes out of core
* Fix \_populate\_token\_dates method signature
* Move the trust abstract base class out of core
* Move the credential abstract base class out of core
* Move the auth plugins abstract base class out of core
* Expose bug with Fernet tokens and trusts
* Remove last parts of query\_string from context
* Remove get\_auth\_context
* Correct reraising of exception
* Pass request to build\_driver\_hints
* Remove headers from context
* Use request.environ through auth and federation
* Remove accept\_header from context
* Fixed a Typo
* Docs: Fix the query params in role\_assignments example
* [doc/api]Remove space within word
* Remove unused LOG
* Make assert\_admin work with a request
* Add missing preamble for v3 and v3-ext
* move OAUTH1 API to extensions
* generate separate index files for each api-ref
* Migrate identity /v2-admin docs from api-ref repo
* Use request instead of context in v2 auth
* Handle catalog backends that don't support all functions
* Refactoring: remove the duplicate method
* Return \`revoked\_at\` for list revoke events
* Use skip\_test\_overrides everywhere we feature skip
* Improve keystone.conf [fernet\_tokens] documentation
* Improve keystone.conf [catalog] documentation
* Refactor: [ldap] suffix should not be an instance attribute
* Grammar fix: will -> can
* Fixes hacking's handling of log hints
* Improve keystone.conf [paste\_deploy] documentation
* Improve keystone.conf [kvs] documentation
* Improve keystone.conf [identity] documentation
* Improve keystone.conf [endpoint\_filter] documentation
* Improve keystone.conf [oauth1] documentation
* Verify domain\_id when get\_domain is being called
* Updated from global requirements
* Include doc directory in pep8 checks
* Do not register options on import
* Improve keystone.conf [policy] documentation
* Improve keystone.conf [memcache] documentation
* Use min to avoid checking < 1 max fernet keys
* Improve keystone.conf [identity\_mapping] documentation
* Improve keystone.conf [federation] documentation
* Updated tests that claimed to be blocked by bugs
* Use skip\_test\_overrides in test\_backend\_ldap
* Adds a skip method to identify useless skips
* Update the nosetests test regex for legacy tests
* update a config option deprecation message
* Improve keystone.conf [eventlet\_server] documentation
* Improve keystone.conf [endpoint\_policy] documentation
* Improve keystone.conf [credential] documentation
* Improve keystone.conf [domain\_config] documentation
* Rename [DEFAULT] keystone.conf module to keystone.conf.default
* Improve keystone.conf [DEFAULT] documentation
* Remove test\_backend\_ldap skips for missing tests
* Removes duplicate ldap test setup
* Extracted common ldap setup and use in the filter tests
* Reduce domain specific config setup duplication
* API Change Tutorial doc code modify
* Update other-requirements for Xenial
* Concrete role assignments for federated users
* PCI-DSS Disable inactive users requirements
* Migrate identity /v3-ext docs from api-ref repo
* Migrate identity /v2-ext docs from api-ref repo
* Migrate identity /v2 docs from api-ref repo
* Use request.params instead of context['query\_string']
* Config: no need to set default=None
* Do not spam the log with uncritical stacktraces
* Improve keystone.conf [auth] documentation
* Improve keystone.conf [assignment] documentation
* Group test\_backend\_ldap skips for readability
* Adds a backend test fixture
* Remove unused test code
* Moves auth plugin test setup closer to its use
* Add security\_compliance group back to config
* Fix nits related to the new keystone.conf package
* Fixes failure when password is null
* Allow auth plugins to be setup more than once
* Removes outdate comment from a test
* Replace keystone.common.config with keystone.conf package
* Updated from global requirements
* Fix a few spelling mistakes
* Allow user to get themself and their domain
* PCI-DSS Password SQL model changes
* Fix argument order for assertEqual to (expected, observed)
* Use the ldap fixture to simplify tests
* Change the remaining conf setup to use the fixture
* Reduce setup overhead in auth\_plugin tests
* /services?name=<name> API fails when using list\_limit
* Updated from global requirements
* Make sure to use InnoDB as the DB engine
* Remove TestAuth
* Move last few TestAuth tests to TokenAPITests
* Move external auth and bind test to TokenAPITests
* Refactor test\_validate\_v2\_scoped\_token\_with\_v3\_api
* Remove test\_validate\_v2\_unscoped\_token\_with\_v3\_api
* Move more project scoped token behavior to TokenAPITests
* Validate impersonation in trust redelegation
* Correct domain\_id and name constraint dropping
* Integration tests cleanup
* Use http\_proxy\_to\_wsgi from oslo.middleware
* Use request object in auth plugins
* Move cross domain/group/project auth tests
* Move negative token tests to TokenAPITests
* Move unscoped token test to TokenAPITests
* Move negative domain scope test to TokenAPITests
* Consolidate domain token tests into TokenAPITests
* Move more project scoped behavior tests to TokenAPITests
* Move project scoped catalog tests to TokenAPITests
* Update driver versioning documentation
* Move project scoped tests to TokenAPITests
* Move TestAuth unscoped token tests to TokenAPITests
* Add cache invalidation for service providers
* Updated from global requirements
* Add 'links' to implied roles response
* Updated from global requirements
* fix ldap delete\_user group member cleanup
* exception sensitive cache/audit changes
* Fix TOTP transient test failure
* Change LocalUser sql model to eager loading
* Shadow LDAP and custom driver users
* Refactor shadow users
* Fix ValidationError exception name in docstring
* Add docstring to delete\_project
* Updated from global requirements
* Revert to caching fernet tokens the same way we do UUID
* Honor ldap\_filter on filtered group list
* Pass a request to controllers instead of a context
* Update the keystone-manage man page options
* clean up test\_resource\_uuid
* Return 404 instead of 401 for tokens w/o roles
* Updating sample configuration file
* Revert "Install necessary files in etc/"
* Keystone uwsgi performance tuning
* Add caching config for federation
* Updated from global requirements
* Updating sample configuration file
* Updating sample configuration file
* Bootstrap: enable and reset password for existing users
* PEP257: Ignore D203 because it was deprecated
* Cache service providers on token validation
* Refactor revoke\_model to remove circular dependency
* Update man page for Newton release
* Move stray notification options into config module
* Adding role assignment lists unit tests
* Add protocols integration tests
* Add mapping rules integration tests
* Add service providers integration tests
* Imported Translations from Zanata
* Updated from global requirements

10.0.0.0b1
----------

* Simplify & fix configuration file copy in setup.cfg
* Config settings to support PCI-DSS
* Fix credentials\_factory method call
* Allow domain admins to list users in groups with v3 policy
* Updating sample configuration file
* Updated from global requirements
* Honor ldap\_filter on filtered user list
* Install necessary files in etc/
* Replace revoke tree with linear search
* Migrate identity /v3 docs from api-ref repo
* Updated from global requirements
* Add new functionality to @wip
* remove deprecated revoke\_by\_expiration function
* Isolate common ldap code to the identity backend
* Updated from global requirements
* Remove helper script for py34
* Include project\_id in the validation error on default project is domain
* Add python 3 release note
* Add comment to test case helper function
* Add Python 3 classification
* Py3 oauth tests
* Enable py3 tests for test\_v3\_auth
* make sure default\_project\_id is not domain on user creation and update
* Let setup.py compile\_catalog process all language files
* Fix broken link of federation docs
* Add new line in keystone/common/request.py
* Move identity.backends.sql model code to sql\_model.py
* Add .mo files to MANIFEST.in
* Replace context building with a request object
* Enable py3 testing for Fernet token provider
* Enable py3 for credential tests
* reorganize mitaka release notes
* enable ldap tests for py3
* Updated from global requirements
* Add the validation rules when create token
* Use PyLDAP instead of python-ldap
* Fix config path for running wsgi in developer mode
* Move the revoke abstract base class out of core
* Updated from global requirements
* Port test\_v2 unit test to Python 3
* Move the oauth1 abstract base class out of core
* Drop the (unused) domain table
* Don't set None for ldap.OPT\_X\_TLS\_CACERTFILE
* Add API Change Tutorial
* Deprecate keystone.common.kvs
* Updating sample configuration file
* Add is\_domain in token response
* Switch to use \`new\_domain\_ref\` for testcases
* Move the assignment abstract base class out of core
* Add identity providers integration tests
* Update documentation to remove keystone-all
* Updating sample configuration file
* Updated from global requirements
* replace logging with oslo.log
* Move the federation abstract base class out of core
* Separate protocol schema
* Updated from global requirements
* Move the catalog abstract base class and common code out of core
* Enhance federation group mapping validation
* Add mapping validation tests
* Fixes example in the mapping combinations docs
* do not search file on real environment
* Allow 'domain' property for local.group
* Add conflict validation for idp update
* Always add is\_admin\_project if admin project defined
* Make keystone exit when fernet keys don't exist
* Fix fernet audit ids for v2.0
* Revert "Revert "Unit test for checking cross-version migrations compatibility""
* Make all fixture project\_ids into uuids
* Fixing D105, D203, and D205 PEP257
* Remove test\_invalid\_policy\_raises\_error
* switch to tempest instead of deprecated tempest-lib
* Move the resource abstract base class out of core
* Correct RST syntax for a code block
* Restructure policy abstract driver
* Updated from global requirements
* Add test for authentication when project and domain name clash
* Fix doc build if git is absent
* Restructure endpoint policy abstract driver
* Clean up test\_receive\_identityId
* Fix typos
* Fixes incorrect deprecation warning for IdentityDriverV8
* Add other-requirements.txt
* Fix D400 PEP257
* Imported Translations from Zanata
* Updating sample configuration file
* Customize config file location when run as wsgi app
* Updated from global requirements
* Updating sample configuration file
* Updated from global requirements
* Bump the required tox version to 2.3.1
* Add set\_config\_defaults() call to tests
* update deprecation warning for falling back to default domain
* Tests clean up global ldap settings
* Define identity interface - easy cases
* add missing deprecation reason for eventlet option
* Remove comments mentioning eventlet
* Remove support for generating ssl certs
* Updating sample configuration file
* Remove eventlet support
* Default caching to on for request-local caching
* Typo in sysctl command example Edit
* Typo fix in tests
* Add logging to cli if keystone.conf is not found
* Fix post jobs
* Refactor domain config upload
* Keystone jobs should honor upper-constraints.txt
* Fix confusing naming in ldap EnableEmuMixin
* Updating sample configuration file
* Deprecation reason for domain\_id\_immutable
* Test list project hierarchy is correct for a large tree
* Fix D401 PEP8 violation
* OSprofiler release notes
* Updating sample configuration file
* Updated from global requirements
* Add keystone service ID to observer audit
* group federated identity docs together
* Change Role/Region to role/region in keystone-manage bootstrap
* Use mockpatch fixtures from fixtures
* Set the values for the request\_local\_cache
* Add missing backslash to keystone-manage bootstrap command in documentation
* fix typo
* Fix KeyError when rename to a name is already in use
* Improve project name conflict message
* Imported Translations from Zanata
* Updating sample configuration file
* Dev doc update for moving abstract base classes out of core
* Simplify chained comparison
* Update the description of the role driver option
* Integrate OSprofiler in Keystone
* Update the Administrator guide link
* Clean up test case for shadow users
* Fixes bug where the updated federated display\_name is not returned
* Make AuthContext depend on auth\_token middleware
* Fix totp test fails randomly

9.0.0
-----

* Update federated user display name with shadow\_users\_api
* Update federated user display name with shadow\_users\_api
* Remove comment from D202 rule
* Remove backend interface and common code out of identity.core
* Use messaging notifications transport instead of default
* Run federation tests under Python 3
* Bandit test results
* create a new \`advanced topics\` section in the docs

9.0.0.0rc2
----------

* Correct \`role\_name\` constraint dropping
* Correct \`role\_name\` constraint dropping
* Base for keystone tempest plugin
* Random project should return positive numbers
* Imported Translations from Zanata
* Improve error message for schema validation
* Imported Translations from Zanata
* The name can be just white character except project and user
* Fix typos in Keystone files
* Add \`patch\_cover\` to keystone
* Fix keystone-manage config file path
* Cleanup LDAP models
* Correct test to support changing N release name
* Correct \_populate\_default\_domain in tests
* Imported Translations from Zanata
* Removing redundant words
* Imported Translations from Zanata
* Correct test to support changing N release name
* Fix keystone-manage config file path
* Opportunistic testing with different DBs
* Correct test\_implied\_roles\_fk\_on\_delete\_cascade
* Fix table row counting SQL for MySQL and Postgresql
* Switch migration tests to oslo.db DbTestCase
* Correct test\_migrate\_data\_to\_local\_user\_and\_password\_tables
* Fix test\_add\_int\_pkey\_to\_revocation\_event\_table for MySQL
* Imported Translations from Zanata
* Implement HEAD method for all v3 GET actions
* Avoid name repetition in equality comparisons
* Simplify repetitive unequal checks
* Imported Translations from Zanata
* Add test for domains list filtering and limiting
* Imported Translations from Zanata
* remove endpoint\_policy from contrib
* Moved name formatting (clean) out of the driver
* Add py3 debugging
* Add release note for list\_limit support
* Add release note for list\_limit support
* Cleanup migration tests
* Imported Translations from Zanata
* Imported Translations from Zanata
* Update dev docs and sample script for v3/bootstrap
* add placeholder migrations for mitaka
* Enables the notification tests in py3
* Update reno for stable/mitaka
* Update .gitreview for stable/mitaka

9.0.0.0rc1
----------

* Support \`id\` and \`enabled\` attributes when listing service providers
* Check for already present user without inserting in Bootstrap
* Mapping which yield no identities should result in ValidationError
* Make backend filter testing more comprehensive
* Move region configuration to a critical section
* Change xrange to range for python3 compatibility
* Remove reference to keystoneclient CLI
* Document running in uwsgi proxied by apache
* Updating sample configuration file
* Imported Translations from Zanata
* Correct Hints class filter documentation
* Release note cleanup
* Update reported version for Mitaka
* Add docs for additional bootstrap endpoint parameters
* Remove unused notification method and class
* Consolidate @notifications.internal into Audit
* Imported Translations from Zanata
* Remove some translations
* Imported Translations from Zanata
* Fixed user in group participance
* register the config generator default hook with the right name
* Imported Translations from Zanata
* Rename v2 token schema used for validation
* Migrate\_repo init version helper
* Remove TestFernetTokenProvider
* Refactor TestFernetTokenProvider trust-scoped tests
* Refactor TestFernetTokenProvider project-scoped tests
* Refactor TestFernetTokenProvider domain-scoped tests
* Refactor TestFernetTokenProvider unscoped token tests
* Fixing mapping schema to allow local user
* Fix keystone-manage example command path
* Make modifications to domain config atomic
* Add auto-increment int primary key to revoke.backends.sql
* Add PKIZ coverage to trust tests
* Consolidate TestTrustRedelegation and TestTrustAuth tests
* Expose not clearing of user default project on project delete
* Split out domain config driver and manager tests
* Add notifications to user/group membership
* Add ability to send notifications for actors
* Updated from global requirements
* Remove foreign assignments when deleting a domain
* Correct create\_project driver versioning
* Explicitly exclude tests from bandit scan
* Move role backend tests
* v2 tokens validated on the v3 API are missing timezones
* Move domain config backend tests
* Validate v2 fernet token returns extra attributes
* Clarify virtualenv setup in developer docs
* Fixes a few LDAP tests to actually run
* Imported Translations from Zanata
* Un-wrap function
* Fix warning when running tox
* Race condition in keystone domain config
* Adding 'domain\_id' filter to list\_user\_projects()
* Add identity endpoint creation to bootstrap
* Updated from global requirements
* Remove \_disable\_domain from the resource API
* Remove \_disable\_project from the resource API
* Remove the notification.disabled decorator
* Remove unused notification decorators
* Cleanup from from split of token backend tests
* Split identity backend tests
* Split policy backend tests
* Split catalog backend tests
* Split trust backend tests
* Split token backend tests
* Split resource backend tests
* Split assignment backend tests
* Updated from global requirements
* Consolidate configuration default overrides
* Updating sample configuration file
* IPV6 test unblacklist
* Fix trust chain tests

9.0.0.0b3
---------

* Minor edits to the developing doc
* Add release notes for projects acting as domains
* Fix keystone.common.wsgi to explicitly use bytes
* fix sample config link that 404s
* add hints to list\_services for templated backend
* Fixes hacking for Py3 tests
* Fixes to get cert tests running in Py3
* Fixes the templated backend tests for Python3
* remove pyc files before running tests
* Stop using oslotest.BaseTestCase
* Return 404 instead of 401 for tokens w/o roles
* Remove unused domain driver method in legacy wrapper
* Deprecate domain driver interface methods
* Fix the migration issue for the user doesn't have a password
* Add driver details in architecture doc
* Shadow users - Shadow federated users
* Projects acting as domains
* Update developer docs for ubuntu 15.10
* Moved CORS middleware configuration into oslo-config-generator
* V2 operations create default domain on demand
* Make keystone tests work on leap years
* Updating sample configuration file
* Fix doc build warnings
* Enable LDAP connection pooling by default
* Delay using threading.local() to fix check job failure
* Minor edits to the installation doc
* Minor edits to the configuration doc
* Minor community doc edits
* Updated from global requirements
* Followup for LDAP removal
* Remove get\_session and get\_engine
* No more legacy engine facade in tests
* Use requst local in-process cache per request
* Move admin\_token\_auth before build\_auth\_context in sample paste.ini
* Update default domain's description
* Reference config values at runtime
* Use the new enginefacade from oslo.db
* Updated from global requirements
* Fix incorrect assumption when deleting assignments
* Remove migration\_helpers.get\_default\_domain
* db\_sync doesn't create default domain
* Implied roles index with cascading delete
* Fix project-related forbidden response messages
* Fixes a bug when setting a user's password to null
* Renamed TOTP passcode generation function
* Updates TOTP release note
* Simplify use of secure\_proxy\_ssl\_header
* Shadow users - Separate user identities
* Switch to configless bandit
* Parameter to return audit ids only in revocation list
* Add tests for fetching the revocation list
* Updating sample configuration file
* Deprecate logger.WritableLogger
* Removing H405 violations from keystone
* Updated from global requirements
* Updated from global requirements
* Updating sample configuration file
* Remove useless {} from \_\_table\_args\_\_
* Time-based One-time Password
* Fix inconsistencies between Oauth1DriverV8 interface and driver
* Oauth1 manager sets consumer secret
* Remove setting class variable
* Allow user list without specifying domain
* Adds user\_description\_attribute mapping support to the LDAP backend
* encode user id for notifications
* Add back a bandit tox job
* Enable support for posixGroups in LDAP
* Add is\_domain filter to v3 list\_projects
* Add tests in preparation of projects acting as a domain
* Avoid using \`len(x)\` to check if x is empty
* Use the driver to get limits
* Fallback to list\_limit from default config
* Add list\_limit to the white list for configs in db
* Updating sample configuration file
* handle unicode names for federated users
* Verify project unique constraints for projects acting as domains
* wsgi: fix base\_url finding
* Disable Admin tokens set to None
* Modify rules for domain specific role assignments
* Modify implied roles to honor domain specific roles
* Modify rules in the v3 policy sample for domain specifc roles
* Re-enable and undeprecate admin\_token\_auth
* Don't describe trusts as an extension in configuration doc
* Tidy up configuration documentation for inherited assignments
* Clean up configuration documentataion on v2 user CRUD
* Allow project domain\_id to be nullable at the manager level
* Trivial: Cleanup unused conf variables
* Updating sample configuration file
* Updating sample configuration file
* Fixes parameter in duplicate project name creation
* Fix terms from patch 275706
* sensible default for secure\_proxy\_ssl\_header
* Restricting domain\_id update
* Allow project\_id in catalog substitutions
* Avoid \`None\` as a redundant argument to dict.get()
* Avoid "non-Pythonic" method names
* Manager support for project cascade update
* Updating sample configuration file
* Expand implied roles in trust tokens
* add a test that uses trusts and implies roles
* Updating sample configuration file
* Convert assignment.root\_role config option to list of strings
* Avoid wrong deletion of domain assignments
* Manager support for project cascade delete
* AuthContextMiddleware admin token handling
* Deprecate admin\_token\_auth
* Adds better logging to the domain config finder
* Extracts logic for finding domain configs
* Fix nits from domain specific roles CRUD support
* Change get\_project permission
* Updated from global requirements
* Enables token\_data\_helper tests for Python3
* Stop using nose as a Python3 test runner
* Fix release note of removal of v2.0 trusts support
* Remove PostParams middleware
* Updated from global requirements
* Moves policy setup into a fixture
* Make pep8 \*the\* linting interface
* Added tokenless auth headers to CORS middleware
* Add backend support for deleting a projects list
* Make fernet work with oauth1 authentication
* Consolidate the fernet provider validate\_v2\_token()
* Remove support for trusts in v2.0
* Add CRUD support for domain specific roles
* Added CORS support to Keystone
* Deprecate Saml2 auth plugin
* Uses open context manager for templated catalogs
* Disable the ipv6 tests in py34
* Missing 'region' in service and 'name' in endpoint for EndpointFilterCatalog
* Small typos on the ldap.url config option help
* Replace exit() with sys.exit()
* include sample config file in docs
* Fixes a language issue in a release note
* Imported Translations from Zanata
* Updated from global requirements
* Support multiple URLs for LDAP server
* Set deprecated\_reason on deprecated config options
* Move user and admin crud to core
* squash migrations - kilo
* Adds validation negative unit tests
* Use oslo.log specified method to set log levels
* Add RENO update for simple\_cert\_extension deprecation
* Opt-out certain Keystone Notifications
* Update the home page
* Release notes for implied roles
* deprecate pki\_setup from keystone-manage
* test\_credential.py work with python34
* Consolidate \`test\_contrib\_ec2.py\` into \`test\_credential.py\`
* Reinitialize the policy engine where it is needed
* Provide an error message if downgrading schema
* Updated from global requirements
* Consolidate the fernet provider issue\_v2\_token()
* Consolidate the fernet provider validate\_v3\_token()
* Add tests for role management with v3policy file
* Fix some word spellings
* Make WebSSO trusted\_dashboard hostname case-insensitive
* Deprecate simple\_cert extension
* Do not assign admin to service users
* Add in TRACE logging for the manager
* Add schema for OAuth1 consumer API
* Correct docstrings
* Remove un-used test code
* Raise more precise exception on keyword mapping errors
* Allow '\_' character in mapping\_id value
* Implied Roles API
* Revert "Unit test for checking cross-version migrations compatibility"
* replace tenant with project in cli.py
* Fix schema validation to use JSONSchema for empty entity
* Replace tenant for project in resource files
* Reuse project scoped token check for trusts
* Add checks for project scoped data creep to tests
* Add checks for domain scoped data creep
* Use the oslo.utils.reflection to extract the class name
* Test hyphens instead of underscores in request attributes
* Simplify admin\_required policy
* Add caching to role assignments
* Enable bandit tests
* Update bandit.yaml
* Enhance manager list\_role\_assignments to support group listing
* remove KVS backend for keystone.contrib.revoke
* Fix trust redelegation and associated test
* use self.skipTest instead of self.skip
* Removed deprecated revoke KVS backend
* Revert "skip test\_get\_token\_id\_error\_handling to get gate passing"
* Updated from global requirements
* Updated from global requirements
* skip test\_get\_token\_id\_error\_handling to get gate passing
* Ensure pycadf initiator IDs are UUID
* Check for circular references when expanding implied roles
* Improves domain name case sensitivity tests
* Fixes style issues in a v2 controller tests
* Prevents creating is\_domain=True projects in v2
* Refactors validation tests to better see the cases
* Remove keystone/common/cache/\_memcache\_pool.py
* Update mod\_wsgi + cache config docs
* Address comments from Implied Role manager patch
* Fix nits in include names patch
* Unit test for checking cross-version migrations compatibility
* Online schema migration documentation
* Updated from global requirements
* Remove additional references to ldap role attribs
* Remove duplicate LDAP test class
* Remove more ldap project references

9.0.0.0b2
---------

* Add testcases to check cache invalidation
* Fix typo abstact in comments
* deprecate write support for identity LDAP
* Deprecate \`hash\_algorithm\` config option
* Mark memcache and memcache\_pool token deprecated
* List assignments with names
* Remove LDAP Role Backend
* Remove LDAP Resource and LDAP Assignment backends
* Removes KVS catalog backend
* Fix docstring
* Strengthen Mapping Validation in Federation Mappings
* Add checks for token data creep using jsonschema
* Deprecating API v2.0
* Implied roles driver and manager
* Add support for strict url safe option on new projects and domains
* Remove bandit tox environment
* Add linters environment, keep pep8 as alias
* Make sure the assignment creation use the right arguments
* Fix indentation for oauth context
* Imported Translations from Zanata
* document the bootstrapping process
* Add release note for revert of c4723550aa95be403ff591dd132c9024549eff10
* Updated from global requirements
* Enable \`id\`, \`enabled\` attributes filtering for list IdP API
* Improve Conflict error message in IdP creation
* Fedora link is too old and so updated with newer version
* Support the reading of default values of domain configuration options
* Correct docstrings for federation driver interface
* Update v3policysample tests to use admin\_project not special domain\_id
* Enable limiting in ldap for groups
* Enable limiting in ldap for users
* Doc FIX
* Store config in drivers and use it to get list\_limit
* Add asserts for service providers
* Fix incorrect signature in federation legacy V8 wrapper
* Tidy up release notes for V9 drivers
* Adds an explicit utils import in test\_v3\_protection.py
* Refactor test auth\_plugin config into fixture
* Create V9 version of resource driver interface
* Updated from global requirements
* Separate trust crud tests from trust auth tests
* Delete checks for default domain delete
* correct help text for bootstrap command
* Replace unicode with six.text\_type
* Escape DN in enabled query
* Test enabled emulation with special user\_tree\_dn
* SQL migrations for implied roles
* Revert "Validate domain ownership for v2 tokens"
* Use assertIn to check if collection contains value
* Updated from global requirements
* Perform middleware tests with webtest
* De-duplicate fernet payload tests
* Reference driver methods through the Manager
* Fix users in group and groups for user exact filters
* Expose defect in users\_in\_group, groups\_for\_user exact filters
* Replace deprecated library function os.popen() with subprocess
* OAuth1 driver doesnt inherit its interface
* Update man pages with Mitaka version and dates
* Fixes hacking logger test cases to use same base
* Adds a hacking check looking for Logger.warn usage
* Change LOG.warn to LOG.warning
* Remove redundant check after enforcing schema validation
* Updating sample configuration file
* Create V9 version of federation driver interface
* Do not use \_\_builtin\_\_ in python3
* Define paste entrypoints
* Add schema for federation protocol
* Expose method list inconsistency in federation api
* remove irrelevant parenthesis
* Add return value
* Test: make enforce\_type=True in CONF.set\_override
* Updated from global requirements
* Add schema for identity provider
* Updating sample configuration file
* Use six.moves.reload\_module instead of builtin reload
* Fix the incompatible issue in response header
* Wrong usage of "an"
* Correct fernet provider reference
* Correct DN/encoding in test
* Support url safe restriction on new projects and domains
* Correct the class name of the V9 LDAP role driver
* Wrong usage of "a/an"
* Trival: Remove unused logging import
* Updating sample configuration file
* Fix pep8 job
* Fix some inconsistency in docstrings
* Fix 500 error when no fernet token is passed
* Cleanup tox.ini py34 test list
* Fixes kvs cache key mangling issue for Py3
* Some small improvements on fernet uuid handling
* Updated from global requirements
* Updating sample configuration file
* Fix key\_repository\_signature method for python3
* Add audit IDs to revocation events
* Enable os\_inherit of Keystone v3 API
* Use pip (and DevStack) instead of setuptools in docs
* Correct developer documentation on venv creation
* Updating sample configuration file
* Updated from global requirements
* Validate domain for DB-based domain config. CRUD
* fix up release notes, file deprecations under right title
* Updated Cloudsample
* Update \`developing.rst\` to remove extensions stuff
* Verify that user is trustee only on issuing token
* Adds a base class for functional tests
* Make \`bootstrap\` idempotent
* Add \`keystone-manage bootstrap\` command
* Changed the key repo validation to allow read only
* Deprecated tox -downloadcache option removed
* Fix defect in list\_user\_ids that only lists direct user assignments
* Show defect in list\_user\_ids that only lists direct user assignments
* Add API route for list role assignments for tree
* Use list\_role\_assignments to get projects/domains for user
* Add \`type' filter for list\_credentials\_for\_user
* Clean up new\_credential\_ref usage and surrounding code
* Create neutron service in sample\_data.sh
* Updating sample configuration file
* Updated from global requirements
* Limiting for fake LDAP
* Make @truncated common for all backends
* Fix exposition of bug about limiting with ldap
* Use assertDictEqual instead of assertEqualPolicies
* refactor: Remove unused test method
* Remove unfixable FIXME
* Use new\_policy\_ref consistently
* fix reuse of variables
* Remove comments on enforcing endpoints for trust
* refactor: move the common code to manager layer
* Create V9 Role Driver
* Create new version of assignment driver interface
* Remove keystoneclient tests
* Verify that attribute \`enabled\` equals True
* Remove invalid comment about LDAP domain support
* Pass dict into update() rather than \*\*kwargs
* Refactor test use of new\_\*\_ref
* Cleans up code for \`is\_admin\` in tokens
* Deprecate ldap Role
* Update extensions links
* Improve comments in test\_catalog
* Fix for GET project by project admin
* Fix multiline strings with missing spaces
* Updating sample configuration file
* Remove invalid TODO in extensions
* Updated from global requirements
* Refactor: Remove use of self where not needed
* Refactor: Move uncommon entities from setUp
* Split resource tests from assignment tests
* Remove invalid TODO related to bug 1265071
* Fix test\_crud\_user\_project\_role\_grants
* Deprecate the pki and pkiz token providers
* Remove invalid FIXME note
* Refactor: Use Federation constants where possible
* Remove exposure of routers at package level
* Update API version info for Liberty
* remove version from setup.cfg
* Ensure endpoints returned is filtered correctly
* Put py34 first in the env order of tox

9.0.0.0b1
---------

* Add release notes for mitaka-1
* set \`is\_admin\` on tokens for admin project
* Use unit.new\_project\_ref consistently
* Reference environment close to use
* refactor: move variable to where it's needed
* Needn't care about the sequence for cache validation
* Updated from global requirements
* Fix a typo in notifications function doc
* Remove RequestBodySizeLimiter from middleware
* Optimize "open" method with context manager
* eventlet: handle system that misses TCP\_KEEPIDLE
* force releasenotes warnings to be treated as errors
* Cleanup region refs
* Remove \`extras\` from token data
* Use subprocess.check\_output instead of Popen
* Remove deprecated notification event\_type
* Remove check\_role\_for\_trust
* Correct RoleNotFound usage
* Remove example extension
* Updating sample configuration file
* Correct docstring warnings
* Using the right format to render the docstring correctly
* Add release notes for mitaka thus far
* Accepts Group IDs from the IdP without domain
* Cleanup use of service refs
* Update docs for legacy keystone extensions
* Correct SecurityError with unicode args
* Updated from global requirements
* Use idp\_id and protocol\_id in jsonhome
* Use standard credential\_id parameter in jsonhome
* Remove core module from the legacy endpoint\_filter extension
* Minor cleanups for usage of group refs
* Reject user creation using admin token without domain
* Add Trusts unique constraint to remove duplicates
* deprecate \`enabled\` option for endpoint-policy extension
* remove useless config option in endpoint filter
* Use [] where a field is required
* Manager support for projects acting as domains
* Config option for insecure responses
* Add missing colon separators to inline comments
* Simplify LimitTests
* Rationalize list role assignment routing
* Enable listing of role assignments in a project hierarchy
* Capital letters
* remove use of magic numbers in sql migrate extension tests
* Use new\_trust\_ref consistently
* Updating sample configuration file
* Move endpoint\_filter migrations into keystone core
* Move endpoint filter into keystone core
* Move revoke sql migrations to common
* Move revoke extension into core
* Move oauth1 sql migrations to common
* Move oauth1 extension into core
* Move federation sql migrations to common
* Move federation extension into keystone core
* Fix string conversion in s3 handler for python 2
* Fix inaccurate debug mode response
* Use unit.new\_user\_ref consistently
* Imported Translations from Zanata
* Updated from global requirements
* Add testcases to check cache invalidation in endpoint filter extension
* Fix the wrong method name
* Updating sample configuration file
* change some punctuation marks
* Updated from global requirements
* Remove hardcoded LDAP group schema from emulated enabled mix-in
* Exclude old Shibboleth options from docs
* Updated from global requirements
* Use new\_domain\_ref instead of manually created ref
* Use new\_region\_ref instead of manually created dict
* Document release notes process
* Use new\_service\_ref instead of manually created dict
* Use unit.new\_group\_ref consistently
* Use unit.new\_role\_ref consistently
* Use unit.new\_domain\_ref consistently
* Use unit.new\_region\_ref() consistently
* Use unit.new\_service\_ref() consistently
* Move AuthContext middleware into its own file
* Use unit.new\_endpoint\_ref consistently
* Use list\_role\_assignments to get assignments by role\_id
* Pass kwargs when using revoke\_api.list\_events()
* Add reno for release notes management
* Make K2K Mapping Attribute Examples more visible
* Add S3 signature v4 checking
* Fix some nits inside validation/config.py
* Add Mapping Combinations for Keystone to Keystone Federation
* Remove manager-driver assignment metadata construct
* Correct description in Keystone key\_terms
* Imported Translations from Zanata
* Handle fernet payload timestamp differences
* Fix fernet padding for python 3
* More useful message when using direct driver import
* Get user role without project id is not implemented
* Update sample catalog templates
* update mailmap with gyee's new email
* Revert "Added CORS support to Keystone"
* Updated from global requirements
* test\_backend\_sql work with python34
* Use assertTrue/False instead of assertEqual(T/F)
* Fix the issues found with local conf
* Add test for security error with no message
* Add exception unit tests with different message types
* Cleanup message handling in test\_exception
* Normalize fernet payload disassembly
* Common arguments for fernet payloads assembly
* Capitalize a Few Words
* I18n safe exceptions
* Keystone Spelling Errors in docstrings and comments
* [rally] remove deprecated arg
* Move endpoint\_policy migrations into keystone core
* Promote an arbitrary string to be a docstring
* Fix D204: blank line required after class docstring (PEP257)
* Fix D202: No blank lines after function docstring (PEP257)
* Update Configuring Keystone doc for consistency
* Comment spelling error in assignment.core file
* Fix exceptions to use correct titles
* Fix UnexpectedError exceptions to use debug\_message\_format
* Fix punctuation in doc strings
* Fix docstring
* Updating sample configuration file
* Explain default domain in docs for other services
* Correct bashate issues in gen\_pki.sh
* Fix incorrect federated mapping example
* change stackforge url to openstack url
* Updated from global requirements
* Adds already passing tests to py34 run
* Wrong usage of "an"
* Allow the PBR\_VERSION env to pass through tox
* Fix D200: 1 line docstrings should fit with quotes (PEP257)
* Fix D210: No whitespaces allowed surrounding docstring text (PEP257)
* Fix D300: Use """triple double quotes""" (PEP257)
* Fix D402: First line should not be the function's "signature" (PEP257)
* Fix D208: Docstring over indented. (PEP257)
* Add docstring validation
* Add caching to get\_catalog
* Fix fernet key writing for python 3
* Update test modules passing on py34
* Updated from global requirements
* Forbid non-stripped endpoint urls
* fix deprecation warnings in cache backends
* Create tests for set\_default\_is\_domain in LDAP
* Enable try\_except\_pass Bandit test
* Enable subprocess\_without\_shell\_equals\_true Bandit test
* Correct typo in copyright
* Updated from global requirements
* switch to oslo.cache
* Updating sample configuration file
* Updated from global requirements
* keystone-paste.ini docs for deployers are out of date
* Correct the filename
* More info in RequestContext
* Fix some nits in \`configure\_federation.rst\`
* add placeholder migrations for liberty
* Remove bas64utils and tests
* Create a version package
* Remove oslo.policy implementation tests from keystone
* Refactor: Don't hard code 409 Conflict error codes
* Fix use of TokenNotFound
* Refactor: change 403 status codes in test names
* Refactor: change 410 status codes in test names
* Refactor: change 400 status codes in test names
* Refactor: change 404 status codes in test names
* Updated from global requirements
* Imported Translations from Zanata
* add initiator to v2 calls for additional auditing
* Fixed missed translatable string inside exception
* Handle 16-char non-uuid user IDs in payload
* Additional documentation for services
* Rename fernet methods to match expiration timestamp
* Updated from global requirements
* Enable password\_config\_option\_not\_marked\_secret Bandit test
* Enable hardcoded\_bind\_all\_interfaces Bandit test
* Documentation for other services
* Reclassify get\_project\_by\_name() controller method
* Trivial fix of some typos found
* Filters is\_domain=True in v2 get\_project\_by\_name
* Add test case passing is\_domain flag as False

8.0.0
-----

* Ensure token validation works irrespective of padding
* Ensure token validation works irrespective of padding
* Imported Translations from Zanata
* Rename RestfulTestCase.v3\_authenticate\_token() to v3\_create\_token()
* Improving domain\_id update tests
* Show v3 endpoints in v2 endpoint list
* Expose 1501698 bug
* Replace sqlalchemy-migrate occurences from code.google to github
* Fix unreachable code in test\_v3 module
* Imported Translations from Zanata
* Use deepcopy of mapping fixtures in tests
* Show v3 endpoints in v2 endpoint list
* Enable Bandit 0.13.2 tests
* Update bandit blacklist\_imports config
* Cleanup \_build\_federated\_info
* Add LimitRequestBody to sample httpd config
* Make \_\_all\_\_ immutable
* Skip rows with empty remote\_ids
* Includes server\_default option in is\_domain column
* Remove unused get\_user\_projects()
* Deprecate httpd/keystone.py
* Skip rows with empty remote\_ids
* Fix order of arguments in assertDictEqual
* Cleanup fernet validate\_v3\_token
* Update bandit blacklist\_calls config
* Add unit test for creating RequestContext
* Add user\_domain\_id, project\_domain\_id to auth context
* Add user domain info to federated fernet tokens
* Unit tests for fernet validate\_v3\_token
* Fix order of arguments in assertEqual
* Updating sample configuration file
* Cleanup of Translations
* Imported Translations from Zanata
* Uses constants for 5XX http status codes in tests
* Fixes v3\_authenticate\_token calls - no default
* Fixes the way v3\_admin is called to match its def
* Declares expected\_status in method signatures
* Refactor: Don't hard code the error code
* Correct docstrings
* Correct comment to not be driver-specific
* Move development environment setup instructions to standard location
* Fix typo in config help
* Use the correct import for range
* Adds interface tests for timeutils
* Add unit tests for token\_to\_auth\_context
* Updating sample configuration file

8.0.0.0rc1
----------

* Open Mitaka development
* Bring bandit config up-to-date
* Update the examples used for the trusted\_dashboard option
* Log message when debug is enabled
* Clean up bandit profiles
* federation.idp use correct subprocess
* Change ignore-errors to ignore\_errors
* Imported Translations from Zanata
* Remove unused code in domain config checking
* Relax newly imposed sql driver restriction for domain config
* Add documentation for configuring IdP WebSSO
* Updated from global requirements
* check if tokenless auth is configured before validating
* Fix the referred [app:app\_v3] into [pipeline:api\_v3]
* Updated from global requirements
* Issue deprecation warning if domain\_id not specified in create call
* functional tests for keystone on subpaths
* Removed the extra http:// from JSON schema link
* Document httpd for accept on /identity, /identity\_admin
* Updated from global requirements
* Update federation router with missing call
* Reject rule if assertion type unset
* Update man pages with liberty version and dates
* Refactor: Don't hard code the error code
* Move TestClient to test\_versions
* Use oslo.log fixture
* Update apache-httpd.rst
* Updated from global requirements
* Remove padding from Fernet tokens
* Imported Translations from Transifex
* Updated from global requirements
* Fixed typos in 'developing\_drivers' doc
* Stop using deprecated keystoneclient function
* Change tests to use common name for keystone.tests.unit
* Removes py3 test import hacks
* Updating sample configuration file
* Fixes confusing deprecation message

8.0.0.0b3
---------

* Add methods for checking scoped tokens
* Build oslo.context RequestContext
* Correct docstring for common.authorization
* Deprecate LDAP Resource Backend
* Added CORS support to Keystone
* List credentials by type
* Fixes a typo in a comment
* Tokenless authz with X.509 SSL client certificate
* Support project hierarchies in data driver tests
* Stable Keystone Driver Interfaces
* Initial support for versioned driver classes
* Add federated auth for idp specific websso
* Adds caching to paste deploy's egg lookup
* Fix grammar in doc string
* Test list\_role\_assignment in standard inheritance tests
* Broaden domain-group testing of list\_role\_assignments
* Add support for group membership to data driven assignment tests
* Add support for effective & inherited mode in data driven tests
* Add support for data-driven backend assignment testing
* Updated from global requirements
* Change JSON Home for OS-FEDERATION to use /auth/projects|domains
* Unit tests for is\_domain field in project's table
* Group tox optional dependencies
* Provide new\_xyz\_ref functions in tests.core
* Refactor mapping rule engine tests to not create servers
* Updating sample configuration file
* Correct docstrings in resource/core.py
* Validate Mapped User object
* Set max on max\_password\_length to passlib max
* Simplify federated\_domain\_name processing
* Get method's class name in a python3-compatible way
* Stop reading local config for domain-specific SQL config driver
* Enforce .config\_overrides is called exactly once
* Use /auth/projects in tests
* Remove keystone/openstack/\* from coveragerc
* Rationalize unfiltered list role assignment test
* Change mongodb extras to lowercase
* Refactor: Provider.\_rebuild\_federated\_info()
* Refactor: rename Fernet's unscoped federated payload
* Fernet payloads for federated scoped tokens
* No More .reload\_backends() or .reload\_backend()
* Ensure ephemeral user's user\_id is url-safe
* Use min and max on IntOpt option types
* Adds a notification testcase for unbound methods
* Do not revoke all of a user's tokens when a role assignment is deleted
* Handle tokens created and quickly revoked with insufficient timestamp precision
* Show that unscoped tokens are revoked when deleting role assignments
* Prevent exception due to missing id of LDAP entity
* Expose exception due to missing id of LDAP entity
* Add testcase to test invalid region id in request
* Add region\_id filter for List Endpoints API
* Remove references to keystone.openstack.common
* Remove all traces of oslo incubator
* Updating sample configuration file
* Test v2 tokens being deleted by v3
* Use entrypoints for paste middleware and apps
* update links in http-api to point to specs repo
* Add necessary executable permission
* Refactor: use fixtures.TempDir more
* Add is\_domain field in Project Table
* Prevent exception for invalidly encoded parameters
* Extras for bandit
* Use extras for memcache and MongoDB packages
* Use wsgi\_scripts to create admin and public httpd files
* Update Httpd configuration docs for sites-available/enabled
* Remove unnecessary check
* Update 'doc/source/setup.rst'
* Remove unnecessary load\_backends from TestKeystoneTokenModel
* Updated from global requirements
* Imported Translations from Transifex
* Updated from global requirements
* Show helpful message when request body is not provided
* Fix logging in federation/idp.py
* Enhance tests for saml2 signing exception logging
* Remove deprecated methods from assignment.Manager
* Stop using deprecated assignment manager methods
* EndpointFilter driver doesnt inherit its interface
* Hardens the validated decorator's implementation
* Updating sample configuration file
* Simplify rule in sample v3 policy file
* Improve a few random docstrings
* Maintain datatypes when loading configs from DB
* Remove "tenants" from user\_attribute\_ignore default
* Use oslo\_config PortOpt support
* Updated from global requirements
* Updated from global requirements
* Fix the misspelling
* When validating a V3 token as V2, use the v3\_to\_v2 conversion
* Do not require the token\_id for converting v3 to v2 tokens
* Maintain the expiry of v2 fernet tokens
* Fix typo in doc-string
* Validate domain ownership for v2 tokens
* Fix docstring in mapped plugin
* Updated from global requirements
* Minor grammar fixes to connection pooling section
* Creates a fixture representing as LDAP database
* Sample config help for supplied drivers
* Improve List Role Assignments Filters Performance
* Update docs for stevedore drivers
* Fixes an incorrect docstring in notifications
* Stop calling deprecated assignment manager methods
* Updated from global requirements
* Updating sample configuration file
* Adds backend check to setup of LDAP tests
* Improve a few random docstrings (H405)
* Remove excessive transformation to list
* Stop calling deprecated assignment manager methods
* Remove reference of old endpoint\_policy in paste file
* Fernet 'expires' value loses 'ms' after validation
* Correct enabled emulation query to request no attributes
* NotificationsTestCase running in isolation
* Adds/updates notifications test cases
* Fix duplicate-key pylint issue
* Fix explicit line joining with backslash
* Fixes an issue with data ordering in the tests
* Imported Translations from Transifex
* Allow Domain Admin to get domain details
* Assignment driver cleaning
* Cleanup tearDown in unit tests
* Fix unbound error in federation \_sign\_assertion
* Fix typos of RoleAssignmentV3.\_format\_entity doc
* Updating sample configuration file
* Updated from global requirements
* Remove unnecessary check from notifications.py
* Remove oslo import hacking check
* Use dict.items() rather than six.iteritems()
* Cleanup use of iteritems
* Imported Translations from Transifex
* Missing ADMIN\_USER in sample\_data.sh
* Update exported variables for openstack client
* Use extras for ldap dependencies
* Add better user feedback when bind is not implemented
* Test to ensure fernet key rotation results in new key sets
* Better error message when unable to map user
* Refactor \_populate\_roles\_for\_groups()
* Add groups in scoped federated tokens
* Adds missing list\_endpoints tests
* Reject create endpoint with invalid urls
* Explain the "or None" on eventlet's client\_socket\_timeout
* Reduce number of Fernet log messages
* Fix test\_admin to expect admin endpoint
* Fixes a docstring to reflect actual return values
* Give some message when an invalid token is in use

8.0.0.0b2
---------

* Updated from global requirements
* Ensure database options registered for tests
* Document sample config updated automatically
* Test function call result, not function object
* Test admin app in test\_admin\_version\_v3
* Updating sample configuration file
* Handle non-numeric files in key\_repository
* Fix remaining mention of KLWT
* Updated from global requirements
* Replace 401 to 404 when token is invalid
* Assign different values to public and admin ports
* Fix four typos and Add one space on keystone document
* Reuse token\_ref fetched in AuthContextMiddleware
* Refactor: clean up TokenAPITests
* pemutils isn't used anymore
* Imported Translations from Transifex
* Fix test\_exception.py for py34
* Fix s3.core for py34
* Updating sample configuration file
* Fix test\_utils for py34
* test\_base64utils works with py34
* Minor fix in the \`configuration.rst\`
* Correct spacing in \`\`mapping\_combinations.rst\`\`
* add federation docs for mod\_auth\_mellon
* Avoid the hard coding of admin token
* Adding Documentation for Mapping Combinations
* Clean up docs before creating new ones
* Document policy target for operation
* Fix docs in federation.routers
* Fix docstrings in contrib
* Additional Fernet test coverage
* Refactor websso \`\`origin\`\` validation
* Docs link to ACTIONS
* Clean up code to use .items()
* Document default value for tree\_dn options
* Remove unnecessary ldap imports
* Move backends.py to keystone.server
* move clean.py into keystone/common
* Updated from global requirements
* Remove unnecessary executable permission
* Move cli.py into keystone.cmd
* Do not remove expired revocation events on "get"
* Clean up notifications type checking
* Federation API provides method to evaluate rules
* Move constants out of federation.core
* Implement backend filtering on membership queries
* Moves keystone.hacking into keystone.tests
* Add missing "raise" when throwing exception
* Log xmlsec1 output if it fails
* Fix test method examining scoped federation tokens
* Spelling correction
* Fixes grammar in setup.rst in doc source
* Updated from global requirements
* Deprecate LDAP assignment driver options
* Register fatal\_deprecations before use
* Use oslo.utils instead of home brewed tempfile
* Updating sample configuration file
* Add testcases for list\_role\_assignments of v3 domains
* Centralizing build\_role\_assignment\_\* functions
* Replace reference of ksc with osc
* Updated from global requirements
* Changing exception type to ValidationError instead of Forbidden
* Standardize documentation at Service Managers
* Fixes grammar in the httpd README
* Fix the incorrect format for docstring
* Imported Translations from Transifex
* Fixes docstring to make it more precise
* Removed optional dependency support
* Decouple notifications from DI
* Adds proper isolation to templated catalog tests
* Fix log message in one of the v3 create call methods
* Catch exception.Unauthorized when checking for admin
* Remove convert\_to\_sqlite.sh
* Fix for LDAP filter on group search by name
* Remove fileutils from oslo-incubator
* Remove comment for doc building bug 1260495
* Fix code-block in federation documentation
* Modified command used to run keystone-all
* Delete extra parentheses in assertEqual message
* Fix the invalid testcase
* Updating sample configuration file
* Add unit test for fernet provider
* Update federation docstring
* Do not specify 'objectClass' twice in LDAP filter string
* Fix tox -e py34
* Change mapping model so rules is dict
* Add test case for deleting endpoint with space in url
* Update requirements by hand
* Consolidate the fernet provider issue\_v3\_token()
* Group role revocation invalidates all user tokens
* OS-FEDERATION no longer extension in docs
* Switch from deprecated oslo\_utils.timeutils.strtime
* Remove unused setUp for RevokeTests
* Update MANIFEST.in
* Update sample config file
* Disable migration sanity check
* Updated from global requirements
* Use oslo.service ServiceBase when loading from eventlet
* Document use of wip up to developer
* Simplify fernet rotation code
* Tests for correct key removed
* Relax the formats of accepted mapping rules for keystone-manage
* Python 3: Use range instead of xrange for py3 compatibility

8.0.0.0b1
---------

* Document entrypoint namespaces
* Short names for auth plugins
* Update sample configuration file
* Switch to oslo.service
* Update sample configuration file
* Remove redundant config
* Don't try to drop FK constraints for sqlite
* Remove unused requirements
* Add missing keystone-manage commands to doc
* Mask passwords in debug log on user password operations
* Add test showing password logged
* Adds some debugging statements
* Imported Translations from Transifex
* Use stevedore for auth drivers
* Refactor extract function load\_auth\_method
* Add unit test to exercise key rotation
* Fix Fernet key rotation
* Update version for Liberty

8.0.0a0
-------

* Refactor: move PKI-specific tests into the appropriate class
* Needn't load fernet keys twice
* Pass environment variables of proxy to tox
* Fix tests failing on slower system
* Mapping Engine CLI
* Imported Translations from Transifex
* Fix spelling in configuration comment
* Switch keystone over to oslo\_log versionutils
* Updated from global requirements
* Use lower default value for sha512\_crypt rounds
* Updated from global requirements
* Add more Rally scenarios
* Remove unnecessary dependencies from KerberosDomain
* Remove deprecated external authentication plugins
* Remove unnecessary code for default suffix
* Remove custom assertions for python2.6
* Avoid using the interactive interpreter for a one-liner
* Add validity check of 'expires\_at' in trust creation
* Revocation engine refactoring
* Updated from global requirements
* Rename directory with rally jobs files
* Fix req.environ[SCRIPT\_NAME] value
* Don't query db if criteria longer than col length
* Updated from global requirements
* Run WSGI with group=keystone
* Consolidate test-requirements files
* Switch from deprecated isotime
* Fix the wrong order of parameters when using assertEqual
* Add testcases to test DefaultDomain
* Remove the deprecated ec2 token middleware
* Replace blacklist\_functions with blacklist\_calls
* updates sample\_data script to use the new openstack commands
* Log info for Fernet tokens over 255 chars
* Update functional tox env requirements
* Update sample config file
* Correct oauth1 driver help text
* Rename driver to backend and fix the inaccurate docstring
* Add "enabled" to create service provider example
* Update testing keystone2keystone doc
* Removes unused database setup code
* Refactor: use \_\_getitem\_\_ when the key will exists
* Refactor: create the lookup object once
* Order routes so most frequent requests are first
* \`api\_curl\_examples.rst\` is out of date
* Don't assume project IDs are UUID format
* Don't assume group IDs are UUID format
* Don't fail on converting user ids to bytes
* Move endpoint policy into keystone core
* Update sample config file
* Tests don't override default auth methods/plugins
* Tests consistently use auth\_plugin\_config\_override
* Test use config\_overrides for configs
* Correct tests setting auth methods to a non-list
* Make sure LDAP filter is constructed correctly
* basestring no longer exists in Python3
* Add mocking for memcache for Python3 tests
* Fix xmldsig import
* Refactor deprecations tests
* Switch from MySQL-python to PyMySQL
* Improve websso documentation
* Remove the deprecated compute\_port option
* Workflow documentation is now in infra-manual
* Remove XML middleware stub
* Rename sample\_config to genconfig
* Imported Translations from Transifex
* Replace ci.o.o links with docs.o.o/infra
* Sync oslo-incubator cc19617
* Use single connection in get\_all function
* Removes temporary fix for doc generation
* Improve error message when tenant ID does not exist
* Updated from global requirements
* Add missing part for \`token\` object
* Remove identity\_api from AuthInfo dependencies
* Move bandit requirement to test-requirements-bandit.txt
* Adds inherited column to RoleAssignment PK
* Update dev setup requirements for Python 3.4
* Update sample config file
* Remove support for loading auth plugin by class
* Use [] where a value is required
* De-duplicate auth methods
* Remove unnecessary oauth\_api check
* Use short names for drivers
* Fixes deprecations test for Python3
* Add mocking for ldappool for Python3 tests
* Fixes a whitespace issue
* Handles modules that moved in Python3
* Handles Python3 builtin changes
* Fixes use of dict methods for Python3
* Updated from global requirements
* Replace github reference by git.openstack.org and change a doc link
* Refactor \_create\_attribute\_statement IdP method
* Revert "Loosen validation on matching trusted dashboard"
* Updated from global requirements
* Use correct LOG translation indicator for errors
* Add openstack\_user\_domain to assertion
* Pass-in domain when testing saml signing
* Fixes test nits from a previous review
* Implement validation on the Identity V3 API
* Fix tiny typo in comment message
* Updates the \*py3 requirements files
* Fixes mocking of oslo messaging for Python3
* pycadf now supports Python3
* eventlet now supports Python3
* Updated from global requirements
* Add openstack\_project\_domain to assertion
* Use stevedore for backend drivers
* Prohibit invalid ids in subtree and parents list
* Update sample config
* Fix sample policy to allow user to check own token
* Replaced filter with a list comprehension
* Ignore multiple imports per line for six.moves
* Fixes order of imports for pep8
* pep8 whitespace changes
* Remove randomness from test\_client\_socket\_timeout
* Allow wsgiref to reconstruct URIs per the WSGI spec
* Fix the misuse of \`versionutils.deprecated\`
* Updated from global requirements
* Update openid connect docs to include other distros

2015.1.0
--------

* Updated from global requirements
* Remove pysqlite test-requirement dependency
* Fixes tests to use the config fixture
* Isolate injection tests
* Sync oslo-incubator Ie51669bd278288b768311ddf56ad31a2f28cc7ab
* Sync oslo-incubator Ie51669bd278288b768311ddf56ad31a2f28cc7ab
* Fixes cyclic ref detection in project subtree
* Updated from global requirements
* Updated from global requirements
* Release Import of Translations from Transifex
* Make memcache client reusable across threads
* Imported Translations from Transifex
* Remove project association before removing endpoint group
* Loosen validation on matching trusted dashboard
* adds a tox target for functional tests
* Adds an initial functional test
* Fix the incorrect comment
* Set default branch to stable/kilo
* Remove assigned protocol before removing IdP
* Expose domain\_name in the context for policy.json
* Update developer doc to reference Ubuntu 14
* Make memcache client reusable across threads
* Update Get API version Curl example
* Remove unused policy rule for get\_trust
* backend\_argument should be marked secret
* Update man pages for the Kilo release
* make sure we properly initialize the backends before using the drivers
* WebSSO should use remote\_id\_attribute by protocol
* Work with pymongo 3.0
* Fix incorrect setting in WebSSO documentation
* Stops injecting revoke\_api into TestCase
* Checking if Trust exists should be DRY
* Use correct LOG translation indicator for warnings
* backend\_argument should be marked secret
* Fix signed\_saml2\_assertion.xml tests fixture
* Don't provide backends from \_\_all\_\_ in persistence
* Add domain\_id checking in create\_project
* Update keystone.sample.conf
* Use choices in config.py
* make sure we properly initialize the backends before using the drivers
* WebSSO should use remote\_id\_attribute by protocol
* Refactor common function for loading drivers
* Tests don't override default config with default
* Refactor MemcachedBackend to not be a Manager
* Update openstack-common reference in openstack/common/README
* Exposes bug on role assignments creation
* Removes discover from test-reqs
* Work with pymongo 3.0

2015.1.0rc1
-----------

* Update man pages for the Kilo release
* Add placeholders for reserved migrations
* Redundant events on group grant revocation
* Open Liberty development
* Improved policy setting in the 'v3 filter' tests
* Handle NULL value for service.extra in migration 066
* Skip SSL tests because some platforms do not enable SSLv3
* Fix the typo in \`token/providers/fernet/core.py\`
* Fix index name the assignment.actor\_id table
* Add index to the revocation\_event.revoked\_at
* Document websso setup
* Allow identity provider to be created with remote\_ids set to None
* Update testing docs
* Import fernet providers only if used in keystone-manage
* Imported Translations from Transifex
* Fix multiple SQL backend usage validation error
* Expose multiple SQL backend usage validation error
* Fix for notifications for v2 role grant/delete
* Update sample config file
* Fix errors in ec2 signature logic checking
* Don't add unformatted project-specific endpoints to catalog
* Reload drivers when their domain config is updated
* Correcting the name of directory holding dev docs
* Fixes bug in Federation list projects endpoint
* Exposes bug in Federation list projects endpoint
* Updated from global requirements
* Refactor assignment driver internal clean-up method names
* Remove unnecessary .driver. references in assignment manager
* Rename notification for create/delete grants
* Drop sql.transaction() usage in migration
* Update configuration documentation for domain config
* Fix for migration 062 on MySQL
* Bump advertised API version to 3.4
* Extract response headers to private method
* Deprecate eventlet config options
* Imported Translations from Transifex
* remove useless nocatalog tests of endpoint\_filter
* Add API to create ecp wrapped saml assertion
* Add relay\_state\_prefix to Service Provider
* Change the way values are migrated for 007\_add\_remote\_id\_table
* Add routing for list\_endpoint\_groups\_for\_project
* Use ORM in upgrade test instead of manual query construction
* Remove empty request bodies
* Remove unnecessary import that was not checked
* IdP ID registration and validation
* Imported Translations from Transifex
* add test of /v3/auth/catalog for endpoint\_filter
* Entrypoints for commands
* More content in the guide for core components' migration
* Make trust manager raise formatted message exception
* Revert "Document mapping of policy action to operation"
* Remove SQL Downgrades
* Add caching to getting of the fully substituted domain config
* Refactor \_create\_projects\_hierarchy in tests
* Fixes bug when getting hierarchy on Project API
* Exposes bug when getting hierarchy on Project API
* Move common checks into base testcase
* Tests use common base class
* use tokens returned by delete\_tokens to invalidate cache
* Loosen the validation schema used for trustee/trustor ids
* region.description is optional and can be null
* Update access control configuration in httpd config
* Document mapping of policy action to operation
* Update install.rst for Fedora
* Update sample config file
* Remove parent\_id in v2 tenant response
* Tox env for Bandit
* Refactor: extract and rename unique\_id method
* create \_member\_ role as specified in CONF
* Fix sample policy to allow user to revoke own token
* Add unit tests for sample policy token operations
* Mark some strings for translation
* Add fernet to test\_supported\_token\_providers
* Fix up token provider help text
* Tests use Database fixture
* Remove parent\_id in v2 token response
* Update ServiceProviderModel attributes
* Add docstrings to keystone.notifications functions
* Remove unused metadata parameter from get\_catalog methods
* Imported Translations from Transifex
* Cleanup use of .driver
* Specify time units for default\_lock\_timeout
* Remove stevedore from test-requirements
* Lookup identity provider by remote\_id for websso
* Deal with PEP-0476 certificate chaining checking
* Distinguish between unset and empty black and white lists
* Remove unused domain config method paramters
* Correct path in request logging
* Correct request logging query parameters separator
* Fix setting default log levels
* On creation default service name to empty string
* Needn't workaround when invoking \`app.request()\`

2015.1.0b3
----------

* Imported Translations from Transifex
* Support upload domain config files to database
* Update sample httpd config file
* Update Apache httpd config docs for token persistence
* Cleanup Fernet testcases and add comments
* Add inline comment and docstrings fixes for Fernet
* Fix nullable constraints in service provider table
* Move backend LDAP role testing to the new backend testing module
* URL quote Fernet tokens
* Use existing token test for Fernet tokens
* Implement Fernet tokens for v2.0 tokens
* Refactor code supporting status in JSON Home
* remove expected backtrace from logs
* Log when no external auth plugin registered
* Adds test for federation mapping list order issues
* Updated from global requirements
* Enable sensitive substitutions into whitelisted domain configs
* Imported Translations from Transifex
* Create a fixture for key repository
* Ignore unknown groups in lists for Federation
* Remove RestfulTestCase.admin\_request
* Remove SSL configuration instructions from HTTPd docs
* Wrap apache-httpd.rst
* Remove fix for migration 37
* Cleanup for credentials schema test
* Refactor sql filter code for clarity
* Prefer . to setattr()/getattr()
* Build domain scope for Fernet tokens
* Mark the domain config API as experimental
* Imported Translations from Transifex
* Allow methods to be carried in Fernet tokens
* Federated token formatter
* Refactor: make Fernet token creation/validation API agnostic
* Convert audit\_ids to bytes
* Drop Fernet token prefixes & add domain-scoped Fernet tokens
* Add JSON schema validation for service providers
* Implements whitelist and blacklist mapping rules
* Adding utf8 to federation tables
* Eventlet green threads not released back to pool
* Abstract the direct map concept into an object
* Remove redundant creation timestamp from fernet tokens
* Fix deprecated group for eventlet\_server options
* Sync oslo-incubator to f2cfbba
* Cleanup test keeping unnecessary fixture references
* Fix typo in name of variable in resource router
* Add test to list projects by the parent\_id
* Fixes minor spelling issue
* Crosslink to other sites that are owned by Keystone
* Imported Translations from Transifex
* move region and service exist checks into manager layer
* make credential policy check ownership of credential
* Remove unused threads argument
* Refactor: remove dep on trust\_api / v3 token helper
* Enable use of database domain config
* add oauth authentication to config file
* Prevent calling waitall() inside a GreenPool's greenthread
* Rename get\_events to list\_events on the Revoke API
* Address nits for default cache time more explicit
* add cadf notifications for oauth
* Add scope info to initiator data for CADF notifications
* Removed maxDiff attribute from TestCase
* Refactoring: use BaseTestCase instead of TestCase
* Moved sys.exit mocking into BaseTestClass
* Refactor: move initiator test to cadf specific section
* Refactor: create a common base for notification tests
* Migrations squash
* Consistently use oslo\_config.cfg.CONF
* Removes logging code that supported Python <2.7
* Refactoring: removed client method from TestCase
* Refactoring: remove self.\_config\_file\_list from TestCase
* Deprecate passing "extras" in token data
* 'Assignment' has no attr 'get\_domain\_by\_name'
* Refactor: make extras optional in v3 get\_token\_data
* Remove extra semicolon from mapping fixtures
* Imported Translations from Transifex
* Fix seconds since epoch use in fernet tokens
* Add API support for domain config
* Remove unused checkout\_vendor
* Move test\_core to keysteone.tests.unit.tests
* Fixes the SQL model tests
* Add documentation for key terms and basic authenticating
* Remove useless comment from requirements.txt
* Move pysaml to requirements.txt for py3
* Docstring fixes in fernet.token\_formatters
* Made project\_id required for ec2 credential
* Add Federation mixin for setting up data
* Refactor: remove token formatters dep on 'token\_data' on create()
* Refactor: rename the "standard" token formatter to "scoped"
* Add unscoped token formatter for Fernet tokens
* Fix the wrong order of parameters when using assertEqual
* Imported Translations from Transifex
* Spelling and grammar cleanup
* Fixes bug in SQL/LDAP when honoring driver\_hints
* Remove policy parsing exception
* Cleanup policy related tests
* Remove incubated version of oslo policy
* Use oslo.policy instead of incubated version
* Fixes minor whitespace issues
* Updated from global requirements
* Add checking for existing group/option to update domain config
* Stop debug logging of Ldap while running unit tests
* Exposes bug in SQL/LDAP when honoring driver\_hints
* Updated from global requirements
* Fix typos in tests/unit/core.py
* Remove unnecessary import
* Update developer docs landing page
* Add support for whitelisting and partial domain configs
* Change headers to be byte string friendly
* fix import order in federation controller
* Imported Translations from Transifex
* Fix a minor coding nit in Fernet testing
* Move install of cryptography before six
* refactor: extract and document audit ID generation
* Update sample config file
* log query string instead of openstack.params and request args
* Cleanup docstrings in test\_v3\_federation.py
* refactor: consistently refer to "unpacked tokens" as the token's "payload"
* refactor: extract fernet packing & unpacking methods
* Fix nits from 157495
* Deprecate Eventlet Deployment in favor of wsgi containers
* remove old docstr referring to keyczar
* Implement backend driver support for domain config
* Use revocation events for lightweight tokens
* Avoid multiple instances for a provider
* Always load revocation manager
* Cleanup comments from 159865
* Updated from global requirements
* Rename "Keystone LightWeight Tokens" (KLWT) to "Fernet" tokens
* Make the default cache time more explicit in code
* Keystone Lightweight Tokens (KLWT)
* Refactor and provide scaffolding for domain specific loading
* Populate token with service providers
* Add CADF notifications for trusts
* Get initiator from manager and send to controller
* Add in non-decorator notifiers
* Implemented caching in identity layer
* Imported Translations from Transifex
* Use dict comprehensions instead of dict constructor
* Remove deprecated methods and functions in token subsystem
* Authenticate local users via federated workflow
* Move UserAuthInfo to a separate file
* Make RuleProcessor.\_UserType class public
* Enhance user identification in mapping engine
* Remove conditional check (and test) for oauth\_api
* Fixes test\_multiple\_filters filters definition
* Remove conditionals that check for revoke\_api
* Use correct dependency decorator
* Add minimum release support notes for federation
* Update \`os service create\` examples in config services
* Reference OSC docs in CLI examples
* Chain a trust with a role specified by name
* Add parent\_id to test\_project\_model
* Revamp the documentation surrounding notifications
* Remove unused tmp directory in tests
* Correct initialization order for logging to use eventlet locks
* add missing links for v3 OS-EC2 API response
* Remove explicit mentions of JSON from test\_v2
* Rename test\_keystoneclient\*
* Rename test\_content\_types
* Fix for KVS cache backend incompatible with redis-py
* Enable endpoint\_policy, endpoint\_filter and oauth by default
* Add links to extensions that point to api specs
* Classifying extensions and defining process
* Imported Translations from Transifex
* Add oslo request id middleware to keystone paste pipeline
* Uses SQL catalog driver for v2 REST tests
* Fixed skip msg in templated catalog test
* Remove invalid comment/statement at role manager
* Standardize notifications types as constants
* Change use of random to random.SystemRandom
* Remove extra call to oauth manager from tests
* Remove an extra call to create federation manager
* Updated from global requirements
* Imported Translations from Transifex
* Improve List Role Assignment Tests
* Enable filtering in LDAP backend for listing entities
* Refactor filter and sensitivity tests in prepartion for LDAP support
* Imported Translations from Transifex
* Provide additional detail if OAuth headers are missing
* Add WebSSO support for federation
* Check consumer and project id before creating request token
* Regenerate sample config file
* Move eventlet server options to a config section
* refactor: use \_get\_project\_endpoint\_group\_url() where applicable
* Update sample config file
* Consistently use oslo\_config.cfg.CONF
* Imported Translations from Transifex
* Removes unnecessary checks when cleaning a domain
* Remove check\_role\_for\_trust from sample policies
* Remove duplicated test for get\_role
* Add a test for create\_domain in notifications
* Add CADF notification handling for policy/region/service/endpoint
* Publicize region/endpoint/policy/service events
* Add CADF notifications for most resources
* Updated from global requirements
* Drop foreign key (domain\_id) from user and group tables
* Make federated domain configurable
* Imported Translations from Transifex
* Move backend role tests into their own module
* Fix nits from patch #110858
* Fix invalid super() usage in memcache pool
* Add a domain to federated users
* Wrap dependency registry
* Remove unnecessary code setting provider
* Fix tests to not load federation manager twice
* Fix places where role API calls still called assignment\_api
* fix a small issue in test\_v3\_auth.py
* Imported Translations from Transifex
* rename cls in get\_auth\_context to self
* make tests of endpoint\_filter check endpoints num
* remove the Conf.signing.token\_format option support
* Remove list\_endpoint\_groups\_for\_project from sample policies
* Add get\_endpoint\_group\_in\_project to sample policy files
* Check for invalid filtering on v3/role\_assignments
* Remove duplicate token revocation check
* Remove incubator version of log and local
* Use oslo.log instead of incubator
* Move existing tests to unit
* Cleanup tests to not set multiple workers
* Use subunit-trace from tempest-lib
* Log exceptions safely
* Imported Translations from Transifex
* Refactor \_send\_audit\_notification
* Updated from global requirements
* Remove excess brackets in exception creation
* Update policy doc to use new rule format
* remove the unused variables in indentity/core.py
* fix assertTableColumns
* Imported Translations from Transifex
* make federation part of keystone core
* Small cleanup of cloudsample policy
* Fix error message on check on RoleV3
* Improve creation of expected assignments in tests
* Add a check to see if a federation token is being used for v2 auth
* Adds a fork of python-ldap for Py3 testing
* Updates Python3 requirements
* Sync with oslo-incubator
* Add local rules in the federation mapping tests
* Don't try to convert LDAP attributes to boolean
* Add schema for endpoint group
* Split the assignments controller
* Use \_VersionsEqual for a few more version tests
* Remove test PYTHONHASHSEED setting
* Correct version tests for result ordering
* Correct a v3 auth test for result ordering
* Correct catalog response checker for result ordering
* Correct test\_get\_v3\_catalog test for result ordering
* Correct test\_auth\_unscoped\_token\_project for result ordering
* Fix the syntax issue on creating table \`endpoint\_group\`
* Change hacking check to verify all oslo imports
* Change oslo.i18n to oslo\_i18n
* Change oslo.config to oslo\_config
* Change oslo.db to oslo\_db
* Remove XMLEquals from tests
* Remove unused test case
* Don't coerce port config values
* Make identity id mapping handle unicode
* Improve testing of unicode id mapping
* Add new "RoleAssignment" exception
* Imported Translations from Transifex
* log wsgi requests at INFO level
* Fix race on default role creation
* Imported Translations from Transifex
* Unscoped to Scoped only
* Refactor federation SQL backend

2015.1.0b2
----------

* Set initiators ID to user\_id
* Updated from global requirements
* Change oslo.messaging to oslo\_messaging
* Change oslo.serialization to oslo\_serialization
* Handle SSL termination proxies for version list
* Imported Translations from Transifex
* Update federation config to use Service Providers
* Drop URL field from region table
* Create K2K SAML assertion from Service Provider
* Service Providers API for OS-FEDERATION
* Implements subtree\_as\_ids query param
* Refactor role assignment assertions
* Fixes 'OS-INHERIT:inherited\_to' info in tests
* During authentication validate if IdP is enabled
* Fix typo in Patch #142743
* Make the LDAP dependency clear between identity, resource & assignment
* Implements parents\_as\_ids query param
* Internal notifications for cleanup domain
* Multiple IDP authentication URL
* Change oslo.utils to oslo\_utils
* Imported Translations from Transifex
* Regenerate sample config file
* Make unit tests call the new resource manager
* Make controllers and managers reference new resource manager
* Remove unused pointer to assignment in identity driver
* Move projects and domains to their own backend
* Make role manager refer to role cache config options
* Documentation fix for Keystone Architecture
* Imported Translations from Transifex
* Fix evaluation logic of federation mapping rules
* Deprecate LDAP Assignment Backend
* Fix up \_ldap\_res\_to\_model for ldap identity backend
* Remove local conf information from paste-ini
* Use RequestBodySizeLimiter from oslo.middleware
* Adds a wip decorator for tests
* Remove list\_user\_projects method from assignment
* Updated from global requirements
* Remove unnecessary code block of exception handling
* Updated from global requirements
* Add library oslo.concurrency in config-generator config file
* Updated from global requirements
* Explicit Unscoped
* add missing API in docstring of EndpointFilterExtension
* fix test\_ec2\_list\_credentials
* Assignment sql backend create\_grant refactoring
* Updated from global requirements
* Imported Translations from Transifex
* Remove TODO comment which has been addressed
* Refactor keystone-all and http/keystone
* Updated from global requirements
* Identify groups by name/domain in mapping rules
* do parameter check before updating endpoint\_group
* Move sql specific filter test code into test\_backend\_sql
* Fix incorrect filter test name
* Update the keystone sample config
* Minor fix in RestfulTestCase
* Scope federated token with 'token' identity method
* Correct comment about circular dependency
* Refactor assignment manager/driver methods
* Make unit tests call the new, split out, role manager
* Make controllers call the new, split out, role manager
* Correct doc string for grant driver methods
* Split roles into their own backend within assignments
* correct the help text of os\_inherit
* Update Inherited Role Assignment Extension section
* Limit lines length on configuration doc
* Fixes spacing in sentences on configuration doc
* Fixes several typos on configuration doc
* Trust redelegation
* add missing parent\_id parameter check in project schema
* Fix incorrect session usage in tests
* Fix migration 42 downgrade
* Updated from global requirements
* Additional test coverage for password changes
* Fix downgrade test for migration 61 on non-sqlite
* Fix transaction issue in migration 44 downgrade
* Correct failures for H238
* Move to hacking 0.10
* Updated from global requirements
* Remove unused fields in base TestCase
* Keystoneclient tests from venv-installed client
* Fix downgrade from migration 61 on non-sqlite
* explicit namespace prefixes for SAML2 assertion
* Remove requirements not needed by oslo-incubator modules anymore
* Remove unused testscenarios requirement
* Cleanup test-requirements for keystoneclient
* Fix tests using extension drivers
* Ensure manager grant methods throw exception if role\_id is invalid
* update sample conf using latest oslo.conf
* Remove unnecessary oslo incubator bits
* let endpoint\_filter sql backend return dict data
* Tests fail only on deprecation warnings from keystone
* switch from sample\_config.sh to oslo-config-generator
* Add positive test case for content types
* Update the keystone.conf sample
* remove invalid note
* invalidate cache when updating catalog objects
* Enable hacking rule H302
* fix wrong self link in the response of endpoint\_groups API
* Imported Translations from Transifex
* improve the EP-FILTER catalog length check in test\_v3.py
* Don't allow deprecations during testing
* Fix to not use deprecated Exception.message
* Integrate logging with the warnings module
* rename oslo.concurrency to oslo\_concurrency
* Fix to not use empty IN clause
* Be more precise with flake8 filename matches
* Use bashate to run\_tests.sh
* Move test\_utils to keystone/tests/unit/
* add circular check when updating region
* fix the wrong update logic of catalog kvs driver
* Removes a Py2.6 version of assertSetEqual
* Removes a Py2.6 version of inspect.getcallargs
* Removes a bit of WSGI code converts unicode to str
* Expanded mutable hacking checks
* Make the mutable default arg check very strict
* sync to oslo commit 1cf2c6
* Update federation docs to point to specs.o.org
* Memcache connection pool excess check
* Always return the service name in the catalog
* Update docs to no longer show XML support

2015.1.0b1
----------

* Check and delete for policy\_association\_for\_region\_and\_service
* Remove unnecessary ldap import
* Rename \`removeEvent\` to be more pythonic
* Fix the way migration helpers check FK names
* Remove XML support
* Fix modifying a role with same name using LDAP
* Add a test for modifying a role to set the name the same
* Fix disabling entities when enabled is ignored
* Add tests for enabled attribute ignored
* Cleanup eventlet use in tests
* Fix update role without name using LDAP
* Add test for update role without name
* Inherited role assignments to projects
* Updated from global requirements
* Fix inherited user role test docstring
* Fixes links in Shibboleth configuration docs
* Updated from global requirements
* fix wrong indentation in contrib/federation/utils.py
* Adds openSUSE support for developer documentation
* User ids that begin with 0 cannot authenticate through ldap
* Typo in policy call
* Updated from global requirements
* Remove endpoint\_substitution\_whitelist config option
* Correct max\_project\_tree\_depth config help text
* Adds correct checks in LDAP backend tests
* Updated from global requirements
* Add an identity backend method to get group by name
* Create, update and delete hierarchical projects
* drop developer support for OS X
* Ignore H302 - bug 1398472
* Remove irrelative comment
* remove deprecated access log middleware
* Multiple IdPs problem
* Fixes docstring at eventlet\_server
* Fix the copy-pasted help info for db\_version
* Updated from global requirements
* TestAuthPlugin doesn't use test\_auth\_plugin.conf
* Add missing translation marker for dependency
* Use \_ definition from keystone.i18n
* Remove Python 2.6 classifier
* Correct token flush logging
* Speed up memcache lock
* Moves hacking tests to unit directory
* Fixes create\_saml\_assertion() return
* Add import i18n to federation/controllers.py
* Correct use of config fixture
* Extends hacking check for logging to verify i18n hints
* Adds missing log hints for level E/I/W
* make sample\_data.sh account for the default options in keystone.conf
* Adds dynamic checking for mapped tokens
* Updated from global requirements
* Enable cloud\_admin to list projects in all domains
* Remove string from URL in list\_revoke\_events()
* Configuring Keystone edits
* Update keystone readme to point to specs.o.org
* Imported Translations from Transifex
* Add WSGIPassAuthorization to OAuth docs
* Increase test coverage of test\_versions.py
* Move test\_pemutils.py to unit test directory
* Don't return \`\`user\_name\`\` in mapped.Mapped class
* Increase test coverage of test\_base64utils.py
* Move base64 unit tests to keystone/tests/unit dir
* Move injection unit tests to keystone/tests/unit
* Move notification unit tests to unit test dir
* Allow for REMOTE\_USER name in federation mapping
* Doc about specifying domains in domains specific backends
* Remove useless field passed into SQLAlchemy "distinct" statement
* Exclude domains with inherited roles from user domain list
* Improve testing of exclusion of inherited roles
* Fix project federation tokens for inherited roles
* Improve testing of project federation tokens for inherited roles
* Fix domain federation tokens for inherited roles
* Improve testing of domain federation tokens for inherited roles
* Fix misspelling at configuration.rst file
* Remove duplicate setup logic in federation tests
* Imported Translations from Transifex
* Enable hacking rule H904
* Move shib specific documentation
* Additional debug logs for federation flows
* Add openid connect support
* Imported Translations from Transifex
* Enable hacking rule H104 File contains nothing but comments
* Rename \_handle\_saml2\_tokens() method
* Updated from global requirements
* Update references to auth\_token middleware
* Use true() rather than variable/singleton
* Change ca to uppercase in keystone.conf
* default revoke driver should be the non-deprecated driver
* Prevent infinite loop in token\_flush
* Adds IPv6 url validation support
* Provide useful info when parsing policy file
* Doc about deleting a domain specific backend domain
* Updated from global requirements
* Remove token persistence proxy
* Correct use of noqa
* Use oslo.concurrency instead of sync'ed version
* revise error message for keystone.token.persistence pkg
* Change config option examples to v3
* Sync modules from oslo-incubator
* test\_utils use jsonutils from oslo.serialization
* Add fileutils module
* Move check\_output and git() to test utils
* Remove nonexistant param from docstring
* Fixes aggressive use of translation hints
* PKI and PKIZ tokens unnecessary whitespace removed
* Move unit tests from test\_backend\_ldap
* Use correct name of oslo debugger script
* Updated from global requirements
* Imported Translations from Transifex
* Change /POST to /ECP at federation config
* Base methods to handle hierarchical projects
* use expected\_length parameter to assert expected length
* fix the wrong order of assertEqual args in test\_v3
* sys.exit mock cleanup
* Tests raise exception if logging problem
* Correct the code path of implementation for the abstract method
* Use newer python-ldap paging control API
* Add xmlsec1 dependency comments
* Add parent\_id field to projects
* Add max-complexity to pep8 for Keystone
* Remove check\_password() in identity.backend.ldap
* Restrict certain APIs to cloud admin in domain-aware policy
* Remove unused ec2 driver option
* Extract Assignment tests from IdentityTestCase
* Clean up federated identity audit code
* obsolete deployment docs
* Remove database setup duplication
* Fixes endpoint\_filter tests
* Fixes a spelling error in hacking tests
* Fixes docstrings to be more accurate
* Update the feature/hierarchical-multitenancy branch
* Updated from global requirements

2014.2
------

* updated translations
* Remove deprecated KVS trust backend
* Imported Translations from Transifex
* Ensure sql upgrade tests can run with non-sqlite databases
* Ensure sql upgrade tests can run with non-sqlite databases
* Validates controller methods exist when specified
* Fixes an error deleting an endpoint group project
* Add v3 openstackclient CLI examples
* Update the CLI examples to also use openstackclient
* Replace an instance of keystone/openstack/common/timeutils
* Use importutils from oslo.utils
* Use jsonutils from oslo.serialization
* Update 'Configuring Services' documentation
* Use openstackclient examples in configuration documentation
* Validates controller methods exist when specified
* Fixes an error deleting an endpoint group project
* Switch LdapIdentitySqlAssignment to use oslo.mockpatch
* Fix tests comparing tokens
* Remove deprecated TemplatedCatalog class
* Remove images directory from docs
* Remove OS-STATS monitoring
* Remove identity and assignment kvs backends
* Add an XML code directive to a shibboleth example
* revise docs on default \_member\_ role
* Convert unicode to UTF8 when calling ldap.str2dn()
* Fix tests comparing tokens
* Fix parsing of emulated enabled DN
* Handle default string values when using user\_enabled\_invert
* Handle default string values when using user\_enabled\_invert
* Convert unicode to UTF8 when calling ldap.str2dn()
* Fix parsing of emulated enabled DN
* Add test for getting a token with inherited role
* wrong logic in assertValidRoleAssignmentListResponse method
* Open Kilo development

2014.2.rc1
----------

* Enhance FakeLdap to require base entry for subtree search
* Imported Translations from Transifex
* Uses session in migration to stop DB locking
* Address some late comments for memcache clients
* Set issuer value to CONF.saml.idp\_entity\_id
* Updated from global requirements
* Add placeholders for reserved migrations
* Mark k2k as experimental
* Add version attribute to the SAML2 Assertion object
* New section for CLI examples in docs
* Fix failure of delete domain group grant when identity is LDAP
* Clean up the Configuration documentation
* Adding an index on token.user\_id and token.trust\_id
* Update architecture documentation
* Fix a spelling mistake in keystone/common/utils.py
* Imported Translations from Transifex
* Prevent infinite recursion on persistence core on init
* Read idp\_metadata\_path value from CONF.saml
* Remove duplicated assertion
* Fix create and user-role-add in LDAP backend
* Fix minor spelling issues in comments
* Add a pool of memcached clients
* Update URLs for keystone federation configuration docs
* add --rebuild option for ssl/pki\_setup
* Mock doesn't have assert\_called\_once()
* Do not run git-cloned ksc master tests when local client specified
* Add info about pysaml2 into federation docs
* Imported Translations from Transifex
* Remove unused cache functions from token.core
* Updated from global requirements
* Safer check for enabled in trusts
* Set the default number of workers when running under eventlet
* Add the processutils from oslo-incubator
* Update 'Configure Federation' documentation
* Ensure identity sql driver supports domain-specific configuration
* Allow users to clean up role assignments
* Adds a whitelist for endpoint catalog substitution
* Revoke the tokens of group members when a group role is revoked
* Change pysaml2 comment in test-requrements.txt
* Document Keystone2Keystone federation
* Set LDAP certificate trust options for LDAPS and TLS
* Fail on empty userId/username before query
* Refactor FakeLdap to share delete code
* ldap/core deleteTree not always supported
* Reduce unit test log level for notifications
* Fix delete group cleans up role assignments with LDAP
* Refactor LDAP backend using context manager for connection
* Fix fakeldap search\_s documentation
* Add delete notification to endpoint grouping
* Fix using local ID to clean up user/group assignments
* Add characterization test for cleanup role assignments for group
* Fix LDAP group role assignment listing
* Correct typos in keystone/common/base64utils.py docstrings
* Add V3 JSON Home support to GET /
* Ensure a consistent transactional context is used
* Adds hint about filter placement to extension docs
* Adds pipeline hints to the example paste config
* Make the extension docs a top level entry in the landing page
* LDAP: refactor use of "1.1" OID
* Fix Policy backend driver documentation
* improve dependency injection doc strings
* Document mod\_wsgi doesn't support chunked encoding
* Making KvsInheritanceTests use backend KVS
* Keystone local authenticate has an unnecessary pending audit record
* Use id attribute map for read-only LDAP
* Stop skipping LDAP tests
* Update the revocation configuration docs
* Fixes formatting error in debug log statement
* Remove trailing space from string
* Update paste pipelines in configuration docs
* Update man pages
* Updates package comment to be more accurate
* Fixed typo 'in sane manner' to 'in a sane manner'
* Enable filtering of services by name
* correct typos
* Fixes code comment to be more accurate
* Prevent domains creation for the default LDAP+SQL
* Add testcase for coverage of 002\_add\_endpoint\_groups
* Fix oauth sqlite migration downgrade failure
* Sync jsonutils from oslo-incubator 32e7f0b5
* Imported Translations from Transifex
* Avoid conversion of binary LDAP values
* Remove unused variable TIME\_FORMAT
* Add characterization test for group role assignment listing
* Fix dn\_startswith
* Use oslo\_debug\_helper and remove our own version
* Fixes a mock cleanup issue caused by oslotest
* Add rst code-blocks to a bunch of missing examples
* Capitalize all instances of Keystone in the docs

2014.2.b3
---------

* Update the docs that list sections in keystone.conf
* Fixed spelling mistakes in comments
* use one indentation style
* Fix admin server doesn't report v2 support in Apache httpd
* Add test for single app loaded version response
* Work toward Python 3.4 support and testing
* Update the federation configuration docs for saml2
* Add docs for enabling endpoint policy
* warn against sorting requirements
* Adds region back into the catalog endpoint
* Remove extra V3 version router
* Implementation of Endpoint Grouping
* Fix minor nits for token2saml generation
* Routes for Keystone-IdP metadata endpoint
* Generate IdP Metadata with keystone-manage
* IdP SAML Metadata generator
* Implement validation on Trust V3 API
* Create SAML generation route and controller
* trustor\_user\_id not available in v2 trust token
* Transform a Keystone token to a SAML assertion
* Remove TODO that was done
* Fix region schema comment
* Remove unused \_validate\_endpoint
* Fix follow up review issues with endpoint policy backend patch
* controller for the endpoint policy extension
* Mark the revoke kvs backend deprecated, for removal in Kilo
* Fix logging config twice
* Implement validation on the Catalog V3 API
* General logging cleanup in keystone.notifications
* Lower log level for notification registration
* backend for policy endpoint extension
* Implement validation on Credential V3
* Implement validation on Policy V3 API
* Fix token flush fails with recursion depth exception
* Spelling errors fixed in the comments
* Add index for actor\_id in assignments table
* Endpoint table is missing reference to region table
* add missing log hints for level C/E/I/W
* Add audit support to keystone federation
* Add string id type validation
* Implement validation on Assignment V3 API
* Adds tests that show how update with validation works
* Mark the trust kvs backend deprecated, for removal in Kilo
* Test cleanup: do not leak FDs during test runs
* Do not load auth plugins by class in tests
* JSON Home data is required
* Cleanup superfluous string comprehension and coersion
* Add commas for ease of maintenance
* Comments to docstrings for notification emit methods
* Notification cleanup: namespace actions
* Mark kvs backends as deprecated, for removal in Kilo
* Add bash code style to some portions of configuration.rst
* Update sample config
* Update tests to not use token\_api
* Make persistence manager in token\_provider\_api private
* Enhance GET /v3 to handle Accept header
* Enhance V3 extensions to provide JSON Home data
* Enhance V3 extension class to integrate JSON Home data
* Change OS-INHERIT extension to provide JSON Home data
* Change the sub-routers to provide JSON Home data
* Change V3 router classes to provide JSON Home data
* Create additional docs for role assignment events
* Add libxmlsec1 as external package dependency on OS X
* Add \_\_repr\_\_ to KeystoneToken model
* Add extra guarding to revoke\_by\_audit\_id methods
* Mark methods on token\_api deprecated
* Remove SAML2 plugin dependency on token\_api
* Remove oauth controller dependency on token\_api
* Remove assignment\_api dependency on token\_api
* Notification Constant Cleanup and internal notify type
* Remove wsgi and base controller dependency on token\_api
* Remove identity\_api dependency on token\_api
* Remove trust dependency on token\_api
* Update AuthContextMiddleware to not use token\_api
* Revoke by Audit Id / Audit Id Chain instead of expires
* assignment controller error path fix
* Make SQL the default backend for Identity & Assignment unit tests
* Add CADF notifications for role assignment create and delete
* Add notifications for policy, region, service and endpoint
* Enhance V3 version controller to provide JSON Home response
* Provide the V3 routers to the V3 extension controller
* Enhance V3 routers to store basic resource description
* Correct the signature for some catalog abstract method signatures
* Convert to urlsafe base64 audit ids
* Sync Py2 and Py3 requirements files
* Sync with oslo-incubator
* Add audit ids to tokens
* Fixing simple type in comment
* Create authentication specific routes
* Standardizing the Federation Process
* Enable filtering of credentials by user ID
* Expose context to create grant and delete grant
* Redirect stdout and stderr when using subprocess
* Back off initial migration to 34
* Back off initial migration to 35
* Use python convention for function names in test\_notifications
* Use mail for the default LDAP email attribute name
* Bump hacking to 0.9.x series
* Fixes an issue with the XMLEquals matcher
* Do not require method attribute on plugins
* Remove \_BaseFederationExtension
* Add a URL field to region table
* Remove unnecessary declaration of CONF
* Remove trailing space in tox.ini
* Rename bash8 requirement
* Updates the sample config
* remove unused import
* Clean whitespace off token
* Support the hints mechanism in list\_credentials()
* Keystone service throws error on receiving SIGHUP
* Remove strutils and timeutils from openstack-common.conf
* Use functions in oslo.utils
* Add an OS-FEDERATION section to scoped federation tokens
* Ensure roles created by unit tests have correct attributes
* Update control\_exchange value in keystone.conf
* swap import order of lxml
* add i18n to lxml error
* Check for empty string value in REMOTE\_USER
* Refactor names in catalog backends
* Update CADF auditing example to show non-payload information
* Remove ec2 contrib dependency on token\_api
* Expose token revocation list via token\_provider\_api
* Remove assignment controller dependency on token\_api
* Refactor serializer import to XmlBodyMiddleware
* Delete intersphinx mappings
* Fix documentation link
* Make token\_provider\_api contain token persistence
* Remove S3 middleware tests from tox.ini
* Remove unused function
* Add oslo.utils requirement
* Surround REMOTE\_USER variable name with quotes
* Remove \`with\_lockmode\` use from Trust SQL backend
* Allow LDAP lock attributes to be used as enable attributes
* Improve instructions about federation
* Do not override venvs
* Imported Translations from Transifex
* Remove debug CADF payload for every authN request
* Don't override tox envdir for pep8 and cover jobs
* Change V3 extensions to use resources
* Enhance V3 extension class to use resources
* V3 Extension class
* Change V3 router classes to use resources
* Enhance V3 router class for resources
* Class for V3 router packages
* Filter List Regions by 'parent\_region\_id'
* Refactor existing endpoint filter tests
* Trust unit tests should target additional threat scenarios
* Update the config file
* Fix revocation event handling with MySQL
* Set default token provider to UUID
* Add filters to the collections 'self' link
* Issue multiple SQL statements in separate engine.execute() calls
* Remove fixture from openstack-common.conf
* Use config fixture from oslo.config
* Fix revoking a scoped token from an unscoped token
* Updated from global requirements
* KeyError instead of exception.KeyError
* Catch correct oslo.db exception
* Update setup docs with Fedora 19+ dependencies
* Add a test for revoking a scoped token from an unscoped
* Fix revoking domain-scoped tokens
* Correct revocation event test for domain\_id
* Add pluggable range functions for token flush
* Configurable python-keystoneclient repo
* Fix invalid self link in get access token
* Add workaround to support tox 1.7.2
* Fixes a capitalization issue
* Do not consume trust uses when create token fails
* Refactor set domain-id and mapping code
* Remove duplicated asserts
* Fix for V2 token issued\_at time changing
* Add tests related to V2 token issued\_at time changing
* Sample config update
* Add the new Keystone TokenModel
* Add X-Auth-Token header in federation examples
* Check url is in the 'self' link in list responses
* Clean up EP-Filter after delete project/endpoint
* add internal delete notification for endpoint
* remove static files from docs
* Move token persistence classes to token.persistence module
* cache the catalog
* Disable a domain will revoke tokens under the same domain
* Sqlite files excluded from the repo
* Adding support for ldap connection pooling
* Details the proper way to call a callable

2014.2.b2
---------

* Add the new oslo.i18n as a dependency for Python 3
* Fixes test\_exceptions.py for Python3
* Fixes test\_wsgi for Python3
* Adds several more test modules that pass on Py3
* Reduces the amount of mocked imports for Python 3
* Disables LDAP unit tests
* Updated from global requirements
* Initial implementation of validator
* Mark the 'check\_vX\_token' methods deprecated
* Extracting get group roles for project logic to drivers
* implement GET /v3/catalog
* Adds coverage report to py33 test runs
* Fixed tox cover environment to share venv
* Regenerate sample config file
* Check that region ID is not an empty string
* auth tests should not require admin token
* Example JSON files should be human-readable
* Consolidate \`assert\_XXX\_enabled\` type calls to managers
* Move keystone.token.default\_expire\_time to token.provider
* Move token\_api.unique\_id to token\_provider\_api
* Capitalize a few project names in configuring services doc
* Fixes a Python3 syntax error
* Introduce pragma no cover to asbtract classes
* Update middleware that was moved to keystonemiddleware
* Sync with oslo-incubator
* project disabled/deleted notification recommendations
* render json examples with syntax highlighting
* Use oslo.i18n
* Make sure unit tests set the correct log levels
* Clean up the endpoint filtering configuration docs
* Avoid loading a ref from SQL to delete the ref
* Add revocation extension to default pipeline
* multi-backend support for identity
* Update docs to reflect new db\_sync behaviour
* Migrate default extensions
* Add oslo.i18n as dependency
* Do not use lazy translation for keystone-manage
* Update the configuration docs for the revocation extension
* Remove deprecated token\_api.list\_tokens
* Imported Translations from Transifex
* Add keystonemiddleware to requirements
* Add \_BaseFederationExtension class
* Correct the region table to be InnoDB and UTF8
* HEAD responses should return same status as GET
* Updated from global requirements
* Sync with oslo-incubator e9bb0b59
* Add schema check for OS-FEDERATION mapping table
* Make OS-FEDERATION core.Driver methods abstract
* update example with a status code we actually use
* Correct docstring for assertResponseSuccessful
* Fix the section name in CONTRIBUTING.rst
* Fix OAuth1 to not JSON-encode create access token response
* Ending periods in exception messages deleted
* Ensure that in v2 auth tenant\_id matches trust
* Add identity mapping capability
* Do not use keystone's config for nova's port
* Fix docs and scripts for pki\_setup and ssl\_setup
* LDAP: Added documentation for debug\_level option
* Updated from global requirements
* Fixes the order of assertEqual arguments
* remove default=None for config options
* Fix test for get\_\*\_by\_name invalidation
* Do not support toggling key\_manglers in cache layer
* Implicitly ignore attributes that are mapped to None in LDAP
* Move bash8 to run under pep8 tox env
* Remove db, db.sqlalchemy from openstack-common.conf
* Remove backend\_entities from backend\_ldap.conf
* Consolidate provider calls to token\_api.create\_token
* Adds hacking check for debug logging translations
* Updates Python3 requirements to match Python2
* Adds oslo.db support for Python 3 tests
* Do not leak SQL queries in HTTP 409 (conflict)
* Imported Translations from Transifex
* Do not log 14+ INFO lines on a broken pipe error (eventlet)
* Regenerate sample config file
* deprecate LDAP config options for 'tenants'
* the user\_tenant\_membership table was replaced by "assignment"
* Corrects minor spelling mistakes
* Ignoring order of user list in TenantTestCase
* Make gen\_pki.sh & debug\_helper.sh bash8 compliant
* TestAuthInfo class in test\_v3\_auth made more efficient
* Update docs to reference #openstack-keystone
* Don't set sqlite\_db default
* Migrate ID generation for users/groups from controller to manager
* oslo.db implementation
* Test \`common.sql\` initialization
* Kerberos as method name
* test REMOTE\_USER  does not authenticate
* Document pkiz as provider in config
* Only emit disable notifications for project/domain on disable
* Fix the typo and reformat the comments for the added option
* Updated from global requirements
* fix flake8 issues
* Update sample keystone.conf file
* Fix 500 error if request body is not JSON object
* Default to PKIZ tokens
* Fix a few typos in the shibboleth doc
* pkiz String conversion
* Fixes catalog URL formatting to never return None
* Updates keystone.catalog.core.format\_url tests
* Ignore broken endpoints in get\_catalog
* Allow for multiple PKI Style Providers
* Add instructions for removing pyc files to docs
* Password trunction makes password insecure
* enable multiple keystone-all worker processes
* Add cloud auditing notification documentation
* Block delegation escalation of privilege
* Fixes typo error in Keystone
* Add missing docstrings and 1 unittest for LDAP utf-8 fixes
* Properly invalidate cache for get\_\*\_by\_name methods
* Make sure domains are enabled by default
* Convert explicit session get/begin to transaction context

2014.2.b1
---------

* remove unnecessary word in docs: 'an'
* add docs on v2 & v3 support in the service catalog
* Add v3 curl examples
* Use code-block for curl examples
* Sync service module from oslo-incubator
* remove unneeded definitions of Python Source Code Encoding
* gitignore etc/keystone/
* Enforce \`\`saml2\`\` protocol in Apache config
* install gettext on OS X for msgfmt
* Use translation hints
* Add v2 & v3 API documentation
* Make sure all the auth plugins agree on the shared identity attributes
* update release support warning for domain-specific drivers
* Catalog driver generates v3 catalog from v2 catalog
* Compressed Token Provider
* document keystone-specs instead of LP blueprints in README
* fixed several pep8 issues
* Invalid command referenced in federation documentation
* Fix curl example refs in docs
* pep8: do not test locale files
* Consistenly use jsonutils instead of json
* Fix type error message in format\_url
* Updated from global requirements
* remove out of date docs for Fedora 15
* Make sure scoping to the project of a disabled domain result in 401
* document pki\_setup and ssl\_setup in keystone.conf.sample
* Fixed wrong behavior when updating tenant or user with LDAP backends
* Cleanup openstack-common.conf and sync from olso
* recommend excluding 35357 from ephemeral ports
* Fixes duplicated DELETE queries on SQL backends
* Refactor tests regarding required attributes
* Suggest users to remove REMOTE\_USER from shibd conf
* Refactor driver\_hints
* Imported Translations from Transifex
* Code which gets and deletes elements of tree was moved to one method
* indicate that sensitive messages can be disabled
* Check that the user is dumb moved to the common method
* Fix spelling mistakes in docs
* Replace magic value 'service/security' in CadfNotificationWrapper
* Replace assertTrue and assertFalse with more suitable asserts
* replaced unicode() with six.text\_type()
* Remove obsolete note from ldap
* install from source docs never actually install the keystone service
* LDAP fix for get\_roles\_for\_user\_and\_project user=group ID
* Cleanup of ldap assignment backend
* Remove all mostly untranslated PO files
* Mapping engine does not handle regex properly
* SQL fix for get\_roles\_for\_user\_and\_project user=group ID
* Unimplemented get roles by group for project list
* sql migration: ensure using innodb utf8 for assignment table
* Update mailmap entry for Brant
* Reduce log noise on expired tokens
* Add note for v3 API clients using auth plugin docs
* Refactor test\_auth trust related tests
* Add detailed federation configuration docs
* remove a few backslash line continuations
* Reduce excess LDAP searches
* Regenerate sample config
* Fix version links to docs.openstack.org
* Add mailmap entry
* Refactor create\_trust for readability
* Adds several more tests to the Python 3 test run
* Fixed the policy tests in Python 3
* Fixed the size limit tests in Python 3
* fixed typos found by RETF rules in RST files
* Remove the configure portion of extension docs
* Ensure token is a string
* Fixed some typos throughout the codebase
* Allow 'description' in V3 Regions to be optional
* More random values for oAuth1 verifier
* Add rally performance gate job for keystone
* Set proper DB\_INIT\_VERSION on db\_version command
* Escape values in LDAP search filters
* Migration DB\_INIT\_VERSION in common place
* Redundant unique constraint
* Correct \`nullable\` values in models and migrations
* Move hacking code to a separate fixture
* Some methods in ldap were moved to superclass
* Sync with oslo-incubator 28fba9c
* Use oslo.test mockpatch
* Check that all po/pot files are valid
* No longer allow listing users by email
* Refactor notifications
* Add localized response test
* Refactor service readiness notification
* Make test\_revoke expiry times distinct
* Removed duplication with list\_user\_ids\_for\_project
* Fix cache configuration checks
* setUp must be called on a fixture's parent first
* First real Python 3 tests
* Make the py33 Jenkins job happy
* Fix the "search for sql.py" files for db models
* Sync with oslo-incubator 74ae271
* no one uses macports
* Updated from global requirements
* Compatible server default value in the models
* Explicit foreign key indexes
* Added statement for ... if ... else
* Imported Translations from Transifex
* Ignore broken endpoints in get\_v3\_catalog
* Fix typo on cache backend module
* Fix sql\_upgrade tests run by themselves
* Discourage use of pki\_setup
* add dependencies of keystone dev-enviroment
* More efficient DN list for LDAP role delete
* Stronger assertion for test\_user\_extra\_attribute\_mapping
* Refactor test\_password\_hashed to the backend testers
* Remove LDAP password hashing code
* More notification unit tests
* Add missing import, remove trailing ":" in middleware example
* Fixes for in-code documentation
* Isolate backend loading
* Sync with oslo-incubator 2fd457b
* Adding one more check on project\_id
* Moves test database setup/teardown into a fixture
* Make the LDAP debug option a configurable setting
* Remove unnecessary dict copy
* More debug output for test
* Code which gets elements of tree in ldap moved to a common method
* Removed unused code
* Don't re-raise instance
* Fix catalog Driver signatures
* Include extra attributes in list results
* Allow any attributes in mapping
* Enhance tests for user extra attribute mapping
* Fix typo of ANS1 to ASN1
* Updated from global requirements
* Refactor: moved flatten function to utils
* Collapse SQL Migrations
* Treat LDAP attribute names as case-insensitive
* replace word 'by' with 'be'
* Configurable token hash algorithm
* Adds style checks to ease reviewer burden
* Adding more descriptive error message
* Fixed wrong behavior in method search\_s in BaseLdap class
* Fix response for missing attributes in trust
* Refactor: move federation functions to federation utils
* List all forbidden attributes in the request body
* Convert test\_backend\_ldap to config fixture
* Add tests for user ID with comma
* Fix invalid LDAP filter for user ID with comma
* Remove assignment proxy methods/controllers
* Remove legacy\_endpoint\_id and enabled from service catalog
* Replace all use of mox with mock
* Fix assertEqual arguments order(catalog, cert\_setup, etc)
* Remove common.V3Controller.check\_required\_params() method
* Fix parallel unit tests keystoneclient partial checkout
* Sync from oslo db.sqlalchemy.migration
* Removes unused db\_sync methods
* Removes useless wrapper from manager base class
* Cleanup of test\_cert\_setup tests
* Sanitizes authentication methods received in requests
* Fix create\_region\_with\_id raise 500 Error bug
* For ldap, API wrongly reports user is in group
* support conventional domain name with one or more dot
* Remove \_delete\_tokens function from federation controller
* Keystone doesn't use pam
* Fixed small capitalization issue
* Fix Jenkins translation jobs
* Removes some duplicate setup from a testcase
* Updated from global requirements
* Enable concurrent testing by default
* Cleanup ldap tests (mox and reset values)
* Check domain\_id with equality in assignment kvs
* Moves database setup/teardown closer to its usage
* Cleanup config.py
* Clean up config help text
* Imported Translations from Transifex
* test\_v3\_token\_id correctly hash token
* Safer noqa handling
* Remove noqa form import \_s
* Fix assertEqual arguments order(auth\_plugin, backend, backend\_sql, etc)
* Expand the use of non-ascii values in ldap test
* Properly handle unicode & utf-8 in LDAP
* Refactor LDAP API
* Use in-memory SQLite for sql migration tests
* Use in-memory SQLite for testing
* Remove extraenous instantiations of managers
* Make service catalog include service name
* Add placeholders for reserved migrations

2014.1.rc1
----------

* Open Juno development
* Enable lazy translations in httpd/keystone.py
* Avoid using .values() on the indexed columns
* Imported Translations from Transifex
* revert deprecation of v2 API
* Remove unnecessary test setUps
* code hygiene; use six.text\_type, escape regexp's, use key function
* Use CMS to generate sample tokens
* Allows override of stdout/stderr/log capturing
* exclude disabled services from the catalog
* refactor AuthCatalog tests
* Rename keystone.tests.fixtures
* Change the default version discovery URLs
* Remove extra cache layer debugging
* Updated from global requirements
* Fix doc build errors with SQLAlchemy 0.9
* Sync oslo-incubator db.sqlalchemy b9e2499
* Create TMPDIR for tests recursively
* Always include 'enabled' field in service response
* test tcp\_keepidle only if it's available on the current platform
* Add dedicated URL for issuing unscoped federation tokens
* Cleanup revocation query
* Reduce environment logging
* Use assertIsNone when comparing against None
* Removes the use of mutables as default args
* Add a space after the hash for block comments
* Filter SAML2 assertion parameters with certain prefix
* Use assertIn in test\_v3\_catalog
* Add support for parallel testr workers in Keystone
* is\_revoked check all viable subtrees
* update sample conf
* explicitly import gettext function
* expires\_at should be in a tuple not turned into one
* Comparisons should account for instantaneous test execution
* Start using to oslotest
* Uses generator expressions instead of filter
* Remove unused db\_sync from extensions
* Ability to turn off ldap referral chasing
* Add user\_id when calling populate\_roles\_for\_groups
* Store groups ids objects list in the OS-FEDERATION object
* Make domain\_id immutable by default
* Do not expose internal data on UnexpectedError
* Use oslo db.sqlalchemy.session.EngineFacade.from\_config
* Uses explicit imports for \_
* Rename scope\_to\_bad\_project() to test\_scope\_to\_bad\_project()
* Make LIVE Tests configurable with ENV
* Filter out nonstring environment variables before rules mapping
* Provide option to make domain\_id immutable
* Replace httplib.HTTPSConnection in ec2\_token
* Move test .conf files to keystone/tests/config\_files
* Removal of test .conf files
* Don't automatically enable revocation events
* Ensure v3policysample correctly limits domain\_admin access
* Sync db, db.sqlalchemy from oslo-incubator 0a3436f
* Do not use keystone.conf.sample in tests
* Filter LDAP dumb member when listing role assignments
* Updated from global requirements
* Remove unnecessary oauth1.Manager constructions
* Enforce groups presence for federated authn
* Update sample config
* Very minor cleanup to default\_fixtures
* Cleanup keystoneclient tests
* Cleanup fixture data added to test instances
* Cleans up test data from limit tests
* Cleanup of instance attrs in core tests
* Cleanup backends after each test
* Fixup region description uniqueness
* Add slowest output to tox runs (testr)
* Add missing documentation for enabling oauth1 auth plugin
* Add missing documentation for enabling federation auth plugin
* Use class attribute to represent 'user' and 'group'
* Configurable temporary directory for tests
* Call an existing method in sync cache for revoke events
* Remove unnecessary calls to self.config()
* remove the unused variable in test\_sql\_upgrade
* remove hardcoded SQL queries in tests
* Fix db\_version failed with wrong arguments
* Use config fixture
* Fix docstrings in federation related modules
* Sync db, db.sqlalchemy, gettextutils from oslo-incubator 6ba44fd
* V3 xml responses should use v3 namespace
* trust creation allowed with empty roles list
* Fix test\_provider\_token\_expiration\_validation transient failure
* Fix include only enabled endpoints in catalog
* Add unit tests for disabled endpoints in catalog

2014.1.b3
---------

* Update ADMIN\_TOKEN description in docs
* Mark revoke as experimental
* Import order is fixed
* Remove unused function from tests
* Add OS-OAUTH1 to consumers links section
* Don't need session.flush in context managed by session
* Imported Translations from Transifex
* allow create credential with the system admin token
* Stop gating on up-to-date sample config file
* Always include 'enabled' field in endpoint response
* Add the last of the outstanding helpstrings to config
* Token Revocation Extension
* Remove vim headers
* Removes use of timeutils.set\_time\_override
* drop key distribution from icehouse
* Limited use trusts
* Update curl api example to specify tenant
* Update Oslo wiki link in README
* Properly configure OS-EP-FILTER test backend
* Add tests for endpoint enabled
* Remove the un-used and non-maintained PAM identity backend
* Remove paste\_deploy from test\_overrides.conf
* SQLAlchemy Change to support more strict dialect checking
* Remove "test-only" pam config options
* Imported Translations from Transifex
* Fix get project users when no user exists
* deprecate XML support in favor of JSON
* Lazy gettextutils behavior
* Fix the order of assertEqual arguments(keystoneclient, kvs, etc)
* Update Oslo wiki link in README
* Removes a redundant test
* Remove unused variable
* Implement V3 Specific Version of EC2 Contrib
* revocation\_list only call isotime on datetime objects
* Support authentication via SAML 2.0 assertions
* Fix table name typo in test\_sql\_upgrade
* Cleanup and add more config help strings
* Ensure v2 API only returns projects in the default domain
* Support for mongo as dogpile cache backend
* v3 endpoint create should require url
* Fix issue with DB upgrade to assignment table
* Remove duplicated cms file
* oauth1 extension migration fails with DB2
* Handle exception messages with six.text\_type
* Remove common.sql.migration
* Unimplemented error on V3 get token
* Updated from global requirements
* Replace assertEqual(None, \*) with assertIsNone in tests
* Fix keystone-manage db\_version
* Fix assertEqual arguments order(\_ldap\_tls\_livetest, backend\_kvs, etc)
* Fix assertEqual arguments order(backend\_ldap, cache, v3\_protection)
* Fix the order of assertEqual arguments(v3\_auth, v3\_identity)
* Move \_BaseController to common/controllers.py
* Remove oslo rpc
* Fix webob.exc.HTTPForbidden parameter miss
* Remove redundant default value None for dict.get
* Remove oslo notifier
* Uses the venv virtualenv for the pep8 command
* Sync db.exception from Oslo
* Update oslo-incubator log.py to a01f79c
* Update man pages
* Add tests for create grant when no group
* Add tests for create grant when no user
* Correct a docstring in keystone.common.config
* Enable pep8 test against auto-generated configuration
* Update config options with helpstrings and generate sample
* Keystone doc has wrong keystone-manage command
* Fix assertEqual arguments order
* strengthen assertion for unscoped tokens
* Remove sql.Base
* Always hash passwords on their way into the DB
* bad config user\_enable\_emulation in mask test
* Convert Token Memcache backend to new KeyValueStore Impl
* Implement mechanism to provide non-expiring keys in KVS
* Rationalize the Assignment Grant Tables
* Add version routes to KDS
* Keystone team uses #openstack-keystone now
* Adds model mixin for {to,from}\_dict functionality
* Adds Cloud Audit (CADF) Support for keystone authentication
* Use class attribute to represent 'project'
* Switch over to oslosphinx
* Replace notifier with oslo.messaging
* Clean StatsController unnecesary members
* Use global to represent OS-TRUST:trust
* Additional notifications for revocations
* add policy entries for /v3/regions
* Use Oslo.db migration
* \`find\_migrate\_repo\` improvement
* Variable 'domain\_ref' referenced before assignment
* Cleanup Dogpile KVS Memcache backend support
* Fix test\_provider\_token\_expiration\_validation transient failure
* Restructure KDS options to be more like Keystone's options
* Setup code for auto-config sample generation
* Correct \`find\_migrate\_repo\` usage
* Make live LDAP user DN match the default from devstack
* Set sensible default for keystone's paste
* Treat sphinx warnings as errors
* Use WebOb directly in ec2\_token middleware
* Add lockfile and kombu as requirements for keystone
* Move filter\_limit\_query out of sql.Base
* List trusts, incorrect self link
* LDAP: document enabled\_emulation
* Remove s3\_token functional tests
* Provide clearer error when deleting enabled domain
* Remove copyright from empty files
* Syncing policy engine from oslo-incubator
* Rename Openstack to OpenStack
* Refactor get role for trust
* KDS fix documented exception
* Cleanup oauth tests
* Correctly normalize consumer fields on update
* Add tests for oauth consumer normalize fields
* Adds a fixture for setting up the cache
* Clean up database fixtures
* Fixes bug in exception message generation
* reverse my preferred mailmap
* Notifications upon disable
* Move identity logic from controller to manager
* Changing testcase name to match our terminology
* Allow specifying region ID when creating region
* explicitly expect hints in the @truncated signature
* list limit doc cleanup
* Correct error class in find\_migrate\_repo
* Remove unnecessary check to see if trustee exists
* Enforce current certificate retrieval behaviour
* Use WebOb directly for locale testing
* Cleanup KDS doc build errors
* Adds rule processing for mapping
* Add in functionality to set key\_mangler on dogpile backends
* Fix indentation issue
* Cleanup invalid token exception text
* Limit calls to memcache backend as user token index increases in size
* Style the code examples in docs as python
* Fixes a misspelling
* Doc - Keystone configuration - moving RBAC section
* Doc - Detailing  objects' attributes available for policy.json
* Do not use auth\_info objects for accessing the API
* Remove unused method \_get\_domain\_id\_from\_auth
* Remove unused method \_get\_domain\_conf
* Remove unused method \_store\_protocol
* Remove tox locale overrides
* Remove unused methods from AuthInfo
* Remove unused method \_create\_metadata
* Add test for list project users when no user
* Fix assignment KVS backend to not use identity
* Update kvs assignment backend docs
* Don't skip tests for some bugs
* Update oslo-incubator fixture to 81c478
* Remove vim header
* revise example extension directory structure
* Deprecate s3\_token middleware
* Update requirements to 661e6
* Implement list limiting support in driver backends
* Fix misspellings in keystone
* Removes use of fake\_notify and fixes notify test
* Remove host from per notification options
* Document priority level on Keystone notifications
* Remove default\_notification\_level from conf
* Mock sys.exit in testing
* Remove auth\_token middleware doc
* Move v3\_to\_v2\_user from manager to controller
* Update db.sqlalchemy.session from oslo-incubator 018138
* Adds tcp\_keepalive and tcp\_keepidle config options
* Ensure mapping rule has only local and remote properties
* clean up keystone-manage man page
* Refactor tests move assertValidErrorResponse
* fix grammar error in keystone-manage.rst
* Add rules to be a required field for mapping schema
* Cleanup docstrings
* Do not call deprecated functions
* Removes useless string
* Removes duplicate key from test fixtures
* Fixes a Python3 syntax error using raise
* Uses six.text\_type instead of unicode
* Uses six.iteritems for Python3 compat
* Add tests to ensure additional remote properties are not validated
* Removes xrange for Python3 compat
* Cleanup sample config
* Change 'oauth\_extension' to 'oauth1\_extension'
* Modified keystone endpoint-create default region
* Load the federation manager
* Fix indentation errors found by Pep8 1.4.6+
* Mark strings for translation in ldap backends
* Remove unused variable assignment
* Sync oslo's policy module
* Replace urllib/urlparse with six.moves.\*
* Change Continuous Integration Project link
* Remove legacy diablo and essex test cruft
* Refactor Auth plugin configuration options
* Use self.opt\_in\_group overrides
* Federation IdentityProvider filter fields on update response
* Remove unnecessary test methods
* Refactor federation controller class hierarchy
* Refactor mutable parameter handling
* Avoid use of str() with exceptions
* Use message when creating Unauthorized exception
* Make error strings translatable
* Enhancing tests to check project deletion in Active Directory
* Add required properties field to rules schema
* Fix assignment to not require user or group existence
* deprecate access log middleware
* remove access log middleware from the default paste pipeline
* deprecate v2.0 API in multiple choice response
* cleaned up extension development docs
* Add a docstring and rename mapping tests
* Remove versionId, versionInfo, versionList from examples
* Tests initialize database
* Don't set default for a nullable column
* Remove autoincrement from String column
* Fix docstrings in federation controller
* Change assertTrue(isinstance()) by optimal assert
* sync oslo-incubator log.py
* turn off eventlet.wsgi debug
* Make boolean query filter "False" argument work
* Fix list\_projects\_for\_endpoint failed bug
* Introduce database functionality into KDS
* Update the default\_log\_levels defaults
* Correct sample config default log levels
* deprecate stats middleware
* Use passed filter dict param in core sql filtering
* Fix federation documentation reference
* build auth context from middleware
* correct the document links in man documents
* Use six.text\_type to replace unicode
* Don't mask the filter built-in
* Move sql.Base.transaction
* Remove sql.Base.get\_session
* renamed extensions development doc
* Implement filter support in driver backends
* append extension name to trust notifications
* Allow event callback registration for arbitrary resource types
* Fix test\_auth isolation
* Policy sample - Identity v3 resources management
* Tests use setUp rather than init
* Improve forbidden checks
* Tests remove useless config list cleanup code
* use assertEqual instead of assertIs for string comparison
* Don't configure on import
* Fix reading cache-time before configured
* Cleanup eventlet setup
* Remove unused variables from common.config
* Reference dogpile.cache.memcached backend properly
* Unify StringIO usage with six.StringIO
* Fix typos in documents and comments
* Sync oslo strutils.py
* Use six.string\_types instead of basestring

2014.1.b2
---------

* Use six to make dict work in Python 2 and Python 3
* initialize environment for tests that call popen
* Don't duplicate the existing config file list
* Implement notifications for trusts
* Remove kwargs from trust\_api.create\_trust
* Fixup incorrect comment
* Simple Certificate Extension
* Add mapping function to keystone
* Switch from 400 to 403 on ImmutableAttributeError
* Identity Providers CRUD operations
* Move KDS paths file
* Update comments in test\_v3\_protection.py
* description is wrong in endpoint filter rst doc
* Drop unsused "extras" dependency
* LDAP Assignment does not support grant v3 API
* Adds run\_tests.sh cli option to stop on failure
* Removes option to delete test DB from run\_tests.sh
* Removes deprecation warning from run\_tests.sh
* v3 credentials, ensure blob response is json
* Store ec2 credentials blob as json
* remove unused LOG
* Store trust\_id for v3/credentials ec2 keypairs
* Refactor context trust\_id check to wsgi.Application base class
* Implementation of internal notification callbacks within Keystone
* Replacing python-oauth2 by oauthlib
* Fix using non-default default\_domain\_id
* Enhance auth tests for non-default default\_domain\_id
* KVS support domain as namespace for users
* Remove unused member from KVS assignment
* Enhance tests for non-default default\_domain\_id
* rename templated.TemplatedCatalog to templated.Catalog
* Sync with global requirements
* Implements regions resource in 3.2 Catalog API
* Reduces memory utilization during test runs
* reduce default token duration to one hour
* Document running with pdb
* Restructure developing.rst
* Enable lazy translation
* Sync gettextutils from oslo-incubator 997ab277
* derive custom exceptions directly from Exception
* Do not append to messages with +
* Convert Token KVS backend to new KeyValueStore Impl
* Fix sample config external default doc
* Documentation cleanup
* Make common log import consistent
* Remove unused variables
* Safe command handling for openssl
* Fix external auth (REMOTE\_USER) plugin support
* Cleanup test\_no\_admin\_token\_auth cleanup code
* Subclasses of TestCase don't need to reset conf
* Cleanup test\_associate\_project\_endpoint\_extension
* Tests use cleanUp rather than tearDown
* Remove netifaces requirement
* Clean up fakeldap logging
* Resolve oauth dependency after paste pipeline is loaded
* Change ListOpt default value from str or None to list
* Sync oslo-incubator rpc	module
* Cleanup from business logic refactor
* Introduce basic Pecan/WSME framework for KDS
* Don't need session.flush in context managed by session
* races cause 404 when removing user from project
* initialize eventlet for tests
* Flush tokens in batches with DB2
* Remove unnecessary line in test\_auth
* Clean up docstrings in contrib.oauth1.core
* Remove unused test function
* Remove 'disable user' logic from \_delete\_domain\_contents
* Break dependency of base V3Controller on V2Controller
* Move deletion business logic out of controllers
* Do not update password when updating grants in Assignment KVS
* Cleanup of new credential\_api delete methods
* Enhance list\_group\_users in GroupApi
* Remove noop code
* Remove unused imports
* Fix typo in test
* Fix IPv6 check
* Remove unused code in contrib/ec2/controllers.py
* Fix use the fact that empty sequences are false
* Imported Translations from Transifex
* Synchronized with oslo db and db.sqlalchemy
* Fix variable passed to driver module
* Updated Keystone development install instructions for Ubuntu
* Stops file descriptor leaking in tests
* Re-write comment for ADMIN\_TOKEN
* Reduced parameters not used in \_populate\_user()
* Sync several modules from oslo-incubator
* Use oslo.db sessions
* Switch to oslo-incubator mask\_password
* Replace xrange in for loop with range
* Move Assignment Controllers and Routers to be First Class
* Remove Identity and Assignment controller interdependancies
* Policy based domain isolation can't be defined
* Moves keystoneclient master tests in a new class
* Makes the test git checkout info more declaritive
* trustee unable to perform role based operations on trust
* Cleanup backend loading
* Uses oslo's deprecated decorator; removes ours
* Move endpoint\_filter extension documentation
* Refactor setup\_logging
* Fixes documentation building
* Create user returns 400 without a password
* Fixes the v2 GET /extensions curl example in the documentation
* Add assertSetEqual to base test class
* Base Implementation of KVS Dogpile Refactor
* Sync db.sqlalchemy from oslo-incubator
* Fix errors for create\_endpoint api in version2
* Fix issues handling trust tokens via ec2tokens API
* Fix typo in identity:list\_role\_assignments policy
* Debug env for tox
* Updated from global requirements
* Sync global requirements to pin sphinx to sphinx>=1.1.2,<1.2
* Add ABCMeta metaclass to token provider
* token provider cleanup
* Sync versionutils from oslo
* Cleanup duplication in test\_backend
* replace "global" roles var names with "all" roles
* Remove unused token.valid index
* Narrow columns used in list\_revoked\_tokens sql
* Remove roles from OS-TRUST list responses
* Remove deprecated code
* Sync rpc fix from oslo-incubator
* Don't run non-tests
* Formalize deprecation of token\_api.list\_tokens
* Add index to cover revoked token list

2014.1.b1
---------

* Refactor assertEqualXML into a testtools matcher
* Adds support for username to match the v2 spec
* One transaction per call to sql assignment backend
* Allow caching to be disabled and tests still pass
* Sync From OSLO
* Updated from global requirements
* Revert "Return a descriptive error message for controllers"
* Adds a resource for changing a user's password
* Deprecates V2 controllers
* Updates .gitignore
* Ensure the sample policy file won't diverge
* Add pycrypto as a test-requirement
* Imported Translations from Transifex
* Fix typo in keystone
* Added documentation to keystone.common.dependency
* Make HACKING.rst DRYer
* Allow downgrade for extensions
* Try decoding string to UTF-8 on error message fail
* Import strutils from oslo
* Capture debug logging in tests
* Easy testing with alternate keystoneclient
* Sync log\_handler module from Oslo
* refactor test\_catalog
* PasteConfigNotFound also raised when keystone.conf not found
* Style improvements to logging format strings
* Sync the DB2 communication error code change from olso
* Skip test\_arbitrary\_attributes\_\* in \_ldap\_livetest
* Add documentation for Read Only LDAP configuration option
* Remove deprecated auth\_token middleware
* Role NoneType object has no attribute setdefault
* Utilites for manipulating base64 & PEM
* Add memcache options to sample config
* UUID vs PKI docs
* RST fix for os\_inherit example
* Rewrites the serveapp method into a fixture
* Allow use of rules Policy driver
* Return a descriptive error message for controllers
* Proxy Assignment from Identity Deprecated
* Remove obsolete redhat-eventlet.patch
* AuthInfo use dependency injection
* Issue unscoped token if user's default project is invalid
* Detangle v3 RestfulTestCase setup
* Do not name variables as builtins
* Updated from global requirements
* Removes unused paste appserver instances from tests
* Add WSGI environment to context
* trusts raise validation error if expires\_at is invalid
* Fix newly discovered H302
* test attribute update edge cases
* Return an error when a non-existing tenant is added to a user
* use different bind addresses for admin and public
* Sync log module from oslo
* Change deprecated CLI arguments
* UserAuthInfo use dependency injection
* fix unparseable JSON
* Duplicate delete the user\_project\_metadata
* Skip test\_create\_update\_delete\_unicode\_project in \_ldap\_livetest
* don't rebind stdlib's os.chdir function
* Dependency cleanup
* Moves common RestfulTestCase to it's own module
* proxy removed from identity and changed to assignment
* Uses fixtures for mox and stubs
* Adds fixture package from oslo
* Fix KVS create\_grant to not raise NotFound if no user/group
* Enhance tests for assignment create\_grant when no user or group
* Clean up duplicate exceptions in docs for assignment.Driver
* Remove obsolete driver test module
* Change sample policy files to use policy language
* Documentation on how-to develop Keystone Extensions
* Allow delete user or group at same time as role
* Enhance tests for delete\_grant no user/group
* Fix issue deleting ec2-credentials as non-admin user
* Remove duplicated code on test\_v3\_auth
* Removes NoModule from the base testcase
* Fixes tox coverage command
* Update mailmap for Joe Gordon
* Add WWW-Authenticate header in 401 responses
* Use abstract base class for endpoint\_filter driver
* Use abstract base class for oauth driver
* Use abstract base class for policy driver
* Use abstract base class for token driver
* Document tox instead of run\_tests.sh
* Update my mailmap
* remove 8888 port in sample\_data.sh
* Adds decorator to deprecate functions and methods
* Move fakeldap to tests
* Fix remove role assignment adds role using LDAP assignment
* Enhance tests for deleting a role not assigned
* Implementation of opt-out from catalog data during token validation
* Add external.Base class to external plugins
* Add notifications for groups and roles
* add IRC channel & wiki link to README
* Add python-six to requirements
* Fix v2 token user ref with trust impersonation=True
* Changes to testr as the test runner
* Fixes error messaging
* Handle unicode at the caching layer more elegantly
* set user\_update policy to admin\_required
* Remove unused DEFAULT\_DOMAIN variable
* Remove unused config option auth\_admin\_prefix
* Remove unused member
* Adds tests for user extra attribute behavior
* Adds identity v2 tests to show extra behavior
* Treats OS-KSADM:password as password in v2 APIs
* Adds more uniformity to identity update\_user calls
* Don't use default value in LimitingReader
* Use abstract base class for auth handler
* Use abstract base class for catalog driver
* Use abstract base class for credential driver
* Use abstract base class for assignment driver
* Use abstract base class for trust driver
* Use abstract base class for identity driver
* remove the nova dependency in the ec2\_token middleware
* Catch the socket exception and log it
* Fixes broken doc references
* Sync db.sqlalchemy
* Handle DB2 disconnect
* Fix mysql checkout handler AttributeError
* Disable lazy gettext

2013.2.rc1
----------

* Open Icehouse development
* Imported Translations from Transifex
* Sync with global requirements
* Add tests dir to the coverage omit list
* Update tox config
* Close the cursor for SQLite for 034 upgrade/downgrade on select
* Imports oslo policy to fix test issues
* Fixes errors logging in as a user with no password
* Fix live LDAP tests
* Eliminate type error on search\_s
* Fix error when create user with LDAP backend
* assertEquals is deprecated, use assertEqual (H602)
* Validate token calls return 404 on invalid tokens
* Protect oauth controller calls and update policy.json
* Fix updating attributes with ldap backend
* sync oslo policy
* Changes v1.1 to v2 for Compute endpoint in sample\_data.sh
* Update man pages
* Update man page version
* Sync gettextutils from oslo
* only run flake8 once (bug 1223023)
* upgrade to oslo.config 1.2 final
* Add user to project if project ID is changed
* Ensure any relevant tokens are revoked when a role is deleted
* Check token\_format for default token providers only
* Modify oauth1 tests to use generated keystone token in a call
* Test for backend case sensitivity
* Remove ldap identity domain attribute options
* Cleanup of tenantId, tenant\_id, and default\_project\_id
* Add extra test coverage for unscoped token invalidation
* Monkey patch select in environment
* Rewrite README.rst
* Enclose command args in with\_venv.sh
* check for domain existence before doing any ID work
* Ensure v2 tokens are correctly invalidated when using BelongsTo
* Sync gettextutils from oslo
* Use localisation for logged warnings
* Fix misused assertTrue in unit tests
* oauth using optional dependencies
* Rationalize list\_user\_projects and get\_projects\_for\_user
* Optional dependency injection
* Include new notification options in sample config
* fix rst syntax in database schema migrations docs
* Ignore H803 from Hacking
* Test upgrade migration 16->17
* test token revocation list API (bug 1202952)
* Imported Translations from Transifex
* gate on H304: no relative imports
* Move gettextutils installation in tests to core
* Cleanup tests imports so not relative
* Tests use "from keystone import tests"
* Reduce churn of cache on revocation\_list
* domain-specific drivers experimental in havana
* Fixes for user response with LDAP user\_enabled\_mask
* Close each LDAP connection after it is used, following python-ldap docs
* Remove CA key password from cert setup
* Import core.\* in keystone.tests
* Fix incorrect test for list\_users
* Changed header from LLC to Foundation based on trademark policies
* Changes template header for translation catalogs
* Support timezone in memcached token backend

2013.2.b3
---------

* Imported Translations from Transifex
* Move CA key from certs directory to private directory
* OAuth authorizing user should propose roles to delegate
* Need to use \_() to handle i18n string messages
* Fix the code miss to show the correct error messages
* Move \_generate\_paste\_config to tests.core
* add 'project' notifications to docs
* Implement basic caching around assignment CRUD
* Update keystone wsgi httpd script for oslo logging
* Utilities to create directores, set ownership & permissions
* Modify default file/directory permissions
* Add a oauth1-configuration.rst and extension section to docs
* Update keystone-all man page
* Cleanup cache layer tests
* Implement caching for Tokens and Token Validation
* Document usage notifications
* Imported Translations from Transifex
* Remove kvs backend from oauth1 extension
* Use joins instead of multiple lookups in groups sql
* Add project CRUD to assignment\_api Manager
* Add Memory Isolating Cache Proxy
* Enable SQL tests for oauth
* Implement decorator-based notifications for users
* Use common db model class from Oslo
* Add common code from Oslo for work with database
* Use testtools as base test class
* Bump hacking to 0.7
* Removes KVS references from the documentation
* Add notifications module
* Drop support for diablo to essex migrations
* Add 'cn' to attribute\_list for enabled\_users/tenants query
* Implement API protection on target entities
* Refactor Token Provider to be aware of expired tokens
* Implement Caching for Token Revocation List
* Keystone Caching Layer for Manager Calls
* Create associations between projects and endpoints
* Fixes a link in the documentation
* Use correct filename for index & serial file when setting permissions
* remove flake8 option from run\_tests.sh
* Fix role lookup for Active Directory
* Clean up keystone-manage man page
* change oauth.consumer description into nullable
* Use system locale when Accept-Language header is not provided
* Fix translate static messages in response
* Migrating ec2 credentials to credential
* Fix error where consumer is not deleted from sql
* add foreign key constraint on oauth tables
* Remove a useless arg in range()
* Remove enumerate calls
* filter in ldap list\_groups\_for\_user
* Delete file TODO
* use provider to validate tokens
* Fix isEnabledFor for compatibility with logging
* Ensure username passed by REMOTE\_USER can contain '@'
* fix the default values for token and password auth
* Remove an enumerate call
* Add defense in ldap:get\_roles\_for\_user\_and\_project
* remove unused function
* Remove Keystone specific logging module
* remove refs to keystone.common.logging
* Remove User Check from Assignments
* Refactor Token Providers for better version interfaces
* Remove kwargs from manager calls / general cleanup
* Store hash of access as primary key for ec2 type
* Add delegated\_auth support for keystone
* Fix LDAP Identity get user with user\_enabled\_mask
* Fix LDAP Identity with non-zero user\_enabled\_default
* More validation in test\_user\_enable\_attribute\_mask
* Add test test\_deleting\_project\_delete\_grants
* Cleaned up a few old crufties from README
* Clean hacking errors in advance of hacking update
* Add unit test to check non-string password support
* Assignment to reserved built-in symbol: filter
* Implement domain specific Identity backends
* Increase length of username in DB
* Cleaned up pluggable auth docs
* Fix test\_user\_enable\_attribute\_mask so it actually tests
* Do not skip test\_user\_enable\_attribute\_mask in \_ldap\_livetest
* Skip test\_create\_unicode\_user\_name in \_ldap\_livetest
* Refactor Keystone to use unified logging from Oslo
* Revoke user tokens when disabling/delete a project
* Move affirm\_unique() in create() to BaseLdap
* Move some logic from update() to BaseLdap
* Add support for API message localization
* Remove unused import
* Assignment to reserved built-in symbol: dir
* Move 'tests' directory into 'keystone' package
* Initial implementation of unified-logging
* Sync notifier module from Oslo
* Move Babel dependency from test-req to req
* Ignore flake issues in build/ directory
* update usage in run\_test.sh for flake8
* Drop extra credential indexes
* Sync models with migrations
* Add memcache to httpd doc
* Sync unified logging solution from Oslo
* Configurable max password length (bug 1175906)
* Fix select n+1 issue in keystone catalog
* Make pki\_setup work with OpenSSL 0.9.x
* extension migrations
* Create default role on demand
* Set wsgi startup log level to INFO
* Abstract out attribute\_ignore assigning in LDAP driver
* Abstract out attribute\_mapping filling in LDAP driver
* Imported Translations from Transifex
* remove swift dependency of s3 middleware
* Raise max header size to accommodate large tokens
* Clean up use of token\_provider manager in tests
* add OS-TRUST to links
* Run test\_mask\_password once
* Remove kwargs from manager calls where not needed
* V3 API need to check mandatory field when creating resources
* Use dependency injection for assignment and identity
* Handle circular dependencies
* Clear out the dependency registry between tests
* .gitignore eggs
* Handle json data when migrating role metadata
* Sync DB models and migrations in keystone.assignment.backends.sql
* Remove passwords from LDAP queries
* use 'exc\_info=True' instead of import traceback
* Fix typo: Tenents -> Tenants
* Use keystone.wsgi.Request for RequestClass
* Update references with new Mailing List location
* Scipped tests don't render as ERROR's
* Implement exception module i18n support
* Remove vestiges of Assignments from LDAP Identity Backend
* Load backends before deploy app in client tests
* default token format/provider handling
* Fixing broken credential schema in sqlite
* Use assignment\_api rather than assignment
* Deprecate kvs token backend
* Ec2 credentials table not created during testing
* Correct Spelling Mistake
* Remove an enumerate call
* Load app before loading legacy client in tests
* Add [assignment].driver to sample config
* Deprecation warning for [signing] token\_format
* Support token\_format for backward compatibility
* sql.Driver:authenticate() signatures should match
* update requires to prevent version cap
* Return correct link for effective group roles in GET /role\_assignments
* Implement Token Binding
* Implemented token creation without catalog response
* Fix XML rendering with empty auth payload
* Pluggable Remote User
* grammar fixes in error messages
* Implement role assignment inheritance (OS-INHERIT extension)
* Implements Pluggable V2 Token Provider
* Register Extensions
* Implements Pluggable V3 Token Provider
* Mixed LDAP/SQL Backend
* Clear cached engine when global engine changes
* python3: Introduce py33 to tox.ini
* Add version so that pre-release versioning works
* Sync-up crypto from oslo-incubator
* Add crypto dependency
* Imported Translations from Transifex
* Change domain component value to org from com
* Move temporary test files into tests/tmp
* Use InnoDB for MySQL
* Rationalize how we get roles after authentication in the controllers
* Python 3.x compatible use of print
* Regenerate example PKI after change of defaults
* assignment backend
* wsgi.BaseApplication and wsgi.Router factories should use \*\*kwargs
* Add unittest for keystone.identity.backends.sql Models
* Imported Translations from Transifex
* Do not create LDAP Domains sub tree
* Use oslo.sphinx and remove local copy of doc theme
* Move comments in front of dependencies
* Remove context from get\_token call in normalize\_domain\_id
* Fix issue with v3 tokens and group membership roles
* Sync install\_venv\_common from oslo
* Remove a useless arg in range()
* Remove an enumerate call
* Update paths to pem files in keystone.conf.sample
* Don't use deprecated BaseException.message
* Add callbacks for set\_global\_engine
* Work without admin\_token\_auth middleware
* Implement GET /role\_assignment API call
* rename quantum to neutron in docs
* Install locales for httpd
* DB2 migration support
* Use event.listen() instead of deprecated listeners kwarg
* Add 'application' to keystone.py for WSGI
* Remove hard tabs and trailing whitespace
* Manager instead of direct driver
* check for constraint before dropping
* Stop passing context to managers (bug 1194938)
* \`tox -ecover\` failure. Missing entry in tox.ini
* Clean up keystone-all.rst
* Fix up some trivial license mismatches
* Revert environment module usage in middleware
* LDAP list group users not fail if user entry deleted
* Do not raise NEW exceptions
* Move identity ldap backend from directory to file
* wsgi.Middleware factory should use \*\*kwargs
* Removing LDAP API Shim
* Consolidate admin\_or\_owner rule
* Isolate eventlet code into environment
* Set default 'ou' name for LDAP projects to Projects
* Imported Translations from Transifex
* Imported Translations from Transifex
* Move user fileds type check to identity.Manager
* Http 400 when project enabled is not a boolean
* Imported Translations from Transifex
* Correct the resolving api logic in stat middleware
* Remove a stat warning log
* Using sql as default driver for tokens
* Correct LDAP configuration doc
* Force simple Bind for authentication
* Initialize logging from HTTPD
* LDAP get\_project\_users should not return password
* Add checks to test if enabled is bool
* Fix link typo in Sphinx doc
* python WebOb dependency made unpinned
* Remove explicit distribute depend
* Version response compatible with Folsom
* Adds tests for XML version response
* Replace openstack-common with oslo in docs
* drop user and group constraints
* Correct the default name attribute for role
* Allow request headers access in app context
* Remove how to contribute section in favor of CONTRIBUTING.rst
* Fix token purging for memcache for user token index
* add ca\_key to sample configuration
* Commit transaction in migration
* Fix internal doc links (bug 1176211)
* Missing contraction: Its -> It's (bug 1176213)
* Pass on arguments on Base.get\_session
* Remove bufferedhttp
* Move coverage output dir for Jenkins
* Check schema when dropping constraints
* Import eventlet patch from oslo
* Raise key length defaults
* Base.get\_engine honor allow\_global\_engine=False
* run\_tests.sh should use flake8 (bug 1180609)
* Ignore the .update-venv directory
* Ignore conflict on v2 auto role assignment (bug 1161963)
* remove\_role\_from\_user\_and\_project affecting all users (bug 1170649)
* Maintain tokens after role assignments (bug 1170186)
* split authenticate call
* Add db\_version command to keystone-manage
* Live SQL migration tests
* Fix incorrect role assignment in migration
* typo in 'import pydev' statement
* Fixes a typo
* Imported Translations from Transifex
* Improve the performance of tokens deletion for user
* Revert "Set EVENTLET\_NO\_GREENDNS=yes in tox.ini."
* Disable eventlet monkey-patching of DNS
* Fix the debug statement
* Document size limits
* Add index on valid column of the SQL token Backend
* Add KEYSTONE\_LOCALEDIR env variable
* Add <version> arg to keystone-manage db\_sync

2013.2.b1
---------

* Add index on expires column of the SQL token Backend
* fix error default policy for create\_project
* Require keystone-user/-group for pki\_setup
* Replace assertDictContainsSubset with stdlib ver
* separate paste-deploy configuration from parameters
* Add missing oslo module
* Convert openstack-common.conf to the nicer multiline format
*    Rename requires files to standard names
* Cleanup docstrings (flake8 H401, H402, H403, H404)
* imports not in alphabetical order (flake8 H306)
* import only modules (flake8 H302)
* one import per line (flake8 H301)
* eliminate 'except:' (flake8 H201)
* consistent i18n placeholders (flake8 H701, H702, H703)
* use the 'not in' operator (flake8 H902)
* Use TODO(NAME) (flake8 H101)
* Remove unnecessary commented out code
* Enumerate ignored flake8 H\* rules
* Migrate to pbr
* Remove unused variables (flake8 F841)
* Satisfy flake8 import rules F401 and F403
* Test 403 error title
* Imported Translations from Transifex
* Remove useless private method
* Consolidate eventlet code
* Use webtest for v2 and v3 API testing
* Add missing space to error msg
* Imported Translations from Transifex
* Read-only default domain for LDAP (bug 1168726)
* Add assertNotEmpty to tests and use it
* Implement Token Flush via keystone-manage
* get SQL refs from session (bp sql-query-get)
* extracting credentials
* Move auth\_token middleware from admin user to an RBAC policy
* Accept env variables to override default passwords
* Http 400 when user enabled is not a boolean
* Migrate to flake8
* Fix pyflakes and pep8 in prep for flake8
* Allow backend & client SQL tests on mysql and pg
* Revert "Disable eventlet monkey-patching of DNS"
* Set EVENTLET\_NO\_GREENDNS=yes in tox.ini
* Disable eventlet monkey-patching of DNS
* Revoke tokens on user delete (bug 1166670)
* A minor refactor in wsgi.py
* Skip IPv6 tests for eventlet dns
* LDAP list groups with missing member entry
* Fix 403 status response
* Remove unused CONF.pam.url
* Mark LDAP password and admin\_token secret
* HACKING LDAP
* Make migration tests postgres & mysql friendly
* Documentation about the initial configuration file and sample data
* Add rule for list\_groups\_for\_user in policy.json
* Test listing of tokens with a null tenant
* fix duplicate option error
* Delete extra dict in token controller
* What is this for?
* Removed unused imports
* Remove non-production middleware from sample pipelines
* Replace password to "\*\*\*" in the debug message
* Fixed logging usage instead of LOG
* Remove new constraint from migration downgrade
* Allow additional attribute mappings in ldap
* Enable unicode error message
* Sync with oslo-incubator copy of setup.py
* Set empty element to ""
* Fixed unicode username user creation error
* Fix token ids for memcached
* Use is\_enabled() in folsom->grizzly upgrade (bug 1167421)
* Generate HTTPS certificates with ssl\_setup
* Fix for configuring non-default auth plugins properly
* test duplicate name
* Add TLS Support for LDAP
* fix undefined variable
* clean up invalid variable reference
* Clean up duplicate methods
* stop using time.sleep in tests
* don't migrate as often
* use the openstack test runner
* Fix 401 status response
* Fix example in documentation
* Fix IBM copyright strings
* Share one engine for more than just sqlite in-memory
* Add missing colon for documentation build steps
* Mark sql connection with secret flag

2013.1.rc2
----------

* Fix test coverage for v2 scoped auth xml response (bug 1160504)
* Fix test coverage for v2 scoped auth xml response (bug 1160504)
* close db migration session
* Use string for port in default endpoints (bug 1160573)
* keystone commands don't print any version information
* bug 1159888 broken links in rst doc
* use the roles in the token when recreating
* Sync with oslo-incubator
* Rename trust extension (bug 1158980)
* Rename trust extension
* keystone commands don't print any version information
* Imported Translations from Transifex

2013.1.rc1
----------

* Add a dereference option for ldap
* Make versions aware of enabled pipelines
* Move trusts to extension
* Move trusts to extension
* Version bump to 2013.2
* Add a dereference option for ldap
* Allow trusts to be optional
* Enable emulation for domains
* Wrap config module and require manual setup (bug 1143998)
* Correct spacing in warning msg
* Prohibit V3 V2 token intermix for resource in non-default domain (bug 1157430)
* Properly handle emulated ldap enablement
* Support for LDAP groups (bug #1092187)
* Validate domains unconditionally (bug 1130236)
* Fix live ldap tests
* V2, V3 token intermix for unscoped tokens (bug 1156913)
* Pass project membership as dict in migration 015
* Ensure delete domain removes all owned entities
* Utilize legacy\_endpoint\_id column (bug 1154918)
* Test default\_project\_id scoping (bug 1023502)
* Fix XML handling of member links (bug 1156594)
* Discard null endpoints (bug 1152632)
* extracting user and trust ids into normalized fields
* No parent exception to wrap
* Remove duplicate password/token opts
* xml\_body returns backtrace on XMLSyntaxError
* duplicated trust tests
* Migrate roles from metadata to user\_project\_metadata
* Fixes bug 1151747: broken XML translation for resource collections
* Revise docs to use keystoneclient.middleware.auth\_token
* quiet route logging on skipped tests
* Ensure tokens are revoked for relevant v3 api calls
* Remove un-needed LimitingReader read() function
* Catch and log server exceptions
* Added test cases to improve LDAP project testing
* Switch to final 1.1.0 oslo.config release
* Filter out legacy\_endpoint\_id (bug 1152635)
* Improve tests for api protection and filtering
* add belongs\_to check
* Revert "update tests/\_\_init\_\_.py to verify openssl version"
* Revert "from tests import"
* Make Keystone return v3 as part of the version api
* Run keystone server in debug mode
* remove spurious roles check
* bug 1133526
* Fix folsom -> grizzly role table migration issues (bug 1119789)
* Delete tokens for user
* from tests import
* v3 endpoints won't have legacy ID's (bug 1150930)
* return 201 Created on POST request (bug1131119)
* add missing attributes for group/project tables (bug1126021)
* Remove unused methods from LDAP backed
* Move get\_by\_name to LdapBase
* fix typo in kvs backend
* mark 2.0 API as stable
* unable to load certificate should abort request
* Move auth plugins to 'keystone.auth.plugins' (bug 1136967)
* Change exception raised to Forbidden on trust\_id
* cleanup trusts in controllers
* remove unused import
* ports should be ints in config (bug 1137696)
* Expand v3 trust test coverage
* Trusts
* bug 1134802: fix inconsistent format for expires\_at and issued\_at
* Sync timeutils with oslo
* Straighten out NotFound raising in LDAP backend
* residual grants after delete action (bug1125637)
* Remove TODO that didn't land in grizzly
* Make getting user-domain roles backend independant
* Explain LDAP page\_size & default value
* Imported Translations from Transifex
* Enable a parameters on ldap to allow paged\_search of ldap queries This fixes bug 1083463
* update tests/\_\_init\_\_.py to verify openssl version
* command line switch for short pep8 output
* Convert api to controller
* bug 1131840: fix auth and token data for XML translation
* flatten payload for policy
* Unpin pam dependency version
* keystone : Use Ec2Signer utility class from keystoneclient
* Move handle\_conflicts decorator into sql
* domain\_id\_attributes in config.py have wrong default value
* Rework S3Token middleware tests
* Remove obsolete \*page[\_marker] methods from LDAP backend
* Setup logging in keystone-manage command
* Ensure keystone unittests do not leave CONF.policyfile in bad state
* catch errors in wsgi.Middleware
* Fix id\_to\_dn for creating objects
* Tests for domain-scoped tokens
* domain-scoping
* Pass query filter attributes to policy engine
* Removed redundant assertion
* v3 token API
* Update oslo-config version
* Correct SQL migration 017 column name
* merging in fix from oslo upstream
* enabled attribute emulation support
* Change the default LDAP mapping for description
* Ensure user and tenant enabled in EC2
* Disable XML entity parsing
* Remove old, outdated keystone devref docs
* Update the Keystone policy engine to the latest openstack common
* Implement name space for domains
* Update sample\_data.sh to match docs
* project membership to role conversion
* Remove test\_auth\_token\_middleware
* Workaround Migration issue with PostgreSQL
* make LDAP query scope configurable
* make fakeldap.\_match\_query work for an arbitrary number of groups
* Use oslo-config-2013.1b3
* Remove usage of UserRoleAssociation.id in LDAP
* Add an update option to run\_tests.sh
* Add pysqlite as explicit test dep
* fix unit test when memcache middleware is not configured
* add missing kvs functionality (bug1119770)
* Update to oslo version code
* adding additional backend tests (bug1101244)
* Fix spelling mistakes
* Cleaned up keystone-all --help output
* Keystone backend preparation for domain-scoping
* Use install\_venv\_common.py from oslo
* Spell accommodate correctly
* Missed import for IPv6 tests skip
* Add missing log\_format, log\_file, log\_dir opts
* Fix normalize identity sql ugrade for Mysql and postgresql
* remove duplicate model declaration/attribution
* simplify query building logic
* Fix test\_contrib\_s3\_core unit test
* Expand dependency injection test coverage
* remove unneeded config reloading (it's already done during setUp)
* allow unauthenticated connections to an LDAP server
* Relational API links
* return 400 Bad Request if invalid params supplied (bug1061738)
* UserApi.update not to require all fields in arg
* Tenant update on LDAP breaks if there is no update to apply
* Query only attributes strictly required for keystone when using it with existing LDAP servers
* Update .coveragerc
* Add size validations to token controller
* add check for config-dir parameter (bug1101129)
* Silence routes internal debug logging
* Imported Translations from Transifex
* Delete Roles for User and Project LDAP
* Why .pop()'ing urls first is important
* don't create a new, copied list in get\_project\_users
* Fixes 'not in' operator usage
* Add --keystone-user/group to keystone-manage pki\_setup
* Adds png versions of all svg image files. Changes reference
* Updates migration 008 to work on PostgreSQL
* Create a default domain (bp default-domain)
* Generate apache-style common access logs
* import tools/flakes from oslo
* tenant to project in the apis
* Tenant to Project in Back ends
* Fix bugs with set ldap password
* Enable/disable domains (bug 1100145)
* Readme: use 'doc' directory not 'docs'
* rename tenant to project in sql
* Update to requests>=1.0.0 for keystoneclient
* Fix pep8 error
* Document user group LDAP options
* Sync latest cfg from oslo-incubator
* Limit the size of HTTP requests
* Fix role delete method in LDAP backend
* public\_endpoint & admin\_endpoint configuration
* Skip IPv6 tests if IPv6 is not supported
* Allow running of sql against the live DB
* Test that you can undo & re-apply all migrations
* downgrade user and tenant normalized tables downgraded such that sqlite is supported, too
* Auto-detect max SQL migration
* Safer data migrations
* Sync base identity Driver defs with SQL driver
* Fix i18n of string templates
* Enhance wsgi to listen on ipv6 address
* add database string field length check
* Autoload schema before creating FK's (bug 1098174)
* Enable exception format checking in the tests
* reorder tables for delete
* Validated URLs in v2 endpoint creation API
* Fixes import order nits
* Cleanup keystoneclient testing requirements
* Fix issue in test\_forbidden\_action\_exposure
* Correct spelling errors / typos in test names
* Update ldap exceptions to pass correct kwargs
* Add \_FATAL\_EXCEPTION\_FORMAT\_ERRORS global
* Keystone server support for user groups
* Add missing .po files to tarball
* Imported Translations from Transifex
* adds keyring to test-requires
* Revert "shorten pep8 output"
* Upgrade WebOb to 1.2.3
* il8n some strings
* Imported Translations from Transifex
* Removed unused variables
* Removed unused imports
* Add pyflakes to tox.ini
* Fix spelling typo
* shorten pep8 output
* Driver registry
* Adding a means to connect back to a pydevd debugger
* add in pip requires for requests
* Split endpoint records in SQL by interface
* Fix typo s/interalurl/internalurl/
* module refactoring
* Test for content-type appropriate 404 (bug 1089987)
* Imported Translations from Transifex
* fixing bug 1046862
* Expand default time delta (bug 1089988)
* Add tests for contrib.s3.core
* Test drivers return HTTP 501 Not Implemented
* Support non-default role\_id\_attribute
* Remove swift auth
* Move token controller into keystone.token
* Import pysqlite2 if sqlite3 is not available
* Remove mentions of essex in docs (bug 1085247)
* Ensure serviceCatalog is list when empty, not dict
* Adding downgrade steps for migration scripts
* Port to argparse based cfg
* Only 'import \*' from 'core' modules
* use keystone test and change config during setUp
* Bug 1075090 -- Fixing log messages in python source code to support internationalization
* Added documentation for the external auth support
* check the redirected path on the request, not the response
* Validate password type (bug 1081861)
* split identities module into logical parts remove unneeded imports from core
* Ensure token expiration is maintained (bug 1079216)
* normalize identity
* Fixes typo in keystone setup doc
* Imported Translations from Transifex
* Stop using cfg's internal implementation details
* syncing run\_tests to match tox
* Expose auth failure details in debug mode
* Utilize policy.json by default (bug 1043758)
* Wrap v3 API with RBAC (bug 1023943)
* v3 Identity
* v3 Catalog
* v3 Policies
* Import auth\_token middleware from keystoneclient
* Imported Translations from Transifex
* Refix transient test failures
* Make the controller addresses configurable
* Expose authn/z failure info to API in debug mode
* Refactor TokenController.authenticate() method
* Fix error un fixtures
* Ensures User is member of tenant in ec2 validation
* Properly list tokens with a null tenant
* Reduce total number of fixtures
* Provide config file fields for enable users in LDAP backend (bug1067516)
* populate table check
* Run test\_keystoneclient\_sql in-memory
* Make tox.ini run pep8 checks on bin
* tweaking docs to fix link to wiki Keystone page
* Various pep8 fixes for keystone
* Use the right subprocess based on os monkeypatch
* Fix transient test failures (bug 1077065, bug 1045962)
* Rewrite initial migration
* Fix default port for identity.internalURL
* Improve feedback on test failure
* fixes bug 1074172
* SQL upgrade test
* Include 'extra' attributes twice (bug 1076120)
* Return non-indexed attrs, not 'extra' (bug 1075376)
* bug 1069945: generate certs for the tests in one place
* monkeypatch cms Popen
* HACKING compliance: consistent use of 'except'
* auth\_token hash pki key PKI tokens on hash in memcached when accessed by auth\_token middelware
* key all backends off of hash of pki token
* don't import filter\_user name, use it from the identity module
* don't modify the passed in dict to from\_dict
* move hashing user password functions to common/utils
* ignore .tox directory for pep8 in runtests
* Imported Translations from Transifex
* Implements REMOTE\_USER authentication support
* pin sqlalchemy to 0.7
* Move 'opentack.context' and 'openstack.params' definitions to keystone.common.wsgi
* Removes duplicate flag for token\_format
* Raise exception if openssl stderr indicates one
* Ignore keystone.openstack for PEP8
* Fixed typo in log message
* Fixes 500 err on authentication for invalid body
* Enable Deletion of Services with Endpoints
* Exception.message deprecated in py26 (bug 1070890)
* Utilize logging instead of print()
* stop LdapIdentity.create\_user from returning the user's password
* Compare token expiry without seconds
* Moved SQL backend tests into memory
* Add trove classifiers for PyPI
* Adding handling for get user/tenant by name
* Fixed bug 1068851. Refreshed new crypto for the SSL tests
* move filter\_user function to keystone.identity.core
* Fixes response for missing credentials in auth
* making PKI default token type
* Fixes Bug 1063852
* bug 1068674
* Update common
* Extract hardcoded configuration in ldap backend (bug 1052111)
* Fix Not Found error, when router not match
* add --config-dir=DIR  for keystone-all option
* Add  --config-dir=DIR in OPTIONS
* Delete role does not delete role assignments in tenants (bug 1057436)
* replacing PKI token detection from content length to content prefix. (bug 1060389)
* Document PKI configuration and management
* Raise if we see incorrect keyword args "condition" or "methods"
* Filter users in LDAP backend (bug 1052925)
* Use setup.py develop to insert code into venv
* Raise 400 if credentials not provided (bug 1044032)
* Fix catalog when services have no URL
* Unparseable endpoint URL's should raise friendly error
* Configurable actions on LDAP backend in users Active Directory (bug 1052929)
* Unable to delete tenant if contains roles in LDAP backend (bug 1057407)
* Replaced underscores with dashes
* fixes bug 1058429
* Command line switch for standard threads
* Remove run\_test.py in favor of stock nose
* utf-8 encode user keys in memcache (bug 1056373)
* Convert database schemas to use utf8 character set
* Return a meaningful Error when token\_id is missing
* Backslash continuation cleanup
* notify calling process we are ready to serve
* add Swift endpoint in sample data
* Updated Fix for duplicated entries on LDAP backend for get\_tenant\_users
* Fix wsgi config file access for HTTPD
* Bump version to 2013.1
* Limit token revocation to tenant (bug 1050025)
* Fixed trivally true tests (bug 983304)
* add Quantum endpoint in sample data
* Add XML namespace support for OSADM service api
* Delete user tokens after role grant/revoke
* LDAP backend attribute fixes
* Document memcached host system time configuration
* Implementation of tenant,user,role list functions for ldap
* Initialize Metadata variable
* Cleanup PEP8 errors from Common
* List tokens for memcached backend
* Implement token endpoint list (bug 1006777)
* Ignore eclipse files
* Identity API v3 Config, Routers, Controllers
* Sync some misc changes from openstack-common
* Sync latest cfg from openstack-common
* Remove id\_hash column
* LOG.warn all exception.Unauthorized authentication failures
* Fixed: test\_default\_tenant\_uuid\_token not running
* Upgrade PEP8 to 1.3.3 (bug 1037303)
* Expand PEP8 coverage to include docs & tests
* Removed/fixed unused variable references
* HACKING compliance & staticly init module vars
* PEP8 fix E251
* PEP8 fix
* Removed unused imports
* Check for expected cfg impl (bug 1043479)
* Fixed typos in comment
* HACKING: Import by full module path
* HACKING: Use single quotes
* mistake in doc string
* pep8 1.3.3 cleanup removing unused imports
* Removed dead code
* Fix auth\_token middleware to fetch revocation list as admin
* Require authz to update user's tenant (bug 1040626)
* Code cleanup in doc/source/conf.py
* Typo fix in keystone: existant => existent
* allow middleware configuration from app config
* PEP8 fix for PAM test
* change verbose and debug to Fasle in keystone.conf.sample
* add token\_format=UUID to keystone.conf.sample
* Demonstrate that authenticate() returns roles
* Add nosehtmloutput as a test dependency
* Less information returned with IntegrityError
* Support running the tests in the debugger
* Removed stray print statement (bug 1038131)
* Remove unused variables
* PKI Token revocation
* Remove unused imports
* Adding missing files to MANIFEST.in
* Simplify the sql backend deletion of users and tenants
* Add tests for PAM authentication
* Allow overloading of username and tenant name in the config files
* Enabling SQL Catalog tests (bug 958950)
* Use user home dir as default for cache
* Set example key\_size to 1024
* Log errors when signing/verifying
* Implement python version of migration 002
* Set default signing\_dir based on os USER
* Assert adminness on token validation (bug 1030968)
* Test for Cert by name
* Typo error in keystone/doc/source/configuration.rst
* fix broken link
* Cryptographically Signed tokens
* Sync jsonutils from openstack-common
* Added user name validation. Fixes bug 966251
* Import ec2 credentials from old keystone db
* Debug output may include passwords (bug 1004114)
* Raise unauthorized if tenant disabled (bug 988920)
* Files for  Apache-HTTPD
* Implementation of LDAP functions
* Fix the wrong infomation in keystone-manage.rst
* Webob needs body to calc Content-Length (bug 1016171)
* Prevent service catalog injection in auth\_token
* Admin Auth URI prefix
* updating testing documentation
* adding keystoneclient test
* Removed redundant / excessively verbose debug
* Making docs pretty!
* Adding user password setting api call
* Fixing pep8 errors in tests/\*py
* Make sure user dict has id key before checking against it
* pep8 for openssl
* Run pep8 for tests
* Move monkey patch to keystone-all startup
* Use sdist tarball instead of zipball
* Return a 409 error when adding a second time a role to user/tenant
* notify calling process we are ready to serve
* Set iso8601 module as default dependence
* Fixed user-only role deletion error
* Use PyPI for keystoneclient
* keystone\_manage certificate generation
* documenting models
* Reorder test imports by full import path
* pep8 v1.3.3 compliance (bug 1019498)
* Correct Tree DN
* don't assume that the LDAP server require authentication
* fix variable names to coincide with the ones in common.ldap
* Keystone should use openstack.common.timeutils
* Fixed marker & limit computation (bug 1006055)
* Do not crash when trying to remove a user role (without a tenant)
* Keystone should use openstack.common.jsonutils
* Refactor 404's into managers & drivers (bug 968519)
* fix sphinx warnings
* fix man page build
* Utilize newer changes in openstack-common
* Add .mailmap file
* setting up babel for i18n work blueprint start-keystone-i18n
* Removed unused import
* Fix order of returned tuple elements in pam authenticate
* Reorder imports by full module path
* Pass serviceCatalog in auth\_token middleware
* Fixed typo in routing conditions (bug 1006793)
* 400 on unrecognized content type (bug 1012282)
* Basic request stats monitoring & reporting
* Monkey patching 'thread'
* Speed up SQL unit tests
* PEP8 fixes
* Clean up test requires a bit
* Use cfg's new global CONF object
* Add s3 extension in keystone.conf sample
* Tweak for easier, safer subclassing
* Revert file mode to be non-executable
* fix importing of optional modules in auth\_token
* Carrying over token expiry time when token chaining
* Keystone should use openstack.common.importutils
* Require authz for user role list (bug 1006815)
* Require authz for service CRUD (bug 1006822)
* PEP8 fixes
* Use cfg's new behavior of reset() clearing overrides
* Use cfg's new group autocreation feature
* Sync with latest version of openstack.common.cfg
* blueprint 2-way-ssl
* Fixes some pep8 warning/errors
* Update swift\_auth documentation
* Add ACL check using <tenant\_id>:<user> format
* Use X\_USER\_NAME and X\_ROLES headers
* Allow other middleware overriding authentication
* Backslash continuation removal (Keystone folsom-1)
* Remove service\_\* from authtoken examples
* Nail prettytable test dependency at 0.5.0
* Invalidate user tokens when a user is disabled
* Fix depricated /users/{user-id}/roles
* Changed arguments in keystone CLI for consistency
* Add validations of 'name' field for roles, users and tenants
* Added 'NormalizingFilter' middleware
* One 'ctrl-c' kills keystone
* Make sure we parse delay\_auth\_decision as boolean
* Flush tenant membership deletion before user
* notify calling process we are ready to serve
* Invalidate user tokens when password is changed
* Added tenant name validation. Fixes bug 966249
* Corrects url conversion in export\_legacy\_catalog
* Truly handle mailmap entries for all combinations
* fix pam admin user case
* Improve the sample keystone.conf
* Add defaults for ldap options
* Sync to newer openstack-common
* Set defaults for sql options
* Set defaults for port options
* Add defaults for driver options
* Use ConfigOpts.find\_file() to locate catalog template
* Use ConfigOpts.find\_file() to locate policy.json
* Policy doc updates; RST syntax consistency
* Removed SimpleMatch 'shim'; updated readme
* Removed old sections; improved syntax consistency
* cleanup dependent data upon user/tenant deletion
* Update tests to run servers on 127.0.0.1
* Switch to 1000 rounds during unit tests
* Fix argument name referred in the document
* Exit on error in a S3 way
* Auto generate AUTHORS file for keystone component
* Misnamed exception attribute (bug 991936)
* Avoid ValueError in 12.04 essex pkg (bug 988523)
* Non-nullable User, Tenant, Role names (bug 987121)
* Fix expired token tests
* Make run\_tests.py non-executable
* Add distribute to test-requires
* Makes the ldap backend return proper role metadata
* cleanup no\_meta user in live LDAP test
* Add ChangeLog to tarball
* Fix "it's" grammar errors
* Rename keystone.conf to .sample
* Import latest openstack-common
* Stub out swift log configuration during testing
* Remove tenant membership during user deletion
* Add a \_ at the end of reseller\_prefix default
* additional logging to support debugging auth issue
* Add support to swift\_auth for tokenless authz
* Make import\_nova\_auth only create roles which don't already exist
* don't duplicate the extra dict in extra
* Fix looking for config files
* endpoint-crud 404 (bug 963056)
* user-role-crud 404 (bug 963056)
* ec2-credential-crud 404 (bug 963056)
* service-crud 404 (bug 963056)
* user-crud 404 (bug 963056)
* tenant-crud 404 (bug 963056)
* Add build artifacts missing from .gitignore
* Switch keystone.test.TestCase to use unittest2
* Raise keystone.exception for HTTP 401 (bug 962563)
* Fixed misc errors in configuration.rst
* Docs: SQL-based vs File-based Service Catalog
* Improve service CRUD test coverage
* Change default catalog driver to SQL; doc the options
* Replace tabs with spaces
* role-crud 404 (bug 963056)
* Improve swift\_auth test coverage + Minor fixes
* Open Folsom
* S3 tokens cleanups
* Check values for EC2
* Fix critical typo in endpoint\_create (bug 961412)
* updating docs to include creating service accts
* unique role name constraint
* Add test for swift middleware
* Spring cleaning, fix PEP8 violations
* Rename tokenauth to authtoken
* pass the arguments in when starting keystone-all
* fix keystone-all's usage of options vs conf
* Wrapped unexpected exceptions (bug 955411)
* Changing belongsTo validation back to ID
* Clean up sql connection args
* Improved file logging example (bug 959610)
* Swift middleware doc update
* Fixes LP #954089 - Service list templated catalog
* Remove nova-specific middlewares
* Add check for MAX\_PASSWORD\_LENGTH to utils
* Remove glance\_auth\_token middleware
* Support PyPAM in pam backend, update to latest API
* Fix default port for identity.internalURL
* Installing keystone docs
* Update username -> name in token response
* Refactor keystone.common.logging use (bug 948224)
* Add automatically generated code docs
* Properly return 501 for unsupported Catalog calls
* docstring cleanup to remove sphinx warnings
* updating documentation for rewrite of auth\_token
* Allow connect to another tenant
* Update docs for keystone client cli args
* Raising unauthorized instead of 500 (bug 954547)
* Failing to update tenants (bug 953678, bug 954673)
* added LDAP section to architecture and architecture
* Bug #943031 MySQL Server has gone away added docnotes of error messages caught for mysql and reference
* making all use of time follow datetime.utcnow() fixes bug 954057
* Improved legacy tenancy resolution (bug 951933)
* sample\_data.sh: check file paths for packaged installations
* Fix iso8601 import/use and date comparaison
* Fix double-quoted service names
* Remove Nova Diablo reference from migrate docs
* Fixes the cli documentation of user/tenant/roles
* Add simple set of tests for auth\_token middleware
* update documention on changing user password
* enables run\_test option to skip integration
* Add token caching via memcache
* Update get\_metadata to return {}
* Diablo to Essex migration docs (bug 934328)
* Added license header (bug 929663)
* Add AUTHORS to the tarball
* create service endpoints in sample data
* Fix EC2 credentials crud after policy backend change
* port common policy code to keystone
* rename belongs\_to to belongsTo as per the API spec
* Make sure we have a port number before int it
* fixes lp#949648 change belongsTo validate to name
* HTTP\_AUTHORIZATION was used in proxy mode
* fix Nova Volume Service in sample data
* fixes bug lp#948439 belongs\_to and serviceCatalog behavior \* removing belongs\_to as a kwarg and getting from the context \* adding a serviceCatalog for belongs\_to calls to tokens \* adding test to validate belongs\_to behavior in tokens
* Make bind host configurable
* add more default catalog templates
* Fix coverage jobs for Jenkins
* Improve auth\_str\_equal()
* Set default identity driver to sql (bug 934332)
* Renamed sqlite files (bug 944951)
* Isolating backtraces to DEBUG (bug 947060)
* updating readme to point to developer setup docs \* fixes bug 945274
* Add reseller admin capability
* Remove trailing whitespaces in regular file
* LDAP get\_user\_by\_name
* Added missing import (bug 944905)
* add git commit date / sha1 to sphinx html docs
* gitignore follow up for docs/ rename
* improve auth\_token middleware
* Add service accounts to sample\_data.sh
* standardize ldap and related tests
* Align with project configs
* Fixes doc typo s/SERVIVE/SERVICE/
* Use constant time string comparisons for auth
* Unpythonic code in redux in auth\_token.py
* fix pep8
* GET /v2.0 (bug 930321)
* LDAP member defaults
* Handle KeyError in \_get\_admin\_auth\_token
* Align tox jobs with project standards
* renaming pip-requires-test to test-requires
* Provide request to Middleware.process\_response()
* Add Vary header (bug 928057)
* Implement a Catalog SQL backend
* Set tenantName to 'admin' in get\_admin\_auth\_token
* LDAP Identity backend
* Implements extension discovery (bug 928054)
* Support unicode in the keystone database
* Add HEAD /tokens/{token\_id} (bug 933587)
* XML de/serialization (bug 928058)
* fleshing out architecture docs
* Update auth\_token middleware so it sets X\_USER\_ID
* Adds AUTHORS file generated from git log (and de-duplicated)
* The default nova compute port is 8774
* Fix case of admin role in middleware
* Fix MANIFEST.in to include missing files
* Remove extraneous \_validate\_claims() arg
* Create tools/sample\_data.sh
* Backslash continuations (Keystone)
* Correct config name for max\_pool\_size
* Use cfg's new print\_help() method
* Move cfg to keystone.openstack.common
* Remove cfg dict mixin
* Update cfg from openstack-common
* Fix copyright dates and remove duplicate Apache licenses
* some additional style bits
* Add migration path for Nova auth
* fix the style guide to match the code
* Re-adds admin\_pass/user to auth\_tok middleware
* Fix thinko in keystone-all sys.path hack
* Removing broken & redundant code (bug 933555)
* Return HTTP 401 bad user/password is specified
* cli now returns an exit status cmd is invalid
* Ignore sqlite.db files
* Implements admin logic for tenant\_list call
* Implemented get\_tenant\_users. Fixed bug 933721
* Removing unused imports from keystone.cli
* Set include\_package\_data=True in setup.py
* Remove data\_files section from setup.py
* Update Manifest.in
* Add migrate.cfg to data\_files in setup.py
* Should return 300 Multiple Choice (bug 925548)
* Admin version pipeline not utilized (bug 925548)
* fixes #934459
* Fix logging.config import
* backport some asserts
* remove pycli
* Adds missing argument to add\_user\_to\_tenant in create\_user
* Fixes a failure caused by a recent change to user update in the client
* remove executable bit from setup.py
* Raising 'NotImplmented' results in TypeError
* Update docs for Swift and S3 middlewares
* Added Apache 2.0 License information
* Add docs on keystone\_old -> ksl migration
* Add token expiration
* Update docs to for current keystone-manage usage
* add catalog export
* Handle unicode keys in memcache token backend
* make sure passwords work after migration
* add legacy diablo import tests
* change password hash
* add essex test as well
* add sql for import legacy tests
* add import legacy cli command
* add migration from legacy db
* remove keystoneclient-based manage commands
* Remove executable bit from auth\_token.py
* Update swift token middleware
* Add s3\_token
* Add pagination to GET /tokens
* Fixes role checking for admin check
* Fix webob exceptions in test\_middlware
* Add tests for core middleware
* Add version description to root path
* Add TokenNotFound exception
* remove diablo tests, they aren't doing much
* Fix largest memory leak in ksl tests
* Add memcache token backend
* Friendly JSON exceptions (bug 928061, bug 928062)
* Fix comment on bcrypt and avoid hard-coding 29 as the salt length
* Add SQL token backend
* Add content-type to responses
* Cope with unicode passwords or None
* Add auth checks to ec2 credential crud operations
* termie all the things
* example in hacking was incorrect
* Ensures duplicate users and tenants can't be made
* make pip requires match nova
* fixes lp:925721 adds .gitreview for redux branch
* remove novaclient, fix python syntax
* We don't need all the deps to check pep8
* remove extra line
* Make ec2 auth actually work
* fixing grammar, noting broken enable, adding hacking with prefs for project
* Removed unused reference
* adding a token service Driver to define the interface
* Added support for DELETE /tokens/{token\_id}
* Fixes bug 924391
* ran through all commands to verify keywords against current (master) keystonelight
* updating docs:
* Fix "KeyError: 'service-header-mappings'"
* updating tox.ini with test pip requirements
* use our own logging module
* Update auth\_token middleware to support creds
* Removes nova middleware and config from keystone
* minor docstring update for new locations
* Missed one more keystone-server
* Renamed keystone-server to keystone-all based on comments in LP: #910484
* be more safe with getting json aprams
* skip the two tests where testing code is failing
* accept POST or PUT for tenant update
* deal with reparsing the config files
* don't automatically parse sys.argv for cfg
* deal with tags in git checkout
* fix keystoneclient tests
* add tests for essex and fix the testing framework
* Update docs/source/developing.rst
* Change the name of keystone to keystone-server so the binaries dont conflict with python-keystoneclient
* Normalize build files with current jenkins
* Use gerrit instead of github
* Fix pep8 violations
* Add .gitreview file
* Added keystone-manage list\_role\_grants (bug 923933)
* removing unused images, cleaning up RST in docstrings from sphinx warnings
* pep8 cleanup
* shifting contents from \_static to static
* adding in testing details
* moved notes from README.rst into docs/architecture.rst
* updating formating for configuration page
* format tweaks and moving old docs
* shifting older docs into old/ directory
* doc updates
* moving in all the original docs from keystone
* adding python keystoneclient to setup.py deps
* fixing up PIP requirements for testing and virtualenv
* indents
* Make it as a subclass
* Added shortcut for id=NULL queries (bug 916386)
* fix style and termie's comments about comments
* invalid params for roles.delete
* initial stab at requiring adminness
* Simplify code
* add tests that auth with tenant user isn't member of
* Add s3tokens validation
* Test coverage for issue described in bug 919335
* Removing \_\_init\_\_ from non-packages (bug 921054)
* add instructions for setting up a devenv on openSUSE 11.4 and 12.1
* Documented race condition (bug 921634)
* Fix race in TestCreateTokenCommand (bug 921634)
* Forgot to update models (bug 885426)
* Updating example glance paste config
* add a bunch of basic tests for the cli
* Migrated 'enabled' int columns to bool for postgres (bug 885426)
* remove this useless catalog
* move cli code into a module for testing
* Updated bp keystone-configuration for bp keystone-manage2
* Return Version and Tenant in Endpoints
* Updated error message for keystone-manage2
* allow class names to be different from attr names
* add ec2 credentials to the cli
* fix middleware
* Added: "UserWithPassword" Added: "UserWithOnlyEnabled" Removed: "UserWithOnlyPassword"
* Update Extended Credentials (EC2, S3)
* Fix for bug 921126
* Adds keystone auth-n/auth-z for Swift S3 API
* Implement cfg.py
* bcrypt the passwords
* fix token vs auth\_token
* Implement Secure Token Auth
* some quick fixes to cli, tests incoming
* fix pep8
* fix some more pass-by-reference bugs
* strip password before checking output
* flip actual and expected to match common api
* don't allow disabled users to authenticate
* turn off echo
* fix invalid\_password, skip ec2 tests
* Suppressed backtraces in tests causes sweaty eyes
* strip password from sql backend
* raise and catch correct authenticate error
* rely on internal \_get\_user for update calls
* Fixed: Inserting URLs into endpoint version attr
* strip password from kvs backend
* fix user\_get/user\_list tests
* Release Notes for E3
* Addresses bug 918608
* Restore Console Info Logging - bp keystone-logging
* removing the sphinx\_build from setup.py, adding how to run the docs into the README
* Added Vary header to support caching (bug 913895)
* Implemented subparsers (bp keystone-manage2)
* Handle EC2 Credentials on /tokens
* ec2 docs
* simple docstrings for ec2 crud
* Fixed PEP8 violations and disallowed them
* Implemented bp keystone-manage2
* Fixes 918535: time not properly parsed in auth\_token middleware
* Use dateutil 1.5
* get docs working
* some cli improvements
* add checks for no password attribute
* Prestage fix - fixed requirement name; python-dateutil, not dateutil
* users with correct credentials but disabled are forbidden not unauthorized
* Pre-staging pip requires
* shimming in basics from original keystone
* test login fails with invalid password or disabled user
* doctry
* use token\_client in token tests
* remove duplicate pycli from pip-requires
* fix ec2 sql config
* get\_client lets you send user and tenant
* update how user is specified in tests
* rename ec2 tests to be more explicit
* use the sql backend for ec2 tests
* more failing ec2 tests
* add METADATA for boo
* add (failing) tests for scoping ec2 crud
* add some docs that got overwritten last night
* Bug #916199: keystone-manage service list fails with AttributeError on Service.description
* Exception raise error
* Updates to middleware to deprecate X\_USER
* Revert "Exception raise error"
* fix pep8
* update tests
* update some names
* fix some imports
* split up sql backends too
* split up the services and kvs backends
* establish basic structure
* add docs for various service managers
* expect sphinx sources to be autogenned
* some tiny docs
* fix sphinx
* testing rst on github
* updating dependencies for ksl
* needed to do more for cli opts
* make a main in keystone-manage
* fix pep8 error
* rename apidoc to autodoc
* Fix typo
* Fix LDAP Schema Syntax (bug 904380)
* return to starting directory after git work
* spacing
* tests for ec2 crud
* add keystoneclient expected format
* add sql backend, too
* add an ec2 extension
* update readme
* Exception raise error
* re-indent
* re-indent
* re-indent
* re-indent kvs.py
* re-indent test.py
* remove models.py
* add some docs to manager
* dynamic manager classes for now
* add a couple more tests
* Bug #915544: keystone-manage version 1 commands broken when using flags
* add some more todos
* strip newlines
* TODO
* add role refs to validate token
* fix token auth
* check for membership
* flush that sht
* add more middleware
* fixing WatchedFileHandler
* logging to debugging by default for now
* add a noop controller
* woops
* add glance middleware ??
* add legacy middleware
* fix setup.py
* adding #vim to file with changed indent
* add id-only flag to return IDs
* rename ks to keystone-manage
* fixing imports for syslog handlers and gettext
* adding gettext
* adding logging from configuration files, default logging per common
* cli using keystoneclient
* add a db\_sync command to bin/ks, remove others
* merge test and default configs
* adding project to keystone config to find default config files
* some more config in bin/keystone
* in the bin config too
* rename many service parts to public
* keystone\_compat -> service
* remove keystone from names, remove service
* remove default configuration
* basic service running again
* rename extras to metadata
* version number in setup.py
* add basic sphinx doc bits
* remove references to keystone light
* renaming keystonelight to keystone
* keystoneclient tests working against sql backend
* run all teh keystoneclient tests against sql too
* move everything over to the default config
* config system overhaul
* add nova's cfg framework
* fix pep8
* missed a file
* most tests working again
* still wip, got migration mostly working
* get the sql ball rolling, still wip
* add sql backend, WIP
* Show useful traceback if manage command fails
* Fix minor typo
* Add 'tenants' to Auth & Validate Response
* Fixed Test Coverage Handling
* Adding prettytable dependency
* Front-end logging
* tweaking for running regular tests in jenkins
* Implement Role Model
* xsd fixes
* Added decorators for admin and service\_admin checks
* Initial keystone-manage rewrite (bp keystone-manage2)
* Correct endpoint template URLs in docs
* fix bug lp:843064
* finished up services stuff
* add the various role tests
* add list users
* get user tests working
* Remove install\_requires processing
* get endpoints test working
* get tenant\_add\_and\_remove\_user test working
* tenant test working again
* copy over the os-ksadm extension
* Implement Endpoint, Endpoint Template, and Credential Managers
* PEP8 keystone cleanup
* Changes run\_tests.sh to also run pep8 by default
* example crud extension for create\_tenant
* Updates to Tests/Testing
* Un-pythonic methods lp:911311 Fixed pep8 problems Changed comments to docstrings
* get some tests working again
* merge fixes
* fixup
* Made tests use both service and admin endpoints
* All tests but create\_tenant pass
* Split keystone compat by admin and service endpoints
* Install a good version of pip in the venv
* fix bug lp:910491 option "service\_host" in keystone.conf not works
* Added broken tests to show compatibility gaps
* Added tox.ini file
* Split keystone compat by admin and service endpoints
* Implement Service Manager
* Implement Tenant Manager
* Fixes bug lp:910169 - Tests are using too much memory Added super() call to tearDown() method
* Changed the call to create the KeystoneContextMiddleware object to pass the correct glance ConfigOpts object
* Added logging on core modules
* Adding logging to Auth-Token Middleware
* Implement Role Manager
* Refactor models and backends
* Add HP-IDM extension to fix Bug 890411
* Move URL Normalizer to Frontends
* move novaclient tests over also
* clean up test\_identity\_api
* clean up keystoneclient setup
* Move Global Role variables out of backendutils
* Bug #909255: Endpoint handling broken on SQL backend by portable-identifiers changes
* add role crud
* speed up tests
* add basic fixture functionality
* documentation driven development
* novaclient now requires prettytable
* Return Endpoint IDs
* Correct Handling of Default Tenant
* Fix duplicate logging
* Added global endpoints response in XML as well
* Fix: Client and Unit Tests not correctly failing a build
*  Bug #907521.     Changes to support get roles by service
* Always Return Global Endpoints
* Added release notes
* Fixed error with database initialization
* Tests use free TCP/IP ports
* Testing Refactor - this is a squash of 6 commits - original commits are vailable for cherry-picking here:   https://github.com/ziadsawalha/keystone/commits/tests
* Added HP-IDM documentation artifacts
* whitespace
* whitespace
* make create\_tenant work for keystone api
* common ks client creation
* Fixed version response (bug 891555 and bug 843052)
* Implement Multiple Choices Response (bug 843051)
* updating of docs
* Fix LDAP schema (bug 904815)
* working on a tenant\_create test
* standardize spacing
* novaclient uses password instead of apikey
* update to use the correct repo for python-novaclient
* fix tenant auth tests
* Updated namespace
* Fixes the catalog return in d5\_compat calls
* Added: ./keystone-manage database goto <version>
* Added databased version check on startup w/ docs
* Revised in-memory sql connection path for sqlalchemy
* Clarify 'test not found' error message
* Contract fix: change IDs from xsd:ID to xsd:string
* Tenants - asserted all the things (bug 887844)
* Support for unscoped admin tokens
* LDAP: fix to keystone.ldif
* Contract fix: IDs are not Ints, they are ID or string types
* Contract fix: description optional
* Update tracer excludes for Linux
* Fixed bug 905422. Swift caching should work again.  Also fixed a few other minor syntactical stuff
* Update test\_keystone\_manage to use unittest2
* Python 2.6 subprocess.check\_output doesn't exist
* No more python path changes
* Clarified language on migration instructions
* Refactor: Workaround for python build\_sphinx failure
* Fixed some skipped tests
* Format keystone-manage output better
* Added instructions to git clone from github
* Refactor: Computing api/model module paths dynamically
* Introduces UID's & domain models (bp portable-identifiers)
* Improved test coverage of d5 compat
* Fixed: Tests returning successful (0) on failure
* D5 Compatibility Support
* Added original tenants blueprint to docs
* Fixed broken import of version info (bug 902316)
* Added missing import preventing keystone from starting (bug 901453)
* Fix some issues with new version module
* quantum\_auth\_token.py middleware fails on roles
* Removed Server class from \_\_init\_\_.py
* Fix auth\_token middleware: make \_verify\_claims not static. Fixes bug #901049
* Pylint fixes to auth\_token.py
* Split version code into its own file
* Change is\_global == 1 to is\_global == True
* Bug 897496: Remove tenant id from Glance URLs
* Refactor: move initialization code to class
* Add missing json validation
* Refactor: get rid of keystone/config.py
* Fixes missed tests and subsequently introduced bugs
* Rename .keystone-venv to .venv
* Refactor: Rename auth controller to token controller
* Added documentation
* Added SSL and memcache sample config files
* Updated auth\_token middleware caching to support memcache
* Deprecating RAX-KEY middleware
* Added argparse to support python 2.3 - 2.6
* Make bin/keystone use port settings in the config file. Fixes bug #898935
* Bug#899116: use correct module when building docs
* Minor RST changes
* Revised extension documentation
* Added documentation for SQL tables
* Remove pysqlite deps. Fixes bug #898343
* Pretty-printed JSON samples
* Added option to pretty-print JSON
* Implements blueprint keystone-swift-acls
* Updated docstring to match auth\_token.py (bug 898211)
* Bug #890801 Changes to support /extensions call. - Introduced a new extension reader to read static extension content. - Added additional rst files explaining extensions. - Removed functionality from  additional middleware that used to support /extensions call.ie RAX-KEY-extension - Removed service extension test as it was no more relavent. - Added unit test that checks toggling of extensions. - Additional notes on the conf file
* Added JSON validator; fixed samples (bug 898353)
* Fixes a number of configuration/startup bugs
* Fixed RST syntax (bug 898211)
* Revised schema migration docs
* Improved doc formatting consistency (bug 898211)
* Fixed RST syntax in doc strings (bug 898211)
* Added ssl docs to index; fixed rst syntax (bug 898211)
* Bug-897724: Added method to list endpoints specific to a service and related tests
* Eliminated debug output from sphinx\_build (bug 898211)
* Updated testing
* Fixes bug lp:897819
* Check that endpointTemplate ID is valid in endpoint add cmd (#897749)
* Added Endpoint and Endpoint Template documentation
* Bug #854104   - Changes to allow admin url to be shown only for admin users.   - Additional test asserts to verify
* Fixed memcache tests
* Update documentation and examples following API 1.1 removal
* Fixes bug 843065
* Additional middleware test coverage
* Enforce service ownership
* Add keystone\_tenant\_user\_admin option and fixes
* Make owner the user named same as tenant/account
* Restored developer default log dir
* Add default for log directory and log filenames
* Added wadls, pdfs, samples and functional test confs (bug 891093)
* Additional documentation
* ./keystone-manage endpointTemplates list missing arg (bug 891843)
* Bug #890399
* Bug #891451: Changes to support update endpointTemplates call in the WADL
* add an example for capability rbac
* make readme use code style
* add the policy code
* describe and add a policy backend
* policty stub
* re-indent
* Added timeout to bufferedhttp class and timeout setting for middleware - bug 891687
* Refactoring master to match stable/diablo fix for bug 891710
* Refactor auth\_token.py to only call out to Keystone once
* Added files missing from dist packaging (bug 891093)
* pylintrc should not be hidden (bug 891093)
* Simplified gitignore (in pursuit of bug 891093)
* Fixes typo in setup document
* Adding middleware tests
* Remove executable bit on template
* change array syntax
* updates to make compatible with middleware
* mergeish dolph's port change
* fix tests
* handle unscoped requests
* adjust default port
* Revised version status response (bug 890807)
* Refactored headers produced by middleware (bug 835087)
* move noop to identity controller
* Ignoring db migrate mgmt module to workaround bug 889287
* 'text/json' should be 'application/json' (bug 843226)
* Revised curl examples (bug 884789)
* allow setting user\_id on create
* users require a name
* pep8
* update test conf too
* cli for adding users, tenants, extras
* adjust paths and use composite apps
* add tests for extras
* add tenant crud
* oops, forgot update in crud
* add crud tests
* add crud tests
* add crud tests
* add test for create user and get user
* add test for create user and get user
* re-indent identity.py
* don't pep8 swp files
* accept data as kwargs for crud
* use the keystone app in the conf
* reorg
* re-indent service.py
* Bug 888448: - Changes to allow validate token call return user name as per contract. - Additional test assertions to test the same. - Changes to middleware
* more dyanmic client
* get some initial identity api tests working
* update service to middleware in confs
* move around middleware
* make a composite app
* add crud methods to identity manager
* Add a new swift auth middleware
* Use TENANT\_ID if it exists, but still support X\_TENANT
* cli beginnings
* Bug 888170: Fixing references to incorrect schema
* add admin port
* add an etc dir
* Bug #888210: Changes to fix calls to use the right path
* bug 878431: Minor changes to auth\_token middleware
* add a default handler for /
* Bug #886046 Add Quantum auth middleware to Keystone source code tree
* add a stubby setup.py
* use paste for the binary
* add a trivial admin-only middleware
* update keystone sample tests, skip one
* Bug #887236: - Changes to allow extensions to be configured. - Introduced a new property that holds list of extensions that are to be enabled
* add crud info to readme
* get novaclient tests working
* add novaclient, intermediate
* add run\_tests.sh and pep8 stuff
* remove italics on Light
* modify requirements
* link diagrams
* Track post-Diablo database evolution using migrations (BP: database-migrations)
* Changed blatant hack (fixed spelling also) to 5 second timout as tests were not completing
* Use TENANT\_ID instead of TENANT for project\_id
* X.509 client authentication with Keystone.  Implements blueprint 2-way-ssl
* whitespace
* added catalog tests
* added tests for tokens
* test the other methods too
* add some tests and get others to pass
* add some failing tests
* add a default conf
* minor whitespace cleanup
* add some todo
* fixed the output message error on granting user a role
* Bug #884930 Support/Remove additional calls for for Tenant. - Supported call to get users for a tenant for a specific role. - Removed calls to get specific role for a user and to get all the roles for a specific tenant as they are not useful. - Fixed LDAP backend call to get users for a tenant. - Disabling Invalid pylint check
* adding docs to test classes, updating run\_tests.sh to match reality adding debug middleware factory adding docs on enabling debug middleware resolving pep8 issues
* Fixes LP Bug#885434 - Documentation showing multiple tenants misleading
* add example
* rst blah blah
* updated readme
* authenticate and tenants working
* working authenticate in keystoneclient
* remove test\_keystone\_compat's catalog tests
* add templated catalog backend
* Use pure version number ("2012.1") in tarball name
* Set run\_tests.sh so pep8 runs in the virtualenv
* bug 885364
* bug:884518 Changes to support passwordcredentials calls as per API contract. Minor LDAP code change to support tests
* Fixed spelling of 'Resources' (Resoruces)
* pep8 cleanup
* everything but the catalog
* Remove execute bit on keystone.conf
* Fixes LP882760.Changes to return TenantId properly as part of roles.Additional tests to support the same
* Moving contributor docs into rst (bug #843056)
* fixing search sequence to not include directory structure from os.walk()
* bug lp:882371 Standardize Json pagination structures
* get a checkout of keystoneclient
* bug lp:882233 Code changes to support API calls to fetch services/roles by name
* Removed contributor doc build info from project README (bug #843056)
* Revised documentation build process (bug #843056)
* updates to keystone documentation - install & conf bug 843056 blueprint keystone-documentation
* Specific LDAP version causing hiccups installing on latest ubuntu & fedora
* Adding the concept of creating a Keystone HTTP client in Python which can be used in Keystone and imported from Keystone to allow for easier Keystone integration
* Add .gitreview config file for gerrit
* updating keystone developer documentation updating docstrings to remove errors in automodule generation updating setup.py to generate source documentation blueprint keystone-documentation bug 843056
* Changes to support getuser by name and gettenant by name calls
* Changes to support get endpoints for token call
* Additional changes to support endpointtemplates operations.Disabling pylint msgs that dont fit
* Github markdown doens't seem to like irc:// links
* Removed 'under construction' docs provided elsewhere
* Updated self-documentation to point to docs.openstack.org
* Revised documentation
* Changes to endpoint operations as per OSKSCATALOG contract. Adding couple of pylint fixes
* Refactored version attributes
* Changes to support endpointTemplate operations as per new API.Fixed issues with command line manage stuff
* Updated Secret Q&A to extend CredentialType
* Changes to support API calls as per OS-KSCATALOG extension
* Improved CLI error feedback (bug 877504)
* authenticate working, too
* base tests on keystone-diablo/stable
* get tenants passing, yay
* flow working, added debugging
* add context to calls
* move diagram into docs dir
* refactor keystone compat and add catalog service
* added sequence diagrams for keystone compat
* Resubmitting change. Fixing issue #843226. Changes to throw appropriate faults during token validation
* bug lp:865448 change abspath to dirname in controllers/version.py to correct path problems
* Moving non core users and tenants calls to appropriate extensions
* Fix issues in the ec2 middleware
* Adding calls to get roles for user as per new format.Cleaning references to old code
* Fixes LP844959, typo in Authors file
* Changes to support roles and services calls via extensions. Change-Id: I1316633b30c2be07353dacdffb321791a4e2e231
* Simplified README
* First commit for Secret Question and Answer Extension: RAX-KSQA
* Fixing issue 854425.ie chaning token table name to tokens. Fixing issue 863667.Changes to support updation of user/tenant name as well using api calls. Fixing LDAP backend to have id independent of name.Fixing getuser call to also return name
*  Fixing bug 859937.  Removing incorrect atom feed references from roles.xsd
* Minor corrections to the middleware and wadl
* Changes to show name also for the user list
* Changes to show admin URL also as a part of json in endpoints listing
* getting closer, need to match api now
* tests running through, still failing
* add a test client
* added a test, need to get it working now
* Use the tenant name for X\_TENANT
* Fix possible\_topdir computing
* Change roleId to role.id for swift middleware
* adding in doc and setup to cover existing scripts adding doc around credentials command usage (for EC2)

2011.3
------

* Updating legacy auth translation to 2.0 (bug #863661)
* Shouldn't look in /etc/init/ for config files
* Changing default admin port from 5001 to 35357, per IANA/IETF (bug #843054)
* Organizing and documenting pypi requirements
* sample data updates to remove -service from image and identity
* Refactor and unit test json auth parsing
* Error message expecting 'e' in local scope
* Do not return identical error messages twice
* Update auth examples in README
* README.md changes to point to openstack repo
* updating docs for Mac source install, no docs for mac package install relevant
* POST /tokens: Added tenant id & name to scoped tokens in XML (#862752)
* Updated guides.Have recompiled to use the latest examples
* Fix bug 861546
* Fix swift middleware with regard to latest changes
* Changes to support getTenants to behave differntly for admin users when invoked as a service api or admin api
* Changes to stored hashed password in backends. Using passlib a password hashing library. Using sha512. Setting hashing to be the default behavior
* Changes to WADLs to refer actual types
* Revised docstring
* Added /etc/init/keystone.conf to list of known configuration paths
* Revising tenant IDs & Names in samples (#854228)
* Authenticating against non-existent tenant (fixed #859927)
* Adds list of dependencies to dev install
* Fixed Anne's email address & list position (alphabetical)
* Added support for scoping by tenantName
* Changes to return groups as a part of RAXKSGRP extension.Also fixed incorrect schema version references in wadls and examples
* Changes to support authenticate call to accept token as per agreed format
* Minor changes to wadl
* Making type mandatory as per sandy's request and minor fixes to wadl examples. Adding Ann as an author
* Changes to structures to support authenticate using token. Minor wadl fixes. Adding Anne as an author
* Removing token element from token.xsd
* Update to token.xsd to allow element token as a root element in relation tu bug: https://bugs.launchpad.net/keystone/+bug/855216 - apiKeyCredentials Samples casing apiKey update
* Changes to support endpoint template addition/listing by service names. Changes to list service details as well
* Modified apiKeyCredentials to extend single entity and use restriction
* Reorder params in User() constructor
* Fix for bug 856857 - add user.name to User() constructor to re-align param
* Fix for bug 856846 - cast ints to string in users\_get\_by\_tenant\_get\_page so that they can be joined
* POST /tokens: A chronicle of missing features
* Fixes issues with ldap tests
* Get Service Catalog from token
* Fixes auth\_token middleware to allow admin users in nova
* Initial set of changes to move role operations to extensions
* Updating guide wrt wadl changes
* Minor Changes to extension WADL
* Changes to support auth catalog as per new format
* Changes to docs
* Adding tenantid to user roles and endpoints
* Fixes bug 855823
* Add code removed in https://code.launchpad.net/~vishvananda/nova/remove-keystone-middleware/+merge/76297 to keystone
* Added support for HEAD /tokens/{token\_id} Changed POST /tokens response container from 'auth' to 'access'
* Making identity-admin.wadl well-formed
* Converting to new doc format for included code samples
* Changing authenticate request content xml as well as json
* GET /tokens/{token\_id}: Exposing both role ID's and Name's
* Renaming 'roleRef' container to 'role'
* Renaming 'roleRefs' container to 'roles'
* Renaming GET /tokens/{token\_id} response container to 'access'
* Revised samples
* Fixed path issues with keystone-import
* Update validate\_service\_or\_keystone\_admin\_token so that it doesn't cause exceptions if the admin or service admin haven't been configured
* Changing/introducing actual extension json/xml snippets. Adding updated documents
* Backend-managed role & service ID's (bug #834683)
* Initial Changes to move service operations to extensions
* Docs,wadls,samples,initial code to support RAX-KSKEY and OS-KSEC2 extensions. Removed tenant id from being part of endpoints
* Glance Auth Token Middleware fix
* Sorted AUTHORS list
* adding imports from Nova for roles, tenants, users and credentials
* Update keystone-manage commands to convert tenant name to id. Fixes #lp849007
* 1.Changed all Json paginated collection structure. 2.Introduced a type for credential type (path param) and change wadls and xsds. 3.Added List Users call. 4.Changed Endpoint creation example
* Don't import keystone.test unless we are in testing. Fixes #lp848267
* Add toggle to run tests in-process, w/ realtime progress feedback
* Add ability to run fakeldap in memory
* Added backend-managed primary key to User and Tenant model
* Introducing doc to support OS-KSCATALOG extensions.Adding new calls to OS-KSADM extension document
* Adding initial document for OS-KSADM-admin extension.Related changes on wadl,json,xsd etc
* Fixing sample content
* Adding new doc.Changes to sample xmls and jsons
* Validation content and relavant changes
* Minor fixes on xsds and sample xmls
* Fixing existing wadl.Completing wadl for extension OS-KSADM
* Fix invocations of TemplateError.  This exception takes precisely three parameters, so I've added a fake location (0, 0) to keep it happy
* Adding wadl for OS-KSCATALOG extension.Fixing existing xsds.Fixing service wadls. Merging changes. Change-Id: Id29dc19cbc89f47e21329e531fc33bd66c14cf61
* Update Nova and Glance paste config examples
* Various documentation-related changes
* Consolidating xsds. Splitting contrib to admin and service
* Adding guides for groups extension
* Fix host/port split code in authenticate\_ec2. Resolves an AttributeError: 'Ec2Credentials' object has no attribute 'partition' exception that can occur for EC2 auth validations
* Adding guide for RAX-KSKEY-service extension. Adding guide for OS-KSEC2-service extension
* Fix NameError exceptions in add\_credentials. Adds test case on creating credentials
* Redefining credential types. Defining additional extensions and renaming extensions. Removed wadls that are not needed
* Fix for duplicate <any> tag on credentials.xsd
* Move tools/tracer into the keystone code. Fixes ImportError's when running keystone as a .deb package
* Fixed error where endpoints returned for tenant instead of token
* Updated the AUTHORS file to test the new rpc script and workflow
* Update rfc.sh to use 'true'
* Made it possible to integrate with external LDAP
*     Dev guide rebuild and minor fixes
* Updates to samples, XSDs, and WADLs
* Added AUTHORS, .mailmap and generate\_authors.sh
* Changes to support endpoint template updates
* Fixes bug 831574. Adds missing sys import
* Updated schema to reflect id and name changes to Users and Tenants
* Updated guides and samples
* Additional contract changes
* Sample changes
* Atom links on Token
* Cleanup service it endpoint catalog
* Removed redundant function from base user api
* Updated samples
* Fixed reference to unassigned variable
* Reworked XSDs and WADL to support auth and access elements
* Remove more group stuff
* Removed OSX files that shouldn't be in git
* Documentation cleanups
* Banished .DS\_Store
* Add rfc.sh for git review
* Wrong common namespace
* XSD & sample updates
* Added more missing files to MANIFEST.in
* hanges to allow test to work on python 2.6.\*
* Cleaned up come issues with python2.6
* Refactored manage.py to be both testable and useful for testing
* Sample changes to support v2.0 api
* Sample changes to support v2.0 api
* Admin WADL Revisions
* Add the files in keystone/test/etc
* Add run\_tests.\* to the MANIFEST.in
* Keystone manage.py cleanup
* Tests running on in-memory sqlite db
* Additional changes to fix minor service support stuff and increase test coverage. Also making validate token call available using service admin tokens
* Made all sample data loading in one script
* Minor fix to run\_tests
* Contract changes
* Admin WADL updates
* Port of glance-control to keystone.  This will make writing certain keystone integration functional tests a little easier to do
* Updates to XML and JSON changes for validateToken
* Added pylint message count as run\_tests.sh -l
* Added reponse handling for xsd static file rendering III Extra extension tests (for RS-KEY)
* Creating an artificial whitespace merge conflict
* Moved run\_test logic into abstract class
* Git-ignore python coverage data
* Added reponse handling for xsd static file rendering
* Additional tests and minor changes to support services CRUD
* Added reponse handling for xsd static file rendering
* Schema updates. Split WADLs and extensions and got xsds to compile
* Ziads changes and fixes for them
* Added check\_password to abstract backend user API
* Doc changes, including service catalog xsd
* Fixed service-bound roles implementation in LDAP backend
* Removed ldap names import from fakeldap module
* fix ec2 and add keystone-manage command for creating credentials
* Legacy auth fix and doc, wadl, and xsd updates
* Replacing tokens with the dummy tokens from sampledata.sh
* Add option for running coverage with unit2
* Adding curl documentation and additional installation doc. Also updated man documentation for keystone-manage
* Changes to improve performance
* Removed the need to set PYTHONPATH before tests
* Back to zero PEP8 violations
* Schema and WADL updates
* Adding documentation to WADL
* Correct 401, 305, and www-authenticate responses
* Correct 401, 305, and www-authenticate responses
* Correct 401, 305, and www-authenticate responses
* Added xsd content, update static controller, and static tests
* Updated wadl
* Fix LDAP requires to compatible version
* Moved password check logic to backend
* Changes to delete dependencies when services,endpoint\_templates,roles are being deleted. PEP8 and Pylint fixes.Also do ldap related changes
* Add LDAP schema
* Add wrapper for real LDAP connection with logging and type converting
* Fix console and debug logging
* Redux: Add proper simple\_bind\_s to fakeldap
* Adds support for authenticating via ec2 signatures
* Changes to allow additional calls to support endpoint template CRUD and additional checks on existing method
*  Committer: Joe Savak <joe3963@joe3963-VirtualBox.(none)>
* Refactoring business logic behind GET /tenants to make it less convoluted
* Moved run\_tests.py to match other projects
* Revert "Add proper simple\_bind\_s to fakeldap, removed all imports from ldap."
* Add proper simple\_bind\_s to fakeldap, removed all imports from ldap
* Gets Keystone a bit more inline with the way that other OpenStack projects run tests. Basically, adds the standard run\_tests.sh script, modifies the run\_tests.py script to do the following:
* Changes to support CRUD on services/roles
* Issue #115: Added support for testing multiple keystone configurations (sql-only, memcache, ldap)
* Added automatic test discovery to unit tests  and removed all dead tests
* PEP8 fixes... all of them
* Small licensing change to test Gerrit
* Small change to test Gerrit
* Fix brain-o--we may not need project\_ref, but we do need to create the project!
* updated README with more accurate swift info
* Determine is\_admin based on 'Admin' role; remove dead project\_ref code; pass auth\_token into request context; pass user\_id/project\_id into request context instead of their refs
* Added support for versioned openstack MIME types
*  #16 Changes to remove unused group clls
* Add unittest2 to pip requires for testing
* #66 Change in variable cases
* #66 Change in variable cases
* Changes to make cache time configurable
* Changes to store tokens using memcache #66
* Changes suggested by Ziad.Adding validateToken operation
* Flow diagram to support keystone service registration
* Restored identity.wadl w/ system test
* pylint fixes for role api
* Removing attribute duplicated from superclass; causes an issue in py 2.7
* pylint fixes for tenant-group unit tests
* pylint fixes for server unit tests
* Making the API version configurable per API request
* PEP8 fixes for system tests
* Issue #13: Added support for Accept-appropriate 404 responses w/ tests for json & xml
* Simple change to test gerrit
* Document how to allow anonymous access
* Sigh. Proofreading..
* Update README with instructions to fix segfault
* These changes make no sense--I didn't do them, and I'm in sync!
* Add middleware for glance integration
* #3 Preventing creation of users with empty user id and pwds
* Fixing naming conflict with builtin function next()
* This makes the use of set\_enabled more clear
* Fixes failing test introduced after disabled check remove
* Changes to allow password updates even when the user is disabled.Also fixed failing tests
* Disabled users should now be returned by GET /users/{user\_id}
* Updating a disabled user (via xml) should now succeed
* Updating a disabled user should now succeed
* Noted potential issue, but I'm not sure if this is dead code or not anyway?
* Assigned Base API classes so downstream code knows what to expect
* Adding missing class variable declaration
* Cleaning up unit tests
* Removes disabled checks from get\_user and update\_user
* Fixing module-level variable naming issues
* Improving variable naming consistency
* Avoiding overloading of built-in: type()
* Fixing indentation
* Specified python-ldap version, which appears to avoid the packaging issues we've experienced
* Added missing import
* More LDAP tweaks
* LDAP backend updates
* More test fixes
* Fixed deprecation warning
* Updated test to allow for additional role
* Restored UnauthorizedFaults to token validation requests
* Fix for issue #85
* - System test framework can now assert specific response codes automatically - Revised system test for issue #85 based on clarification from Ziad - Added system test to attempt admin action using a service token
* Adds the member role to sampledata, gives it to joeuser
* PEP8 fixes
* Formatting
* Merged duplicate code
* Add first implementation of LDAP backend
* Added (failing) system test for issue #13
* Minor cleanup
* Made all API methods raise NotImplementedError if they are not implemented in backend
* Made delete\_all\_endpoint calm if there is nothing to do
* Fixed bug causing request body setting to fail
* Add check to sqlalchemy backed to prevent loud crush
* Tweaked import\_module to clearly import module if it can
* Removed hardcoded references to sql backends
* Add exception throwing and logging to keystone-manage
* Merging keystone.auth\_protocols package into keystone.middleware
* - Added 'automatic' admin authentication to KeystoneTestCase using bootstrapped user - Added system tests for admin & service authentication - Abstracted '/v2.0' path prefix away from system tests - Added simple uuid function to generate data for system tests (random number gen w/ seeds might work better?) - Refactored issue #85 tests with setUp & tearDown methods
* Clarifying test case
* Fixed minor pylint issues
* Removed tenant id from admin user
* Move dev guide to OpenStack
* Commented out failing request, until it's review
* Wrote test case for github issue #85
* Formatting change
* Was this a typo or an incredibly lame joke?
* Added missing imports and fixed a few pylint issues
* Improved dict formatting
* Improved readability a bit
* Abstracted underlying HTTP behavior away from RestfulTestCase Added 'automatic' JSON body encoding (TODO: automatic XML encoding) Improved user-feedback on automatic response status assertion
* Added run\_tests.py to keystone.test.system, which uses bootstrap db script
* Added bootstrap configuration script (with admin user assigned an Admin role)
* Added 'automatic' token auth for each API
* Refactored port configuration strategy to allow a single test case to address both the admin and service API's
* Added automatic json/xml parsing to system test framework
* Added system test discovery to run\_tests.py
* Added system tests for content type handling and url rewriting
* Updated tests to reflect last bug fix
* Extracted sample test from framework and moved system test framework into \_\_init\_\_
* Converted system test framework to use httplib
* Initial system test approach, using urllib2
* Fixed bug: traceback thrown when the path '/' is requested
* Updated \*unused\* tests to reflect refactored API's
* Removed some useless/dead code
* Cleaned up authentication tests
* Improved readability slightly
* Moved db imports to config module Removed useless try/except blocks
* Organized imports
* Simplified a few util functions
* Fixed line length
* Renamed service API configuration options
* Renamed ServiceApi router module
* Renamed ServiceApi router
* Cleaned up keystone.logic
* Removed unused logger
* Refactored routers and controllers into their own modules (issue #44)
* Fixed doc string
* Improved PEP8 compliance
* Fixed spelling
* Removed unused import
* Slightly simplified base wsgi router
* Added note about run\_tests.py to readme
* Organized imports
* Improved readme consistency
* pep8
* Pylint an pep8 fixes
* Fixing bug reported using with swift
* Fixed default content type behavior (was defaulting to XML)
* Removed redundant action mappings (for version controller)
* Renamed exthandler to urlrewritefilter to better illustrate it's purpose
* Minor comment change
* Refactored URL extensions handling (for .json/.xml) Added universal support for optional trailing slashes
* Return users in a tenant as part of a many-to-many relationship
* Added import, autoformatting
* Removed unused imports
* Moved exthandler to keystone.middleware
* \*\* keystone.conf refactoring \*\*
* Fixed 'is\_xml\_response' function, which had no clear intention
* Removed unused function
* Rewrote .json/.xml extension handler with additional unit test
* Added links to readme
* Added python-ldap to pip-requires
* Initialized LDAP backend
* Various fixes for test running
* Commented out suspicious unit tests.....
* Added test automation script
* Cleaned up file
* Added missing test files to test collection
* Made unit tests executable from the cmd line
* Added test\_auth to list of unit tests
* Update auth test to account for generic service names
* Changes to make Admin for keystone configurable.#27
* Remove old initializers
* Changes to introduce BaseAPI to support multiple back ends
* Changes to support dynamic loading of models
* Adding list of todos
* Initial changes to support multiple backends
* Fixed identity.wadl response - issue #71#
* Recompiled devguide with endpoints and templates
* Removed unnecessary symlink
* Changes to support endpoints and endpointemplates (renaming BaseUrls and BaseURLRefs)
* Make swift middleware live where it should
* Remove swift-y bits from generic token auth
* Changes on Sample data
* Code changes to support global endpointTemplates
* Swift-specific middleware
* Issue 31: Switching default ports to 5000/5001 (public/admin)
* Fixed readme instructions for Nova - Issue #55
* Fixed requires for development and in readme
* Bringing back the changes to support endpointTemplates and endpoints
* Readme fix
* Edited keystone/auth\_protocols/nova\_auth\_token.py via GitHub
* Issue 32: Updated readme to reflect fix for issue 32 (removed 'cd bin' prefixes before several commands)
* (Related to) Issue 32: bin/sampledata.sh cannot be executed outside of bin/
* Issue 32: ./bin/keystone cannot be executed outside of bin/
* Issue 31: Reverted ports to 8080/8081 while the issue is under discussion
* Adding endpoint related files
* Updated readme to reflect docs/ -> doc/ change Added tools/pip-requires-dev for depelopment dependencies
* Basic authorization for swift
* Republished developer guide for Jun 21, 2011
* Updated token validation sample xml (dev guide)
* Updated dev guide publish date
* Added developer guide build folder to git ignore list
* Auto-formatted and syntacically validated every JSON example in the doc guide
* working with dashboard
* add get\_tenants
* rudimentary login working
* most bits working
* initial
* Reverting change thats not needed
* Fixing some of the failing tests
* Merging changes from trunk
* demo of membership using keystone in sampledata
* Name changes BaseURLRefs to EndPoints and BaseURLs to  EndpointTemplates
* Fixed formatting, imports
* Issue 31: Updated docs and examples
* Committing unit test configuration for issue 31
* Issue 31: Changed default ports to 80/8080
* Issue #8: Renamed primary key of Token to 'id'
* Name changes BaseURLRefs to EndPoints and BaseURLs to  EndpointTemplates
* Changes to hash password
* Restored tools.tracer to bin/ scripts; included fix for empty frames
* Merging changes
* Removed unused import
* Removed redundant sentence in dev guide
* Removed unused imports in bin/
* Fix for keystone issue 41: https://github.com/rackspace/keystone/issues/41
* Merging changes from rackspace
* Fixed spelling error
* Changes to include support for paginations
* Fixing existing methods on wadl
* Fixed broken unit test code
* Refactored api function names to avoid redundancy with new module names
* Changes to wadl to support user operations
* Refactored DB API into modules by model
* Pep8 changes
* Changes to allow user creation without a tenant
* for got to change a 1.1 to 1.0
* dash needs both 1.0 and 1.1 compatability - need to fix that!
* nova needs 1.0 api currently
* Some field validations
* Merged docs
* make sampledata executable again
* Admin for nova doesn't take a tenant
* add keystone to its own service catalog
* Fixed error on UrlExtensionFilterTest
* Fixed imports; improved PEP8 formatting compliance
* Fixed imports in keystone.common
* Removed unused imports and denoted unused variables
* Fixed imports in auth\_protocols
* Removed duplicated function
* Added coverage to pip development requirements
* Fixed relative & unused imports
* Adding py init to functional tests
* Created pip requirements file for development env (added sphinx python doc generation to start)
* Added pydev files to gitignore
* Added py init files to directories already being referenced as modules
* Users must have tenants or nova breaks
* Doc updates and dev requires
* Resolved conflicts
* To PUT or to POST
* Fixed v1.0 auth test to account for cdn baseURL order
* Support for GET /v2.0/users and add cdn back to sampledata for v1.0 support
* Update the baseURL data pushed into glance
* Fix symlinks after docs -> doc rename
* Adding call to modify tenant.Adding more tests and fixing minor issue
* Added pip requirements file for testing environments
* Grammar corrections
* Adds Sphinx build ability and RST documentation
* Removing unused references to UserTenantAssociation
* Introduced a method to get all users @Users resource.Also moved the method to get user groups out of tenant scope
* Changed BaseURLs to OpenStack names
* Test fixes
* Seperating user calls from tenants
* Improved README formatting/consistency
* Updated paths to unit/function tests in README
* Updated docs: sampledata.sh can't be executed outside of bin/
* Added Routes and httplib2 to production dependencies
* Correcting typo
* Setup.py fix
* Readd test folder
* Forgot to add doc file
* Moved tests to keystone folder and removed old management tools - issue #26
* Updated SWIFT endpoint default
* Update to dev guide explaining admin call auth requirements
* Update sample data and keystone-manage for local install of OpenStack
* Put updated Swift Quickstart into README.md
* API v2.0 Proposal
* Doc updates.Minor keyston-manage changes
* Doc updates
* Doc updates
* set nova admin role if keystone user has "Admin" role
* keystone repo is now at github.com/rackspace/keystone
* Add success test for GET /v2.0/tokens/<TOKEN\_ID> in json and xml
* Add Admin API tests for v2 authentication
* Add test verifying a missing tenantId key in the password creds works properly in JSON
* Rename file.Ziad suggestion
* Name changes suggested by Ziad
* Minor fixes
* Code cleanup
* PEP8 changes
* Removing redundant files
* Changing to legacy auth to standard wsgi middleware.Name change of some of the files
* Changing to legacy auth to standard wsgi middleware
* Introducing new frontend component to handle rackspace legacy calls
* Introducing new frontend component to handle rackspace legacy calls
* keystone repo is now at github.com/rackspace/keystone
* Add success test for GET /v2.0/tokens/<TOKEN\_ID> in json and xml
* Add Admin API tests for v2 authentication
* Add test verifying a missing tenantId key in the password creds works properly in JSON
* Removing debug print
* Changes to return service urls for Auth1.0 style calls
* Changes to return service urls for Auth1.0 style calls
* Updating tests and sample data
* Merging changes from rackspace
* Changes to support service catalog
* pep8
* Added URLs to sampledata
* Support for listing BaseURL refs in keystone-manage
* Support transforming service catalog
* Removing remerged comments
* Adding roles as comma seperated values on a single header
* Changes to support getTenants call for user with admin privelage and regular user
* Add more test cases for v2 authentication for bad requests and unauthorized results
* Add test case for verifying GET /v2.0/tokens returns 404 Not Found
* It's possible to authenticate through the Admin API
* Changes on auth basic middleware component to return roles.Also changes on the application to return roles not tied to a tenant
* Update the sample to reflect some minor enhancements to the base framework
* Add test for validate\_token
* Save expiration data for later comparison
* Don't need to fiddle around with user tokens here, just admin tokens
* Get and revoke both admin and user tokens..
* Merging changes
* Bah, somehow my sample data failed to include Admin as admin's role
* Merging changes
* Merging changes
* Merging changes
* Meging changes
* Changes to also return role references as a part of user when get token call is made for a specific tenant
* Use un-spaced exception names..
* Try to use an admin credential to revoke the token
* Split the Keystone service from the Admin service so we can test both
* The API is a moving target; update the test
* Support for listing roles in keystone-manage
* Adds unit testing base class that takes care of much of the tedium around setting up test fixtures. This first commit just demoes the new test case functionality with a new test case /test/unit/test\_authn\_v2.py
* pep8
* Fixed issue #6
* Support POST /tokens only - issue #5
* Added quick start guide to integrating Swift and Keystone; fixed setup.py tokenauth filter installation
* Added role and user data to sampledata.sh
* Additional unit tests for base url refs.Minor code refactorings
* Changes to support baseurlrefs operations
* MD cleanup
* md futzing
* More readme cleanup
* Merged DTest tests and moved ini file to examples/paste
* moved paste example to examples
* Readme updates
* Just making sure leading whitespace is stripped if automated
* to->too
* Updated dev guide
* Add a sample to document how to create tests
* Add a test for authenticate/revoke\_token
* Ensure that --username, --password, and --keystone are given
* Build base classes for tests
* Documentation fixes to versions
* Build the skeleton necessary to run tests
* Add x\_auth\_token header to most methods
* Make sure we don't lose the body completely if we can't json.load() it
* Add debugging messages
* Add a property to get the RESTClient instance
* Fix up get()/put()/post()/delete() calls to make\_req()
* Deal with the case that no headers are provided
* Deal more intelligently with empty strings
* Listing technologies to integrate
* Um, queries are supposed to be optional, all others required
* Properly join relative paths
* Apparently "/token" is actually spelled "/tokens"
* Accidentally left out the reqwrapper argument
* Sketch in a basis for the Keystone API 2.0
* Make argument order a little more natural
* Fixing unit tests.Introduced support for global roles
* Don't let self.\_path be the empty string
* self.\_scheme isn't set yet
* Don't add a field if there isn't one..
* Create a simple means of building a REST-based API
* Fixing unit tests for user and groups
* Docs
* Link fix
* API Spec updates
* More /token -> /tokens fixes
* /tokens instead of /token
* Prep for move to git@github.com:rackspace/keystone.git
* Made URL relative
* pep-8 and minor mapping fix
* Dev guide update - BaseURLs and Roles
* Update docs on how to use nova.sh to deploy openstack on cloud servers
* Changes to support calls to getBaseUrls
* Changes to support /tokens on docbook and minor roleref changes
* Changes to support roleref calls
* Updated to use X\_USER as decided in Issue 49
* Updated with feedback from https://github.com/khussein/keystone/issues/49#issuecomment-1237312
* Fix for issue 49 - parse X\_AUTHORIZATION header for user\_id
* Fixed issue where user tenant not returned in GET /token - related to issue #49
* user should be what keystone returns
* Fixed issue #54
* Updated to use X\_USER as decided in Issue 49
* Updated with feedback from https://github.com/khussein/keystone/issues/49#issuecomment-1237312
* Fix for issue 49 - parse X\_AUTHORIZATION header for user\_id
* Minor changes to the document
* Changes to unique relationship definition
* Adding more tests for roleref operations
* Fixed issue where user tenant not returned in GET /token - related to issue #49
* Changes to support /tokens on docbook and minor roleref changes
* Changes to support roleref calls
* user should be what keystone returns
* midnight typo
* Added examples readme
* Fixed issue #54
* Link to latest dev guide in readme
* Instructions to run with Nova
* Documentation update and new API spec
* Updates to README
* Updates to README
* Updates to README
* Updates to README
* Updates to README
* Updates to README
* Fix up broken setup.py scripts list
* -Removed .project file from project and added it to .gitignore -Moved pylintrc -> .pylintrc, personal preference that this file should be available, but not seen -Moved echo to examples directory, seemed a bit odd to be in the top level -Moved management directory to tools, seemed a bit odd to be in the top level -Moved pip-requires to tools/, and updated the reference to it in README.md
* Fix the identity.wadl symlink
* keystone src directory needs symlinked
* remove copy&paste ware from nova\_auth\_token and use auth\_token middleware
* Flow diagrams
* simple flow diagrams
* Multi-tenant token fixes
* Fixed invalid tenant authentication
* Fix error in tenant\_is\_empty (model has changed)
* Fixed debug/verbose flag processing
* update readme
* keep nova\_auth\_token in keystone
* Changes to support /Roles calls.Removing create call from being exposed as of now
* Changes to support /Roles calls.Description included
* Changes to support /Roles calls
* Readme merge
* Readme updaes for load testing
* hack nova\_auth\_token to work
* removing unused library
* Changes to support roles and baseurls on wadl
* Changes to support roles and baseurls on wadl
* Changes to support roles and baseURLs
* missed some nova reqs
* information on using nova\_auth\_token
* lazy provisioning for nova
* readme fixes
* Merged in anotherjesse's changes
* New model working with echo\_client.py
* Missed a file
* Added tracing and modified model
* echo\_client should be executable
* move nova's path injection to management scripts
* server.py/version.py shouldn't be executable while cli tools should
* spacing for readme
* Add keystone-manage to support bootstrapping Keystone with add user command
* Setup.py update
* Updated logging and parameterization for bin scripts
* Minor readme fixes
* Simplified running Keystone and Updated readme
* v1 compatibility and Service/Admin API split
* DocBook Changes
* Merging HCL changes - pull 40
* Changes to support baseurls and roles on the document.Adding sample files
* Changes to support baseurls and roles on the document
* Adding xsds to support roles and baseurls
* More version fixes
* Initial commit
* Make config compatible with legacy
* Move to v2.0
* Changes to move the db settings to conf file
* removing bottle
* Adding Accept header to is\_xml\_response logic
* Removing bottle dependencies
* Mae Pylintrc, reordered imports made pep8 of the  files
* Foundation for some server and auth unit tests
* Added as per HACKING  Files
* pylint fixes
* fixes
* fixed test cases
* Merged api,service,server,test\_common
* Added test cases for add user to a tenanat
* multi token test cases and bug fixes
* Moved all Server functions to utils.py
* Fixed failing test - bug introduced in cleanup
* Added pylint and cleanup from last commit
* Merged pull 37. Removes bottle, adds configuration, and adds daemonization
* fixed pylint
* fixed bugs
* fixes
* fixes
* removed backslashes
* Added functionality add user to a tenant
* fixes
* Pep8 test\_users.py
* checking SSLv3 problems
* checking SSLv3 problems
* checking SSLv3 problems
* checking git push problems
* Optimised test\_users.py
* Modified the README and README.md
* fixed bug raised when included exthandler
* Removed unwanted file
* removed unused run method
* Added PEP8 to test cases
* Removed importing objects from keystone
* pylintrc optimization
* optimization of test cases and handling multi token
* fixes
* Nochanges
* Modified the README for keystone-control issue
* Modified the README
* Added PEP8 for remaining test cases
* PEP8 for test cases by praveena
* renamed test\_identity.py to test\_keystone
* added pidfile and removed print statement from test\_common
* fixes
* removed print statement
* Added keystone.log to ignore list
* Modified  server.py tenant group URL to fix failing test cases
* Added \*.log to gitignore
* neglect changes
* Added new script to run all tests
* Modified and tests. Tests groups throwing some minor errors still
* Modified and commented the code
* Split the test cases into individual files Fixed Bugs of api
* Made PEP8 of server
* Too much of duplication and incomplete conflict resolution in test\_identity.py
* Sisirhs changes
* Sai and Praveena's Changes
* Added missing tests,  mad e enable and disable password work
* merged conflicts
* test cases modfications and bug fixes
* Renamed  to server.py and added  top dir in config
* Added the keystone  top dir in configuration
* Modified the README
* latest updates
* latest updates
* new merge with installation fixes
* A brief README for the auth-server
* Added keystone-control
* chasing tenant group bug
* Added tests for the URL extension middleware
* modified keystone-control and reshuffling of file names
* Adding unit test for the URL extension handler
* Modified test cases
* Yes, I modified, but I wont commit
* merged Sai changes
* Installation of keystone done
* corrects charset=utf=8
* Working on echo server
* one more push
* move the template code from bottle into a separate file:
* modified auth\_server.py
* Added echod and renamed echo.py to server.py
* Minor cleanup + pep8
* merging changes from sai branch
* saving changes to auth\_server.py
* get version implementation s Please enter the commit message for your changes. Lines starting
* get\_version\_info is still not working
* in the middle of get\_version\_info
* Modified test\_identity
* removed .auth.serve.py.swp
* Added some more functions through Routes and mapper
* Update for Abdul
* My Changes part 2
* modified Resposne to resp=Response()
* My Changes
* minor tweak
* Some more cleaning up of git merges
* Cleaning up of git merges
* Added glance type of eventlet, because of its plug and play which meets the need of running everything independently if needed
* pep8 and fixes
* Readme updates
* Removed keystone.db - should be generated by ORM
* Removed extra files from last commit
* Removed Global groups tests, which still needs to be tested. Updated README on how to run unit test
* Deleted keystone.db
* Merged pagination
* Git problems - lingering commit
* Renamed identity.py to server.py and added bin directory
* Adding router to requires. Updating standards in HACKING. Removing schema (generated from ORM)
* Added pagination functionality and tenant\_group functionality with unit tests
* Removing unused imports
* Removing unused function
* unwanted file
* added the code that would go to hussein repo
* Added tenant groups in identity, created test cases for tenant groups
* Added latest changes to sirish branch with pagination for get tenants
* Annotate TODOs
* argument handling in echo.py
* getting pep8-y with it
* Merged conflicts
* Basic auth and refactor
* more pep8
* testing merging
* get \_tenants pagination updates
* Merging keystone code
* Basic Auth support
* 17: query extension works
* Issue 17: Adding tests
* removed \r chararcter from unit directory
* removed windows newline characters from management folder
* removed unwanted files
* Adding First kestone repo
* Add Description File
* sai added by sai
* Foo2
* Foo
* Initial
* Minor changes + call using WSGI instead of bottle
* Restored remoteauth
* Reverted accidental(?) WADL deletion >:-(
* Renamed protocol modules to auth\_[type] Renamed PAPIAuth to RemoteAuth - better documented it and added redirect to auth\_token (to stop using this) Cleaned up ini files and ini file handling (removed hard-coded defaults)
* simple json cleanups for tests
* pep8-ize
* Added protocol stubs (openid and basic auth)
* Renamed delegated to 'delay\_auth\_decision' Remove PAPIAuth Rename folder to Auth\_protocols (that is where we add protocol components)Get\_request -> get\_content Make protocol module more generic (prepare for superclassing and multiple protocol support Refactor Auth\_protocol\_token If no token, bail out quick (clearer) same with if app Break out headers: - here is what is coming in - here is what we add - explain the X in headers: extended header
* Updated Readme, and added TODO
* Added XML/Json tests to the identity and updated the README
* Fixed issue with standalone install
* Updated readme
* Fixed remote proxy issue
* draft remote proxy: needs fixing
* Updated readme and echo\_client
* Adding remote echo ini file
* Fixes to middleware, ini parameters, and support for running echo remotely
* replaced localhost with config
* modifide middleware; echo\_client works
* Fixing and documenting middleware
* Merged pull request #30 from cloudbuilders/master
* Updated management scripts to use SQLAlchemy
* Fixed SQLAlchemy db location to keystone directory
* Added unit tests and updated the README.md on how to run it
* made echo test work
* get\_request is actually init model from request contents
* missed simplejson assumption
* finish removing simplejson
* pythonizing
* update fault to be pythonic
* remove unpythonic properties from atom and tenant
* error decorator and logging unhandled errors
* missed auth\_data
* fix typos
* more pythonic
* we don't need properties yet
* use string formating
* use relative import in init
* fixed paste configs to run without eggs
* Fixed mistake in port for echo service
* Added echo\_client.py
* keystone.db should be in keystone dir
* pep8 / whitespace
* gitignore pyc files
* split out running and installing sections in readme
* allow apps to be run without setup.py
* add command for test database to readme
* echo has a separate setup.py
* httplib2 isn't used
* spacing
* add httplib2 to deps and sort them
* Added pip-requires and updated readme to include missing deps
* explict installs for python libraries
* update readme formating
* update readme to be markdown
* Updated readme
* Doc fixes
* Friendly error message if a user is not associated with a tenant
* Ensure schema complience assertion is on in all tests
* Whoops, details element is optional in faults
* Remove identity (1) stuff and renamed identity2 to identity
* Added wadl and xsd contract links
* Adjust reletive links in schema
* Comment seperators
* Init version links
* Initial version support
* Initial extensions support
* Initial update tenant
* Make sure we don't delete non-empty tenants
* Initial delete tenant
* Initial getTenant
* Minor updates to tests
* Initial implementation of get tenants
* added unit tests in test/unit/test\_keystone.py
* Initial create tenant
* Minor bug when serializing tenant to JSON
* Schema update
* Whoops forgot 409 in JSON as well!
* Whoops missed 409 on create tenant
* setup.py fix
* Minor fixes
* pep-8 cleanup of model
* More pep-8 cleanup
* Minor fixes
* Some pep-8 cleanup
* Initial revoke token
* Initial support for authenticate
* Whoops, bad user data
* Initial working validate token
* Whoops need to convert datetimes to iso format
* Test updates
* tokenId should not be a string!
* Cleaned up validate token call
* Full check admin token with soap ui tests
* Some SQL testing scripts
* Initial check admin token from db
* made identity.py pep8 compliant
* Better error handling
* Initial full response to authenticate token, still having issues with errors
* Stubb for token calls
* Initial prototype of default token based auth protocol
* Initial deserialization of tenant
* Initial deserialization of password credentials
* SQL Alchemy additions: Token
* SQL Alchemy additions
* Whoops pep8
* Output serialization of faults
* XML and JSON rendering on tenant/s
* Translations of auth to XML and JSON
* Sample service.py with sqlalchemy
* Fixed relative path issue
* sqlalchemy draft
* Initial service.py
* Cleaned up setup.py
* Added collections
* Initial atom link type
* Initial fault type
* Initial tenant type
* PEP-8 for echo.py
* Initial auth types
* Readme update
* Fixed identity.py and some styling
* Minor updates
* Keystone WSGI and eventlet
* Corrected how to run echo service
* Replaced paster with eventlet for echo service
* Added create tables in README and modified keystone.db to reflect the new schema
* Merged identity functions second time
* Sync
* Whoops should have never checked this in
* all management files except user add and delete from group
* Management files except for add/delete user from group
* Updated README
* Setup PasteDeploy and configured PAPIAuth
* reorganization of files
* Add SOAPUI projects
* Resolved Conflicts
* Removed Conflicts
* dos2unix
* Deleted IDE files
* Importing from DevTeam
* Import from DevTeam
* updates DevTeam
* Code by Dev Team
* Added Power API Auth Middleware
* removed unused libraries
* Dev Team: validate\_token , create\_user ( created for test purpose) and update\_tenant
* Added to README
* Fixed bug in echo.py
* Whoops forgot auth header
* Instructions for soapUI
* Add WADL links for convenience
* Initial work into paste deploy...commen out for now
* Added echo.wadl
* Fixed for case with missing accept header
* Added content nagotiation
* Use XSL to convert
* Better quote handling
* Add JSON transform
* Whoops samples don't match
* XSD for echo service
* Initial echo service
* Updates to identity.py and README
* Added X-Auth-Token
* Added extensions
* Updated errors for extension requests
* Added getTenant, updateTenant, deleteTenant
* Added get and create tenants
* Initial WADL with token operations
* Added faults
* Remove refrences to usernameConflict and groupConflict
* Added common extensions
* Added api.xsd schema index
* Added XSD 1.1 and atom linking support
* Made the tenant xsd extensible
* Initial tenant xsd
* Made the token schema extensible
* Initial token schema
* Groups should have ids instead of names?
* Added Creating Tenants, JSON only
* Remove mention of service catalog
* Updated samples
* Updated pubdate
* Updates to intro section
* Updated concepts
* Better entities in document
* Removed init section from docs, we'll get to them later
* Added Dependencies section
* Added License & Create/Delete user management CLI
* Initial docs import
* Created DB with users table, simple schema
* first commit
