2025.2 Series Release Notes

28.0.0-10

Security Issues

  • Fixed a potential security issue in which a token belonging to a user from a read-only backend (i.e. LDAP) continued to be accepted after the user was disabled in the backend. Keystone does not receive any notification when that happens, so it is not able to revoke such tokens. See https://bugs.launchpad.net/keystone/+bug/2122615 for details.

28.0.0

New Features

  • Bug 2060972: Added a new configuration option, [security_compliance] report_invalid_password_hash, to enable and configure reporting of hashes of submitted invalid passwords, which could be used to facilitate analysis of failed login attempts (as per PCI DSS requirements). See the corresponding Keystone specification, "Include invalid password details in audit messages".
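
An added example (not Keystone code) of the failed-login analysis that reported hashes make possible: grouping failures by user and by hash separates a client resubmitting one stale password from guessing against one account and from one password tried across many accounts. The `reported_hash` helper, its key, the `(user, hash)` event shape and the thresholds are assumptions for illustration; Keystone's actual hash algorithm and audit field names are not shown on this page.

```python
import hashlib
import hmac
from collections import defaultdict


def reported_hash(password, key=b"constructed-demo-key", chars=8):
    """Hypothetical stand-in for the reported value: keyed, truncated digest."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()[:chars]


def classify_failures(events, guess_threshold=3, spray_threshold=3):
    """Classify failed logins given (user, hash) pairs from audit messages.

    Returns a dict with:
      spraying: hashes submitted for at least spray_threshold distinct users
      guessing: users with at least guess_threshold distinct wrong hashes
      retry:    users resubmitting one identical wrong hash (stale credential)
    """
    by_user = defaultdict(list)
    by_hash = defaultdict(set)
    for user, digest in events:
        by_user[user].append(digest)
        by_hash[digest].add(user)

    spraying = {h for h, users in by_hash.items() if len(users) >= spray_threshold}
    guessing, retry = set(), set()
    for user, digests in by_user.items():
        unique = set(digests)
        if len(unique - spraying) >= guess_threshold:
            guessing.add(user)   # many different wrong passwords on one account
        elif len(digests) > 1 and len(unique) == 1 and not unique & spraying:
            retry.add(user)      # same wrong password over and over
    return {"spraying": spraying, "guessing": guessing, "retry": retry}


# Constructed sample data, not real audit output.
SAMPLE_EVENTS = (
    [("svc-backup", reported_hash("old-secret"))] * 5
    + [("alice", reported_hash(p)) for p in ("Spring1", "Summer1", "Autumn1", "Winter1")]
    + [(u, reported_hash("Welcome1")) for u in ("bob", "carol", "dave")]
)

if __name__ == "__main__":
    for label, members in classify_failures(SAMPLE_EVENTS).items():
        print(label, sorted(members))
```

Without the hash, all three patterns look the same in an audit trail: a count of failed authentications per account.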

Upgrade Notes

  • Support for Python 3.9 has been removed. Now Python 3.10 is the minimum version supported.

  • The WSGI scripts, keystone-wsgi-admin and keystone-wsgi-public, have been removed. Deployment tooling should instead reference the Python module paths for the service, keystone.wsgi.api, if their chosen WSGI server supports this (gunicorn, uWSGI) or implement a .wsgi script themselves if not (mod_wsgi).