Skip to content

chore: release#754

Open
openstack-experimental-release-plz[bot] wants to merge 1 commit into
mainfrom
release-plz-2026-06-05T09-00-15Z
Open

chore: release#754
openstack-experimental-release-plz[bot] wants to merge 1 commit into
mainfrom
release-plz-2026-06-05T09-00-15Z

Conversation

@openstack-experimental-release-plz

@openstack-experimental-release-plz openstack-experimental-release-plz Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

🤖 New release

  • openstack-keystone-config: 0.1.0
  • openstack-keystone-core-types: 0.1.1
  • openstack-keystone-api-types: 0.1.0 -> 0.1.1 (✓ API compatible changes)
  • openstack-keystone-audit: 0.1.0
  • openstack-keystone-auth-plugin-runtime: 0.1.0
  • openstack-keystone-key-repository: 0.1.0
  • openstack-keystone-local-emergency-store: 0.1.0
  • openstack-keystone-storage-api: 0.1.0
  • openstack-keystone-core: 0.1.1 -> 0.1.2 (✓ API compatible changes)
  • openstack-keystone-storage-crypto: 0.1.0
  • openstack-keystone-storage-crypto-pkcs11: 0.1.0
  • openstack-keystone-storage-crypto-tpm: 0.1.0
  • openstack-keystone-distributed-storage: 0.1.0 -> 0.1.1 (✓ API compatible changes)
  • openstack-keystone-api-key-driver-raft: 0.1.0
  • openstack-keystone-appcred-driver-sql: 0.1.0
  • openstack-keystone-assignment-driver-sql: 0.1.0
  • openstack-keystone-catalog-driver-sql: 0.1.0
  • openstack-keystone-credential-driver-sql: 0.1.0
  • openstack-keystone-auth-plugin-identity-driver-raft: 0.1.0
  • openstack-keystone-federation-driver-sql: 0.1.0
  • openstack-keystone-identity-driver-sql: 0.1.0
  • openstack-keystone-idmapping-driver-sql: 0.1.0
  • openstack-keystone-k8s-auth-driver-raft: 0.1.0
  • openstack-keystone-k8s-auth-driver-sql: 0.1.0
  • openstack-keystone-mapping-driver-raft: 0.1.0
  • openstack-keystone-oauth2-client-driver-raft: 0.1.0
  • openstack-keystone-oauth2-key-driver-raft: 0.1.0
  • openstack-keystone-oauth2-session-driver-raft: 0.1.0
  • openstack-keystone-resource-driver-sql: 0.1.0
  • openstack-keystone-revoke-driver-sql: 0.1.0
  • openstack-keystone-role-driver-sql: 0.1.0
  • openstack-keystone-scim-driver-raft: 0.1.0
  • openstack-keystone-token-driver-fernet: 0.1.1
  • openstack-keystone-token-driver-jws: 0.1.0
  • openstack-keystone-token-restriction-driver-sql: 0.1.0
  • openstack-keystone-trust-driver-sql: 0.1.0
  • openstack-keystone-webauthn: 0.1.0
  • openstack-keystone: 0.1.1 -> 0.1.2 (✓ API compatible changes)
  • openstack-keystone-cli-manage: 0.1.0
Changelog

openstack-keystone-config

0.1.0 - 2026-07-16

Added

  • (adr0028) Add local-quorum-bypass emergency rotation (#1032)
  • Add catalog CRUD API and bootstrap support (#1029)
  • (adr0026) Add RFC 8628 Device Authorization Grant (#1023)
  • (adr0026) Add authorization code flow with PKCE (#1015)
  • (adr0026) Add client_credentials token endpoint (#1014)
  • (adr0026) Phase 2 client registration & OIDC discovery (#1013)
  • (adr0026) Phase 0 token abstraction and JWS driver (#1010)
  • (api) capture client IP via proxy headers & SPIFFE (Start capturing client information in the request processing #358 follow-up) (#908)
  • (identity) Add per-user auth rate limiting (#996)
  • (adr0025) Complete imlpementation (#969)
  • (api) Add global IP rate limiting framework (ADR-0022 phase 1) (#846)
  • (scim) Harden RFC 7644 compliance, add docs (#968)
  • (adr0025) Phase 1 (1.1+1.2) (#952)
  • (security) Wrap secrets with secrecy crate (#369) (#912)
  • (scim) ADR 0024 - Phase 5 (#951)
  • (scim) ADR 0024 - Phase 1+2 (#925)
  • (fernet) Unify credential/token key repositories (#915)
  • Start ADR 0025 immplementation (#911)
  • (credential) Implement Phase 3 of ADR 0019 (#909)
  • Prepare PKCS#11/TPM KEK support in storage (#907)
  • (credential) Implement ADR 0019 phases 1-2 (#897)
  • Implement stateless SCIM ingress auth (ADR 0021) (#891)
  • (auth) Password hashing parity with Python Keystone (#859)
  • (audit) Implement CADF audit framework Phase 2 (#872)
  • (storage) SPIFFE checks, RBAC, rate limiting, auto-join (#861)
  • (storage) Harden preflight and erase dev KEK (#860)
  • Add bootstrap cli command (#809)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Add inter-provider event notification system (#784)
  • Add SO_PEERCRED peer credential validation (#775)
  • Validate password for compliance conformity (#774)
  • Enforce minimum range boundaries for security
  • Add role-imply rest api (#750)
  • Add user update functionality (#747)
  • Make drivers more dynamic (#737)
  • Add keystone container with opa and policies (#738)
  • Add Admin interface over the UDS (#735)
  • Add spiffe provider (#733)
  • Introduce SecurityContext (#710)
  • Add skeleton for the spiffe mTLS integration (#695)
  • Implement ConfigManager for config watching (#691)
  • Improve the code (#686)
  • Add k8s-auth raft driver (#676)
  • Add raft support under skaffold (#667)
  • Introduce raft backend for webauthn (#658)
  • Introduce the keystone-manage cli managing raft (#656)

Fixed

  • (passkey) Prevent user enumeration (#905)

Other

  • Moves health and metrics endpoints to dedicated listener on separate port (#910)
  • Move jsonwebtoken to keystone crate (#820)
  • mapping engine phase 3 - migrate SPIFFE (#811)
  • Rename identity_mapping to idmapping (#788)
  • Replace Regex with str::find for db connection (#760)
  • Redesign SecurityContext with two-phase validation (#717)
  • Split out remaining sql drivers (#633)
  • Split config into standalone crate (#628)

openstack-keystone-core-types

0.1.1 - 2026-07-16

Added

  • (test) Add tempest identity compatibility (#998)
  • (adr0028) Add local-quorum-bypass emergency rotation (#1032)
  • Add catalog CRUD API and bootstrap support (#1029)
  • (adr0026) Add RFC 8628 Device Authorization Grant (#1023)
  • (adr0026) Phase 6a (#1017)
  • (adr0026) Add Phase 5 offline token verification (#1016)
  • (adr0026) Add authorization code flow with PKCE (#1015)
  • (adr0026) Add client_credentials token endpoint (#1014)
  • (adr0026) Phase 2 client registration & OIDC discovery (#1013)
  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (adr0026) Phase 0 token abstraction and JWS driver (#1010)
  • (identity) Add per-user auth rate limiting (#996)
  • (adr0025) Complete imlpementation (#969)
  • (api) Add global IP rate limiting framework (ADR-0022 phase 1) (#846)
  • (adr0025) Phase 1 (1.1+1.2) (#952)
  • (security) Wrap secrets with secrecy crate (#369) (#912)
  • (scim) ADR 0024 - Phase 4 (protocol surface completion) (#929)
  • (scim) ADR 0024 - Phase 3 (#928)
  • (scim) ADR 0024 - Phase 1+2 (#925)
  • (credential) Implement Phase 3 of ADR 0019 (#909)
  • (credential) Implement ADR 0019 phases 1-2 (#897)
  • Implement stateless SCIM ingress auth (ADR 0021) (#891)
  • Audit framework (ADR-0023) phase 3 (#880)
  • (audit) Implement CADF audit framework Phase 2 (#872)
  • Migrate federation to new mapping engine (#839)
  • Add access rule CRD to appcred provider (#806)
  • ADR-0020 mapping phase 4 (#818)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Add endpoint CRUD to catalog provider (#785)
  • Add inter-provider event notification system (#784)
  • Add service CRUD to the catalog provider (#773)
  • Validate password for compliance conformity (#774)
  • Return 401 on roleless scoped contexts (#742)
  • Add region CRUD to catalog SQL driver (#761)
  • Add role-imply rest api (#750)
  • Add role imply API (#749)
  • Add user update functionality (#747)
  • Add spiffe binding API (#740)
  • Add Admin interface over the UDS (#735)
  • Add spiffe provider (#733)
  • Expand role info in expand_implied_roles (#730)
  • Introduce SecurityContext (#710)
  • Improve the code (#686)
  • Add k8s-auth raft driver (#676)
  • Introduce the keystone-manage cli managing raft (#656)

Fixed

  • (federation) Allow long external unique_id values (#1033)
  • Unify ApiClient scope validation, fix nextest filter (#947)
  • Finalize ADR 0021 work (#906)
  • Resolve raft replication state races (#884)
  • (k8s_auth) Flatten k8s.aud claim from JWT TokenReview (#834)
  • Align "extra" property handling (#787)

Other

  • Move jsonwebtoken to keystone crate (#820)
  • mapping engine phase 3 - migrate SPIFFE (#811)
  • Rename identity_mapping to idmapping (#788)
  • Make resolve_implied_roles optional (#764)
  • Redesign SecurityContext with two-phase validation (#717)
  • Unify state initialization in test (#642)
  • Small optimization of the derives (#638)
  • Split the core-types crate (#640)

openstack-keystone-api-types

0.1.1 - 2026-07-16

Added

  • (test) Add tempest identity compatibility (#998)
  • (adr0028) Add local-quorum-bypass emergency rotation (#1032)
  • Add catalog CRUD API and bootstrap support (#1029)
  • (adr0026) Extend keystone-manage oauth2 CLI (#1020)
  • (adr0026) Phase 6a (#1017)
  • (adr0026) Add client_credentials token endpoint (#1014)
  • (adr0026) Phase 2 client registration & OIDC discovery (#1013)
  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (identity) Add per-user auth rate limiting (#996)
  • (adr0025) Complete imlpementation (#969)
  • (identity) Implement user password change endpoint (#970)
  • (api) Add global IP rate limiting framework (ADR-0022 phase 1) (#846)
  • (adr0025) Phase 1 (1.1+1.2) (#952)
  • (security) Wrap secrets with secrecy crate (#369) (#912)
  • (scim) ADR 0024 - Phase 5 (#951)
  • (scim) ADR 0024 - Phase 1+2 (#925)
  • (credential) Implement Phase 3 of ADR 0019 (#909)
  • ADR 0021 admin surface, simulate-access, and janitor (#896)
  • Implement stateless SCIM ingress auth (ADR 0021) (#891)
  • Migrate federation to new mapping engine (#839)
  • ADR-0020 mapping phase 4 (#818)
  • (mapping) ADR-0020 phase 2 (#807)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Validate password for compliance conformity (#774)
  • Add system-user-role assignments API (#762)
  • Add role-imply rest api (#750)
  • Add user update functionality (#747)
  • Add api to list user roles on project (#639)
  • Add domain CRUD operations (#743)
  • Add spiffe binding API (#740)
  • Add spiffe provider (#733)
  • Introduce SecurityContext (#710)
  • Add skeleton for the spiffe mTLS integration (#695)
  • Improve the code (#686)

Fixed

  • (federation) Allow long external unique_id values (#1033)
  • Unify ApiClient scope validation, fix nextest filter (#947)
  • Finalize ADR 0021 work (#906)

Other

  • (test) Improve testing of the oauth2 OP (#1024)
  • Move jsonwebtoken to keystone crate (#820)
  • (tests) Reorganize integration_api tests (#815)
  • mapping engine phase 3 - migrate SPIFFE (#811)
  • Rename identity_mapping to idmapping (#788)
  • Further align workspace features (#772)
  • Make resolve_implied_roles optional (#764)
  • Redesign SecurityContext with two-phase validation (#717)
  • Small optimization of the derives (#638)
  • Split the core-types crate (#640)
  • Introduce features in api-types crate (#624)
  • Slim down api-types crate (#622)

openstack-keystone-audit

0.1.0 - 2026-07-16

Added

  • (audit) Complete ADR-0023 audit implementation (#887)
  • Audit framework (ADR-0023) phase 3 (#880)
  • (audit) Implement CADF audit framework Phase 2 (#872)

openstack-keystone-auth-plugin-runtime

0.1.0 - 2026-07-16

Added

  • (adr0025) Complete imlpementation (#969)

openstack-keystone-key-repository

0.1.0 - 2026-07-16

Added

  • (adr0026) Add previous-key and JTI-revocation janitor (#1021)
  • (adr0026) Add Phase 5 offline token verification (#1016)
  • (adr0026) Add client_credentials token endpoint (#1014)
  • (adr0026) Phase 0 token abstraction and JWS driver (#1010)
  • (scim) ADR 0024 - Phase 1+2 (#925)
  • (fernet) Unify credential/token key repositories (#915)

Fixed

  • Support macOS dev builds and fs watcher shutdown (#1009)

openstack-keystone-local-emergency-store

0.1.0 - 2026-07-16

Added

  • (test) Add tempest identity compatibility (#998)
  • (adr0028) Add local-quorum-bypass emergency rotation (#1032)

openstack-keystone-storage-api

0.1.0 - 2026-07-16

Added

  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (storage) Cert validity and SVID TTL enforcement (#886)
  • (storage) SPIFFE checks, RBAC, rate limiting, auto-join (#861)
  • (storage) Complete ADR-0016-v2 (#844)
  • (storage) implement ADR 0016-v2 Phases 1-4 — encrypted storage with quarantine (#840)

Fixed

  • (webauthn) Rotate raft ceremony-state keyspaces (#890)

Other

  • (storage) Decouple core from storage (#832)

openstack-keystone-core

0.1.2 - 2026-07-16

Added

  • (test) Add tempest identity compatibility (#998)
  • (adr0028) Add local-quorum-bypass emergency rotation (#1032)
  • (adr0026) Add RFC 8628 Device Authorization Grant (#1023)
  • (adr0026) Add previous-key and JTI-revocation janitor (#1021)
  • (adr0026) Phase 6a (#1017)
  • (adr0026) Add Phase 5 offline token verification (#1016)
  • (adr0026) Add authorization code flow with PKCE (#1015)
  • (adr0026) Add client_credentials token endpoint (#1014)
  • (adr0026) Phase 2 client registration & OIDC discovery (#1013)
  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (adr0026) Phase 0 token abstraction and JWS driver (#1010)
  • (api) capture client IP via proxy headers & SPIFFE (Start capturing client information in the request processing #358 follow-up) (#908)
  • (identity) Add per-user auth rate limiting (#996)
  • (adr0025) Complete imlpementation (#969)
  • (api) Add global IP rate limiting framework (ADR-0022 phase 1) (#846)
  • (adr0025) Phase 1 (1.1+1.2) (#952)
  • (security) Wrap secrets with secrecy crate (#369) (#912)
  • (scim) ADR 0024 - Phase 5 (#951)
  • (scim) ADR 0024 - Phase 4 (protocol surface completion) (#929)
  • (scim) ADR 0024 - Phase 3 (#928)
  • (scim) ADR 0024 - Phase 1+2 (#925)
  • (credential) Implement Phase 3 of ADR 0019 (#909)
  • (credential) Implement ADR 0019 phases 1-2 (#897)
  • ADR 0021 admin surface, simulate-access, and janitor (#896)
  • Implement stateless SCIM ingress auth (ADR 0021) (#891)
  • (audit) Complete ADR-0023 audit implementation (#887)
  • (storage) Cert validity and SVID TTL enforcement (#886)
  • Audit framework (ADR-0023) phase 3 (#880)
  • (auth) Password hashing parity with Python Keystone (#859)
  • (audit) Implement CADF audit framework Phase 2 (#872)
  • Migrate federation to new mapping engine (#839)
  • Add access rule CRD to appcred provider (#806)
  • ADR-0020 mapping phase 4 (#818)
  • Add bootstrap cli command (#809)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Add endpoint CRUD to catalog provider (#785)
  • Add inter-provider event notification system (#784)
  • Add service CRUD to the catalog provider (#773)
  • Validate password for compliance conformity (#774)
  • Return 401 on roleless scoped contexts (#742)
  • Add region CRUD to catalog SQL driver (#761)
  • Add timing attack protection and failed auth tracking (#758)
  • Add role-imply rest api (#750)
  • Add role imply API (#749)
  • Add user update functionality (#747)
  • Add domain CRUD operations (#743)
  • Add spiffe binding API (#740)
  • Normalize the policy enforcer structure (#741)
  • Make drivers more dynamic (#737)
  • Add Admin interface over the UDS (#735)
  • Add spiffe provider (#733)
  • Expand role info in expand_implied_roles (#730)
  • Introduce SecurityContext (#710)
  • Talk to OPA over unix socket (#701)
  • Add skeleton for the spiffe mTLS integration (#695)
  • Implement ConfigManager for config watching (#691)
  • Improve the code (#686)
  • Add k8s-auth raft driver (#676)
  • Add basic healthcheck endpoint (#671)
  • Make raft storage available through state (#657)

Fixed

  • (adr0026) Bind Token Exchange grant to the issuing domain (#1019)
  • Unify ApiClient scope validation, fix nextest filter (#947)
  • Finalize ADR 0021 work (#906)
  • (ci) Prepare workflows for merge queue (#902)
  • Resolve raft replication state races (#884)
  • (core) Eliminate mapping race condition (#876)
  • (k8s_auth) Flatten k8s.aud claim from JWT TokenReview (#834)
  • (auth) Close admin SVID impersonation gap (#833)

Other

  • (test) Improve testing of the oauth2 OP (#1024)
  • (deps) bump scrypt from 0.11.0 to 0.12.0 (#923)
  • Reorganize dockerfile and deps (#857)
  • (core) Remove spiffe crate dependency (#858)
  • Wrap ServiceState under ExecutionContext (#856)
  • (storage) Decouple core from storage (#832)
  • (core) Eliminate XxxProvider enums (#830)
  • Move jsonwebtoken to keystone crate (#820)
  • mapping engine phase 3 - migrate SPIFFE (#811)
  • (deps) bump hmac from 0.12.1 to 0.13.0 (#801)
  • Rename identity_mapping to idmapping (#788)
  • Consolidate password update flows (#778)
  • Further align workspace features (#772)
  • Make resolve_implied_roles optional (#764)
  • Redesign SecurityContext with two-phase validation (#717)
  • (deps) bump jsonwebtoken from 10.3.0 to 10.4.0 (#707)
  • Introduce dynamic plugins (#643)
  • Small optimization of the derives (#638)
  • Split the core-types crate (#640)
  • Split out remaining sql drivers (#633)
  • Split more drivers to separate crates (#632)
  • Drop unnecessary derives to help compilation (#631)
  • Drop unnecessary tracing directives (#627)
  • Split config into standalone crate (#628)
  • Rework http client pool (#629)
  • Make assignment sql driver a standalone crate (#626)
  • Move assignment parameters resolution to driver (#625)
  • Introduce features in api-types crate (#624)
  • Slim down api-types crate (#622)
  • Split out webauthn into crate (#621)
  • Split out token-fernet driver (#620)
  • Prepare slit out of the FernetTokenProvider (#619)
  • Move benchmark into the proper crate (#614)

openstack-keystone-storage-crypto

0.1.0 - 2026-07-16

Added

  • (scim) ADR 0024 - Phase 3 (#928)
  • (storage) Add PKCS#11 KEK provider crate (#917)
  • (storage) Cert validity and SVID TTL enforcement (#886)
  • (audit) Implement CADF audit framework Phase 2 (#872)
  • (storage) SPIFFE checks, RBAC, rate limiting, auto-join (#861)
  • (storage) Harden preflight and erase dev KEK (#860)
  • (storage) Complete ADR-0016-v2 (#844)
  • (storage) implement ADR 0016-v2 Phases 1-4 — encrypted storage with quarantine (#840)

Other

  • (deps) Batch update dependencies (#875)

openstack-keystone-storage-crypto-pkcs11

0.1.0 - 2026-07-16

Added

  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (storage) Add PKCS#11 KEK provider crate (#917)

openstack-keystone-storage-crypto-tpm

0.1.0 - 2026-07-16

Added

  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (storage) Add PKCS#11 KEK provider crate (#917)

openstack-keystone-distributed-storage

0.1.1 - 2026-07-16

Added

  • (test) Add tempest identity compatibility (#998)
  • (adr0028) Add local-quorum-bypass emergency rotation (#1032)
  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (storage) Add PKCS#11 KEK provider crate (#917)
  • Prepare PKCS#11/TPM KEK support in storage (#907)
  • Implement background DEK re-encryption pipeline (#898)
  • ADR 0021 admin surface, simulate-access, and janitor (#896)
  • (storage) Cert validity and SVID TTL enforcement (#886)
  • (storage) SPIFFE checks, RBAC, rate limiting, auto-join (#861)
  • (storage) Harden preflight and erase dev KEK (#860)
  • (storage) Add SPIFFE mTLS support to Raft gRPC (#852)
  • (cli) Add cli storage subcommands per ADR 0016-v2 (#850)
  • (storage) Complete ADR-0016-v2 (#844)
  • (storage) implement ADR 0016-v2 Phases 1-4 — encrypted storage with quarantine (#840)
  • (mapping) ADR-0020 phase 2 (#807)
  • (adr) Add updated revision of the DS ADR (#795)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Add skeleton for the spiffe mTLS integration (#695)
  • Implement ConfigManager for config watching (#691)
  • Improve the code (#686)
  • Add k8s-auth raft driver (#676)
  • Add SetIndex/RemoveIndex storage commands (#675)
  • Add basic healthcheck endpoint (#671)
  • Add metadata for raft data (#670)
  • Add transaction support for Raft storage (#669)
  • Add initial benchmarks for the storage (#668)
  • Add raft support under skaffold (#667)
  • Introduce raft backend for webauthn (#658)
  • Prepare raft storage promotion (#659)
  • Make raft storage available through state (#657)
  • Introduce the keystone-manage cli managing raft (#656)

Fixed

  • Support macOS dev builds and fs watcher shutdown (#1009)
  • Finalize ADR 0021 work (#906)
  • (ci) Prepare workflows for merge queue (#902)
  • Further polish storage crate (#892)
  • (webauthn) Rotate raft ceremony-state keyspaces (#890)
  • Resolve raft replication state races (#884)

Other

  • Silence some clippy warnings (#1030)
  • (deps) Batch update dependencies (#875)
  • (core) Remove spiffe crate dependency (#858)
  • Add SpiFFE Raft integration test by skaffold (#854)
  • Wrap ServiceState under ExecutionContext (#856)
  • (storage) Decouple core from storage (#832)
  • Update raft drivers mocking (#791)
  • Add mock raft storage for unittest (#790)
  • Make core crates a workspace dependency (#736)
  • Redesign SecurityContext with two-phase validation (#717)
  • (deps) Bump openraft to alpha17 (#641)

openstack-keystone-api-key-driver-raft

0.1.0 - 2026-07-16

Added

  • ADR 0021 admin surface, simulate-access, and janitor (#896)
  • Implement stateless SCIM ingress auth (ADR 0021) (#891)

openstack-keystone-appcred-driver-sql

0.1.0 - 2026-07-16

Added

  • (security) Wrap secrets with secrecy crate (#369) (#912)
  • Add access rule CRD to appcred provider (#806)
  • Make drivers more dynamic (#737)

Other

  • (core) Eliminate XxxProvider enums (#830)
  • Move jsonwebtoken to keystone crate (#820)
  • Further align workspace features (#772)

openstack-keystone-assignment-driver-sql

0.1.0 - 2026-07-16

Added

  • (audit) Implement CADF audit framework Phase 2 (#872)
  • Add role-imply rest api (#750)
  • Make drivers more dynamic (#737)

Fixed

  • Respect group_id param in assignment list (#953)
  • (ci) Prepare workflows for merge queue (#902)

Other

  • Wrap ServiceState under ExecutionContext (#856)
  • (storage) Decouple core from storage (#832)
  • Move jsonwebtoken to keystone crate (#820)
  • Further align workspace features (#772)
  • Make resolve_implied_roles optional (#764)

openstack-keystone-catalog-driver-sql

0.1.0 - 2026-07-16

Added

  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Add endpoint CRUD to catalog provider (#785)
  • Add inter-provider event notification system (#784)
  • Add service CRUD to the catalog provider (#773)
  • Add region CRUD to catalog SQL driver (#761)
  • Make drivers more dynamic (#737)

Fixed

  • Align "extra" property handling (#787)

Other

  • Move jsonwebtoken to keystone crate (#820)
  • Further align workspace features (#772)

openstack-keystone-credential-driver-sql

0.1.0 - 2026-07-16

Added

  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (adr0026) Phase 0 token abstraction and JWS driver (#1010)
  • (fernet) Unify credential/token key repositories (#915)
  • (credential) Enforce Null Key check at startup (#913)
  • (credential) Implement Phase 3 of ADR 0019 (#909)
  • (credential) Implement ADR 0019 phases 1-2 (#897)

openstack-keystone-auth-plugin-identity-driver-raft

0.1.0 - 2026-07-16

Added

  • (adr0025) Complete imlpementation (#969)

openstack-keystone-federation-driver-sql

0.1.0 - 2026-07-16

Added

  • (security) Wrap secrets with secrecy crate (#369) (#912)
  • (scim) ADR 0024 - Phase 5 (#951)
  • Migrate federation to new mapping engine (#839)
  • Make drivers more dynamic (#737)

Other

  • Move jsonwebtoken to keystone crate (#820)
  • Further align workspace features (#772)

openstack-keystone-identity-driver-sql

0.1.0 - 2026-07-16

Added

  • (identity) Add per-user auth rate limiting (#996)
  • (identity) Implement user password change endpoint (#970)
  • (security) Wrap secrets with secrecy crate (#369) (#912)
  • (scim) ADR 0024 - Phase 5 (#951)
  • (scim) ADR 0024 - Phase 3 (#928)
  • (scim) ADR 0024 - Phase 1+2 (#925)
  • (auth) Password hashing parity with Python Keystone (#859)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Add inter-provider event notification system (#784)
  • Add timing attack protection and failed auth tracking (#758)
  • Add role-imply rest api (#750)
  • Add user update functionality (#747)
  • Make drivers more dynamic (#737)

Fixed

  • (federation) Allow long external unique_id values (#1033)
  • (identity) Support federated existence checks (#1012)
  • Validate password complexity before storing password (#845)
  • Align "extra" property handling (#787)

Other

  • Silence some clippy warnings (#1030)
  • Move jsonwebtoken to keystone crate (#820)
  • Consolidate password update flows (#778)
  • Further align workspace features (#772)

openstack-keystone-idmapping-driver-sql

0.1.0 - 2026-07-16

Added

  • Make drivers more dynamic (#737)

Fixed

  • (ci) Prepare workflows for merge queue (#902)

Other

  • Move jsonwebtoken to keystone crate (#820)
  • Rename identity_mapping to idmapping (#788)

openstack-keystone-k8s-auth-driver-raft

0.1.0 - 2026-07-16

Added

  • ADR-0020 mapping phase 4 (#818)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)
  • Add user update functionality (#747)
  • Make drivers more dynamic (#737)

Other

  • (storage) Decouple core from storage (#832)
  • Update raft drivers mocking (#791)
  • Add mock raft storage for unittest (#790)

openstack-keystone-k8s-auth-driver-sql

0.1.0 - 2026-07-16

Added

  • ADR-0020 mapping phase 4 (#818)
  • Make drivers more dynamic (#737)

Other

  • Wrap ServiceState under ExecutionContext (#856)
  • Move jsonwebtoken to keystone crate (#820)

openstack-keystone-mapping-driver-raft

0.1.0 - 2026-07-16

Added

  • (mapping) ADR-0020 phase 2 (#807)
  • (mapping) ADR-0020 (mapping engine) phase 1 (#794)

Other

  • (storage) Decouple core from storage (#832)

openstack-keystone-oauth2-client-driver-raft

0.1.0 - 2026-07-16

Added

  • (adr0026) Phase 2 client registration & OIDC discovery (#1013)

openstack-keystone-oauth2-key-driver-raft

0.1.0 - 2026-07-16

Added

  • (adr0028) Add local-quorum-bypass emergency rotation (#1032)
  • (adr0026) Add previous-key and JTI-revocation janitor (#1021)
  • (adr0026) Phase 6a (#1017)
  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)

openstack-keystone-oauth2-session-driver-raft

0.1.0 - 2026-07-16

Added

  • (adr0026) Add RFC 8628 Device Authorization Grant (#1023)
  • (adr0026) Add authorization code flow with PKCE (#1015)

openstack-keystone-resource-driver-sql

0.1.0 - 2026-07-16

Added

  • (test) Add tempest identity compatibility (#998)
  • Add bootstrap cli command (#809)
  • Make drivers more dynamic (#737)

Fixed

  • (ci) Prepare workflows for merge queue (#902)

Other

  • Wrap ServiceState under ExecutionContext (#856)
  • Move jsonwebtoken to keystone crate (#820)

openstack-keystone-revoke-driver-sql

0.1.0 - 2026-07-16

Added

  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • Make drivers more dynamic (#737)

Fixed

  • Finalize ADR 0021 work (#906)

Other

  • Move jsonwebtoken to keystone crate (#820)

openstack-keystone-role-driver-sql

0.1.0 - 2026-07-16

Added

  • Add role-imply rest api (#750)
  • Add role imply API (#749)
  • Make drivers more dynamic (#737)

Other

  • Move jsonwebtoken to keystone crate (#820)

openstack-keystone-scim-driver-raft

0.1.0 - 2026-07-16

Added

  • (scim) ADR 0024 - Phase 5 (#951)
  • (scim) ADR 0024 - Phase 4 (protocol surface completion) (#929)
  • (scim) ADR 0024 - Phase 1+2 (#925)

openstack-keystone-token-driver-fernet

0.1.1 - 2026-07-16

Added

  • (adr0026) Phase 0 token abstraction and JWS driver (#1010)
  • (fernet) Unify credential/token key repositories (#915)
  • Add user update functionality (#747)
  • Make drivers more dynamic (#737)

Fixed

  • Support macOS dev builds and fs watcher shutdown (#1009)
  • Fix msgpack decode and auth-method encoding bugs (#895)

openstack-keystone-token-driver-jws

0.1.0 - 2026-07-16

Added

  • (adr0026) Add Phase 5 offline token verification (#1016)
  • (adr0026) Add client_credentials token endpoint (#1014)
  • (adr0026) Phase 1 crypto engine & JWKS endpoint (#1011)
  • (adr0026) Phase 0 token abstraction and JWS driver (#1010)

openstack-keystone-token-restriction-driver-sql

0.1.0 - 2026-07-16

Added

  • Make drivers more dynamic (#737)

Other

  • Move jsonwebtoken to keystone crate (#820)

openstack-keystone-trust-driver-sql

0.1.0 - 2026-07-16

Added

  • Make drivers more dynamic (#737)

Other

  • Move jsonwebtoken to keystone crate (#820)

openstack-keystone-webauthn

0.1.0 - 2026-07-16

Added

  • (test) Add tempest identity compatibility (#998)
  • Prepare PKCS#11/TPM KEK support in storage (#907)
  • (audit) Implement CADF audit framework Phase 2 (#872)
  • (storage) SPIFFE checks, RBAC, rate limiting, auto-join (#861)
  • (storage) Harden preflight and erase dev KEK (#860)
  • Security improvements in the webauthn crate (#838)
  • Add inter-provider event notification system (#784)
  • Make drivers more dynamic (#737)
  • Introduce SecurityContext (#710)
  • Add skeleton for the spiffe mTLS integration (#695)
  • Implement ConfigManager for config watching (#691)
  • Improve the code (#686)
  • Add k8s-auth raft driver (#676)
  • Add metadata for raft data (#670)
  • Add raft support under skaffold (#667)
  • Introduce raft backend for webauthn (#658)

Fixed

  • (passkey) Prevent user enumeration (#905)
  • (ci) Prepare workflows for merge queue (#902)
  • (webauthn) Rotate raft ceremony-state keyspaces (#890)

Other

  • (deps) Batch update dependencies (#875)
  • Wrap ServiceState under ExecutionContext (#856)
  • (storage) Decouple core from storage (#832)

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown

🦢 Load Test Results

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 26-07-16 20:56:27 26-07-16 20:56:44 00:00:17 0 → 30
Maintaining 26-07-16 20:56:44 26-07-16 20:57:14 00:00:30 30
Decreasing 26-07-16 20:57:14 26-07-16 20:57:37 00:00:23 0 ← 30

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
DELETE DELETE /v3/auth/tokens 461 0 95.20 10 195 15.37 0.00
DELETE DELETE /v3/projects/:id (teardown) 2 0 31.50 28 35 0.07 0.00
DELETE DELETE /v3/users/:id (teardown) 3 0 44.00 25 55 0.10 0.00
GET 5236 0 89.71 63 173 174.53 0.00
GET GET /v3/auth/tokens (validate new) 457 1 226.42 43 60001 15.23 0.03
GET GET /v3/projects/:id 820 0 73.10 61 101 27.33 0.00
GET GET /v3/projects/:id (catalog) 812 0 73.29 63 98 27.07 0.00
GET GET /v3/users/:id 1143 0 78.63 67 108 38.10 0.00
GET GET /v3/users/:id (catalog) 895 0 78.27 67 107 29.83 0.00
POST POST /v3/auth/tokens 456 0 71.99 64 98 15.20 0.00
Aggregated 10285 1 90.37 10 60001 342.83 0.03

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
DELETE DELETE /v3/auth/tokens 95 96 97 99 100 100 110 195
DELETE DELETE /v3/projects/:id (teardown) 28 28 28 35 35 35 35 35
DELETE DELETE /v3/users/:id (teardown) 52 52 52 52 55 55 55 55
GET 83 87 90 95 140 140 150 170
GET GET /v3/auth/tokens (validate new) 95 96 97 99 100 110 120 60,000
GET GET /v3/projects/:id 73 74 75 76 78 80 89 100
GET GET /v3/projects/:id (catalog) 73 74 75 76 78 80 88 98
GET GET /v3/users/:id 78 79 80 82 84 86 94 108
GET GET /v3/users/:id (catalog) 78 79 80 81 83 86 97 107
POST POST /v3/auth/tokens 72 72 73 75 77 79 89 98
Aggregated 78 81 87 92 100 140 150 60,000

Status Code Metrics

Method Name Status Codes
DELETE DELETE /v3/auth/tokens 461 [204]
DELETE DELETE /v3/projects/:id (teardown) 2 [204]
DELETE DELETE /v3/users/:id (teardown) 3 [204]
GET 5,236 [200]
GET GET /v3/auth/tokens (validate new) 456 [200], 1 [0]
GET GET /v3/projects/:id 820 [200]
GET GET /v3/projects/:id (catalog) 812 [200]
GET GET /v3/users/:id 1,143 [200]
GET GET /v3/users/:id (catalog) 895 [200]
POST POST /v3/auth/tokens 456 [201]
Aggregated 466 [204], 9,362 [200], 456 [201], 1 [0]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
ReadHeavy
0.0 1 0 17.00 17 17 0.03 0.00
0.1 888 0 89.45 77 121 29.60 0.00
0.2 888 0 73.72 64 100 29.60 0.00
0.3 886 0 72.88 64 103 29.53 0.00
TokenLifecycle
1.0 0 0 0.00 0 0 0.00 0.00
1.1 461 0 393.54 127 60054 15.37 0.00
ValidateToken
2.0 0 0 0.00 0 0 0.00 0.00
2.1 865 0 139.17 116 173 28.83 0.00
UserCRUD
3.0 0 0 0.00 0 0 0.00 0.00
3.1 0 0 0.00 0 0 0.00 0.00
3.2 1143 0 78.67 67 108 38.10 0.00
3.3 3 0 44.00 25 55 0.10 0.00
ProjectCRUD
4.0 0 0 0.00 0 0 0.00 0.00
4.1 0 0 0.00 0 0 0.00 0.00
4.2 820 0 73.14 61 101 27.33 0.00
4.3 2 0 31.50 28 35 0.07 0.00
UserRead
5.0 0 0 0.00 0 0 0.00 0.00
5.1 898 0 88.90 76 120 29.93 0.00
5.2 895 0 78.32 67 107 29.83 0.00
ProjectRead
6.0 0 0 0.00 0 0 0.00 0.00
6.1 811 0 74.31 63 98 27.03 0.00
6.2 812 0 73.34 63 98 27.07 0.00
Aggregated 9373 0 99.17 17 60054 312.43 0.00

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
ReadHeavy 7 884 237.06 223 281 29.47 126.29
TokenLifecycle 4 456 264.60 246 364 15.20 114.00
ValidateToken 4 861 139.22 123 173 28.70 215.25
UserCRUD 3 1140 78.68 67 108 38.00 380.00
ProjectCRUD 2 818 73.15 61 101 27.27 409.00
UserRead 5 893 167.74 154 203 29.77 178.60
ProjectRead 4 809 148.14 135 185 26.97 202.25
Aggregated 29 5861 148.31 61 364 195.37 1625.39

Error Metrics

Method Name # Error
GET GET /v3/auth/tokens (validate new) 1 error sending request GET /v3/auth/tokens (validate new): operation timed out

View full report

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown

🐰 Bencher Report

Branchrelease-plz-2026-06-05T09-00-15Z
Testbedubuntu-latest
Click to view all benchmark results
BenchmarkLatencyBenchmark Result
nanoseconds (ns)
(Result Δ%)
Upper Boundary
nanoseconds (ns)
(Limit %)
Command_Serde/apply/remove📈 view plot
🚷 view threshold
138,480.00 ns
(-33.91%)Baseline: 209,531.31 ns
679,836.32 ns
(20.37%)
Command_Serde/apply/set📈 view plot
🚷 view threshold
151,110.00 ns
(-44.04%)Baseline: 270,046.16 ns
1,264,748.02 ns
(11.95%)
Command_Serde/pack/delete📈 view plot
🚷 view threshold
128.39 ns
(+5.86%)Baseline: 121.28 ns
147.92 ns
(86.80%)
Command_Serde/pack/delete_index📈 view plot
🚷 view threshold
109.80 ns
(+1.32%)Baseline: 108.37 ns
131.78 ns
(83.32%)
Command_Serde/pack/set📈 view plot
🚷 view threshold
189.57 ns
(-3.74%)Baseline: 196.93 ns
243.92 ns
(77.72%)
Command_Serde/pack/set_index📈 view plot
🚷 view threshold
109.42 ns
(+1.07%)Baseline: 108.26 ns
131.35 ns
(83.31%)
Command_Serde/unpack/delete📈 view plot
🚷 view threshold
194.98 ns
(+1.97%)Baseline: 191.21 ns
241.88 ns
(80.61%)
Command_Serde/unpack/delete_index📈 view plot
🚷 view threshold
160.55 ns
(+0.31%)Baseline: 160.05 ns
202.45 ns
(79.30%)
Command_Serde/unpack/set📈 view plot
🚷 view threshold
276.63 ns
(+2.81%)Baseline: 269.07 ns
334.42 ns
(82.72%)
Command_Serde/unpack/set_index📈 view plot
🚷 view threshold
156.07 ns
(-1.19%)Baseline: 157.95 ns
198.48 ns
(78.63%)
Payload_encryption/pack/remove_cmd📈 view plot
🚷 view threshold
121.11 ns
(+5.05%)Baseline: 115.29 ns
143.55 ns
(84.37%)
Payload_encryption/pack/set_cmd📈 view plot
🚷 view threshold
231.69 ns
(+15.10%)Baseline: 201.29 ns
258.51 ns
(89.62%)
Payload_encryption/unpack/remove_cmd📈 view plot
🚷 view threshold
211.24 ns
(+3.71%)Baseline: 203.68 ns
259.91 ns
(81.27%)
Payload_encryption/unpack/set_cmd📈 view plot
🚷 view threshold
299.37 ns
(+5.83%)Baseline: 282.87 ns
357.67 ns
(83.70%)
Raft_1Node_Latency/prefix/1node📈 view plot
🚷 view threshold
2,528,600.00 ns
(-6.69%)Baseline: 2,709,845.16 ns
6,089,030.19 ns
(41.53%)
Raft_1Node_Latency/read/1node📈 view plot
🚷 view threshold
44,527.00 ns
(+12.95%)Baseline: 39,421.53 ns
53,970.86 ns
(82.50%)
Raft_1Node_Latency/remove/1node📈 view plot
🚷 view threshold
375,340.00 ns
(-39.35%)Baseline: 618,837.97 ns
2,475,289.70 ns
(15.16%)
Raft_1Node_Latency/write/1node📈 view plot
🚷 view threshold
409,660.00 ns
(-36.53%)Baseline: 645,405.78 ns
2,960,082.78 ns
(13.84%)
build_snapshot/default📈 view plot
🚷 view threshold
119,680.00 ns
(+3.58%)Baseline: 115,541.28 ns
159,005.82 ns
(75.27%)
fernet token/project📈 view plot
🚷 view threshold
1,466.40 ns
(+3.52%)Baseline: 1,416.47 ns
1,689.58 ns
(86.79%)
get_data_keyspace📈 view plot
🚷 view threshold
0.31 ns
(-0.95%)Baseline: 0.32 ns
0.37 ns
(83.95%)
get_db📈 view plot
🚷 view threshold
0.31 ns
(-1.47%)Baseline: 0.32 ns
0.37 ns
(83.46%)
get_fernet_token_timestamp/project📈 view plot
🚷 view threshold
152.42 ns
(+7.37%)Baseline: 141.96 ns
177.22 ns
(86.01%)
get_keyspace📈 view plot
🚷 view threshold
4.30 ns
(-11.78%)Baseline: 4.87 ns
9.87 ns
(43.54%)
🐰 View full continuous benchmarking report in Bencher

@openstack-experimental-release-plz
openstack-experimental-release-plz Bot force-pushed the release-plz-2026-06-05T09-00-15Z branch 22 times, most recently from d04a4df to 7fe2614 Compare June 12, 2026 09:11
@openstack-experimental-release-plz
openstack-experimental-release-plz Bot force-pushed the release-plz-2026-06-05T09-00-15Z branch 6 times, most recently from 3966098 to 805ed8e Compare June 15, 2026 10:08
@openstack-experimental-release-plz
openstack-experimental-release-plz Bot force-pushed the release-plz-2026-06-05T09-00-15Z branch 28 times, most recently from fd83531 to fd0af7c Compare June 26, 2026 17:15
@openstack-experimental-release-plz
openstack-experimental-release-plz Bot force-pushed the release-plz-2026-06-05T09-00-15Z branch from fd0af7c to 53568cd Compare June 26, 2026 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants