chore: release

[openstack-experimental-release-plz]

🤖 New release

• openstack-keystone-config: 0.1.0
• openstack-keystone-core-types: 0.1.1
• openstack-keystone-api-types: 0.1.0 -> 0.1.1 (✓ API compatible changes)
• openstack-keystone-distributed-storage: 0.1.0 -> 0.1.1 (✓ API compatible changes)
• openstack-keystone-core: 0.1.1 -> 0.1.2 (✓ API compatible changes)
• openstack-keystone-appcred-driver-sql: 0.1.0
• openstack-keystone-assignment-driver-sql: 0.1.0
• openstack-keystone-catalog-driver-sql: 0.1.0
• openstack-keystone-federation-driver-sql: 0.1.0
• openstack-keystone-identity-driver-sql: 0.1.0
• openstack-keystone-idmapping-driver-sql: 0.1.0
• openstack-keystone-k8s-auth-driver-raft: 0.1.0
• openstack-keystone-k8s-auth-driver-sql: 0.1.0
• openstack-keystone-mapping-driver-raft: 0.1.0
• openstack-keystone-resource-driver-sql: 0.1.0
• openstack-keystone-revoke-driver-sql: 0.1.0
• openstack-keystone-role-driver-sql: 0.1.0
• openstack-keystone-token-driver-fernet: 0.1.1
• openstack-keystone-token-restriction-driver-sql: 0.1.0
• openstack-keystone-trust-driver-sql: 0.1.0
• openstack-keystone-webauthn: 0.1.0
• openstack-keystone: 0.1.1 -> 0.1.2 (✓ API compatible changes)
• openstack-keystone-cli-manage: 0.1.0

Changelog

openstack-keystone-config

0.1.0 - 2026-06-19

Added

• Add bootstrap cli command (#809)
• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add inter-provider event notification system (#784)
• Add SO_PEERCRED peer credential validation (#775)
• Validate password for compliance conformity (#774)
• Enforce minimum range boundaries for security
• Add role-imply rest api (#750)
• Add user update functionality (#747)
• Make drivers more dynamic (#737)
• Add keystone container with opa and policies (#738)
• Add Admin interface over the UDS (#735)
• Add spiffe provider (#733)
• Introduce SecurityContext (#710)
• Add skeleton for the spiffe mTLS integration (#695)
• Implement ConfigManager for config watching (#691)
• Improve the code (#686)
• Add k8s-auth raft driver (#676)
• Add raft support under skaffold (#667)
• Introduce raft backend for webauthn (#658)
• Introduce the keystone-manage cli managing raft (#656)

Other

• mapping engine phase 3 - migrate SPIFFE (#811)
• Rename identity_mapping to idmapping (#788)
• Replace Regex with str::find for db connection (#760)
• Redesign SecurityContext with two-phase validation (#717)
• Split out remaining sql drivers (#633)
• Split config into standalone crate (#628)

openstack-keystone-core-types

0.1.1 - 2026-06-19

Added

• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add endpoint CRUD to catalog provider (#785)
• Add inter-provider event notification system (#784)
• Add service CRUD to the catalog provider (#773)
• Validate password for compliance conformity (#774)
• Return 401 on roleless scoped contexts (#742)
• Add region CRUD to catalog SQL driver (#761)
• Add role-imply rest api (#750)
• Add role imply API (#749)
• Add user update functionality (#747)
• Add spiffe binding API (#740)
• Add Admin interface over the UDS (#735)
• Add spiffe provider (#733)
• Expand role info in expand_implied_roles (#730)
• Introduce SecurityContext (#710)
• Improve the code (#686)
• Add k8s-auth raft driver (#676)
• Introduce the keystone-manage cli managing raft (#656)

Fixed

• Align "extra" property handling (#787)

Other

• mapping engine phase 3 - migrate SPIFFE (#811)
• Rename identity_mapping to idmapping (#788)
• Make resolve_implied_roles optional (#764)
• Redesign SecurityContext with two-phase validation (#717)
• Unify state initialization in test (#642)
• Small optimization of the derives (#638)
• Split the core-types crate (#640)

openstack-keystone-api-types

0.1.1 - 2026-06-19

Added

• (mapping) ADR-0020 phase 2 (#807)
• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Validate password for compliance conformity (#774)
• Add system-user-role assignments API (#762)
• Add role-imply rest api (#750)
• Add user update functionality (#747)
• Add api to list user roles on project (#639)
• Add domain CRUD operations (#743)
• Add spiffe binding API (#740)
• Add spiffe provider (#733)
• Introduce SecurityContext (#710)
• Add skeleton for the spiffe mTLS integration (#695)
• Improve the code (#686)

Other

• (tests) Reorganize integration_api tests (#815)
• mapping engine phase 3 - migrate SPIFFE (#811)
• Rename identity_mapping to idmapping (#788)
• Further align workspace features (#772)
• Make resolve_implied_roles optional (#764)
• Redesign SecurityContext with two-phase validation (#717)
• Small optimization of the derives (#638)
• Split the core-types crate (#640)
• Introduce features in api-types crate (#624)
• Slim down api-types crate (#622)

openstack-keystone-distributed-storage

0.1.1 - 2026-06-19

Added

• (mapping) ADR-0020 phase 2 (#807)
• (adr) Add updated revision of the DS ADR (#795)
• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add skeleton for the spiffe mTLS integration (#695)
• Implement ConfigManager for config watching (#691)
• Improve the code (#686)
• Add k8s-auth raft driver (#676)
• Add SetIndex/RemoveIndex storage commands (#675)
• Add basic healthcheck endpoint (#671)
• Add metadata for raft data (#670)
• Add transaction support for Raft storage (#669)
• Add initial benchmarks for the storage (#668)
• Add raft support under skaffold (#667)
• Introduce raft backend for webauthn (#658)
• Prepare raft storage promotion (#659)
• Make raft storage available through state (#657)
• Introduce the keystone-manage cli managing raft (#656)

Other

• Update raft drivers mocking (#791)
• Add mock raft storage for unittest (#790)
• Make core crates a workspace dependency (#736)
• Redesign SecurityContext with two-phase validation (#717)
• (deps) Bump openraft to alpha17 (#641)

openstack-keystone-core

0.1.2 - 2026-06-19

Added

• Add bootstrap cli command (#809)
• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add endpoint CRUD to catalog provider (#785)
• Add inter-provider event notification system (#784)
• Add service CRUD to the catalog provider (#773)
• Validate password for compliance conformity (#774)
• Return 401 on roleless scoped contexts (#742)
• Add region CRUD to catalog SQL driver (#761)
• Add timing attack protection and failed auth tracking (#758)
• Add role-imply rest api (#750)
• Add role imply API (#749)
• Add user update functionality (#747)
• Add domain CRUD operations (#743)
• Add spiffe binding API (#740)
• Normalize the policy enforcer structure (#741)
• Make drivers more dynamic (#737)
• Add Admin interface over the UDS (#735)
• Add spiffe provider (#733)
• Expand role info in expand_implied_roles (#730)
• Introduce SecurityContext (#710)
• Talk to OPA over unix socket (#701)
• Add skeleton for the spiffe mTLS integration (#695)
• Implement ConfigManager for config watching (#691)
• Improve the code (#686)
• Add k8s-auth raft driver (#676)
• Add basic healthcheck endpoint (#671)
• Make raft storage available through state (#657)

Other

• mapping engine phase 3 - migrate SPIFFE (#811)
• (deps) bump hmac from 0.12.1 to 0.13.0 (#801)
• Rename identity_mapping to idmapping (#788)
• Consolidate password update flows (#778)
• Further align workspace features (#772)
• Make resolve_implied_roles optional (#764)
• Redesign SecurityContext with two-phase validation (#717)
• (deps) bump jsonwebtoken from 10.3.0 to 10.4.0 (#707)
• Introduce dynamic plugins (#643)
• Small optimization of the derives (#638)
• Split the core-types crate (#640)
• Split out remaining sql drivers (#633)
• Split more drivers to separate crates (#632)
• Drop unnecessary derives to help compilation (#631)
• Drop unnecessary tracing directives (#627)
• Split config into standalone crate (#628)
• Rework http client pool (#629)
• Make assignment sql driver a standalone crate (#626)
• Move assignment parameters resolution to driver (#625)
• Introduce features in api-types crate (#624)
• Slim down api-types crate (#622)
• Split out webauthn into crate (#621)
• Split out token-fernet driver (#620)
• Prepare slit out of the FernetTokenProvider (#619)
• Move benchmark into the proper crate (#614)

openstack-keystone-appcred-driver-sql

0.1.0 - 2026-06-19

Added

• Make drivers more dynamic (#737)

Other

• Further align workspace features (#772)

openstack-keystone-assignment-driver-sql

0.1.0 - 2026-06-19

Added

• Add role-imply rest api (#750)
• Make drivers more dynamic (#737)

Other

• Further align workspace features (#772)
• Make resolve_implied_roles optional (#764)

openstack-keystone-catalog-driver-sql

0.1.0 - 2026-06-19

Added

• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add endpoint CRUD to catalog provider (#785)
• Add inter-provider event notification system (#784)
• Add service CRUD to the catalog provider (#773)
• Add region CRUD to catalog SQL driver (#761)
• Make drivers more dynamic (#737)

Fixed

• Align "extra" property handling (#787)

Other

• Further align workspace features (#772)

openstack-keystone-federation-driver-sql

0.1.0 - 2026-06-19

Added

• Make drivers more dynamic (#737)

Other

• Further align workspace features (#772)

openstack-keystone-identity-driver-sql

0.1.0 - 2026-06-19

Added

• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add inter-provider event notification system (#784)
• Add timing attack protection and failed auth tracking (#758)
• Add role-imply rest api (#750)
• Add user update functionality (#747)
• Make drivers more dynamic (#737)

Fixed

• Align "extra" property handling (#787)

Other

• Consolidate password update flows (#778)
• Further align workspace features (#772)

openstack-keystone-idmapping-driver-sql

0.1.0 - 2026-06-19

Added

• Make drivers more dynamic (#737)

Other

• Rename identity_mapping to idmapping (#788)

openstack-keystone-k8s-auth-driver-raft

0.1.0 - 2026-06-19

Added

• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add user update functionality (#747)
• Make drivers more dynamic (#737)

Other

• Update raft drivers mocking (#791)
• Add mock raft storage for unittest (#790)

openstack-keystone-k8s-auth-driver-sql

0.1.0 - 2026-06-19

Added

• Make drivers more dynamic (#737)

openstack-keystone-mapping-driver-raft

0.1.0 - 2026-06-19

Added

• (mapping) ADR-0020 phase 2 (#807)
• (mapping) ADR-0020 (mapping engine) phase 1 (#794)

openstack-keystone-resource-driver-sql

0.1.0 - 2026-06-19

Added

• Add bootstrap cli command (#809)
• Make drivers more dynamic (#737)

openstack-keystone-revoke-driver-sql

0.1.0 - 2026-06-19

Added

• Make drivers more dynamic (#737)

openstack-keystone-role-driver-sql

0.1.0 - 2026-06-19

Added

• Add role-imply rest api (#750)
• Add role imply API (#749)
• Make drivers more dynamic (#737)

openstack-keystone-token-driver-fernet

0.1.1 - 2026-06-19

Added

• Add user update functionality (#747)
• Make drivers more dynamic (#737)

openstack-keystone-token-restriction-driver-sql

0.1.0 - 2026-06-19

Added

• Make drivers more dynamic (#737)

openstack-keystone-trust-driver-sql

0.1.0 - 2026-06-19

Added

• Make drivers more dynamic (#737)

openstack-keystone-webauthn

0.1.0 - 2026-06-19

Added

• Add inter-provider event notification system (#784)
• Make drivers more dynamic (#737)
• Introduce SecurityContext (#710)
• Add skeleton for the spiffe mTLS integration (#695)
• Implement ConfigManager for config watching (#691)
• Improve the code (#686)
• Add k8s-auth raft driver (#676)
• Add metadata for raft data (#670)
• Add raft support under skaffold (#667)
• Introduce raft backend for webauthn (#658)

Other

• Update raft drivers mocking (#791)
• Add mock raft storage for unittest (#790)
• Make core crates a workspace dependency (#736)
• Redesign SecurityContext with two-phase validation (#717)
• Split the core-types crate (#640)
• Move assignment parameters resolution to driver (#625)
• Introduce features in api-types crate (#624)
• Split out webauthn into crate (#621)

openstack-keystone

0.1.2 - 2026-06-19

Added

• Add bootstrap cli command (#809)
• (mapping) ADR-0020 phase 2 (#807)
• (mapping) ADR-0020 (mapping engine) phase 1 (#794)
• Add inter-provider event notification system (#784)
• Add service CRUD to the catalog provider (#773)
• Add SO_PEERCRED peer credential validation (#775)
• Return 401 on roleless scoped contexts (#742)
• Add system-user-role assignments API (#762)
• Add role-imply rest api (#750)
• Add user update functionality (#747)
• Add api to list user roles on project (#639)
• Add domain CRUD operations (#743)
• Add spiffe binding API (#740)
• Normalize the policy enforcer structure (#741)
• Make drivers more dynamic (#737)
• Add keystone container with opa and policies (#738)
• Add Admin interface over the UDS (#735)
• Add spiffe provider (#733)
• Introduce SecurityContext (#710)
• Talk to OPA over unix socket (#701)
• Add skeleton for the spiffe mTLS integration (#695)
• Implement ConfigManager for config watching (#691)
• Improve the code (#686)
• Add k8s-auth raft driver (#676)
• Add basic healthcheck endpoint (#671)
• Add raft support under skaffold (#667)
• Introduce raft backend for webauthn (#658)
• Make raft storage available through state (#657)
• Introduce the keystone-manage cli managing raft (#656)

Fixed

• (auth) Fix token-from-token auth bounds (#810)

Other

• (tests) Reorganize integration_api tests (#815)
• mapping engine phase 3 - migrate SPIFFE (#811)
• Upgrade spiffe dependencies (#805)
• Rename identity_mapping to idmapping (#788)
• Unify sea-orm features (#769)
• Make resolve_implied_roles optional (#764)
• Make core crates a workspace dependency (#736)
• Redesign SecurityContext with two-phase validation (#717)
• (deps) bump spiffe (#709)
• (deps) bump spiffe-rustls-tokio from 0.2.0 to 0.3.0 (#706)
• Add policy enforcement into group.v3 handler (#685)
• Split api.v3.group handlers (#679)
• Small optimization of the derives (#638)
• Split the core-types crate (#640)
• Split out remaining sql drivers (#633)
• Split more drivers to separate crates (#632)
• Split config into standalone crate (#628)
• Make assignment sql driver a standalone crate (#626)
• Move assignment parameters resolution to driver (#625)
• Introduce features in api-types crate (#624)
• Slim down api-types crate (#622)
• Split out webauthn into crate (#621)
• Split out token-fernet driver (#620)
• Prepare slit out of the FernetTokenProvider (#619)
• Move benchmark into the proper crate (#614)

openstack-keystone-cli-manage

0.1.0 - 2026-06-19

Added

• Add bootstrap cli command (#809)
• Make drivers more dynamic (#737)
• Introduce SecurityContext (#710)
• Add skeleton for the spiffe mTLS integration (#695)
• Implement ConfigManager for config watching (#691)
• Add raft support under skaffold (#667)
• Introduce the keystone-manage cli managing raft (#656)

Other

• Unify sea-orm features (#769)

---

This PR was generated with release-plz.

[github-actions]

🦢 Load Test Results

Goose Attack Report

Plan Overview

Action	Started	Stopped	Elapsed	Users
Increasing	26-06-19 19:19:17	26-06-19 19:19:19	00:00:02	0 → 4
Maintaining	26-06-19 19:19:19	26-06-19 19:19:49	00:00:30	4
Decreasing	26-06-19 19:19:49	26-06-19 19:19:49	00:00:00	0 ← 4

Request Metrics

Method	Name	# Requests	# Fails	Average (ms)	Min (ms)	Max (ms)	RPS	Failures/s
GET		6591	0	17.73	11	35	219.70	0.00
	Aggregated	6591	0	17.73	11	35	219.70	0.00

Response Time Metrics

Method	Name	50%ile (ms)	60%ile (ms)	70%ile (ms)	80%ile (ms)	90%ile (ms)	95%ile (ms)	99%ile (ms)	100%ile (ms)
GET		15	18	22	23	24	24	27	35
	Aggregated	15	18	22	23	24	24	27	35

Status Code Metrics

Method	Name	Status Codes
GET		6,591 [200]
	Aggregated	6,591 [200]

Transaction Metrics

Transaction	# Times Run	# Fails	Average (ms)	Min (ms)	Max (ms)	RPS	Failures/s
ListUsers
0.0	0	0	0.00	0	0	0.00	0.00
0.1	4032	0	14.43	11	22	134.40	0.00
ValidateToken
1.0	0	0	0.00	0	0	0.00	0.00
1.1	2559	0	23.01	18	35	85.30	0.00
Aggregated	6591	0	17.73	11	35	219.70	0.00

Scenario Metrics

Transaction	# Users	# Times Run	Average (ms)	Min (ms)	Max (ms)	Scenarios/s	Iterations
ListUsers	2	4030	14.43	11	22	134.33	2015.00
ValidateToken	2	2557	23.01	19	35	85.23	1278.50
Aggregated	4	6587	17.76	11	35	219.57	3293.50

View full report

[github-actions]

Bencher Report

Branch	release-plz-2026-06-05T09-00-15Z
Testbed	ubuntu-latest

Click to view all benchmark results

Benchmark	Latency	Benchmark Result nanoseconds (ns) (Result Δ%)	Upper Boundary nanoseconds (ns) (Limit %)
Command_Serde/apply/remove	📈 view plot 🚷 view threshold	84,974.00 ns (-40.51%) Baseline: 142,849.38 ns	458,968.42 ns (18.51%)
Command_Serde/apply/set	📈 view plot 🚷 view threshold	87,313.00 ns (-33.08%) Baseline: 130,478.66 ns	288,356.25 ns (30.28%)
Command_Serde/pack/delete	📈 view plot 🚷 view threshold	122.55 ns (+0.94%) Baseline: 121.40 ns	144.00 ns (85.10%)
Command_Serde/pack/delete_index	📈 view plot 🚷 view threshold	112.06 ns (-0.98%) Baseline: 113.16 ns	134.72 ns (83.18%)
Command_Serde/pack/set	📈 view plot 🚷 view threshold	191.36 ns (-2.39%) Baseline: 196.05 ns	236.33 ns (80.97%)
Command_Serde/pack/set_index	📈 view plot 🚷 view threshold	112.19 ns (-1.02%) Baseline: 113.35 ns	134.51 ns (83.41%)
Command_Serde/unpack/delete	📈 view plot 🚷 view threshold	218.32 ns (+14.75%) Baseline: 190.26 ns	235.43 ns (92.73%)
Command_Serde/unpack/delete_index	📈 view plot 🚷 view threshold	186.96 ns (+13.02%) Baseline: 165.43 ns	204.90 ns (91.24%)
Command_Serde/unpack/set	📈 view plot 🚷 view threshold	263.85 ns (+6.99%) Baseline: 246.62 ns	291.10 ns (90.64%)
Command_Serde/unpack/set_index	📈 view plot 🚷 view threshold	177.82 ns (+8.80%) Baseline: 163.44 ns	201.76 ns (88.13%)
Payload_encryption/pack/inner	📈 view plot 🚷 view threshold	64.71 ns (+3.36%) Baseline: 62.61 ns	76.70 ns (84.37%)
Payload_encryption/pack/remove_cmd	📈 view plot 🚷 view threshold	118.87 ns (-2.09%) Baseline: 121.41 ns	153.79 ns (77.29%)
Payload_encryption/pack/set_cmd	📈 view plot 🚷 view threshold	222.07 ns (-2.06%) Baseline: 226.74 ns	284.51 ns (78.05%)
Payload_encryption/unpack/inner	📈 view plot 🚷 view threshold	162.31 ns (-1.31%) Baseline: 164.47 ns	193.23 ns (84.00%)
Payload_encryption/unpack/remove_cmd	📈 view plot 🚷 view threshold	227.04 ns (+13.78%) Baseline: 199.54 ns	247.92 ns (91.58%)
Payload_encryption/unpack/set_cmd	📈 view plot 🚷 view threshold	265.94 ns (+2.90%) Baseline: 258.45 ns	312.12 ns (85.20%)
Raft_1Node_Latency/prefix/1node	📈 view plot 🚷 view threshold	5,169,400.00 ns (+38.93%) Baseline: 3,720,788.59 ns	6,886,507.63 ns (75.07%)
Raft_1Node_Latency/read/1node	📈 view plot 🚷 view threshold	601.15 ns (+4.23%) Baseline: 576.73 ns	673.66 ns (89.24%)
Raft_1Node_Latency/remove/1node	📈 view plot 🚷 view threshold	239,340.00 ns (-36.66%) Baseline: 377,884.69 ns	972,840.95 ns (24.60%)
Raft_1Node_Latency/write/1node	📈 view plot 🚷 view threshold	249,370.00 ns (-31.85%) Baseline: 365,928.59 ns	775,615.74 ns (32.15%)
build_snapshot/default	📈 view plot 🚷 view threshold	88,901.00 ns (-4.14%) Baseline: 92,739.12 ns	152,913.00 ns (58.14%)
fernet token/project	📈 view plot 🚷 view threshold	1,426.10 ns (+0.07%) Baseline: 1,425.11 ns	1,637.96 ns (87.07%)
get_data_keyspace	📈 view plot 🚷 view threshold	0.35 ns (+9.21%) Baseline: 0.32 ns	0.38 ns (92.24%)
get_db	📈 view plot 🚷 view threshold	0.35 ns (+9.23%) Baseline: 0.32 ns	0.38 ns (92.20%)
get_fernet_token_timestamp/project	📈 view plot 🚷 view threshold	146.55 ns (+0.00%) Baseline: 146.55 ns	174.95 ns (83.77%)
get_keyspace	📈 view plot 🚷 view threshold	4.76 ns (-3.23%) Baseline: 4.92 ns	9.48 ns (50.18%)

🐰 View full continuous benchmarking report in Bencher