[release-announce] keystone 15.0.1 (stein)
no-reply at openstack.org
no-reply at openstack.org
Tue May 12 10:03:05 UTC 2020
We are gleeful to announce the release of:
keystone 15.0.1: OpenStack Identity
This release is part of the stein stable release series.
The source is available from:
https://opendev.org/openstack/keystone
Download the package from:
https://tarballs.openstack.org/keystone/
Please report issues through:
https://bugs.launchpad.net/keystone/+bugs
For more details, please see below.
15.0.1
^^^^^^
Upgrade Notes
*************
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Added a default TTL of 15 minutes for signed EC2 credential
requests, where previously an EC2 signed token request was valid
indefinitely. This change in behavior is needed to protect against
replay attacks.
Critical Issues
***************
* [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)]
An error in the policy target filtering inadvertently allowed any
user to list any credential object with the /v3/credentials API when
"[oslo_policy]/enforce_scope" was set to false, which is the
default. This has been addressed: users with non-admin roles on a
project may not list other users' credentials. However, users with
the admin role on a project may still list any users credentials
when "[oslo_policy]/enforce_scope" is false due to bug 968696
(https://bugs.launchpad.net/keystone/+bug/968696).
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
Security Issues
***************
* [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)]
An error in the policy target filtering inadvertently allowed any
user to list any credential object with the /v3/credentials API when
"[oslo_policy]/enforce_scope" was set to false, which is the
default. This has been addressed: users with non-admin roles on a
project may not list other users' credentials. However, users with
the admin role on a project may still list any users credentials
when "[oslo_policy]/enforce_scope" is false due to bug 968696
(https://bugs.launchpad.net/keystone/+bug/968696).
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3
token requests vulnerable to replay attacks. The default TTL is 15
minutes but is configurable.
* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
Added validation to the EC2 credentials update API to ensure the
metadata labels 'trust_id' and 'app_cred_id' are not altered by the
user. These labels are used by keystone to determine the scope
allowed by the credential, and altering these automatic labels could
enable an EC2 credential holder to elevate their access beyond what
is permitted by the application credential or trust that was used to
create the EC2 credential.
* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
[bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed the token model to respect the roles authorized OAuth1 access
tokens. Previously, the list of roles authorized for an OAuth1
access token were ignored, so when an access token was used to
request a keystone token, the keystone token would contain every
role assignment the creator had for the project. This also fixed EC2
credentials to respect those roles as well.
Bug Fixes
*********
* [bug 1773967 (https://bugs.launchpad.net/keystone/+bug/1773967)]
Fixes an issue where users who had role assignments only via a group
membership and not via direct assignment could create but not use
application credentials. It is important to note that federated
users who only have role assignments via a mapped group membership
still cannot create application credentials.
* [bug 1782922 (https://bugs.launchpad.net/keystone/+bug/1782922)]
Fixed the problem where Keystone indiscriminately return the first
RDN as the user ID, regardless whether it matches the configured
'user_id_attribute' or not. This will break deployments where
'group_members_are_ids' are set to False and 'user_id_attribute' is
not in the DN. This patch will perform a lookup by DN if the first
RND does not match the configured 'user_id_attribute'.
* [bug 1831918 (https://bugs.launchpad.net/keystone/+bug/1831918)]
Credentials now logs cadf audit messages.
* [bug 1832265 (https://bugs.launchpad.net/keystone/+bug/1832265)]
Binary msgpack payload types are now consistently and correctly
decoded when running Keystone under Python 3, avoiding any
TypeErrors when attempting to convert binary encoded strings into
UUID's.
* [bug 1840291 (https://bugs.launchpad.net/keystone/+bug/1840291)]
Adds retries for "delete_credential_for_user" method to avoid
DBDeadlocks when deleting large number of credentials concurrently.
* [*bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>*]
Fixed an issue where system-scoped tokens couldn't be used to list
users and groups (e.g., GET /v3/users or GET /v3/groups) if
"keystone.conf [identity] domain_specific_drivers_enabled=True" and
the API would return an "HTTP 401 Unauthorized". These APIs now
recognize system-scoped tokens when using domain-specific drivers.
* [bug 1856881 (https://bugs.launchpad.net/keystone/+bug/1856881)]
"keystone-manage bootstrap" can be run in upgrade scenarios where
pre-existing domain-specific roles exist named "admin", "member",
and "reader".
* [Bug 1856904 (https://bugs.launchpad.net/keystone/+bug/1856904)]
The initiator object for CADF notifications now will always contain
the username for the user who initated the action. Previously, the
initator object only contained the user_id, which lead to issues
mapping to users when using LDAP-backed identity providers. This
also helps the initiator object better conform to the OpenStack
standard for CADF.
* [bug 1858012 (https://bugs.launchpad.net/keystone/+bug/1858012)]
Fixes a bug in the /v3/role_assignments filtering where the
*role.id* query parameter didn't properly filter role assignments by
role in cases where there were multiple system role assignments.
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3
token requests vulnerable to replay attacks. The default TTL is 15
minutes but is configurable.
* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
Added validation to the EC2 credentials update API to ensure the
metadata labels 'trust_id' and 'app_cred_id' are not altered by the
user. These labels are used by keystone to determine the scope
allowed by the credential, and altering these automatic labels could
enable an EC2 credential holder to elevate their access beyond what
is permitted by the application credential or trust that was used to
create the EC2 credential.
* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
[bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed the token model to respect the roles authorized OAuth1 access
tokens. Previously, the list of roles authorized for an OAuth1
access token were ignored, so when an access token was used to
request a keystone token, the keystone token would contain every
role assignment the creator had for the project. This also fixed EC2
credentials to respect those roles as well.
Changes in keystone 15.0.0..15.0.1
----------------------------------
af9927479 Temporarily disable k2k tests on train and stein
206392a40 Fix security issues with EC2 credentials
330911cee Ensure OAuth1 authorized roles are respected
1ef382851 Check timestamp of signed EC2 token request
e57e44c0e Add cadf auditing to credentials
2de401b79 Tell reno to ignore the kilo branch
615fe2138 Always have username in CADF initiator
f2f79a9a6 Constraint dependencies for docs build
8f537ed54 Add voting k2k tests
0e6c07e46 Added keystone identity provider installation to Devstack plugin
1ba238e49 Ensure bootstrap handles multiple roles with the same name
af470fd63 Fix role_assignments role.id filter
17947516b Fix credential list for project members
ac3d3125a token: consistently decode binary types
ccd9c7b2a Switch to the opensuse-15 nodeset
cebed4114 Docs: Make robust with using real links
e9612a672 Make system tokens work with domain-specific drivers
929c6a4d7 Switch to opensuse-15 nodeset
429923fbb Import LDAP job into project
52ef61868 Add retry for DBDeadlock in credential delete
10cc1ff64 Update broken links to dogpile.cache docs
933ea511d Allows to use application credentials through group membership
6e8be2a0d Fix python3 compatibility on LDAP search DN from id
909cc9fa8 Fixing dn_to_id function for cases were id is not in the DN
90f9da82a Revert "Blacklist bandit 1.6.0"
a7f5e7a91 [docs] remove deprecated ubuntu package from installation
1828d0612 Blacklist bandit 1.6.0
03946c50b OpenDev Migration Patch
46dcd7ffe Update UPPER_CONSTRAINTS_FILE for stable/stein
fda8e84b6 Update .gitreview for stable/stein
Diffstat (except docs and test files)
-------------------------------------
.gitignore | 2 +
.gitreview | 3 +-
.zuul.yaml | 39 +-
devstack/files/federation/shib_apache_handler.txt | 12 +
devstack/files/federation/shibboleth2.xml | 11 +-
devstack/lib/federation.sh | 72 +++-
.../admin/{caching-layer.rst => caching-layer.inc} | 10 +-
...cific-config.rst => domain-specific-config.inc} | 4 +
...dpoint-filtering.rst => endpoint-filtering.inc} | 2 +
.../{endpoint-policy.rst => endpoint-policy.inc} | 2 +
.../admin/federation/configure_federation.rst | 52 ++-
.../admin/federation/{mellon.rst => mellon.inc} | 8 +-
.../admin/federation/{openidc.rst => openidc.inc} | 12 +-
.../federation/{shibboleth.rst => shibboleth.inc} | 8 +-
...grate-with-ldap.rst => integrate-with-ldap.inc} | 4 +
.../{limit-list-size.rst => limit-list-size.inc} | 2 +
.../admin/{performance.rst => performance.inc} | 2 +
...rity-compliance.rst => security-compliance.inc} | 4 +
.../admin/{troubleshoot.rst => troubleshoot.inc} | 2 +
.../{url-safe-naming.rst => url-safe-naming.inc} | 2 +
keystone/api/_shared/EC2_S3_Resource.py | 75 +++-
keystone/api/credentials.py | 101 +++--
keystone/api/users.py | 22 +-
keystone/assignment/core.py | 10 +-
keystone/cmd/bootstrap.py | 8 +
keystone/common/authorization.py | 4 +-
keystone/common/policies/base.py | 5 +-
.../097_drop_user_name_domainid_constraint.py | 2 +-
.../104_drop_user_name_domainid_constraint.py | 2 +-
keystone/conf/credential.py | 11 +-
keystone/credential/backends/sql.py | 3 +
keystone/credential/core.py | 17 +-
keystone/identity/backends/ldap/common.py | 34 +-
keystone/identity/backends/ldap/core.py | 7 +-
keystone/identity/backends/sql_model.py | 2 +-
keystone/models/token_model.py | 34 +-
keystone/notifications.py | 20 +-
keystone/oauth1/core.py | 4 +-
keystone/server/flask/common.py | 2 +
keystone/token/token_formatters.py | 104 ++---
.../keystone-dsvm-grenade-multinode/run.yaml | 10 +-
.../notes/bug-1773967-b59517a09e0e6141.yaml | 9 +
.../notes/bug-1782922-db822fda486ac773.yaml | 10 +
.../notes/bug-1831918-c70cf87ef086d871.yaml | 6 +
.../notes/bug-1832265-cb76ccf505c2d9d1.yaml | 7 +
.../notes/bug-1840291-35af1ac7ba06e166.yaml | 6 +
.../notes/bug-1843609-8498b132222596b7.yaml | 9 +
.../notes/bug-1855080-08b28181b7cb2470.yaml | 23 +
.../notes/bug-1856881-277103af343187f1.yaml | 7 +
.../notes/bug-1856904-101af15bb48eb3ca.yaml | 9 +
.../notes/bug-1858012-584267ada7e33f2c.yaml | 7 +
.../notes/bug-1872733-2377f456a57ad32c.yaml | 16 +
.../notes/bug-1872735-0989e51d2248ce1e.yaml | 31 ++
.../notes/bug-1872737-f8e1ad3b6705b766.yaml | 28 ++
.../notes/bug-1872755-2c81d3267b89f124.yaml | 19 +
.../notes/bug-1873290-ff7f8e4cee15b75a.yaml | 19 +
reno.yaml | 4 +
tox.ini | 11 +-
93 files changed, 1753 insertions(+), 322 deletions(-)
More information about the Release-announce
mailing list