[release-announce] keystone 15.0.1 (stein)

no-reply at openstack.org no-reply at openstack.org
Tue May 12 10:03:05 UTC 2020


We are gleeful to announce the release of:

keystone 15.0.1: OpenStack Identity

This release is part of the stein stable release series.

The source is available from:

    https://opendev.org/openstack/keystone

Download the package from:

    https://tarballs.openstack.org/keystone/

Please report issues through:

    https://bugs.launchpad.net/keystone/+bugs

For more details, please see below.

15.0.1
^^^^^^


Upgrade Notes
*************

* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
  Added a default TTL of 15 minutes for signed EC2 credential
  requests, where previously an EC2 signed token request was valid
  indefinitely. This change in behavior is needed to protect against
  replay attacks.


Critical Issues
***************

* [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)]
  An error in the policy target filtering inadvertently allowed any
  user to list any credential object with the /v3/credentials API when
  "[oslo_policy]/enforce_scope" was set to false, which is the
  default. This has been addressed: users with non-admin roles on a
  project may not list other users' credentials. However, users with
  the admin role on a project may still list any user's credentials
  when "[oslo_policy]/enforce_scope" is false due to bug 968696
  (https://bugs.launchpad.net/keystone/+bug/968696).

* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
  Fixed a critical security issue in which an authenticated user could
  escalate their privileges by altering a valid EC2 credential.

* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed a security issue in which a trustee or an application
  credential user could create an EC2 credential or an application
  credential that would permit them to get a token that elevated their
  role assignments beyond the subset delegated to them in the trust or
  application credential. A new attribute "app_cred_id" is now
  automatically added to the access blob of an EC2 credential and the
  role list in the trust or application credential is respected.


Security Issues
***************

* [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)]
  An error in the policy target filtering inadvertently allowed any
  user to list any credential object with the /v3/credentials API when
  "[oslo_policy]/enforce_scope" was set to false, which is the
  default. This has been addressed: users with non-admin roles on a
  project may not list other users' credentials. However, users with
  the admin role on a project may still list any user's credentials
  when "[oslo_policy]/enforce_scope" is false due to bug 968696
  (https://bugs.launchpad.net/keystone/+bug/968696).

* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
  Fixed a critical security issue in which an authenticated user could
  escalate their privileges by altering a valid EC2 credential.

* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed a security issue in which a trustee or an application
  credential user could create an EC2 credential or an application
  credential that would permit them to get a token that elevated their
  role assignments beyond the subset delegated to them in the trust or
  application credential. A new attribute "app_cred_id" is now
  automatically added to the access blob of an EC2 credential and the
  role list in the trust or application credential is respected.

* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
  Fixed an incorrect EC2 token validation implementation in which the
  timestamp of the signed request was ignored, which made EC2 and S3
  token requests vulnerable to replay attacks. The default TTL is 15
  minutes but is configurable.

* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
  Added validation to the EC2 credentials update API to ensure the
  metadata labels 'trust_id' and 'app_cred_id' are not altered by the
  user. These labels are used by keystone to determine the scope
  allowed by the credential, and altering these automatic labels could
  enable an EC2 credential holder to elevate their access beyond what
  is permitted by the application credential or trust that was used to
  create the EC2 credential.

* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
  [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed the token model to respect the roles authorized for OAuth1
  access tokens. Previously, the list of roles authorized for an OAuth1
  access token was ignored, so when an access token was used to
  request a keystone token, the keystone token would contain every
  role assignment the creator had for the project. This also fixed EC2
  credentials to respect those roles.
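
The credential-list filtering described under bug 1855080, reduced to a
runnable model. This is an added example, not keystone's code: the role
and scope rules are a simplification of keystone's policy (a system-scoped
reader-or-above is assumed to see everything when scope is enforced), and
the credential store is constructed inline.

```python
# Constructed credential store: owner user_id per credential.
CREDENTIALS = [
    {"id": "c1", "user_id": "alice", "type": "ec2"},
    {"id": "c2", "user_id": "bob", "type": "ec2"},
    {"id": "c3", "user_id": "carol", "type": "totp"},
]

# Simplified stand-in for the role hierarchy keystone's policy checks:
# any of these on a system-scoped token may read all credentials.
SYSTEM_READER_ROLES = {"admin", "member", "reader"}


def list_credentials_vulnerable(requester, creds=CREDENTIALS):
    """Pre-fix behaviour: the policy target filter is never applied, so any
    authenticated user receives every credential object."""
    return [c["id"] for c in creds]


def list_credentials_fixed(requester, creds=CREDENTIALS, enforce_scope=False):
    """Post-fix behaviour as the note describes it.

    requester: {"user_id": str, "roles": [str], "scope": "project"|"system"}
    - enforce_scope=True: only a system-scoped reader-or-above sees all
    - enforce_scope=False (the default): any project admin still sees all,
      which is the leftover described under bug 968696
    - everyone else: only credentials whose user_id is their own
    """
    roles = set(requester.get("roles", ()))
    scope = requester.get("scope", "project")
    if enforce_scope:
        sees_all = scope == "system" and bool(roles & SYSTEM_READER_ROLES)
    else:
        sees_all = "admin" in roles
    if sees_all:
        return [c["id"] for c in creds]
    return [c["id"] for c in creds if c["user_id"] == requester["user_id"]]


if __name__ == "__main__":
    bob = {"user_id": "bob", "roles": ["member"], "scope": "project"}
    print("before fix:", list_credentials_vulnerable(bob))
    print("after fix: ", list_credentials_fixed(bob))
```

The last branch is the one the fix added: with enforce_scope left at its
default, a plain project member is filtered to its own objects, while a
project admin still gets the whole list until bug 968696 is addressed.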


Bug Fixes
*********

* [bug 1773967 (https://bugs.launchpad.net/keystone/+bug/1773967)]
  Fixes an issue where users who had role assignments only via a group
  membership and not via direct assignment could create but not use
  application credentials. It is important to note that federated
  users who only have role assignments via a mapped group membership
  still cannot create application credentials.

* [bug 1782922 (https://bugs.launchpad.net/keystone/+bug/1782922)]
  Fixed the problem where Keystone indiscriminately returned the first
  RDN as the user ID, regardless of whether it matched the configured
  'user_id_attribute'. This broke deployments where
  'group_members_are_ids' is set to False and 'user_id_attribute' is
  not in the DN. This patch performs a lookup by DN if the first RDN
  does not match the configured 'user_id_attribute'.

* [bug 1831918 (https://bugs.launchpad.net/keystone/+bug/1831918)]
  The credentials API now emits CADF audit messages.

* [bug 1832265 (https://bugs.launchpad.net/keystone/+bug/1832265)]
  Binary msgpack payload types are now consistently and correctly
  decoded when running Keystone under Python 3, avoiding any
  TypeErrors when attempting to convert binary encoded strings into
  UUIDs.

* [bug 1840291 (https://bugs.launchpad.net/keystone/+bug/1840291)]
  Adds retries for "delete_credential_for_user" method to avoid
  DBDeadlocks when deleting a large number of credentials concurrently.

* [bug 1843609 (https://bugs.launchpad.net/keystone/+bug/1843609)]
  Fixed an issue where system-scoped tokens couldn't be used to list
  users and groups (e.g., GET /v3/users or GET /v3/groups) if
  "keystone.conf [identity] domain_specific_drivers_enabled=True" and
  the API would return an "HTTP 401 Unauthorized". These APIs now
  recognize system-scoped tokens when using domain-specific drivers.

* [bug 1856881 (https://bugs.launchpad.net/keystone/+bug/1856881)]
  "keystone-manage bootstrap" can be run in upgrade scenarios where
  pre-existing domain-specific roles exist named "admin", "member",
  and "reader".

* [bug 1856904 (https://bugs.launchpad.net/keystone/+bug/1856904)]
  The initiator object for CADF notifications will now always contain
  the username of the user who initiated the action. Previously, the
  initiator object only contained the user_id, which led to issues
  mapping to users when using LDAP-backed identity providers. This
  also helps the initiator object better conform to the OpenStack
  standard for CADF.

* [bug 1858012 (https://bugs.launchpad.net/keystone/+bug/1858012)]
  Fixes a bug in the /v3/role_assignments filtering where the
  *role.id* query parameter didn't properly filter role assignments by
  role in cases where there were multiple system role assignments.

* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
  Fixed a critical security issue in which an authenticated user could
  escalate their privileges by altering a valid EC2 credential.

* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed a security issue in which a trustee or an application
  credential user could create an EC2 credential or an application
  credential that would permit them to get a token that elevated their
  role assignments beyond the subset delegated to them in the trust or
  application credential. A new attribute "app_cred_id" is now
  automatically added to the access blob of an EC2 credential and the
  role list in the trust or application credential is respected.

* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
  Fixed an incorrect EC2 token validation implementation in which the
  timestamp of the signed request was ignored, which made EC2 and S3
  token requests vulnerable to replay attacks. The default TTL is 15
  minutes but is configurable.

* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
  Added validation to the EC2 credentials update API to ensure the
  metadata labels 'trust_id' and 'app_cred_id' are not altered by the
  user. These labels are used by keystone to determine the scope
  allowed by the credential, and altering these automatic labels could
  enable an EC2 credential holder to elevate their access beyond what
  is permitted by the application credential or trust that was used to
  create the EC2 credential.

* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
  [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed the token model to respect the roles authorized for OAuth1
  access tokens. Previously, the list of roles authorized for an OAuth1
  access token was ignored, so when an access token was used to
  request a keystone token, the keystone token would contain every
  role assignment the creator had for the project. This also fixed EC2
  credentials to respect those roles.
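
The replay protection behind bug 1872737 (also listed under Upgrade Notes
and Security Issues above), as an added example rather than keystone's
own code. The TTL is a parameter here; keystone makes it configurable
(keystone/conf/credential.py in the diffstat) with the 15 minute default
the note gives. The 'credentials' dict layout, the rejection of requests
that carry no timestamp, and the future-skew limit are this example's
own choices and are marked as such in the code.

```python
from datetime import datetime, timedelta, timezone


class Unauthorized(Exception):
    """Stands in for keystone's Unauthorized exception."""


# Timestamp layouts a signed request may carry: the ISO 8601 'Timestamp'
# query parameter of AWS Signature v2, and the compact X-Amz-Date of v4.
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y%m%dT%H%M%SZ")


def parse_signed_timestamp(value):
    """Parse one of the accepted layouts into an aware UTC datetime."""
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise Unauthorized("unparseable timestamp in signed request: %r" % (value,))


def signed_timestamp(credentials):
    """Locate the timestamp inside the material the client signed.

    'credentials' is an assumed layout: 'params' (the query string, which
    v2 signs) and 'headers' (the signed headers of v4). Returns None when
    no timestamp is present at all.
    """
    params = credentials.get("params") or {}
    headers = credentials.get("headers") or {}
    return (params.get("Timestamp")
            or headers.get("X-Amz-Date")
            or params.get("X-Amz-Date"))


def check_timestamp(credentials, now, ttl_minutes=15, max_skew_minutes=5):
    """Raise Unauthorized unless the signed timestamp is within ttl_minutes.

    Before the fix this check did not exist, so a captured signed request
    stayed valid forever. Two choices go beyond the note and are this
    example's own: a request with no timestamp is rejected rather than
    accepted, and a timestamp more than max_skew_minutes in the future is
    rejected, since a far-future timestamp would otherwise extend the
    replay window until that time plus the TTL.
    """
    raw = signed_timestamp(credentials)
    if raw is None:
        raise Unauthorized("signed request carries no timestamp")
    ts = parse_signed_timestamp(raw)
    if now > ts + timedelta(minutes=ttl_minutes):
        raise Unauthorized("signed request expired (older than %d min)" % ttl_minutes)
    if ts > now + timedelta(minutes=max_skew_minutes):
        raise Unauthorized("signed request timestamp is in the future")
    return ts


def is_fresh(credentials, now, **kwargs):
    """Boolean convenience wrapper around check_timestamp."""
    try:
        check_timestamp(credentials, now, **kwargs)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    now = parse_signed_timestamp("2020-05-12T10:03:05Z")
    # Constructed capture of a v2-style signed request, 23 minutes old.
    captured = {"params": {"Timestamp": "2020-05-12T09:40:00Z", "Signature": "..."}}
    print("replayed 23 minutes later:", is_fresh(captured, now))
```

The check only has value because the timestamp is part of what the
signature covers; an attacker replaying a captured request cannot
refresh it without the secret key.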

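The delegation labels that bugs 1872735, 1872755 and 1873290 turn on,
modelled as an added example (not keystone's code). An EC2 credential
created with a trust- or application-credential-scoped token carries
'trust_id' or 'app_cred_id' in its blob; the update API must keep those
labels immutable, and a token minted from the credential may only carry
the delegated subset of the creator's roles. The blob layout, the role
names and the in-memory trust and application-credential stores are
constructed for the example.

```python
PROTECTED_LABELS = ("trust_id", "app_cred_id")


class Forbidden(Exception):
    """Stands in for keystone's Forbidden exception."""


def validate_blob_update(existing_blob, new_blob):
    """Bug 1872755: the holder may rotate access/secret but may not add,
    remove or change the delegation labels keystone wrote into the blob."""
    for label in PROTECTED_LABELS:
        if existing_blob.get(label) != new_blob.get(label):
            raise Forbidden("%s is set by keystone and may not be altered" % label)
    return new_blob


def can_update(existing_blob, new_blob):
    """Boolean form of validate_blob_update."""
    try:
        validate_blob_update(existing_blob, new_blob)
        return True
    except Forbidden:
        return False


def effective_roles(blob, creator_roles, app_creds, trusts):
    """Bugs 1872735/1873290: roles a token minted from this EC2 credential
    may carry on its project.

    creator_roles: the creating user's role names on the project. With a
    delegation label the result is the intersection with the roles the
    trust or application credential delegates; a label that points at a
    delegation no longer in the store fails closed.
    """
    if blob.get("app_cred_id") is not None:
        delegation = app_creds.get(blob["app_cred_id"])
    elif blob.get("trust_id") is not None:
        delegation = trusts.get(blob["trust_id"])
    else:
        return sorted(set(creator_roles))
    if delegation is None:
        raise Forbidden("EC2 credential refers to a delegation that no longer exists")
    return sorted(set(creator_roles) & set(delegation["roles"]))


def effective_roles_vulnerable(blob, creator_roles, app_creds, trusts):
    """Pre-fix behaviour: the label is ignored and the creator's full role
    list is copied into the token."""
    return sorted(set(creator_roles))


def try_effective_roles(blob, creator_roles, app_creds, trusts):
    """Returns the role list, or None when the credential fails closed."""
    try:
        return effective_roles(blob, creator_roles, app_creds, trusts)
    except Forbidden:
        return None


if __name__ == "__main__":
    # Constructed stores: one app cred delegating only 'reader'.
    app_creds = {"ac1": {"roles": ["reader"]}}
    blob = {"access": "AK", "secret": "SK", "app_cred_id": "ac1"}
    creator = ["admin", "member", "reader"]
    print("before fix:", effective_roles_vulnerable(blob, creator, app_creds, {}))
    print("after fix: ", effective_roles(blob, creator, app_creds, {}))
    print("strip label:", can_update(blob, {"access": "AK", "secret": "SK"}))
```

The two checks are only sound together: without validate_blob_update a
holder could PATCH the label away and fall back to the full-role branch,
which is the escalation bug 1872755 closes.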
Changes in keystone 15.0.0..15.0.1
----------------------------------

af9927479 Temporarily disable k2k tests on train and stein
206392a40 Fix security issues with EC2 credentials
330911cee Ensure OAuth1 authorized roles are respected
1ef382851 Check timestamp of signed EC2 token request
e57e44c0e Add cadf auditing to credentials
2de401b79 Tell reno to ignore the kilo branch
615fe2138 Always have username in CADF initiator
f2f79a9a6 Constraint dependencies for docs build
8f537ed54 Add voting k2k tests
0e6c07e46 Added keystone identity provider installation to Devstack plugin
1ba238e49 Ensure bootstrap handles multiple roles with the same name
af470fd63 Fix role_assignments role.id filter
17947516b Fix credential list for project members
ac3d3125a token: consistently decode binary types
ccd9c7b2a Switch to the opensuse-15 nodeset
cebed4114 Docs: Make robust with using real links
e9612a672 Make system tokens work with domain-specific drivers
929c6a4d7 Switch to opensuse-15 nodeset
429923fbb Import LDAP job into project
52ef61868 Add retry for DBDeadlock in credential delete
10cc1ff64 Update broken links to dogpile.cache docs
933ea511d Allows to use application credentials through group membership
6e8be2a0d Fix python3 compatibility on LDAP search DN from id
909cc9fa8 Fixing dn_to_id function for cases were id is not in the DN
90f9da82a Revert "Blacklist bandit 1.6.0"
a7f5e7a91 [docs] remove deprecated ubuntu package from installation
1828d0612 Blacklist bandit 1.6.0
03946c50b OpenDev Migration Patch
46dcd7ffe Update UPPER_CONSTRAINTS_FILE for stable/stein
fda8e84b6 Update .gitreview for stable/stein


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |   2 +
.gitreview                                         |   3 +-
.zuul.yaml                                         |  39 +-
devstack/files/federation/shib_apache_handler.txt  |  12 +
devstack/files/federation/shibboleth2.xml          |  11 +-
devstack/lib/federation.sh                         |  72 +++-
.../admin/{caching-layer.rst => caching-layer.inc} |  10 +-
...cific-config.rst => domain-specific-config.inc} |   4 +
...dpoint-filtering.rst => endpoint-filtering.inc} |   2 +
.../{endpoint-policy.rst => endpoint-policy.inc}   |   2 +
.../admin/federation/configure_federation.rst      |  52 ++-
.../admin/federation/{mellon.rst => mellon.inc}    |   8 +-
.../admin/federation/{openidc.rst => openidc.inc}  |  12 +-
.../federation/{shibboleth.rst => shibboleth.inc}  |   8 +-
...grate-with-ldap.rst => integrate-with-ldap.inc} |   4 +
.../{limit-list-size.rst => limit-list-size.inc}   |   2 +
.../admin/{performance.rst => performance.inc}     |   2 +
...rity-compliance.rst => security-compliance.inc} |   4 +
.../admin/{troubleshoot.rst => troubleshoot.inc}   |   2 +
.../{url-safe-naming.rst => url-safe-naming.inc}   |   2 +
keystone/api/_shared/EC2_S3_Resource.py            |  75 +++-
keystone/api/credentials.py                        | 101 +++--
keystone/api/users.py                              |  22 +-
keystone/assignment/core.py                        |  10 +-
keystone/cmd/bootstrap.py                          |   8 +
keystone/common/authorization.py                   |   4 +-
keystone/common/policies/base.py                   |   5 +-
.../097_drop_user_name_domainid_constraint.py      |   2 +-
.../104_drop_user_name_domainid_constraint.py      |   2 +-
keystone/conf/credential.py                        |  11 +-
keystone/credential/backends/sql.py                |   3 +
keystone/credential/core.py                        |  17 +-
keystone/identity/backends/ldap/common.py          |  34 +-
keystone/identity/backends/ldap/core.py            |   7 +-
keystone/identity/backends/sql_model.py            |   2 +-
keystone/models/token_model.py                     |  34 +-
keystone/notifications.py                          |  20 +-
keystone/oauth1/core.py                            |   4 +-
keystone/server/flask/common.py                    |   2 +
keystone/token/token_formatters.py                 | 104 ++---
.../keystone-dsvm-grenade-multinode/run.yaml       |  10 +-
.../notes/bug-1773967-b59517a09e0e6141.yaml        |   9 +
.../notes/bug-1782922-db822fda486ac773.yaml        |  10 +
.../notes/bug-1831918-c70cf87ef086d871.yaml        |   6 +
.../notes/bug-1832265-cb76ccf505c2d9d1.yaml        |   7 +
.../notes/bug-1840291-35af1ac7ba06e166.yaml        |   6 +
.../notes/bug-1843609-8498b132222596b7.yaml        |   9 +
.../notes/bug-1855080-08b28181b7cb2470.yaml        |  23 +
.../notes/bug-1856881-277103af343187f1.yaml        |   7 +
.../notes/bug-1856904-101af15bb48eb3ca.yaml        |   9 +
.../notes/bug-1858012-584267ada7e33f2c.yaml        |   7 +
.../notes/bug-1872733-2377f456a57ad32c.yaml        |  16 +
.../notes/bug-1872735-0989e51d2248ce1e.yaml        |  31 ++
.../notes/bug-1872737-f8e1ad3b6705b766.yaml        |  28 ++
.../notes/bug-1872755-2c81d3267b89f124.yaml        |  19 +
.../notes/bug-1873290-ff7f8e4cee15b75a.yaml        |  19 +
reno.yaml                                          |   4 +
tox.ini                                            |  11 +-
93 files changed, 1753 insertions(+), 322 deletions(-)