[release-announce] keystone 16.0.1 (train)
no-reply at openstack.org
Tue May 12 10:03:31 UTC 2020
We are pleased to announce the release of:
keystone 16.0.1: OpenStack Identity
This release is part of the train stable release series.
The source is available from:
https://opendev.org/openstack/keystone
Download the package from:
https://tarballs.openstack.org/keystone/
Please report issues through:
https://bugs.launchpad.net/keystone/+bugs
For more details, please see below.
16.0.1
^^^^^^
Upgrade Notes
*************
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Added a default TTL of 15 minutes for signed EC2 credential
requests, where previously an EC2 signed token request was valid
indefinitely. This change in behavior is needed to protect against
replay attacks.
Critical Issues
***************
* [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)]
An error in the policy target filtering inadvertently allowed any
user to list any credential object with the /v3/credentials API when
"[oslo_policy]/enforce_scope" was set to false, which is the
default. This has been addressed: users with non-admin roles on a
project may not list other users' credentials. However, users with
the admin role on a project may still list any user's credentials
when "[oslo_policy]/enforce_scope" is false due to bug 968696
(https://bugs.launchpad.net/keystone/+bug/968696).
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
Security Issues
***************
* [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)]
An error in the policy target filtering inadvertently allowed any
user to list any credential object with the /v3/credentials API when
"[oslo_policy]/enforce_scope" was set to false, which is the
default. This has been addressed: users with non-admin roles on a
project may not list other users' credentials. However, users with
the admin role on a project may still list any user's credentials
when "[oslo_policy]/enforce_scope" is false due to bug 968696
(https://bugs.launchpad.net/keystone/+bug/968696).
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3
token requests vulnerable to replay attacks. The default TTL is 15
minutes but is configurable.
* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
Added validation to the EC2 credentials update API to ensure the
metadata labels 'trust_id' and 'app_cred_id' are not altered by the
user. These labels are used by keystone to determine the scope
allowed by the credential, and altering these automatic labels could
enable an EC2 credential holder to elevate their access beyond what
is permitted by the application credential or trust that was used to
create the EC2 credential.
* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
[bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed the token model to respect the roles authorized for OAuth1
access tokens. Previously, the list of roles authorized for an OAuth1
access token was ignored, so when an access token was used to
request a keystone token, the keystone token would contain every
role assignment the creator had for the project. This also fixed EC2
credentials to respect those roles as well.
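The three EC2 credential fixes above, as an added example that is not keystone's own code: a signed-request timestamp check bounded by a TTL (bug 1872737), narrowing of the creator's roles to the subset delegated by the trust or application credential (bug 1872735), and refusal to alter the automatic 'trust_id'/'app_cred_id' labels on update (bug 1872755). The parameter names, date formats, skew allowance and data shapes are assumptions of this example, not keystone's.

```python
import datetime
# Assumed for this example: the 15-minute default TTL named in the note, the
# skew allowance, and the parameter names/formats (v2 'Timestamp', v4 'X-Amz-Date').
AUTH_TTL = datetime.timedelta(minutes=15)
CLOCK_SKEW = datetime.timedelta(minutes=5)
SCOPE_LABELS = ("trust_id", "app_cred_id")
TIMESTAMP_FORMATS = {"Timestamp": "%Y-%m-%dT%H:%M:%SZ", "X-Amz-Date": "%Y%m%dT%H%M%SZ"}

class InvalidRequest(Exception):
    pass

def parse_timestamp(params):
    """Return the UTC timestamp carried by a signed request, or reject it."""
    for key, fmt in TIMESTAMP_FORMATS.items():
        if key in params:
            try:
                ts = datetime.datetime.strptime(params[key], fmt)
            except ValueError:
                raise InvalidRequest("unparseable %s" % key)
            return ts.replace(tzinfo=datetime.timezone.utc)
    # Bug 1872737: before the fix a request with no timestamp stayed valid forever.
    raise InvalidRequest("signed request carries no timestamp")

def check_not_replayed(params, now, ttl=AUTH_TTL, skew=CLOCK_SKEW):
    """Reject a signed request older than the TTL or stamped in the future."""
    ts = parse_timestamp(params)
    if ts - now > skew:
        raise InvalidRequest("timestamp is in the future")
    if now - ts > ttl:
        raise InvalidRequest("signed request is older than the TTL")
    return True

def effective_roles(creator_roles, access_blob, delegations):
    """Bug 1872735: keep only the creator's roles that the trust or app cred delegates."""
    roles = set(creator_roles)
    for label in SCOPE_LABELS:
        delegate_id = access_blob.get(label)
        if delegate_id is None:
            continue
        if delegate_id not in delegations:
            raise InvalidRequest("%s names an unknown delegation" % label)
        roles &= set(delegations[delegate_id])
    return sorted(roles)

def validate_blob_update(old_blob, new_blob):
    """Bug 1872755: the scope labels keystone sets automatically may not change."""
    for label in SCOPE_LABELS:
        if old_blob.get(label) != new_blob.get(label):
            raise InvalidRequest("%s may not be altered on update" % label)
    return True
```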
Bug Fixes
*********
* [bug 1856881 (https://bugs.launchpad.net/keystone/+bug/1856881)]
"keystone-manage bootstrap" can be run in upgrade scenarios where
pre-existing domain-specific roles exist named "admin", "member",
and "reader".
* [bug 1856904 (https://bugs.launchpad.net/keystone/+bug/1856904)]
The initiator object for CADF notifications will now always contain
the username for the user who initiated the action. Previously, the
initiator object only contained the user_id, which led to issues
mapping to users when using LDAP-backed identity providers. This
also helps the initiator object better conform to the OpenStack
standard for CADF.
* [bug 1856962 (https://bugs.launchpad.net/keystone/+bug/1856962)]
Fixes an issue where federated users could not authenticate if their
mapped group membership was empty.
* [bug 1858012 (https://bugs.launchpad.net/keystone/+bug/1858012)]
Fixes a bug in the /v3/role_assignments filtering where the
*role.id* query parameter didn't properly filter role assignments by
role in cases where there were multiple system role assignments.
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3
token requests vulnerable to replay attacks. The default TTL is 15
minutes but is configurable.
* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
Added validation to the EC2 credentials update API to ensure the
metadata labels 'trust_id' and 'app_cred_id' are not altered by the
user. These labels are used by keystone to determine the scope
allowed by the credential, and altering these automatic labels could
enable an EC2 credential holder to elevate their access beyond what
is permitted by the application credential or trust that was used to
create the EC2 credential.
* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
[bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed the token model to respect the roles authorized for OAuth1
access tokens. Previously, the list of roles authorized for an OAuth1
access token was ignored, so when an access token was used to
request a keystone token, the keystone token would contain every
role assignment the creator had for the project. This also fixed EC2
credentials to respect those roles as well.
Changes in keystone 16.0.0..16.0.1
----------------------------------
5c34cb6c7 Temporarily disable k2k tests on train and stein
54590544f Fix security issues with EC2 credentials
fe4d48d55 Ensure OAuth1 authorized roles are respected
e3f65d6fb Check timestamp of signed EC2 token request
40b7de87e Tell reno to ignore the kilo branch
3a59d3e28 Constraint dependencies for docs build
ac7432087 Add voting k2k tests
bd983f0c7 Always have username in CADF initiator
4d413f1eb Fix role_assignments role.id filter
51ff7be73 Ensure bootstrap handles multiple roles with the same name
c0d516228 Fix token auth error if federated_groups_id is empty list
bd3f63787 Fix credential list for project members
a16400f02 Fix line-length PEP8 errors for c7fae97
d5f9c681f Switch to opensuse-15 nodeset
0f6c6061b Import LDAP job into project
4752cd3fa Remove legacy protection tests
8f58ade5a Update TOX/UPPER_CONSTRAINTS_FILE for stable/train
e60f6ac2f Update .gitreview for stable/train
Diffstat (except docs and test files)
-------------------------------------
.gitignore | 2 +
.gitreview | 1 +
.zuul.yaml | 25 +-
devstack/lib/federation.sh | 9 +
keystone/api/_shared/EC2_S3_Resource.py | 75 +-
keystone/api/credentials.py | 99 +-
keystone/api/users.py | 22 +-
keystone/assignment/core.py | 8 +-
keystone/cmd/bootstrap.py | 8 +
keystone/conf/credential.py | 11 +-
keystone/identity/backends/ldap/common.py | 6 +-
keystone/models/token_model.py | 18 +
keystone/notifications.py | 18 +
keystone/token/provider.py | 2 +-
.../notes/bug-1855080-08b28181b7cb2470.yaml | 23 +
.../notes/bug-1856881-277103af343187f1.yaml | 7 +
.../notes/bug-1856904-101af15bb48eb3ca.yaml | 9 +
.../notes/bug-1856962-2c87d541da61c727.yaml | 6 +
.../notes/bug-1858012-584267ada7e33f2c.yaml | 7 +
.../notes/bug-1872733-2377f456a57ad32c.yaml | 16 +
.../notes/bug-1872735-0989e51d2248ce1e.yaml | 31 +
.../notes/bug-1872737-f8e1ad3b6705b766.yaml | 28 +
.../notes/bug-1872755-2c81d3267b89f124.yaml | 19 +
.../notes/bug-1873290-ff7f8e4cee15b75a.yaml | 19 +
reno.yaml | 4 +
tox.ini | 5 +-
41 files changed, 1297 insertions(+), 1765 deletions(-)