[release-announce] keystone 17.0.0 (ussuri)
no-reply at openstack.org
no-reply at openstack.org
Wed May 13 10:59:20 UTC 2020
We are excited to announce the release of:
keystone 17.0.0: OpenStack Identity
This release is part of the ussuri release series.
The source is available from:
https://opendev.org/openstack/keystone
Download the package from:
https://tarballs.openstack.org/keystone/
Please report issues through:
https://bugs.launchpad.net/keystone/+bugs
For more details, please see below.
17.0.0
^^^^^^
Upgrade Notes
*************
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Added a default TTL of 15 minutes for signed EC2 credential
requests, where previously an EC2 signed token request was valid
indefinitely. This change in behavior is needed to protect against
replay attacks.
Critical Issues
***************
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
Security Issues
***************
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3
token requests vulnerable to replay attacks. The default TTL is 15
minutes but is configurable.
* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
Added validation to the EC2 credentials update API to ensure the
metadata labels 'trust_id' and 'app_cred_id' are not altered by the
user. These labels are used by keystone to determine the scope
allowed by the credential, and altering these automatic labels could
enable an EC2 credential holder to elevate their access beyond what
is permitted by the application credential or trust that was used to
create the EC2 credential.
* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
[bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed the token model to respect the roles authorized OAuth1 access
tokens. Previously, the list of roles authorized for an OAuth1
access token were ignored, so when an access token was used to
request a keystone token, the keystone token would contain every
role assignment the creator had for the project. This also fixed EC2
credentials to respect those roles as well.
Bug Fixes
*********
* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
Fixed a critical security issue in which an authenticated user could
escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed a security issue in which a trustee or an application
credential user could create an EC2 credential or an application
credential that would permit them to get a token that elevated their
role assignments beyond the subset delegated to them in the trust or
application credential. A new attribute "app_cred_id" is now
automatically added to the access blob of an EC2 credential and the
role list in the trust or application credential is respected.
* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
Fixed an incorrect EC2 token validation implementation in which the
timestamp of the signed request was ignored, which made EC2 and S3
token requests vulnerable to replay attacks. The default TTL is 15
minutes but is configurable.
* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
Added validation to the EC2 credentials update API to ensure the
metadata labels 'trust_id' and 'app_cred_id' are not altered by the
user. These labels are used by keystone to determine the scope
allowed by the credential, and altering these automatic labels could
enable an EC2 credential holder to elevate their access beyond what
is permitted by the application credential or trust that was used to
create the EC2 credential.
* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
[bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
Fixed the token model to respect the roles authorized OAuth1 access
tokens. Previously, the list of roles authorized for an OAuth1
access token were ignored, so when an access token was used to
request a keystone token, the keystone token would contain every
role assignment the creator had for the project. This also fixed EC2
credentials to respect those roles as well.
Changes in keystone 16.0.0.0rc1..17.0.0
---------------------------------------
2f2736ebb Fix security issues with EC2 credentials
ba89d2779 Ensure OAuth1 authorized roles are respected
8d5becbe4 Check timestamp of signed EC2 token request
aef912187 Imported Translations from Zanata
61f60ed4c Update TOX_CONSTRAINTS_FILE for stable/ussuri
961b39c3e Update .gitreview for stable/ussuri
e45a75d62 Add schema placeholders for Ussuri
af916d9ba Remove Babel as requirement
f7c1a8494 Remove a note related to UUID tokens from example configuration
d23965aaf Update api-ref for federated objects in user
c18956f19 Expiring Group Memberships API - Allow set idp authorization_ttl
e723a1c16 Add federated support for updating a user
39d66ac78 Update contributors document keystone
1627c2828 Add federated support for creating a user
121ee8ce7 Stop configuring install_command in tox.
35e83918f Cleanup py27 support
652f02c8b Add federated support for get user
8153a9d59 Add expiring user group memberships on mapped authentication
d8938514f Expiring Group Membership Driver - Add, List Groups
ee54ba0ce Expiring User Group Membership Model
143f07f54 Community goal: Adding contributing.rst
ba8dd06e1 Parse cli args in get_enforcer
dda426b61 Add openstack_groups to assertion
6525203c1 Change time faking for totp test
34f6144a4 Document the "immutable" resource option
e5bab15a0 remove oslo-concurrency from requirements
b35459b29 drop mock from test-requirements
271c09bb5 Correcting api-ref for users
ba2e4b83e NIT: Fix spelling
0bbd2dd6f Copy shibboleth logs in federation jobs
a183badaa Ignore SQLAlchemy RemovedIn20Warning
8c99a90f3 Switch from mock to unittest.mock use
a6bb81146 Refactor some ldap code to implement TODOs
e715a4bbd Doc Cleanup
175cb0b64 Tell reno to ignore the kilo branch
13410383c Constraint dependencies for docs build
9ee3d337f Removing tempest-full from gate
5544bca8e Check if content-type contains http, not equals
2e97ec577 Add docs about bootstrapping immutable roles
3aacc4dfe Add domain admin grant test cases
da2804694 Default to bootstrapping roles as immutable
527b1587e Use inspect instead of Inspector.from_engine()
453004193 Remove six usage
9fed446b0 Updating tox -e all-plugin command
1db57944d Capture output from test run of policy generator
6dbf3a68b Cleanup doc/requirements.txt
95edaaab0 Always have username in CADF initiator
a4b7a6106 Fix duplicated words issue like "each each user_id"
25cf359e5 Ensure bootstrap handles multiple roles with the same name
c2d883066 Fix role_assignments role.id filter
150d3ef8b Fix release note link formatting
f0d964e66 Fix token auth error if federated_groups_id is empty list
01a8c1fca Update OIDC documentation to handle bearer access token flow
a950f9c37 Imported Translations from Zanata
58790d9dc Add docs for app cred access rules
90f6ff727 Remove python 2.7 specific library
2c0623bab Add name in GET API of application credentials
7597ecc13 Stop adding entry in local_user while updating ephemerals
5d6b8cb3d Fix api-ref roles response description
17c337dbd Fix credential list for project members
8c58b5b75 Fix application credential doc example
48f70150b Migrate grenade jobs to py3
72cbaa91f Start README.rst with a better title
f421a0f07 Drop old neutron-grenade job
a92885a98 Stop testing Python 2
d6977a0e9 Remove group deletion for non-sql driver when removing domains.
d75b2552b Refresh "how can I help?" doc
e2d83ae95 Re-enable line-length linter
19d4831da Fix line-length PEP8 errors for c7fae97
fb0be8e59 Add voting k2k tests
7debb1a30 Fix K2K auth flow diagram
5c71ebd7a Stop explicitly requiring pycodestyle
1d40b2e61 Add Source links to readme
acfb60249 Switch to opensuse-15 nodeset
5d54d2d93 Switch to official Ussuri jobs
9607ed326 Revert "Resource backend is SQL only now"
c4d609778 Drop project.id foreign keys
1f860f939 Fix sql migrate repo prefix check
e4626f4bc Add schema placeholders for Train
9d949e494 Overhaul the RBAC documentation for administrators
c7331ccd2 Fix wrong interface description
52ab0cf57 Import LDAP job into project
e894842a0 Update getting started guide
5f5f10630 Remove legacy protection tests
3b6accf18 Update token definitions
d4a6023de Remove policy.v3cloudsample.json
e383fb7e5 Imported Translations from Zanata
5b2b67f64 Fix misspell word
d435995c4 Update master for stable/train
Diffstat (except docs and test files)
-------------------------------------
.gitignore | 2 +
.gitreview | 1 +
.zuul.yaml | 49 +-
README.rst | 16 +-
api-ref/source/conf.py | 5 -
.../v3-ext/federation/identity-provider/idp.inc | 6 +-
.../federation/identity-provider/parameters.yaml | 9 +
.../identity-provider/samples/get-response.json | 3 +-
.../identity-provider/samples/update-response.json | 3 +-
api-ref/source/v3/application-credentials.inc | 1 +
api-ref/source/v3/domains.inc | 5 +
api-ref/source/v3/index.rst | 9 +
api-ref/source/v3/parameters.yaml | 115 +-
api-ref/source/v3/projects.inc | 7 +-
api-ref/source/v3/roles.inc | 13 +-
.../v3/samples/admin/domain-create-response.json | 3 +-
.../v3/samples/admin/domain-show-response.json | 3 +-
.../v3/samples/admin/domain-update-response.json | 3 +-
.../v3/samples/admin/project-create-request.json | 3 +-
.../v3/samples/admin/project-create-response.json | 3 +-
.../admin/project-show-parents-response.json | 1 +
.../v3/samples/admin/project-show-response.json | 3 +-
.../admin/project-show-subtree-response.json | 1 +
.../v3/samples/admin/project-update-response.json | 3 +-
.../v3/samples/admin/role-create-response.json | 3 +-
.../v3/samples/admin/role-show-response.json | 3 +-
.../v3/samples/admin/role-update-response.json | 3 +-
.../v3/samples/admin/user-create-request.json | 11 +
.../v3/samples/admin/user-create-response.json | 11 +
.../samples/admin/user-groups-list-response.json | 2 +
.../v3/samples/admin/user-show-response.json | 1 +
.../v3/samples/admin/user-update-response.json | 1 +
api-ref/source/v3/service-catalog.inc | 2 +-
api-ref/source/v3/users.inc | 23 +-
devstack/files/federation/attribute-map.xml | 1 +
devstack/lib/federation.sh | 9 +
.../admin/federation/configure_federation.rst | 13 +-
.../admin/federation/mapping_combinations.rst | 57 +-
etc/policy.v3cloudsample.json | 30 -
keystone/api/_shared/EC2_S3_Resource.py | 84 +-
keystone/api/_shared/authentication.py | 5 +-
keystone/api/_shared/saml.py | 24 +-
keystone/api/auth.py | 18 +-
keystone/api/credentials.py | 108 +-
keystone/api/discovery.py | 8 +-
keystone/api/domains.py | 22 +-
keystone/api/ec2tokens.py | 4 +-
keystone/api/endpoints.py | 6 +-
keystone/api/groups.py | 12 +-
keystone/api/limits.py | 6 +-
keystone/api/os_ep_filter.py | 16 +-
keystone/api/os_federation.py | 25 +-
keystone/api/os_inherit.py | 26 +-
keystone/api/os_oauth1.py | 12 +-
keystone/api/policy.py | 24 +-
keystone/api/projects.py | 26 +-
keystone/api/regions.py | 8 +-
keystone/api/registered_limits.py | 6 +-
keystone/api/roles.py | 12 +-
keystone/api/s3tokens.py | 10 +-
keystone/api/services.py | 6 +-
keystone/api/system.py | 14 +-
keystone/api/trusts.py | 25 +-
keystone/api/users.py | 42 +-
keystone/application_credential/backends/base.py | 5 +-
keystone/application_credential/backends/sql.py | 9 +-
keystone/assignment/backends/base.py | 5 +-
keystone/assignment/core.py | 12 +-
keystone/assignment/role_backends/base.py | 5 +-
keystone/auth/core.py | 20 +-
keystone/auth/plugins/base.py | 6 +-
keystone/auth/plugins/core.py | 17 +-
keystone/auth/plugins/external.py | 4 +-
keystone/auth/plugins/mapped.py | 12 +-
keystone/auth/plugins/token.py | 3 +-
keystone/auth/plugins/totp.py | 3 +-
keystone/catalog/backends/base.py | 6 +-
keystone/cmd/bootstrap.py | 18 +-
keystone/cmd/cli.py | 17 +-
keystone/cmd/doctor/ldap.py | 2 +-
keystone/common/manager.py | 4 +-
keystone/common/policies/endpoint_group.py | 8 +-
keystone/common/policies/grant.py | 28 +-
keystone/common/policies/policy_association.py | 39 +-
keystone/common/policies/trust.py | 12 +-
keystone/common/rbac_enforcer/enforcer.py | 2 +-
keystone/common/rbac_enforcer/policy.py | 7 +-
keystone/common/resource_options/core.py | 6 +-
.../014_contract_add_domain_id_to_user_table.py | 3 +-
...e_service_and_region_fk_for_registered_limit.py | 2 +-
..._contract_expand_update_pk_for_unified_limit.py | 2 +-
.../sql/contract_repo/versions/067_placeholder.py | 18 +
.../sql/contract_repo/versions/068_placeholder.py | 18 +
.../sql/contract_repo/versions/069_placeholder.py | 18 +
.../sql/contract_repo/versions/070_placeholder.py | 18 +
.../sql/contract_repo/versions/071_placeholder.py | 18 +
.../versions/072_contract_drop_domain_id_fk.py | 47 +
.../073_contract_expiring_group_membership.py | 15 +
.../sql/contract_repo/versions/074_placeholder.py | 18 +
.../sql/contract_repo/versions/075_placeholder.py | 18 +
.../sql/contract_repo/versions/076_placeholder.py | 18 +
.../sql/contract_repo/versions/077_placeholder.py | 18 +
.../sql/contract_repo/versions/078_placeholder.py | 18 +
keystone/common/sql/core.py | 9 +-
.../versions/067_placeholder.py | 18 +
.../versions/068_placeholder.py | 18 +
.../versions/069_placeholder.py | 18 +
.../versions/070_placeholder.py | 18 +
.../versions/071_placeholder.py | 18 +
.../versions/072_migrate_drop_domain_id_fk.py | 20 +
.../073_migrate_expiring_group_membership.py | 15 +
.../versions/074_placeholder.py | 18 +
.../versions/075_placeholder.py | 18 +
.../versions/076_placeholder.py | 18 +
.../versions/077_placeholder.py | 18 +
.../versions/078_placeholder.py | 18 +
...pand_add_application_credential_access_rules.py | 3 +-
...te_id_attribute_to_federation_protocol_table.py | 3 +-
.../sql/expand_repo/versions/067_placeholder.py | 18 +
.../sql/expand_repo/versions/068_placeholder.py | 18 +
.../sql/expand_repo/versions/069_placeholder.py | 18 +
.../sql/expand_repo/versions/070_placeholder.py | 18 +
.../sql/expand_repo/versions/071_placeholder.py | 18 +
.../versions/072_expand_drop_domain_id_fk.py | 20 +
.../073_expand_expiring_group_membership.py | 47 +
.../sql/expand_repo/versions/074_placeholder.py | 18 +
.../sql/expand_repo/versions/075_placeholder.py | 18 +
.../sql/expand_repo/versions/076_placeholder.py | 18 +
.../sql/expand_repo/versions/077_placeholder.py | 18 +
.../sql/expand_repo/versions/078_placeholder.py | 18 +
keystone/common/sql/upgrades.py | 3 +-
keystone/common/utils.py | 22 +-
keystone/common/validation/parameter_types.py | 5 +
keystone/common/validation/validators.py | 9 +-
keystone/conf/credential.py | 11 +-
keystone/conf/default.py | 3 +-
keystone/conf/federation.py | 10 +
keystone/conf/memcache.py | 5 +-
keystone/conf/resource.py | 8 -
keystone/credential/backends/base.py | 4 +-
keystone/credential/backends/sql.py | 3 +-
keystone/credential/providers/core.py | 5 +-
keystone/credential/providers/fernet/core.py | 5 +-
keystone/endpoint_policy/backends/base.py | 4 +-
keystone/exception.py | 56 +-
keystone/federation/backends/base.py | 5 +-
keystone/federation/backends/sql.py | 19 +-
keystone/federation/core.py | 2 +-
keystone/federation/idp.py | 26 +-
keystone/federation/schema.py | 2 +
keystone/federation/utils.py | 79 +-
keystone/identity/backends/base.py | 5 +-
keystone/identity/backends/ldap/common.py | 74 +-
keystone/identity/backends/ldap/core.py | 3 +-
keystone/identity/backends/resource_options.py | 4 +-
keystone/identity/backends/sql.py | 54 +-
keystone/identity/backends/sql_model.py | 46 +-
keystone/identity/core.py | 152 +-
keystone/identity/generator.py | 5 +-
keystone/identity/mapping_backends/base.py | 6 +-
keystone/identity/schema.py | 24 +
keystone/identity/shadow_backends/base.py | 60 +-
keystone/identity/shadow_backends/sql.py | 54 +
keystone/limit/backends/base.py | 5 +-
keystone/limit/models/base.py | 4 +-
keystone/locale/de/LC_MESSAGES/keystone.po | 123 +-
keystone/locale/en_GB/LC_MESSAGES/keystone.po | 237 +-
keystone/locale/es/LC_MESSAGES/keystone.po | 72 +-
keystone/locale/fr/LC_MESSAGES/keystone.po | 75 +-
keystone/locale/it/LC_MESSAGES/keystone.po | 73 +-
keystone/locale/ja/LC_MESSAGES/keystone.po | 74 +-
keystone/locale/ko_KR/LC_MESSAGES/keystone.po | 68 +-
keystone/locale/pt_BR/LC_MESSAGES/keystone.po | 73 +-
keystone/locale/ru/LC_MESSAGES/keystone.po | 71 +-
keystone/locale/tr_TR/LC_MESSAGES/keystone.po | 47 +-
keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 67 +-
keystone/locale/zh_TW/LC_MESSAGES/keystone.po | 67 +-
keystone/models/receipt_model.py | 5 +-
keystone/models/token_model.py | 23 +-
keystone/notifications.py | 18 +
keystone/oauth1/backends/base.py | 5 +-
keystone/oauth1/validator.py | 4 +-
keystone/policy/backends/base.py | 4 +-
keystone/receipt/handlers.py | 4 +-
keystone/receipt/provider.py | 3 +-
keystone/receipt/providers/base.py | 5 +-
keystone/receipt/receipt_formatters.py | 32 +-
keystone/resource/backends/base.py | 5 +-
keystone/resource/backends/sql.py | 2 -
keystone/resource/backends/sql_model.py | 3 +-
keystone/resource/config_backends/base.py | 5 +-
keystone/resource/core.py | 14 +-
keystone/revoke/backends/base.py | 4 +-
keystone/server/flask/application.py | 7 +-
keystone/server/flask/common.py | 10 +-
.../request_processing/middleware/auth_context.py | 19 +-
.../protection/v3/test_application_credential.py | 24 +-
.../unit/application_credential/test_backends.py | 9 +-
.../unit/identity/backends/test_ldap_common.py | 2 +-
.../unit/receipt/test_receipt_serialization.py | 3 +-
.../test_associate_project_endpoint_extension.py | 114 +-
keystone/token/provider.py | 8 +-
keystone/token/providers/base.py | 5 +-
keystone/token/token_formatters.py | 48 +-
keystone/trust/backends/base.py | 5 +-
keystone/trust/backends/sql.py | 1 -
keystone/trust/core.py | 2 -
keystone/version.py | 2 +-
lower-constraints.txt | 4 +-
.../keystone-dsvm-grenade-multinode/run.yaml | 1 +
.../notes/bug-1641625-fe463874dc5edb10.yaml | 7 +
.../notes/bug-1806762-08ff9eecdc03c554.yaml | 21 +
.../notes/bug-1809116-b65502f3b606b060.yaml | 19 +
.../notes/bug-1816076-ba39508e6ade529e.yaml | 15 +
.../notes/bug-1823258-9649b56a440b5ae1.yaml | 10 +
.../notes/bug-1848238-f6533644f7907358.yaml | 6 +
.../notes/bug-1848342-317c9e4afa65a3ff.yaml | 23 +
.../notes/bug-1855080-08b28181b7cb2470.yaml | 23 +
.../notes/bug-1856881-277103af343187f1.yaml | 7 +
.../notes/bug-1856904-101af15bb48eb3ca.yaml | 9 +
.../notes/bug-1856962-2c87d541da61c727.yaml | 6 +
.../notes/bug-1858012-584267ada7e33f2c.yaml | 7 +
.../notes/bug-1872733-2377f456a57ad32c.yaml | 16 +
.../notes/bug-1872735-0989e51d2248ce1e.yaml | 31 +
.../notes/bug-1872737-f8e1ad3b6705b766.yaml | 28 +
.../notes/bug-1872755-2c81d3267b89f124.yaml | 19 +
.../notes/bug-1873290-ff7f8e4cee15b75a.yaml | 19 +
.../notes/drop-project-id-fk-b683b414e1585be8.yaml | 9 +
.../removed-as-of-ussuri-d2f6ef8901ef54ed.yaml | 6 +
.../notes/resource-driver-33793dd5080ee4d2.yaml | 6 +
.../use-correct-inspect-8142e317c1e39c2a.yaml | 8 +
releasenotes/source/conf.py | 13 +-
releasenotes/source/index.rst | 1 +
.../locale/en_GB/LC_MESSAGES/releasenotes.po | 1699 ----------
.../source/locale/ja/LC_MESSAGES/releasenotes.po | 3423 --------------------
releasenotes/source/train.rst | 6 +
reno.yaml | 4 +
requirements.txt | 8 +-
setup.cfg | 18 +-
setup.py | 9 -
test-requirements.txt | 3 -
tools/fast8.sh | 2 +-
tox.ini | 30 +-
356 files changed, 7282 insertions(+), 11229 deletions(-)
Requirements updates
--------------------
diff --git a/requirements.txt b/requirements.txt
index 36a0cdc68..2fa9509f8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,4 +4,0 @@
-# Temporarily add Babel reference to avoid problem
-# in keystone-coverage-db CI job
-Babel!=2.4.0,>=2.3.4 # BSD
-
@@ -14 +9,0 @@ cryptography>=2.1 # BSD/Apache-2.0
-six>=1.10.0 # MIT
@@ -24 +18,0 @@ oslo.cache>=1.26.0 # Apache-2.0
-oslo.concurrency>=3.26.0 # Apache-2.0
@@ -32 +26 @@ oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=2.3.0 # Apache-2.0
+oslo.policy>=3.0.2 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index a86a1fa44..3e53e2553 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -7 +6,0 @@ pep257==0.7.0 # MIT License
-pycodestyle>=2.0.0 # MIT License
@@ -23,2 +21,0 @@ lxml!=3.7.0,>=3.4.1 # BSD
-# mock object framework
-mock>=2.0.0 # BSD
More information about the Release-announce
mailing list