[release-announce] barbican 10.1.0 (ussuri)

no-reply at openstack.org no-reply at openstack.org
Tue Aug 31 14:34:48 UTC 2021


We are psyched to announce the release of:

barbican 10.1.0: OpenStack Secure Key Management

This release is part of the ussuri stable release series.

The source is available from:

    https://opendev.org/openstack/barbican

Download the package from:

    https://tarballs.openstack.org/barbican/

Please report issues through:

    https://bugs.launchpad.net/barbican/+bugs

For more details, please see below.

10.1.0
^^^^^^


New Features
************

* Added two options for the PKCS#11 Crypto Plugin:
  *[p11_crypto_plugin]/token_serial_number* and
  *[p11_crypto_plugin]/token_label*.  Both are optional and can be
  used instead of *[p11_crypto_plugin]/slot_id* to identify the Token
  to be used by the PKCS#11 plugin.  When either one of the new
  options is defined the plugin will search all slots on the PKCS#11
  device for a token that matches the given value.
  *token_serial_number* has the highest precedence and other values
  will be ignored when this value is set.  If *token_serial_number* is
  not set, then *token_label* has the next highest precedence and
  *slot_id* will be ignored. *slot_id* will be used when neither one
  of the new options is set.

* Added a new boolean option to the PKCS#11 backend:
  *os_locking_ok*. When set to True, the flag CKF_OS_LOCKING_OK will
  be passed to the C_Initialize function.  The new option defaults to
  False.

* A new "token_labels" option has been added to the PKCS#11 driver
  which supersedes the previous "token_label" option.  The new option
  is used to specify a list of tokens that can be used by Barbican.
  This is required for some HSM devices that use separate tokens for
  load balancing.  For most use cases the new option will just have a
  single token.  The old option is deprecated, but will still be used
  if present.

* The hsm subcommand for the barbican-manage command line tool no
  longer requires any parameters at run time.  Any value needed by
  the PKCS#11 plugin will be taken from
  /etc/barbican/barbican.conf. You may continue to specify any values
  on the command line, and those will take precedence over the values
  specified in barbican.conf, so any existing scripts that use
  barbican-manage should continue to work as expected.


Deprecation Notes
*****************

* The "token_label" option in the PKCS#11 driver is deprecated.  The
  new "token_labels" option should be used instead.  If present,
  "token_label" will still be used by appending it to "token_labels".
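
The token selection precedence from the New Features notes, combined with
the "token_label" appending described above, as an added sketch that is not
Barbican's own code. The Token class, select_slots(), effective_labels() and
the sample tokens are hypothetical; failing when nothing is configured or
nothing matches is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Token:
    slot_id: int
    label: str          # CK_TOKEN_INFO.label: 32 chars, blank-padded
    serial_number: str  # CK_TOKEN_INFO.serialNumber: 16 chars, blank-padded


def effective_labels(token_labels: Sequence[str] = (),
                     token_label: Optional[str] = None) -> List[str]:
    """The deprecated token_label, if present, is appended to token_labels."""
    labels = list(token_labels)
    if token_label:
        labels.append(token_label)
    return labels


def select_slots(tokens: Sequence[Token], token_serial_number=None,
                 token_labels=(), token_label=None,
                 slot_id=None) -> Tuple[str, List[int]]:
    """Return (selector used, matching slot ids) per the documented precedence."""
    labels = effective_labels(token_labels, token_label)
    if token_serial_number:
        # Highest precedence: labels and slot_id are ignored.
        selector = "token_serial_number"
        matches = [t.slot_id for t in tokens
                   if t.serial_number.rstrip() == token_serial_number]
    elif labels:
        # Next precedence: slot_id is ignored; every slot is searched.
        selector = "token_labels"
        matches = [t.slot_id for t in tokens if t.label.rstrip() in labels]
    elif slot_id is not None:
        return "slot_id", [slot_id]
    else:
        raise ValueError("no token selector configured")  # sketch assumption
    if not matches:
        raise LookupError(f"{selector} matched no token on the device")
    return selector, matches


# Constructed sample: two load-balanced tokens plus one unrelated token.
SAMPLE = [
    Token(0, "barbican-a".ljust(32), "SN0001".ljust(16)),
    Token(1, "barbican-b".ljust(32), "SN0002".ljust(16)),
    Token(5, "other-app".ljust(32), "SN0003".ljust(16)),
]
```
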


Bug Fixes
*********

* Fixed Story #2008649: Correctly reinitialize PKCS11 object after
  secondary failures.

* Fixed Story #2007732: Migrations broken on MySQL 8.x.

Changes in barbican 10.0.0..10.1.0
----------------------------------

7cf483e2 Allow multiple token labels for PKCS#11 driver
475074a4 Fix PKCS#11 reinitialization after failure
87822c14 Use system locks in pkcs11 library
35f13677 Drop lower-constraints job to unblock gate
48ea3222 Use barbican.conf in barbican-manage
1e2a1271 Use serial number or label for PKCS#11 tokens
c34591cd Rebase alembic migrations
5214aecc Update TOX_CONSTRAINTS_FILE for stable/ussuri
0c891b74 Update .gitreview for stable/ussuri


Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |   1 +
.zuul.yaml                                         | 163 ++-----
barbican/cmd/barbican_manage.py                    | 198 ++++----
...20ccbe7fa_remove_transport_keys_column_from_.py |  30 --
...127569afa_create_secret_store_metadata_table.py |  50 --
...9933643_add_project_column_to_consumer_table.py |  46 --
...687_fill_project_id_to_secrets_where_missing.py |  73 ---
.../versions/1a0c2cdafb38_initial_version.py       |  28 --
...f79559e3_new_secret_and_container_acl_tables.py | 118 -----
.../1bc885808c76_add_project_id_to_secrets.py      |  36 --
.../1bece815014f_remove_projectsecret_table.py     |  30 --
...f328bfce0_fixing_composite_primary_keys_and_.py |  97 ----
...8af2dd_add_new_columns_type_meta_containerid.py |  37 --
...5565185_removing_redundant_fields_from_order.py |  35 --
...e0c5f_change_keystone_id_for_external_id_in_.py |  33 --
.../2843d6469f25_add_sub_status_info_for_orders.py |  36 --
...3f5371bde_dsa_in_container_type_modelbase_to.py |  49 --
.../2d21598e7e70_added_ca_related_tables.py        | 116 -----
...95d7_remove_size_limits_on_meta_table_values.py |  41 --
.../30dba269cc64_update_order_retry_tasks_table.py |  64 ---
.../39a96e67e990_add_missing_constraints.py        |  47 --
...f2e645cba_model_for_multiple_backend_support.py |  75 ---
.../versions/39cf2e645cba_ocata_rebase.py          | 530 +++++++++++++++++++++
...040bfe_add_owning_project_and_creator_to_cas.py |  38 --
...36a26b88af_add_order_barbican_metadata_table.py |  48 --
...6f6972_add_orders_plugin_metadata_table_and_.py |  48 --
...f4a69ac_added_secret_type_column_to_secrets_.py |  32 --
.../46b98cde536_add_project_quotas_table.py        |  58 ---
...9e523451_made_plugin_names_in_kek_datum_non_.py |  32 --
...3a72a_add_cas_column_to_project_quotas_table.py |  33 --
...457517a3_rename_acl_creator_only_to_project_.py |  45 --
.../795737bb3c3_change_tenants_to_projects.py      |  95 ----
.../versions/aa2cf96a1d5_add_orderretrytask.py     |  43 --
.../cd4106a1a0_add_cert_to_container_type.py       |  34 --
.../versions/d2780d5aa510_change_url_length.py     |  35 --
.../dce488646127_add_secret_user_metadata.py       |  52 --
.../alembic_migrations/versions/juno_initial.py    |  44 --
.../alembic_migrations/versions/kilo_release.py    |  31 --
barbican/plugin/crypto/p11_crypto.py               |  85 +++-
barbican/plugin/crypto/pkcs11.py                   | 150 +++++-
devstack/settings                                  |   2 +
.../api/v1/functional/test_consumers.py            |   2 +-
.../api/v1/functional/test_containers.py           |   4 +-
.../add-new-pkcs11-options-fc7bb625998e91fc.yaml   |  14 +
.../add-os-locking-ok-option-d0cfc5883355632a.yaml |   6 +
...tiple-pkcs11-token-labels-61b63e34b7c8cc1a.yaml |  14 +
...einitialize-pkcs11-object-4c0dc51c83288c21.yaml |   5 +
.../fixed-mysql-migrations-23221671ba17ea5e.yaml   |   4 +
...n-conf-in-barbican-manage-52035c1cdbfc5a26.yaml |  10 +
tox.ini                                            |   3 +-
60 files changed, 1210 insertions(+), 1950 deletions(-)






