[release-announce] keystone 16.0.2 (train)

no-reply at openstack.org no-reply at openstack.org
Mon Jun 7 12:45:36 UTC 2021


We are pleased to announce the release of:

keystone 16.0.2: OpenStack Identity

This release is part of the train stable release series.

The source is available from:

    https://opendev.org/openstack/keystone

Download the package from:

    https://tarballs.openstack.org/keystone/

Please report issues through:

    https://bugs.launchpad.net/keystone/+bugs

For more details, please see below.

16.0.2
^^^^^^


Security Issues
***************

* [bug 1901207 (https://bugs.launchpad.net/keystone/+bug/1901207)]
  Policy enforcement for application credentials has been updated to
  protect against invalid ownership checks that allowed unauthorized
  users to get and delete application credentials belonging to other
  users.
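As an added illustration of the ownership-check class of bug described above (this is not keystone's code: the policy rule, the enforce() helper, the in-memory credential store and the not-found handling are assumptions made for the example), the following contrasts a handler that builds its policy target from the caller-supplied user ID in the URL path with one that uses the stored credential's real owner:

```python
"""Ownership check for application credentials.  Added illustration, not
keystone's code: the policy rule, enforce() and the data shapes are
simplified assumptions.  Keystone's real enforcement goes through
oslo.policy; the shape of the mistake is what matters here."""

# Constructed sample data: two users, each owning one application credential.
APP_CREDS = {
    "cred-alice": {"id": "cred-alice", "user_id": "alice"},
    "cred-bob": {"id": "cred-bob", "user_id": "bob"},
}


def enforce(caller_user_id, target):
    """Assumed policy: a user may act on a credential only if the target's
    user_id equals the caller's (think rule "user_id:%(target.user_id)s")."""
    if caller_user_id != target["user_id"]:
        raise PermissionError("Forbidden")


def get_app_cred_vulnerable(caller_user_id, path_user_id, cred_id):
    """Builds the policy target from the user_id in the URL path.  The caller
    controls that path segment, so putting their own ID there satisfies the
    ownership rule no matter who actually owns cred_id."""
    cred = APP_CREDS[cred_id]
    enforce(caller_user_id, {"user_id": path_user_id})
    return cred


def get_app_cred_fixed(caller_user_id, path_user_id, cred_id):
    """Builds the policy target from the stored credential's user_id, so the
    rule compares the caller against the real owner.  A credential that does
    not belong to the path user is reported as not found (assumed handling)."""
    cred = APP_CREDS[cred_id]
    enforce(caller_user_id, {"user_id": cred["user_id"]})
    if cred["user_id"] != path_user_id:
        raise LookupError("Not Found")
    return cred


def outcome(handler, caller_user_id, path_user_id, cred_id):
    """Run a handler and return a short label for what the client observes."""
    try:
        handler(caller_user_id, path_user_id, cred_id)
        return "allowed"
    except PermissionError:
        return "forbidden"
    except LookupError:
        return "not found"
```

The same target-selection mistake applies to the delete path: whatever attribute the policy rule compares against must come from the object being acted on, never from a request parameter the caller chooses.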


Bug Fixes
*********

* [bug 1688137 (https://bugs.launchpad.net/keystone/+bug/1688137)]
  Fixed the AccountLocked exception being shown to the end user, since
  it provides information that could be exploited by a malicious user.
  The end user will now see Unauthorized instead of AccountLocked,
  preventing the response from being used as a user-information oracle.

* [bug 1878938 (https://bugs.launchpad.net/keystone/+bug/1878938)]
  Previously, when a role that had system role assignments was deleted,
  those assignments were left behind in the system_assignment table.
  This caused keystone to return *HTTP 404 Not Found* errors when
  listing role assignments with names (e.g., *--names* or
  *?include_names*).

  If you are affected by this bug, you must remove the stale role
  assignments manually. The following is an example SQL statement you
  can use to fix the issue, but you should verify its applicability
  to your deployment's SQL implementation and version, take a backup
  first, and run it inside a transaction.

  SQL:
     delete from system_assignment where role_id not in (select id
     from role);

* [bug 1885753 (https://bugs.launchpad.net/keystone/+bug/1885753)]
  Keystone's SQL identity backend now retries update user requests to
  safely handle stale data when two clients update a user at the same
  time.

* [bug 1889936 (https://bugs.launchpad.net/keystone/+bug/1889936)]
  Properly decode octet strings, or byte arrays, returned from LDAP.

* [bug 1896125 (https://bugs.launchpad.net/keystone/+bug/1896125)]
  Introduced more robust connection handling for asynchronous LDAP
  requests to address memory leaks fetching data from LDAP backends
  with low page sizes.

* [bug 1901654 (https://bugs.launchpad.net/keystone/+bug/1901654)]
  Previously, generate_public_ID() in sha256.py assumed the passed
  argument was of str type. However, python-ldap 3.0 or later returns
  attribute values as bytes, except for distinguished names, relative
  distinguished names, attribute names and queries. If keystone running
  on Python 3 is integrated with LDAP and the attribute used as the
  local ID is returned as bytes, user login operations failed because
  of that assumption and the change in python-ldap. With this fix,
  generate_public_ID() properly handles a bytes parameter.
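Bug 1688137 above is about the error boundary rather than the lockout itself. As an added example (not keystone's authentication code: the threshold, the exception names, the in-memory user store and the response strings are assumptions), the following shows why relaying the backend's AccountLocked exception gives a client an oracle, and how collapsing every failure to Unauthorized at the API boundary removes it while keeping the detail in server-side logs:

```python
"""Uniform authentication failures.  Added illustration, not keystone's
code: LOCKOUT_FAILURE_COUNT, the exception classes, USERS and the response
strings are assumptions for the example."""

import logging

LOCKOUT_FAILURE_COUNT = 3  # assumed threshold

# Constructed user store: password and running failure count.
USERS = {
    "alice": {"password": "s3cret", "failures": 0},
}


class Unauthorized(Exception):
    """The only failure an end user should ever see."""


class AccountLocked(Exception):
    """Internal: the account exceeded the failure threshold."""


def _check_password(username, password):
    """Backend check that legitimately distinguishes a locked account from a
    bad password.  It raises AccountLocked before looking at the password at
    all, which is exactly the distinction a client must not be able to see."""
    user = USERS.get(username)
    if user is None:
        raise Unauthorized()
    if user["failures"] >= LOCKOUT_FAILURE_COUNT:
        raise AccountLocked()
    if user["password"] != password:
        user["failures"] += 1
        raise Unauthorized()
    user["failures"] = 0
    return True


def login_leaky(username, password):
    """Pre-fix behaviour: the backend exception is relayed as the response.
    Seeing 'AccountLocked' confirms the account exists and that the
    attacker's guesses were counted, an oracle for user enumeration."""
    try:
        _check_password(username, password)
        return "OK"
    except AccountLocked:
        return "AccountLocked"
    except Unauthorized:
        return "Unauthorized"


def login_fixed(username, password):
    """Post-fix behaviour: every failure collapses to 'Unauthorized'.  The
    lockout is still recorded server-side where operators can see it."""
    try:
        _check_password(username, password)
        return "OK"
    except AccountLocked:
        logging.getLogger(__name__).info("account locked: %s", username)
        return "Unauthorized"
    except Unauthorized:
        return "Unauthorized"


def probe(login):
    """Drive one login function past the lockout threshold with a known
    user, then try an unknown user, and return what the client observes."""
    USERS["alice"]["failures"] = 0  # reset the constructed state
    seen = [login("alice", "wrong") for _ in range(LOCKOUT_FAILURE_COUNT + 1)]
    seen.append(login("nobody", "wrong"))
    return seen
```

With the leaky handler the fourth response for "alice" differs from every response for "nobody"; with the fixed handler the two users are indistinguishable from the outside. Keystone's own lockout is configured differently; the point is where the distinct exception stops.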
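For bug 1878938 above, the stale-row condition and the cleanup statement can be rehearsed offline before anything is run against a production database. The following is an added example, not keystone's schema, migration or tooling: the two tables are a simplified assumption that only borrows the table names from the release note, and everything runs in an in-memory SQLite database:

```python
"""Finding and removing stale system role assignments.  Added illustration,
not keystone's code: the schema is a simplified assumption modelled on the
table names in the release note and runs in an in-memory SQLite database."""

import sqlite3

SCHEMA = """
CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE system_assignment (
    type TEXT NOT NULL, actor_id TEXT NOT NULL, target_id TEXT NOT NULL,
    role_id TEXT NOT NULL, inherited INTEGER NOT NULL DEFAULT 0
);
"""


def build_db():
    """Constructed state: role 'admin' still exists; role 'reader' was
    deleted but its system assignment row was left behind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO role VALUES ('r-admin', 'admin')")
    conn.executemany(
        "INSERT INTO system_assignment VALUES (?, ?, ?, ?, 0)",
        [("UserSystem", "alice", "system", "r-admin"),
         ("UserSystem", "bob", "system", "r-reader")],  # r-reader is gone
    )
    return conn


def list_assignments_with_names(conn):
    """Analogue of listing with --names: joining to role.  The stale row has
    no role to name, which is what surfaced as an HTTP 404 in keystone."""
    return conn.execute(
        "SELECT sa.actor_id, r.name FROM system_assignment sa "
        "LEFT JOIN role r ON r.id = sa.role_id ORDER BY sa.actor_id"
    ).fetchall()


def find_stale(conn):
    """Dry run first: list exactly the rows the cleanup would delete."""
    return conn.execute(
        "SELECT actor_id, role_id FROM system_assignment "
        "WHERE role_id NOT IN (SELECT id FROM role)"
    ).fetchall()


def delete_stale(conn):
    """The cleanup statement from the release note; returns rows removed."""
    cur = conn.execute(
        "DELETE FROM system_assignment WHERE role_id NOT IN (SELECT id FROM role)"
    )
    conn.commit()
    return cur.rowcount
```

On a real deployment, run the dry-run SELECT first and compare its row count with what DELETE reports. NOT IN behaves differently across engines when the subquery can yield NULL; that cannot happen here because role.id is a primary key, but check it if your schema differs.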
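Bugs 1889936 and 1901654 above both stem from python-ldap 3.x returning attribute values as bytes. As an added example that serves both notes (it is not keystone's LDAP backend or its sha256 ID generator; the entry, the attribute names, the binary-attribute set and the hashing scheme are assumptions made for illustration), the following normalises a raw result and derives a public ID from a local ID given as either str or bytes:

```python
"""Handling bytes from python-ldap 3.x.  Added illustration, not keystone's
LDAP backend code: RAW_ENTRY, BINARY_ATTRS and the SHA-256 derivation are
assumptions for the example."""

import hashlib

# Constructed LDAP entry in the shape python-ldap 3.x returns: attribute
# values are bytes even for plain text; objectGUID is genuinely binary.  One
# value is left as str to stand in for an older python-ldap.
RAW_ENTRY = {
    "uid": [b"alice"],
    "mail": [b"alice@example.org"],
    "displayName": ["Alice"],
    "objectGUID": [b"\x8f\x01\xff\x10"],  # not valid UTF-8, must stay bytes
}

BINARY_ATTRS = {"objectGUID"}  # assumed set of attributes kept as bytes


def decode_attr_values(entry, binary_attrs=BINARY_ATTRS):
    """Normalise an LDAP result: decode UTF-8 octet strings to str, leave
    declared-binary attributes and undecodable values as bytes, and pass
    values that are already str through unchanged."""
    out = {}
    for name, values in entry.items():
        decoded = []
        for value in values:
            if name in binary_attrs or not isinstance(value, bytes):
                decoded.append(value)
                continue
            try:
                decoded.append(value.decode("utf-8"))
            except UnicodeDecodeError:
                decoded.append(value)  # keep raw rather than crash or mangle
        out[name] = decoded
    return out


def generate_public_id(local_id):
    """Accept str or bytes; encode only when given text.  A version that
    calls local_id.encode() unconditionally breaks on the bytes values
    python-ldap 3.x returns, which is the failure mode of bug 1901654."""
    if isinstance(local_id, str):
        local_id = local_id.encode("utf-8")
    elif not isinstance(local_id, bytes):
        raise TypeError("local_id must be str or bytes")
    return hashlib.sha256(local_id).hexdigest()


def public_id_for(entry, id_attr="uid"):
    """Derive the public ID from a raw entry after normalisation; the same
    ID results whether the attribute arrived as str or bytes."""
    return generate_public_id(decode_attr_values(entry)[id_attr][0])
```

The important property is that the public ID does not depend on which python-ldap version produced the entry: a str and its UTF-8 encoding must hash identically, or every user's ID would change on upgrade.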

Changes in keystone 16.0.1..16.0.2
----------------------------------

1b573ae7d Hide AccountLocked exception from end users
328cf33aa Retry update_user when sqlalchemy raises StaleDataErrors
f10ff1c9a Support bytes type in generate_public_ID()
9c879d46b Use app cred user ID in policy enforcement
b49a465ed Drop lower-constraints job
9beb3a580 Properly handle octet (byte) strings when converting LDAP responses
105f95795 Implement more robust connection handling for asynchronous LDAP calls
e8b477847 Delete system role assignments from system_assignment table
28d2dd19e Make opensuse jobs nonvoting
fb7d54543 Fix lower-constraint for PyMySQL
13f965e1f fix link in release note of bug/1794527
247227f3f Change time faking for totp test
7eeb144b7 Stop explicitly requiring pycodestyle
184bb8289 Revert "Temporarily disable k2k tests on train and stein"
93f548a72 Refactor some ldap code to implement TODOs


Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         |   1 -
keystone/api/users.py                              |  47 +++++-
keystone/assignment/backends/sql.py                |   5 +
keystone/identity/backends/ldap/common.py          | 161 +++++++++++++--------
keystone/identity/backends/sql.py                  |   8 +
keystone/identity/id_generators/sha256.py          |  10 +-
keystone/notifications.py                          |   2 +
.../protection/v3/test_application_credential.py   |  66 +++++++++
.../unit/identity/backends/test_ldap_common.py     |  14 ++
lower-constraints.txt                              |   8 +-
.../notes/bug-1688137-e4203c9a728690a7.yaml        |   8 +
.../notes/bug-1794527-866b1caff67977f3.yaml        |   2 +-
.../notes/bug-1878938-70ee2af6fdf66004.yaml        |  16 ++
.../notes/bug-1885753-51df25f3ff1d9ae8.yaml        |   6 +
.../notes/bug-1889936-78d6853b5212b8f1.yaml        |   5 +
.../notes/bug-1896125-b17a4d12730fe493.yaml        |   7 +
.../notes/bug-1901207-13762f85b8a04481.yaml        |   7 +
.../notes/bug-1901654-69b9f35d11cd0c75.yaml        |  10 ++
setup.cfg                                          |   3 +-
test-requirements.txt                              |   1 -
27 files changed, 397 insertions(+), 85 deletions(-)


Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index a86a1fa44..6cdc34d31 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -7 +6,0 @@ pep257==0.7.0 # MIT License
-pycodestyle>=2.0.0 # MIT License
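Review bot: with the explicit pycodestyle>=2.0.0 line removed, test-requirements.txt no longer states any minimum pycodestyle version, so the version used by the lint job is whatever the linter that depends on it resolves transitively; confirm that lower-constraints.txt (which the diffstat shows also changed in this release) no longer pins pycodestyle either, so the two files cannot drift apart, and that the pep8 job still passes with the transitively resolved version.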





