We are stoked to announce the release of: keystone 17.0.1: OpenStack Identity This release is part of the ussuri stable release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. 17.0.1 ^^^^^^ Security Issues *************** * [bug 1901207 (https://bugs.launchpad.net/keystone/+bug/1901207)] Policy enforcement for application credentials has been updated to protect against invalid ownership checks resulting in unauthorized users being able to get and delete application credentials for other users. Bug Fixes ********* * [bug 1688137 (https://bugs.launchpad.net/keystone/+bug/1688137)] Fixed the AccountLocked exception being shown to the end user since it provides some information that could be exploited by a malicious user. The end user will now see Unauthorized instead of AccountLocked, preventing user info oracle exploitation. * [bug 1878938 (https://bugs.launchpad.net/keystone/+bug/1878938)] Previously when a user used to have system role assignment and tries to delete the same role, the system role assignments still existed in system_assignment table. This causes keystone to return *HTTP 404 Not Found* errors when listing role assignments with names (e.g., *--names* or *?include_names*). If you are affected by this bug, you must remove stale role assignments manually. The following is an example SQL statement you can use to fix the issue, but you should verify it's applicability to your deployment's SQL implementation and version. SQL: * delete from system_assignment where role_id not in (select id from role); * [bug 1885753 (https://bugs.launchpad.net/keystone/+bug/1885753)] Keystone's SQL identity backend now retries update user requests to safely handle stale data when two clients update a user at the same time. * [bug 1889936 (https://bugs.launchpad.net/keystone/+bug/1889936)] Properly decode octet strings, or byte arrays, returned from LDAP. * [bug 1896125 (https://bugs.launchpad.net/keystone/+bug/1896125)] Introduced more robust connection handling for asynchronous LDAP requests to address memory leaks fetching data from LDAP backends with low page sizes. * [bug 1901654 (https://bugs.launchpad.net/keystone/+bug/1901654)] Previously, generate_public_ID() in sha256.py assumed the passed arguments is str data type. However, python-ldap 3.0 or later returns bytes data type for attribute values except fields of distinguished names, relative distinguished names, attribute names, queries. If keystone running on Python3 is integrated with LDAP and the LDAP server has local_id variable in its attribute, user login operations will fail due to the assumption and modifiation of python-ldap. By this fix, generate_public_ID() properly handles bytes data type in the parameter. Changes in keystone 17.0.0..17.0.1 ---------------------------------- 8ab4eb27b Hide AccountLocked exception from end users 07d3a3d3f Retry update_user when sqlalchemy raises StaleDataErrors 6b739ffc3 Use app cred user ID in policy enforcement d55c6c705 Drop lower-constraints job f4819fe36 Support bytes type in generate_public_ID() 7ac089137 Delete system role assignments from system_assignment table 35c7406bf Implement more robust connection handling for asynchronous LDAP calls c202bd506 Add vine to lower-constraints d5870f69c Properly handle octet (byte) strings when converting LDAP responses 300e79e93 Fix lower-constraint for PyMySQL 1c37797c5 Port the grenade multinode job to Zuul v3 6b8e036ba Fix UserNotFound exception for expiring groups 1f0603598 Switch to new grenade job name Diffstat (except docs and test files) ------------------------------------- .zuul.yaml | 23 ++-- keystone/api/users.py | 47 +++++++- keystone/assignment/backends/sql.py | 5 + keystone/identity/backends/ldap/common.py | 118 ++++++++++++++------- keystone/identity/backends/sql.py | 8 ++ keystone/identity/id_generators/sha256.py | 10 +- keystone/identity/shadow_backends/sql.py | 2 +- keystone/notifications.py | 2 + .../protection/v3/test_application_credential.py | 66 ++++++++++++ .../unit/identity/backends/test_ldap_common.py | 14 +++ lower-constraints.txt | 2 + .../keystone-dsvm-grenade-multinode/post.yaml | 15 --- .../keystone-dsvm-grenade-multinode/run.yaml | 48 --------- .../notes/bug-1688137-e4203c9a728690a7.yaml | 8 ++ .../notes/bug-1878938-70ee2af6fdf66004.yaml | 16 +++ .../notes/bug-1885753-51df25f3ff1d9ae8.yaml | 6 ++ .../notes/bug-1889936-78d6853b5212b8f1.yaml | 5 + .../notes/bug-1896125-b17a4d12730fe493.yaml | 7 ++ .../notes/bug-1901207-13762f85b8a04481.yaml | 7 ++ .../notes/bug-1901654-69b9f35d11cd0c75.yaml | 10 ++ 25 files changed, 382 insertions(+), 123 deletions(-)