We contentedly announce the release of: keystone 24.1.0 This release is part of the bobcat release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. 24.1.0 ^^^^^^ New Features ************ * Added a new command to the admin cli tool: *keystone-manage reset_last_active*. This new command updates the database to overwritet any NULL values in *last_active_at* in the user table to the current time. This is a necessary step to fix Bug #2074018. See launchpad for details. Security Issues *************** * The new *keystone-manage rest_last_active* command resets all NULL values in *last_active_at* in the user table to help fix Bug #2074018. Running this command may be necessary in environments that have been deployed for a long time and later decide to adopt the *[security_compliance disable_user_account_days_inactive = X* option. See Bug #2074018 for details. A side-effect of this command is that it resets the amount of time that an unused account is active for. Unused accounts will remain active until the configured days have elapsed since the day the command is run. Bug Fixes ********* * Fixed Bug #2074018: Changed the user model to always save the date of the last user activity in *last_active_at*. Previous to this change, the *last_active_at* field was only updated when the option for *[security_compliance] disable_user_account_days_inactive* was set. If your deployment is affected by this bug, you must run *keystone-manage reset_last_active* before setting the *disable_user_account_days_inactive* option. Changes in keystone 24.0.0..24.1.0 ---------------------------------- 1829ce020 Add keystone-manage reset_last_active command fee954e9b Remove reference to devstack-gate 7697140fc Add domain scoping to list_domains f519bcedf Allow domain admin to view roles 4711b36ab Allow domain users to manage credentials 570c19e91 Allow admin to access tokens and credentials 2abaaae89 Add ability to create users and projects from keystone-manage 81dbfd265 Remove unused old job templates and experimental jobs 932863b6d Improve application credential validation speed 5a55e9de1 Normalize policy checks for domain-scoped tokens 7de9f7d49 Allow users with "admin" role to get projects 62858870b Fix policies for groups 991662c66 Consistent and Secure RBAC (Phase 1) 653d82b1b Update TOX_CONSTRAINTS_FILE for stable/2023.2 c0662c87b Update .gitreview for stable/2023.2 Diffstat (except docs and test files) ------------------------------------- .gitreview | 1 + .zuul.yaml | 86 ++---------- keystone/api/domains.py | 15 +- keystone/api/role_assignments.py | 21 ++- keystone/assignment/core.py | 5 + keystone/cmd/cli.py | 114 +++++++++++++++- keystone/cmd/idutils.py | 151 +++++++++++++++++++++ keystone/common/policies/application_credential.py | 6 +- keystone/common/policies/base.py | 13 +- keystone/common/policies/consumer.py | 20 +-- keystone/common/policies/credential.py | 20 +-- keystone/common/policies/domain.py | 25 ++-- keystone/common/policies/domain_config.py | 28 ++-- keystone/common/policies/ec2_credential.py | 8 +- keystone/common/policies/endpoint.py | 20 +-- keystone/common/policies/endpoint_group.py | 44 +++--- keystone/common/policies/grant.py | 63 +++++---- keystone/common/policies/group.py | 55 ++++---- keystone/common/policies/identity_provider.py | 20 +-- keystone/common/policies/implied_role.py | 24 ++-- keystone/common/policies/limit.py | 17 +-- keystone/common/policies/mapping.py | 26 ++-- keystone/common/policies/policy.py | 20 +-- keystone/common/policies/policy_association.py | 44 +++--- keystone/common/policies/project.py | 49 ++++--- keystone/common/policies/project_endpoint.py | 24 ++-- keystone/common/policies/protocol.py | 23 ++-- keystone/common/policies/region.py | 12 +- keystone/common/policies/registered_limit.py | 12 +- keystone/common/policies/revoke_event.py | 6 +- keystone/common/policies/role.py | 50 +++---- keystone/common/policies/role_assignment.py | 11 +- keystone/common/policies/service.py | 20 +-- keystone/common/policies/service_provider.py | 26 ++-- keystone/common/policies/token.py | 16 ++- keystone/common/policies/trust.py | 27 ++-- keystone/common/policies/user.py | 30 ++-- keystone/identity/backends/base.py | 10 ++ keystone/identity/backends/ldap/core.py | 3 + keystone/identity/backends/sql.py | 8 ++ keystone/identity/shadow_backends/sql.py | 6 +- keystone/models/revoke_model.py | 5 +- .../unit/identity/shadow_users/test_backend.py | 9 +- .../notes/bug-2074018-28f7bbe8f28f5efe.yaml | 29 ++++ tox.ini | 8 +- 50 files changed, 869 insertions(+), 491 deletions(-)