We are excited to announce the release of:

keystone 17.0.0: OpenStack Identity

This release is part of the ussuri release series.

The source is available from:

    https://opendev.org/openstack/keystone

Download the package from:

    https://tarballs.openstack.org/keystone/

Please report issues through:

    https://bugs.launchpad.net/keystone/+bugs

For more details, please see below.

17.0.0
^^^^^^

Upgrade Notes
*************

* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
  Added a default TTL of 15 minutes for signed EC2 credential requests,
  where previously an EC2 signed token request was valid indefinitely.
  This change in behavior is needed to protect against replay attacks.

Critical Issues
***************

* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
  Fixed a critical security issue in which an authenticated user could
  escalate their privileges by altering a valid EC2 credential.

* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed a security issue in which a trustee or an application credential
  user could create an EC2 credential or an application credential that
  would permit them to get a token that elevated their role assignments
  beyond the subset delegated to them in the trust or application
  credential. A new attribute "app_cred_id" is now automatically added to
  the access blob of an EC2 credential and the role list in the trust or
  application credential is respected.

Security Issues
***************

* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
  Fixed a critical security issue in which an authenticated user could
  escalate their privileges by altering a valid EC2 credential.
* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed a security issue in which a trustee or an application credential
  user could create an EC2 credential or an application credential that
  would permit them to get a token that elevated their role assignments
  beyond the subset delegated to them in the trust or application
  credential. A new attribute "app_cred_id" is now automatically added to
  the access blob of an EC2 credential and the role list in the trust or
  application credential is respected.

* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
  Fixed an incorrect EC2 token validation implementation in which the
  timestamp of the signed request was ignored, which made EC2 and S3 token
  requests vulnerable to replay attacks. The default TTL is 15 minutes but
  is configurable.

* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
  Added validation to the EC2 credentials update API to ensure the
  metadata labels 'trust_id' and 'app_cred_id' are not altered by the
  user. These labels are used by keystone to determine the scope allowed
  by the credential, and altering these automatic labels could enable an
  EC2 credential holder to elevate their access beyond what is permitted
  by the application credential or trust that was used to create the EC2
  credential.

* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
  [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed the token model to respect the roles authorized for OAuth1 access
  tokens. Previously, the list of roles authorized for an OAuth1 access
  token was ignored, so when an access token was used to request a
  keystone token, the keystone token would contain every role assignment
  the creator had for the project. This also fixed EC2 credentials to
  respect those roles.
Bug Fixes
*********

* [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)]
  Fixed a critical security issue in which an authenticated user could
  escalate their privileges by altering a valid EC2 credential.

* [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed a security issue in which a trustee or an application credential
  user could create an EC2 credential or an application credential that
  would permit them to get a token that elevated their role assignments
  beyond the subset delegated to them in the trust or application
  credential. A new attribute "app_cred_id" is now automatically added to
  the access blob of an EC2 credential and the role list in the trust or
  application credential is respected.

* [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)]
  Fixed an incorrect EC2 token validation implementation in which the
  timestamp of the signed request was ignored, which made EC2 and S3 token
  requests vulnerable to replay attacks. The default TTL is 15 minutes but
  is configurable.

* [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)]
  Added validation to the EC2 credentials update API to ensure the
  metadata labels 'trust_id' and 'app_cred_id' are not altered by the
  user. These labels are used by keystone to determine the scope allowed
  by the credential, and altering these automatic labels could enable an
  EC2 credential holder to elevate their access beyond what is permitted
  by the application credential or trust that was used to create the EC2
  credential.

* [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)]
  [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)]
  Fixed the token model to respect the roles authorized for OAuth1 access
  tokens. Previously, the list of roles authorized for an OAuth1 access
  token was ignored, so when an access token was used to request a
  keystone token, the keystone token would contain every role assignment
  the creator had for the project.
  This also fixed EC2 credentials to respect those roles.

Changes in keystone 16.0.0.0rc1..17.0.0
---------------------------------------

2f2736ebb Fix security issues with EC2 credentials
ba89d2779 Ensure OAuth1 authorized roles are respected
8d5becbe4 Check timestamp of signed EC2 token request
aef912187 Imported Translations from Zanata
61f60ed4c Update TOX_CONSTRAINTS_FILE for stable/ussuri
961b39c3e Update .gitreview for stable/ussuri
e45a75d62 Add schema placeholders for Ussuri
af916d9ba Remove Babel as requirement
f7c1a8494 Remove a note related to UUID tokens from example configuration
d23965aaf Update api-ref for federated objects in user
c18956f19 Expiring Group Memberships API - Allow set idp authorization_ttl
e723a1c16 Add federated support for updating a user
39d66ac78 Update contributors document keystone
1627c2828 Add federated support for creating a user
121ee8ce7 Stop configuring install_command in tox.
35e83918f Cleanup py27 support
652f02c8b Add federated support for get user
8153a9d59 Add expiring user group memberships on mapped authentication
d8938514f Expiring Group Membership Driver - Add, List Groups
ee54ba0ce Expiring User Group Membership Model
143f07f54 Community goal: Adding contributing.rst
ba8dd06e1 Parse cli args in get_enforcer
dda426b61 Add openstack_groups to assertion
6525203c1 Change time faking for totp test
34f6144a4 Document the "immutable" resource option
e5bab15a0 remove oslo-concurrency from requirements
b35459b29 drop mock from test-requirements
271c09bb5 Correcting api-ref for users
ba2e4b83e NIT: Fix spelling
0bbd2dd6f Copy shibboleth logs in federation jobs
a183badaa Ignore SQLAlchemy RemovedIn20Warning
8c99a90f3 Switch from mock to unittest.mock use
a6bb81146 Refactor some ldap code to implement TODOs
e715a4bbd Doc Cleanup
175cb0b64 Tell reno to ignore the kilo branch
13410383c Constraint dependencies for docs build
9ee3d337f Removing tempest-full from gate
5544bca8e Check if content-type contains http, not equals
2e97ec577 Add docs about bootstrapping immutable roles
3aacc4dfe Add domain admin grant test cases
da2804694 Default to bootstrapping roles as immutable
527b1587e Use inspect instead of Inspector.from_engine()
453004193 Remove six usage
9fed446b0 Updating tox -e all-plugin command
1db57944d Capture output from test run of policy generator
6dbf3a68b Cleanup doc/requirements.txt
95edaaab0 Always have username in CADF initiator
a4b7a6106 Fix duplicated words issue like "each each user_id"
25cf359e5 Ensure bootstrap handles multiple roles with the same name
c2d883066 Fix role_assignments role.id filter
150d3ef8b Fix release note link formatting
f0d964e66 Fix token auth error if federated_groups_id is empty list
01a8c1fca Update OIDC documentation to handle bearer access token flow
a950f9c37 Imported Translations from Zanata
58790d9dc Add docs for app cred access rules
90f6ff727 Remove python 2.7 specific library
2c0623bab Add name in GET API of application credentials
7597ecc13 Stop adding entry in local_user while updating ephemerals
5d6b8cb3d Fix api-ref roles response description
17c337dbd Fix credential list for project members
8c58b5b75 Fix application credential doc example
48f70150b Migrate grenade jobs to py3
72cbaa91f Start README.rst with a better title
f421a0f07 Drop old neutron-grenade job
a92885a98 Stop testing Python 2
d6977a0e9 Remove group deletion for non-sql driver when removing domains.
d75b2552b Refresh "how can I help?" doc
e2d83ae95 Re-enable line-length linter
19d4831da Fix line-length PEP8 errors for c7fae97
fb0be8e59 Add voting k2k tests
7debb1a30 Fix K2K auth flow diagram
5c71ebd7a Stop explicitly requiring pycodestyle
1d40b2e61 Add Source links to readme
acfb60249 Switch to opensuse-15 nodeset
5d54d2d93 Switch to official Ussuri jobs
9607ed326 Revert "Resource backend is SQL only now"
c4d609778 Drop project.id foreign keys
1f860f939 Fix sql migrate repo prefix check
e4626f4bc Add schema placeholders for Train
9d949e494 Overhaul the RBAC documentation for administrators
c7331ccd2 Fix wrong interface description
52ab0cf57 Import LDAP job into project
e894842a0 Update getting started guide
5f5f10630 Remove legacy protection tests
3b6accf18 Update token definitions
d4a6023de Remove policy.v3cloudsample.json
e383fb7e5 Imported Translations from Zanata
5b2b67f64 Fix misspell word
d435995c4 Update master for stable/train

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 2 +
.gitreview | 1 +
.zuul.yaml | 49 +-
README.rst | 16 +-
api-ref/source/conf.py | 5 -
.../v3-ext/federation/identity-provider/idp.inc | 6 +-
.../federation/identity-provider/parameters.yaml | 9 +
.../identity-provider/samples/get-response.json | 3 +-
.../identity-provider/samples/update-response.json | 3 +-
api-ref/source/v3/application-credentials.inc | 1 +
api-ref/source/v3/domains.inc | 5 +
api-ref/source/v3/index.rst | 9 +
api-ref/source/v3/parameters.yaml | 115 +-
api-ref/source/v3/projects.inc | 7 +-
api-ref/source/v3/roles.inc | 13 +-
.../v3/samples/admin/domain-create-response.json | 3 +-
.../v3/samples/admin/domain-show-response.json | 3 +-
.../v3/samples/admin/domain-update-response.json | 3 +-
.../v3/samples/admin/project-create-request.json | 3 +-
.../v3/samples/admin/project-create-response.json | 3 +-
.../admin/project-show-parents-response.json | 1 +
.../v3/samples/admin/project-show-response.json | 3 +-
.../admin/project-show-subtree-response.json | 1 +
.../v3/samples/admin/project-update-response.json | 3 +-
.../v3/samples/admin/role-create-response.json | 3 +-
.../v3/samples/admin/role-show-response.json | 3 +-
.../v3/samples/admin/role-update-response.json | 3 +-
.../v3/samples/admin/user-create-request.json | 11 +
.../v3/samples/admin/user-create-response.json | 11 +
.../samples/admin/user-groups-list-response.json | 2 +
.../v3/samples/admin/user-show-response.json | 1 +
.../v3/samples/admin/user-update-response.json | 1 +
api-ref/source/v3/service-catalog.inc | 2 +-
api-ref/source/v3/users.inc | 23 +-
devstack/files/federation/attribute-map.xml | 1 +
devstack/lib/federation.sh | 9 +
.../admin/federation/configure_federation.rst | 13 +-
.../admin/federation/mapping_combinations.rst | 57 +-
etc/policy.v3cloudsample.json | 30 -
keystone/api/_shared/EC2_S3_Resource.py | 84 +-
keystone/api/_shared/authentication.py | 5 +-
keystone/api/_shared/saml.py | 24 +-
keystone/api/auth.py | 18 +-
keystone/api/credentials.py | 108 +-
keystone/api/discovery.py | 8 +-
keystone/api/domains.py | 22 +-
keystone/api/ec2tokens.py | 4 +-
keystone/api/endpoints.py | 6 +-
keystone/api/groups.py | 12 +-
keystone/api/limits.py | 6 +-
keystone/api/os_ep_filter.py | 16 +-
keystone/api/os_federation.py | 25 +-
keystone/api/os_inherit.py | 26 +-
keystone/api/os_oauth1.py | 12 +-
keystone/api/policy.py | 24 +-
keystone/api/projects.py | 26 +-
keystone/api/regions.py | 8 +-
keystone/api/registered_limits.py | 6 +-
keystone/api/roles.py | 12 +-
keystone/api/s3tokens.py | 10 +-
keystone/api/services.py | 6 +-
keystone/api/system.py | 14 +-
keystone/api/trusts.py | 25 +-
keystone/api/users.py | 42 +-
keystone/application_credential/backends/base.py | 5 +-
keystone/application_credential/backends/sql.py | 9 +-
keystone/assignment/backends/base.py | 5 +-
keystone/assignment/core.py | 12 +-
keystone/assignment/role_backends/base.py | 5 +-
keystone/auth/core.py | 20 +-
keystone/auth/plugins/base.py | 6 +-
keystone/auth/plugins/core.py | 17 +-
keystone/auth/plugins/external.py | 4 +-
keystone/auth/plugins/mapped.py | 12 +-
keystone/auth/plugins/token.py | 3 +-
keystone/auth/plugins/totp.py | 3 +-
keystone/catalog/backends/base.py | 6 +-
keystone/cmd/bootstrap.py | 18 +-
keystone/cmd/cli.py | 17 +-
keystone/cmd/doctor/ldap.py | 2 +-
keystone/common/manager.py | 4 +-
keystone/common/policies/endpoint_group.py | 8 +-
keystone/common/policies/grant.py | 28 +-
keystone/common/policies/policy_association.py | 39 +-
keystone/common/policies/trust.py | 12 +-
keystone/common/rbac_enforcer/enforcer.py | 2 +-
keystone/common/rbac_enforcer/policy.py | 7 +-
keystone/common/resource_options/core.py | 6 +-
.../014_contract_add_domain_id_to_user_table.py | 3 +-
...e_service_and_region_fk_for_registered_limit.py | 2 +-
..._contract_expand_update_pk_for_unified_limit.py | 2 +-
.../sql/contract_repo/versions/067_placeholder.py | 18 +
.../sql/contract_repo/versions/068_placeholder.py | 18 +
.../sql/contract_repo/versions/069_placeholder.py | 18 +
.../sql/contract_repo/versions/070_placeholder.py | 18 +
.../sql/contract_repo/versions/071_placeholder.py | 18 +
.../versions/072_contract_drop_domain_id_fk.py | 47 +
.../073_contract_expiring_group_membership.py | 15 +
.../sql/contract_repo/versions/074_placeholder.py | 18 +
.../sql/contract_repo/versions/075_placeholder.py | 18 +
.../sql/contract_repo/versions/076_placeholder.py | 18 +
.../sql/contract_repo/versions/077_placeholder.py | 18 +
.../sql/contract_repo/versions/078_placeholder.py | 18 +
keystone/common/sql/core.py | 9 +-
.../versions/067_placeholder.py | 18 +
.../versions/068_placeholder.py | 18 +
.../versions/069_placeholder.py | 18 +
.../versions/070_placeholder.py | 18 +
.../versions/071_placeholder.py | 18 +
.../versions/072_migrate_drop_domain_id_fk.py | 20 +
.../073_migrate_expiring_group_membership.py | 15 +
.../versions/074_placeholder.py | 18 +
.../versions/075_placeholder.py | 18 +
.../versions/076_placeholder.py | 18 +
.../versions/077_placeholder.py | 18 +
.../versions/078_placeholder.py | 18 +
...pand_add_application_credential_access_rules.py | 3 +-
...te_id_attribute_to_federation_protocol_table.py | 3 +-
.../sql/expand_repo/versions/067_placeholder.py | 18 +
.../sql/expand_repo/versions/068_placeholder.py | 18 +
.../sql/expand_repo/versions/069_placeholder.py | 18 +
.../sql/expand_repo/versions/070_placeholder.py | 18 +
.../sql/expand_repo/versions/071_placeholder.py | 18 +
.../versions/072_expand_drop_domain_id_fk.py | 20 +
.../073_expand_expiring_group_membership.py | 47 +
.../sql/expand_repo/versions/074_placeholder.py | 18 +
.../sql/expand_repo/versions/075_placeholder.py | 18 +
.../sql/expand_repo/versions/076_placeholder.py | 18 +
.../sql/expand_repo/versions/077_placeholder.py | 18 +
.../sql/expand_repo/versions/078_placeholder.py | 18 +
keystone/common/sql/upgrades.py | 3 +-
keystone/common/utils.py | 22 +-
keystone/common/validation/parameter_types.py | 5 +
keystone/common/validation/validators.py | 9 +-
keystone/conf/credential.py | 11 +-
keystone/conf/default.py | 3 +-
keystone/conf/federation.py | 10 +
keystone/conf/memcache.py | 5 +-
keystone/conf/resource.py | 8 -
keystone/credential/backends/base.py | 4 +-
keystone/credential/backends/sql.py | 3 +-
keystone/credential/providers/core.py | 5 +-
keystone/credential/providers/fernet/core.py | 5 +-
keystone/endpoint_policy/backends/base.py | 4 +-
keystone/exception.py | 56 +-
keystone/federation/backends/base.py | 5 +-
keystone/federation/backends/sql.py | 19 +-
keystone/federation/core.py | 2 +-
keystone/federation/idp.py | 26 +-
keystone/federation/schema.py | 2 +
keystone/federation/utils.py | 79 +-
keystone/identity/backends/base.py | 5 +-
keystone/identity/backends/ldap/common.py | 74 +-
keystone/identity/backends/ldap/core.py | 3 +-
keystone/identity/backends/resource_options.py | 4 +-
keystone/identity/backends/sql.py | 54 +-
keystone/identity/backends/sql_model.py | 46 +-
keystone/identity/core.py | 152 +-
keystone/identity/generator.py | 5 +-
keystone/identity/mapping_backends/base.py | 6 +-
keystone/identity/schema.py | 24 +
keystone/identity/shadow_backends/base.py | 60 +-
keystone/identity/shadow_backends/sql.py | 54 +
keystone/limit/backends/base.py | 5 +-
keystone/limit/models/base.py | 4 +-
keystone/locale/de/LC_MESSAGES/keystone.po | 123 +-
keystone/locale/en_GB/LC_MESSAGES/keystone.po | 237 +-
keystone/locale/es/LC_MESSAGES/keystone.po | 72 +-
keystone/locale/fr/LC_MESSAGES/keystone.po | 75 +-
keystone/locale/it/LC_MESSAGES/keystone.po | 73 +-
keystone/locale/ja/LC_MESSAGES/keystone.po | 74 +-
keystone/locale/ko_KR/LC_MESSAGES/keystone.po | 68 +-
keystone/locale/pt_BR/LC_MESSAGES/keystone.po | 73 +-
keystone/locale/ru/LC_MESSAGES/keystone.po | 71 +-
keystone/locale/tr_TR/LC_MESSAGES/keystone.po | 47 +-
keystone/locale/zh_CN/LC_MESSAGES/keystone.po | 67 +-
keystone/locale/zh_TW/LC_MESSAGES/keystone.po | 67 +-
keystone/models/receipt_model.py | 5 +-
keystone/models/token_model.py | 23 +-
keystone/notifications.py | 18 +
keystone/oauth1/backends/base.py | 5 +-
keystone/oauth1/validator.py | 4 +-
keystone/policy/backends/base.py | 4 +-
keystone/receipt/handlers.py | 4 +-
keystone/receipt/provider.py | 3 +-
keystone/receipt/providers/base.py | 5 +-
keystone/receipt/receipt_formatters.py | 32 +-
keystone/resource/backends/base.py | 5 +-
keystone/resource/backends/sql.py | 2 -
keystone/resource/backends/sql_model.py | 3 +-
keystone/resource/config_backends/base.py | 5 +-
keystone/resource/core.py | 14 +-
keystone/revoke/backends/base.py | 4 +-
keystone/server/flask/application.py | 7 +-
keystone/server/flask/common.py | 10 +-
.../request_processing/middleware/auth_context.py | 19 +-
.../protection/v3/test_application_credential.py | 24 +-
.../unit/application_credential/test_backends.py | 9 +-
.../unit/identity/backends/test_ldap_common.py | 2 +-
.../unit/receipt/test_receipt_serialization.py | 3 +-
.../test_associate_project_endpoint_extension.py | 114 +-
keystone/token/provider.py | 8 +-
keystone/token/providers/base.py | 5 +-
keystone/token/token_formatters.py | 48 +-
keystone/trust/backends/base.py | 5 +-
keystone/trust/backends/sql.py | 1 -
keystone/trust/core.py | 2 -
keystone/version.py | 2 +-
lower-constraints.txt | 4 +-
.../keystone-dsvm-grenade-multinode/run.yaml | 1 +
.../notes/bug-1641625-fe463874dc5edb10.yaml | 7 +
.../notes/bug-1806762-08ff9eecdc03c554.yaml | 21 +
.../notes/bug-1809116-b65502f3b606b060.yaml | 19 +
.../notes/bug-1816076-ba39508e6ade529e.yaml | 15 +
.../notes/bug-1823258-9649b56a440b5ae1.yaml | 10 +
.../notes/bug-1848238-f6533644f7907358.yaml | 6 +
.../notes/bug-1848342-317c9e4afa65a3ff.yaml | 23 +
.../notes/bug-1855080-08b28181b7cb2470.yaml | 23 +
.../notes/bug-1856881-277103af343187f1.yaml | 7 +
.../notes/bug-1856904-101af15bb48eb3ca.yaml | 9 +
.../notes/bug-1856962-2c87d541da61c727.yaml | 6 +
.../notes/bug-1858012-584267ada7e33f2c.yaml | 7 +
.../notes/bug-1872733-2377f456a57ad32c.yaml | 16 +
.../notes/bug-1872735-0989e51d2248ce1e.yaml | 31 +
.../notes/bug-1872737-f8e1ad3b6705b766.yaml | 28 +
.../notes/bug-1872755-2c81d3267b89f124.yaml | 19 +
.../notes/bug-1873290-ff7f8e4cee15b75a.yaml | 19 +
.../notes/drop-project-id-fk-b683b414e1585be8.yaml | 9 +
.../removed-as-of-ussuri-d2f6ef8901ef54ed.yaml | 6 +
.../notes/resource-driver-33793dd5080ee4d2.yaml | 6 +
.../use-correct-inspect-8142e317c1e39c2a.yaml | 8 +
releasenotes/source/conf.py | 13 +-
releasenotes/source/index.rst | 1 +
.../locale/en_GB/LC_MESSAGES/releasenotes.po | 1699 ----------
.../source/locale/ja/LC_MESSAGES/releasenotes.po | 3423 --------------------
releasenotes/source/train.rst | 6 +
reno.yaml | 4 +
requirements.txt | 8 +-
setup.cfg | 18 +-
setup.py | 9 -
test-requirements.txt | 3 -
tools/fast8.sh | 2 +-
tox.ini | 30 +-
356 files changed, 7282 insertions(+), 11229 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index 36a0cdc68..2fa9509f8 100644 --- a/requirements.txt +++ b/requirements.txt
@@ -5,4 +4,0 @@ -# Temporarily add Babel reference to avoid problem -# in keystone-coverage-db CI job -Babel!=2.4.0,>=2.3.4 # BSD - @@ -14 +9,0 @@ cryptography>=2.1 # BSD/Apache-2.0 -six>=1.10.0 # MIT @@ -24 +18,0 @@ oslo.cache>=1.26.0 # Apache-2.0 -oslo.concurrency>=3.26.0 # Apache-2.0 @@ -32 +26 @@ oslo.middleware>=3.31.0 # Apache-2.0 -oslo.policy>=2.3.0 # Apache-2.0 +oslo.policy>=3.0.2 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index a86a1fa44..3e53e2553 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -7 +6,0 @@ pep257==0.7.0 # MIT License -pycodestyle>=2.0.0 # MIT License @@ -23,2 +21,0 @@ lxml!=3.7.0,>=3.4.1 # BSD -# mock object framework -mock>=2.0.0 # BSD
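Review bot: the oslo.policy floor bump from `>=2.3.0` to `>=3.0.2` in the `@@ -32 +26 @@` hunk of requirements.txt needs the matching entry in lower-constraints.txt raised in the same change; the diffstat shows lower-constraints.txt with only 4 lines touched, so confirm one of them is oslo.policy, otherwise the lower-constraints job keeps testing a floor the code no longer accepts. The Babel, six and oslo.concurrency removals in the `@@ -5,4 +4,0 @@`, `@@ -14 +9,0 @@` and `@@ -24 +18,0 @@` hunks line up with commits af916d9ba, 453004193 and e5bab15a0 in the changelog; since the removed comment describes the Babel pin as a workaround for the keystone-coverage-db CI job, the change description should state that the job no longer depends on it.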
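Review bot: dropping `mock>=2.0.0` in the `@@ -23,2 +21,0 @@` hunk of test-requirements.txt is only safe once no module in the tree still imports `mock`; commit 8c99a90f3 "Switch from mock to unittest.mock use" is in this range, so a tree-wide search for `import mock` / `from mock` belongs in the review checklist before merging. Removing `pycodestyle>=2.0.0` in `@@ -7 +6,0 @@` matches commit 5c71ebd7a and means the style checker now has to arrive transitively; with tox.ini also touched (30 lines in the diffstat), confirm the lint environment still runs it.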
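The three EC2-credential checks described in the release notes above (the signed-request TTL of bug 1872737, the protected 'trust_id'/'app_cred_id' labels of bug 1872755, and the delegated role subset of bugs 1872735/1873290), as an added Python illustration that is not keystone's own code: the function names, the 'Timestamp' parameter key, the accepted timestamp layouts, the one-minute clock-skew allowance and all sample values are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(minutes=15)            # default from the 17.0.0 release notes
PROTECTED_LABELS = ("trust_id", "app_cred_id")  # automatic access-blob labels
_TS_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y%m%dT%H%M%SZ")  # assumed accepted layouts
SAMPLE_NOW = datetime(2020, 4, 15, 12, 20, tzinfo=timezone.utc)  # constructed clock


class ValidationError(Exception):
    """Raised when a signed request or a credential update must be refused."""


def _parse_timestamp(value):
    for fmt in _TS_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValidationError("unparseable request timestamp: %r" % (value,))


def check_request_timestamp(params, now, ttl=DEFAULT_TTL):
    """Bug 1872737: a signed EC2/S3 token request is only valid for `ttl`
    after the timestamp it was signed with (read from the assumed key
    'Timestamp').  Missing, unparseable, expired or future-dated timestamps
    are refused, so a captured signature stops working once the window has
    passed."""
    if "Timestamp" not in params:
        raise ValidationError("signed request carries no timestamp")
    ts = _parse_timestamp(params["Timestamp"])
    if ts > now + timedelta(minutes=1):           # assumed clock-skew allowance
        raise ValidationError("request timestamp is in the future")
    if now - ts > ttl:
        raise ValidationError("signed request older than %s" % ttl)
    return True


def check_credential_update(stored_blob, new_blob):
    """Bug 1872755: the labels keystone wrote into the access blob when the
    credential was created from a trust or application credential must be
    identical before and after an update (both absent counts as identical);
    changing, adding or removing one would let the holder widen the scope
    the credential maps to."""
    for label in PROTECTED_LABELS:
        if stored_blob.get(label) != new_blob.get(label):
            raise ValidationError("%s may not be altered by the user" % label)
    return True


def token_roles(project_roles, delegated_roles):
    """Bugs 1872735 / 1873290: a token obtained through a trust, application
    credential or OAuth1 access token carries only the delegated subset of
    the creator's project roles (simplified model of the fix)."""
    if delegated_roles is None:                   # not delegated: full project scope
        return sorted(project_roles)
    return sorted(set(project_roles) & set(delegated_roles))


def accepted(check, *args):
    """True if `check(*args)` passes, False if it raises ValidationError."""
    try:
        check(*args)
        return True
    except ValidationError:
        return False
```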