We are pleased to announce the release of: keystone 16.0.1: OpenStack Identity This release is part of the train stable release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. 16.0.1 ^^^^^^ Upgrade Notes ************* * [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)] Added a default TTL of 15 minutes for signed EC2 credential requests, where previously an EC2 signed token request was valid indefinitely. This change in behavior is needed to protect against replay attacks. Critical Issues *************** * [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)] An error in the policy target filtering inadvertently allowed any user to list any credential object with the /v3/credentials API when "[oslo_policy]/enforce_scope" was set to false, which is the default. This has been addressed: users with non-admin roles on a project may not list other users' credentials. However, users with the admin role on a project may still list any users credentials when "[oslo_policy]/enforce_scope" is false due to bug 968696 (https://bugs.launchpad.net/keystone/+bug/968696). * [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential. * [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute "app_cred_id" is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected. Security Issues *************** * [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)] An error in the policy target filtering inadvertently allowed any user to list any credential object with the /v3/credentials API when "[oslo_policy]/enforce_scope" was set to false, which is the default. This has been addressed: users with non-admin roles on a project may not list other users' credentials. However, users with the admin role on a project may still list any users credentials when "[oslo_policy]/enforce_scope" is false due to bug 968696 (https://bugs.launchpad.net/keystone/+bug/968696). * [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential. * [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute "app_cred_id" is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected. * [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable. * [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)] Added validation to the EC2 credentials update API to ensure the metadata labels 'trust_id' and 'app_cred_id' are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential. * [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)] [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed the token model to respect the roles authorized OAuth1 access tokens. Previously, the list of roles authorized for an OAuth1 access token were ignored, so when an access token was used to request a keystone token, the keystone token would contain every role assignment the creator had for the project. This also fixed EC2 credentials to respect those roles as well. Bug Fixes ********* * [bug 1856881 (https://bugs.launchpad.net/keystone/+bug/1856881)] "keystone-manage bootstrap" can be run in upgrade scenarios where pre-existing domain-specific roles exist named "admin", "member", and "reader". * [Bug 1856904 (https://bugs.launchpad.net/keystone/+bug/1856904)] The initiator object for CADF notifications now will always contain the username for the user who initated the action. Previously, the initator object only contained the user_id, which lead to issues mapping to users when using LDAP-backed identity providers. This also helps the initiator object better conform to the OpenStack standard for CADF. * [bug 1856962 (https://bugs.launchpad.net/keystone/+bug/1856962)] Fixes an issue where federated users could not authenticate if their mapped group membership was empty. * [bug 1858012 (https://bugs.launchpad.net/keystone/+bug/1858012)] Fixes a bug in the /v3/role_assignments filtering where the *role.id* query parameter didn't properly filter role assignments by role in cases where there were multiple system role assignments. * [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential. * [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute "app_cred_id" is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected. * [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable. * [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)] Added validation to the EC2 credentials update API to ensure the metadata labels 'trust_id' and 'app_cred_id' are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential. * [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)] [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed the token model to respect the roles authorized OAuth1 access tokens. Previously, the list of roles authorized for an OAuth1 access token were ignored, so when an access token was used to request a keystone token, the keystone token would contain every role assignment the creator had for the project. This also fixed EC2 credentials to respect those roles as well. Changes in keystone 16.0.0..16.0.1 ---------------------------------- 5c34cb6c7 Temporarily disable k2k tests on train and stein 54590544f Fix security issues with EC2 credentials fe4d48d55 Ensure OAuth1 authorized roles are respected e3f65d6fb Check timestamp of signed EC2 token request 40b7de87e Tell reno to ignore the kilo branch 3a59d3e28 Constraint dependencies for docs build ac7432087 Add voting k2k tests bd983f0c7 Always have username in CADF initiator 4d413f1eb Fix role_assignments role.id filter 51ff7be73 Ensure bootstrap handles multiple roles with the same name c0d516228 Fix token auth error if federated_groups_id is empty list bd3f63787 Fix credential list for project members a16400f02 Fix line-length PEP8 errors for c7fae97 d5f9c681f Switch to opensuse-15 nodeset 0f6c6061b Import LDAP job into project 4752cd3fa Remove legacy protection tests 8f58ade5a Update TOX/UPPER_CONSTRAINTS_FILE for stable/train e60f6ac2f Update .gitreview for stable/train Diffstat (except docs and test files) ------------------------------------- .gitignore | 2 + .gitreview | 1 + .zuul.yaml | 25 +- devstack/lib/federation.sh | 9 + keystone/api/_shared/EC2_S3_Resource.py | 75 +- keystone/api/credentials.py | 99 +- keystone/api/users.py | 22 +- keystone/assignment/core.py | 8 +- keystone/cmd/bootstrap.py | 8 + keystone/conf/credential.py | 11 +- keystone/identity/backends/ldap/common.py | 6 +- keystone/models/token_model.py | 18 + keystone/notifications.py | 18 + keystone/token/provider.py | 2 +- .../notes/bug-1855080-08b28181b7cb2470.yaml | 23 + .../notes/bug-1856881-277103af343187f1.yaml | 7 + .../notes/bug-1856904-101af15bb48eb3ca.yaml | 9 + .../notes/bug-1856962-2c87d541da61c727.yaml | 6 + .../notes/bug-1858012-584267ada7e33f2c.yaml | 7 + .../notes/bug-1872733-2377f456a57ad32c.yaml | 16 + .../notes/bug-1872735-0989e51d2248ce1e.yaml | 31 + .../notes/bug-1872737-f8e1ad3b6705b766.yaml | 28 + .../notes/bug-1872755-2c81d3267b89f124.yaml | 19 + .../notes/bug-1873290-ff7f8e4cee15b75a.yaml | 19 + reno.yaml | 4 + tox.ini | 5 +- 41 files changed, 1297 insertions(+), 1765 deletions(-)