We are tickled pink to announce the release of:

barbican 13.0.1: OpenStack Secure Key Management

This release is part of the xena stable release series.

The source is available from:

    https://opendev.org/openstack/barbican

Download the package from:

    https://tarballs.openstack.org/barbican/

Please report issues through:

    https://bugs.launchpad.net/barbican/+bugs

For more details, please see below.

13.0.1
^^^^^^

Security Issues
***************

* Part of the fix for Story 2009664 required renaming the policy for
  Container Consumers from "consumers:get" to
  "container_consumers:get", "consumers:post" to
  "container_consumers:post", and "consumers:delete" to
  "container_consumers:delete". If you are using custom policies to
  override the default policies you will need to update them to use
  the new names.

* Fixed Story #2009791: Users with the "creator" role on a project can
  now delete secrets owned by the project even if the user is
  different than the user that originally created the secret.
  Previous to this fix a user with the "creator" role was only allowed
  to delete a secret owned by the project if they were also the same
  user that originally created it, which was inconsistent with the way
  that deletes are handled by other OpenStack projects that integrate
  with Barbican. This change does not affect private secrets (i.e.
  secrets with the "project-access" flag set to "false").

Bug Fixes
*********

* Fixed Story #2009247 - Fixed the response for POST
  /v1/secrets/{secret-id}/metadata so it matches the documented
  behavior.

* Fixed Story 2009664 - Fixed the Consumer controller to be able to
  use the associated Container's ownership information in policy
  checks.

* Fixed Story #2009672 - Fixed validator for Container Consumers to
  prevent 500 errors.
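For the policy rename in the Security Issues note above, this added example (not part of the announcement and not Barbican code) scans the text of a custom policy override file for the three old Container Consumers rule names and rewrites them. It assumes a line-oriented YAML policy file, uses a constructed sample, and goes beyond the note by also rewriting `rule:` references to the old names inside check strings.

```python
import re

# Renames stated in the 13.0.1 release notes (Story 2009664).
RENAMES = {
    "consumers:get": "container_consumers:get",
    "consumers:post": "container_consumers:post",
    "consumers:delete": "container_consumers:delete",
}

# Match an old name as a rule key or as a "rule:<name>" reference, but never
# as the tail of a longer name, so "container_consumers:get" is left alone
# and running the migration twice changes nothing.
_OLD = re.compile(
    r"(?<![\w:])(rule:)?(" + "|".join(map(re.escape, RENAMES)) + r")(?!\w|:\w)"
)

# Constructed sample; the check strings are illustrative assumptions.
SAMPLE = '''\
# Constructed sample override file (not from a real deployment)
"consumers:get": "role:admin or role:audit"
"consumers:post": "role:admin"
"container_consumers:delete": "role:admin"
"container:get": "rule:consumers:get or role:reader"
'''


def _swap(match):
    # Keep an optional "rule:" prefix and substitute the new rule name.
    return (match.group(1) or "") + RENAMES[match.group(2)]


def migrate_policy(text):
    """Return (new_text, findings); findings are (line_no, old, new) tuples."""
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.lstrip().startswith("#"):  # leave comment lines untouched
            for m in _OLD.finditer(line):
                findings.append((lineno, m.group(2), RENAMES[m.group(2)]))
            line = _OLD.sub(_swap, line)
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    migrated, hits = migrate_policy(SAMPLE)
    for lineno, old, new in hits:
        print(f"line {lineno}: {old} -> {new}")
    print(migrated, end="")
```

An override left under an old name is not applied to the renamed rule, so a non-empty findings list means the deployment is running the default for that rule rather than the intended custom policy.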
Changes in barbican 13.0.0..13.0.1
----------------------------------

3670a0a8 Fix Story 2010258 (CVE-2022-3100)
4cc1070d Fix Barbican gate
74bab1d4 Fix remaining Secure RBAC policies
1ebdd8f5 Fix Secure RBAC policies for Containers API
3b1c6b3d Fix Secure RBAC policies for Consumers
8c44a2f9 Fix Secure RBAC policies for secret_metadata
4271726f Fix Secure RBAC policies for Orders
de65fecd Fix Secure RBAC policies for Secret ACLs
34f1adc0 Fix Secure RBAC policies for Secrets
6328e38a Set versioned jobs to set microversion correctly
bb277947 Allow users with "creator" role to edit ACLs
0cc62e4e Xena-only: Remove TripleO job
811a846a Allow secret delete by users with "creator" role
6a5ab85f Fix container consumers rbac policy
382b5086 Fix policy for Orders
059b4a08 Fix consumer name length validator
bbb87ea8 Fix policy for adding a secret to a container
b1e5386f Fix secret metadata access rules (pt 2)
750a79b4 Fix secret metadata access rules
61aa13e9 Fix POST /v1/secret/{secret-id}/metadata response
698aa1b6 Temporarily disable RBAC tests
1b6cf81c Ignore network errors during C_Finalize
1370c484 Run TripleO jobs on CentOS8 instead of CentOS7
65294a87 Update TOX_CONSTRAINTS_FILE for stable/xena
b9e0b725 Update .gitreview for stable/xena

Diffstat (except docs and test files)
-------------------------------------

.gitreview | 1 +
.zuul.yaml | 29 +--
api-guide/source/acls.rst | 3 +-
barbican/api/controllers/__init__.py | 27 ++-
barbican/api/controllers/acls.py | 2 +
barbican/api/controllers/consumers.py | 73 ++++----
barbican/api/controllers/containers.py | 17 +-
barbican/api/controllers/orders.py | 9 +-
barbican/api/controllers/quotas.py | 3 +
barbican/api/controllers/secretmeta.py | 7 +-
barbican/api/controllers/secrets.py | 10 +-
barbican/api/controllers/secretstores.py | 3 +
barbican/api/controllers/transportkeys.py | 2 +
barbican/common/exception.py | 4 +
barbican/common/policies/acls.py | 131 +++++++++----
barbican/common/policies/base.py | 127 +++++++++----
barbican/common/policies/consumers.py | 207 ++++++++++++++++-----
barbican/common/policies/containers.py | 119 +++++++++---
barbican/common/policies/orders.py | 63 ++++++-
barbican/common/policies/quotas.py | 50 +++--
barbican/common/policies/secretmeta.py | 77 +++++++-
barbican/common/policies/secrets.py | 114 ++++++++----
barbican/common/policies/secretstores.py | 70 +++++--
barbican/common/policies/transportkeys.py | 50 ++++-
barbican/common/validators.py | 4 +-
barbican/plugin/crypto/pkcs11.py | 13 +-
.../api/v1/functional/test_secrets_rbac.py | 2 +-
.../notes/fix-story-2009247-18faf4f2b570dfc0.yaml | 6 +
.../notes/fix-story-2009664-042ef282c0dd6b6a.yaml | 13 ++
.../notes/fix-story-2009672-d64ef6c10444f517.yaml | 5 +
...9791-allow-creator-delete-06dd3eb670d0e624.yaml | 11 ++
tox.ini | 8 +-
38 files changed, 1089 insertions(+), 390 deletions(-)