We enthusiastically announce the release of:

barbican 12.0.1: OpenStack Secure Key Management

This release is part of the wallaby stable release series.

The source is available from:

    https://opendev.org/openstack/barbican

Download the package from:

    https://tarballs.openstack.org/barbican/

Please report issues through:

    https://bugs.launchpad.net/barbican/+bugs

For more details, please see below.

12.0.1
^^^^^^

New Features
************

* The default maximum secret size has been increased from 10 kB to 20 kB,
  and the default maximum request size has been increased from 15 kB to
  25 kB.

Security Issues
***************

* Part of the fix for Story 2009664 required renaming the policy for
  Container Consumers from "consumers:get" to "container_consumers:get",
  "consumers:post" to "container_consumers:post", and "consumers:delete"
  to "container_consumers:delete". If you are using custom policies to
  override the default policies, you will need to update them to use the
  new names.

* Fixed Story #2009791: Users with the "creator" role on a project can
  now delete secrets owned by the project even if the user is different
  than the user that originally created the secret. Previous to this fix,
  a user with the "creator" role was only allowed to delete a secret
  owned by the project if they were also the same user that originally
  created it, which was inconsistent with the way that deletes are
  handled by other OpenStack projects that integrate with Barbican. This
  change does not affect private secrets (i.e. secrets with the
  "project-access" flag set to "false").

Bug Fixes
*********

* Fixed Story #2009247 - Fixed the response for POST
  /v1/secrets/{secret-id}/metadata so it matches the documented behavior.

* Fixed Story 2009664 - Fixed the Consumer controller to be able to use
  the associated Container's ownership information in policy checks.

* Fixed Story #2009672 - Fixed validator for Container Consumers to
  prevent 500 errors.

Changes in barbican 12.0.0..12.0.1
----------------------------------

486e6072 Allow users with "creator" role to edit ACLs
09d184de Fix stable/wallaby gates
0b453212 Allow secret delete by users with "creator" role
92375781 Fix container consumers rbac policy
a66d1765 Add FIPS gate job
ea7451e3 Fix policy for Orders
c1204779 Fix consumer name length validator
a8226fcf Fix policy for adding a secret to a container
b30cb63d Fix secret metadata access rules (pt 2)
64a42424 Fix secret metadata access rules
49f3b2f0 Fix POST /v1/secret/{secret-id}/metadata response
2792aca7 Ignore network errors during C_Finalize
6cb7a730 Run TripleO jobs on CentOS8 instead of CentOS7
2f058e49 Return 403 instead of 500 when policy check fails
bac7d220 Raise maximum allowed secret size

Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         |  16 ++-
api-guide/source/acls.rst                          |   3 +-
barbican/api/__init__.py                           |   2 +-
barbican/api/controllers/__init__.py               |  16 ++-
barbican/api/controllers/acls.py                   |   2 +
barbican/api/controllers/consumers.py              |  73 ++++++--------
barbican/api/controllers/containers.py             |  17 +---
barbican/api/controllers/orders.py                 |   9 +-
barbican/api/controllers/quotas.py                 |   3 +
barbican/api/controllers/secretmeta.py             |   7 +-
barbican/api/controllers/secrets.py                |  10 +-
barbican/api/controllers/secretstores.py           |   3 +
barbican/api/controllers/transportkeys.py          |   2 +
barbican/common/config.py                          |   4 +-
barbican/common/exception.py                       |   4 +
barbican/common/policies/acls.py                   |  16 ++-
barbican/common/policies/base.py                   |   6 ++
barbican/common/policies/consumers.py              | 111 +++++++++++++++------
barbican/common/policies/containers.py             |  10 +-
barbican/common/policies/orders.py                 |   8 +-
barbican/common/policies/secretmeta.py             |  33 +++++-
barbican/common/policies/secrets.py                |   2 +
barbican/common/validators.py                      |   4 +-
barbican/plugin/crypto/pkcs11.py                   |  13 ++-
bindep.txt                                         |   9 +-
.../api/v1/functional/test_secrets_rbac.py         |   2 +-
playbooks/enable-fips.yaml                         |   4 +
.../notes/fix-story-2009247-18faf4f2b570dfc0.yaml  |   6 ++
.../notes/fix-story-2009664-042ef282c0dd6b6a.yaml  |  13 +++
.../notes/fix-story-2009672-d64ef6c10444f517.yaml  |   5 +
...9791-allow-creator-delete-06dd3eb670d0e624.yaml |  11 ++
.../increase-max-secret-size-da90164d8b328727.yaml |   5 +
40 files changed, 467 insertions(+), 175 deletions(-)
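
The Container Consumers policy renames listed under Security Issues, applied to a custom override file. This is an added example, not part of the announcement or of Barbican's own code; the function name migrate_policy, the one-rule-per-line file layout and the sample file contents are assumptions made for illustration.

```python
import re

# Renames stated in the 12.0.1 release notes (old name -> new name).
RENAMES = {
    "consumers:get": "container_consumers:get",
    "consumers:post": "container_consumers:post",
    "consumers:delete": "container_consumers:delete",
}

# Assumption: one '"name": "check string"' entry per line (YAML or JSON style).
# group 1 = indent + optional quote, group 2 = rule name; then quote, colon, space.
KEY_RE = re.compile(r'^(\s*["\']?)([A-Za-z_]+:[A-Za-z_]+)["\']?\s*:\s')

def migrate_policy(text):
    """Rename old rule keys; return (new_text, findings).

    A finding is (line_no, old, new, action); "conflict" means the new name
    is already defined, so the old entry is left for manual review."""
    lines = text.splitlines()
    matches = [KEY_RE.match(line) for line in lines]
    defined = {m.group(2) for m in matches if m}
    out, findings = [], []
    for no, (line, m) in enumerate(zip(lines, matches), 1):
        old = m.group(2) if m else None
        if old in RENAMES:
            new = RENAMES[old]
            if new in defined:
                findings.append((no, old, new, "conflict"))
            else:
                findings.append((no, old, new, "renamed"))
                line = m.group(1) + new + line[m.end(2):]
        out.append(line)
    return "\n".join(out) + "\n", findings

# Constructed sample override file, not taken from a real deployment.
SAMPLE = '''\
# "consumers:get": "role:admin"   (commented out, must stay untouched)
"secret:get": "role:admin or role:observer"
"consumers:get": "role:admin or role:observer"
consumers:post: "role:admin"
"consumers:delete": "role:admin"
"container_consumers:delete": "role:admin"
'''

if __name__ == "__main__":
    new_text, findings = migrate_policy(SAMPLE)
    for no, old, new, action in findings:
        print(f"line {no}: {old} -> {new} ({action})")
    print(new_text, end="")
```

Only rule names used as keys are rewritten; an old name left under its old key after the upgrade no longer overrides the renamed default, so any "conflict" finding needs a manual decision about which rule should apply.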