We are gleeful to announce the release of: keystone 15.0.1: OpenStack Identity This release is part of the stein stable release series. The source is available from: https://opendev.org/openstack/keystone Download the package from: https://tarballs.openstack.org/keystone/ Please report issues through: https://bugs.launchpad.net/keystone/+bugs For more details, please see below. 15.0.1 ^^^^^^ Upgrade Notes ************* * [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)] Added a default TTL of 15 minutes for signed EC2 credential requests, where previously an EC2 signed token request was valid indefinitely. This change in behavior is needed to protect against replay attacks. Critical Issues *************** * [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)] An error in the policy target filtering inadvertently allowed any user to list any credential object with the /v3/credentials API when "[oslo_policy]/enforce_scope" was set to false, which is the default. This has been addressed: users with non-admin roles on a project may not list other users' credentials. However, users with the admin role on a project may still list any users credentials when "[oslo_policy]/enforce_scope" is false due to bug 968696 (https://bugs.launchpad.net/keystone/+bug/968696). * [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential. * [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute "app_cred_id" is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected. Security Issues *************** * [bug 1855080 (https://bugs.launchpad.net/keystone/+bug/1855080)] An error in the policy target filtering inadvertently allowed any user to list any credential object with the /v3/credentials API when "[oslo_policy]/enforce_scope" was set to false, which is the default. This has been addressed: users with non-admin roles on a project may not list other users' credentials. However, users with the admin role on a project may still list any users credentials when "[oslo_policy]/enforce_scope" is false due to bug 968696 (https://bugs.launchpad.net/keystone/+bug/968696). * [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential. * [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute "app_cred_id" is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected. * [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable. * [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)] Added validation to the EC2 credentials update API to ensure the metadata labels 'trust_id' and 'app_cred_id' are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential. * [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)] [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed the token model to respect the roles authorized OAuth1 access tokens. Previously, the list of roles authorized for an OAuth1 access token were ignored, so when an access token was used to request a keystone token, the keystone token would contain every role assignment the creator had for the project. This also fixed EC2 credentials to respect those roles as well. Bug Fixes ********* * [bug 1773967 (https://bugs.launchpad.net/keystone/+bug/1773967)] Fixes an issue where users who had role assignments only via a group membership and not via direct assignment could create but not use application credentials. It is important to note that federated users who only have role assignments via a mapped group membership still cannot create application credentials. * [bug 1782922 (https://bugs.launchpad.net/keystone/+bug/1782922)] Fixed the problem where Keystone indiscriminately return the first RDN as the user ID, regardless whether it matches the configured 'user_id_attribute' or not. This will break deployments where 'group_members_are_ids' are set to False and 'user_id_attribute' is not in the DN. This patch will perform a lookup by DN if the first RND does not match the configured 'user_id_attribute'. * [bug 1831918 (https://bugs.launchpad.net/keystone/+bug/1831918)] Credentials now logs cadf audit messages. * [bug 1832265 (https://bugs.launchpad.net/keystone/+bug/1832265)] Binary msgpack payload types are now consistently and correctly decoded when running Keystone under Python 3, avoiding any TypeErrors when attempting to convert binary encoded strings into UUID's. * [bug 1840291 (https://bugs.launchpad.net/keystone/+bug/1840291)] Adds retries for "delete_credential_for_user" method to avoid DBDeadlocks when deleting large number of credentials concurrently. * [*bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>*] Fixed an issue where system-scoped tokens couldn't be used to list users and groups (e.g., GET /v3/users or GET /v3/groups) if "keystone.conf [identity] domain_specific_drivers_enabled=True" and the API would return an "HTTP 401 Unauthorized". These APIs now recognize system-scoped tokens when using domain-specific drivers. * [bug 1856881 (https://bugs.launchpad.net/keystone/+bug/1856881)] "keystone-manage bootstrap" can be run in upgrade scenarios where pre-existing domain-specific roles exist named "admin", "member", and "reader". * [Bug 1856904 (https://bugs.launchpad.net/keystone/+bug/1856904)] The initiator object for CADF notifications now will always contain the username for the user who initated the action. Previously, the initator object only contained the user_id, which lead to issues mapping to users when using LDAP-backed identity providers. This also helps the initiator object better conform to the OpenStack standard for CADF. * [bug 1858012 (https://bugs.launchpad.net/keystone/+bug/1858012)] Fixes a bug in the /v3/role_assignments filtering where the *role.id* query parameter didn't properly filter role assignments by role in cases where there were multiple system role assignments. * [bug 1872733 (https://bugs.launchpad.net/keystone/+bug/1872733)] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential. * [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute "app_cred_id" is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected. * [bug 1872737 (https://bugs.launchpad.net/keystone/+bug/1872737)] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable. * [bug 1872755 (https://bugs.launchpad.net/keystone/+bug/1872755)] Added validation to the EC2 credentials update API to ensure the metadata labels 'trust_id' and 'app_cred_id' are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential. * [bug 1873290 (https://bugs.launchpad.net/keystone/+bug/1873290)] [bug 1872735 (https://bugs.launchpad.net/keystone/+bug/1872735)] Fixed the token model to respect the roles authorized OAuth1 access tokens. Previously, the list of roles authorized for an OAuth1 access token were ignored, so when an access token was used to request a keystone token, the keystone token would contain every role assignment the creator had for the project. This also fixed EC2 credentials to respect those roles as well. Changes in keystone 15.0.0..15.0.1 ---------------------------------- af9927479 Temporarily disable k2k tests on train and stein 206392a40 Fix security issues with EC2 credentials 330911cee Ensure OAuth1 authorized roles are respected 1ef382851 Check timestamp of signed EC2 token request e57e44c0e Add cadf auditing to credentials 2de401b79 Tell reno to ignore the kilo branch 615fe2138 Always have username in CADF initiator f2f79a9a6 Constraint dependencies for docs build 8f537ed54 Add voting k2k tests 0e6c07e46 Added keystone identity provider installation to Devstack plugin 1ba238e49 Ensure bootstrap handles multiple roles with the same name af470fd63 Fix role_assignments role.id filter 17947516b Fix credential list for project members ac3d3125a token: consistently decode binary types ccd9c7b2a Switch to the opensuse-15 nodeset cebed4114 Docs: Make robust with using real links e9612a672 Make system tokens work with domain-specific drivers 929c6a4d7 Switch to opensuse-15 nodeset 429923fbb Import LDAP job into project 52ef61868 Add retry for DBDeadlock in credential delete 10cc1ff64 Update broken links to dogpile.cache docs 933ea511d Allows to use application credentials through group membership 6e8be2a0d Fix python3 compatibility on LDAP search DN from id 909cc9fa8 Fixing dn_to_id function for cases were id is not in the DN 90f9da82a Revert "Blacklist bandit 1.6.0" a7f5e7a91 [docs] remove deprecated ubuntu package from installation 1828d0612 Blacklist bandit 1.6.0 03946c50b OpenDev Migration Patch 46dcd7ffe Update UPPER_CONSTRAINTS_FILE for stable/stein fda8e84b6 Update .gitreview for stable/stein Diffstat (except docs and test files) ------------------------------------- .gitignore | 2 + .gitreview | 3 +- .zuul.yaml | 39 +- devstack/files/federation/shib_apache_handler.txt | 12 + devstack/files/federation/shibboleth2.xml | 11 +- devstack/lib/federation.sh | 72 +++- .../admin/{caching-layer.rst => caching-layer.inc} | 10 +- ...cific-config.rst => domain-specific-config.inc} | 4 + ...dpoint-filtering.rst => endpoint-filtering.inc} | 2 + .../{endpoint-policy.rst => endpoint-policy.inc} | 2 + .../admin/federation/configure_federation.rst | 52 ++- .../admin/federation/{mellon.rst => mellon.inc} | 8 +- .../admin/federation/{openidc.rst => openidc.inc} | 12 +- .../federation/{shibboleth.rst => shibboleth.inc} | 8 +- ...grate-with-ldap.rst => integrate-with-ldap.inc} | 4 + .../{limit-list-size.rst => limit-list-size.inc} | 2 + .../admin/{performance.rst => performance.inc} | 2 + ...rity-compliance.rst => security-compliance.inc} | 4 + .../admin/{troubleshoot.rst => troubleshoot.inc} | 2 + .../{url-safe-naming.rst => url-safe-naming.inc} | 2 + keystone/api/_shared/EC2_S3_Resource.py | 75 +++- keystone/api/credentials.py | 101 +++-- keystone/api/users.py | 22 +- keystone/assignment/core.py | 10 +- keystone/cmd/bootstrap.py | 8 + keystone/common/authorization.py | 4 +- keystone/common/policies/base.py | 5 +- .../097_drop_user_name_domainid_constraint.py | 2 +- .../104_drop_user_name_domainid_constraint.py | 2 +- keystone/conf/credential.py | 11 +- keystone/credential/backends/sql.py | 3 + keystone/credential/core.py | 17 +- keystone/identity/backends/ldap/common.py | 34 +- keystone/identity/backends/ldap/core.py | 7 +- keystone/identity/backends/sql_model.py | 2 +- keystone/models/token_model.py | 34 +- keystone/notifications.py | 20 +- keystone/oauth1/core.py | 4 +- keystone/server/flask/common.py | 2 + keystone/token/token_formatters.py | 104 ++--- .../keystone-dsvm-grenade-multinode/run.yaml | 10 +- .../notes/bug-1773967-b59517a09e0e6141.yaml | 9 + .../notes/bug-1782922-db822fda486ac773.yaml | 10 + .../notes/bug-1831918-c70cf87ef086d871.yaml | 6 + .../notes/bug-1832265-cb76ccf505c2d9d1.yaml | 7 + .../notes/bug-1840291-35af1ac7ba06e166.yaml | 6 + .../notes/bug-1843609-8498b132222596b7.yaml | 9 + .../notes/bug-1855080-08b28181b7cb2470.yaml | 23 + .../notes/bug-1856881-277103af343187f1.yaml | 7 + .../notes/bug-1856904-101af15bb48eb3ca.yaml | 9 + .../notes/bug-1858012-584267ada7e33f2c.yaml | 7 + .../notes/bug-1872733-2377f456a57ad32c.yaml | 16 + .../notes/bug-1872735-0989e51d2248ce1e.yaml | 31 ++ .../notes/bug-1872737-f8e1ad3b6705b766.yaml | 28 ++ .../notes/bug-1872755-2c81d3267b89f124.yaml | 19 + .../notes/bug-1873290-ff7f8e4cee15b75a.yaml | 19 + reno.yaml | 4 + tox.ini | 11 +- 93 files changed, 1753 insertions(+), 322 deletions(-)