[release-announce] barbican 12.0.1 (wallaby)
no-reply at openstack.org
Thu Aug 18 09:46:47 UTC 2022
We enthusiastically announce the release of:
barbican 12.0.1: OpenStack Secure Key Management
This release is part of the wallaby stable release series.
The source is available from:
https://opendev.org/openstack/barbican
Download the package from:
https://tarballs.openstack.org/barbican/
Please report issues through:
https://bugs.launchpad.net/barbican/+bugs
For more details, please see below.
12.0.1
^^^^^^
New Features
************
* The default maximum secret size has been increased from 10 kB to
20 kB, and the default maximum request size has been increased from
15 kB to 25 kB.
Security Issues
***************
* Part of the fix for Story 2009664 required renaming the policy for
Container Consumers from "consumers:get" to
"container_consumers:get", "consumers:post" to
"container_consumers:post", and "consumers:delete" to
"container_consumers:delete". If you are using custom policies to
override the default policies you will need to update them to use
the new names.
* Fixed Story #2009791: Users with the "creator" role on a project
can now delete secrets owned by the project even if the user is
different from the user that originally created the secret. Prior
to this fix, a user with the "creator" role was only allowed to
delete a secret owned by the project if they were also the user
that originally created it, which was inconsistent with the way that
deletes are handled by other OpenStack projects that integrate with
Barbican. This change does not affect private secrets (i.e. secrets
with the "project-access" flag set to "false").
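For operators with custom policy overrides, the rename described for Story 2009664 can be checked mechanically. The following is an added example, not part of the Barbican release or its tooling: it assumes a flat override file with one rule per line, and the function name, the sample file and the "audit_read" rule are hypothetical.

```python
import re

# Old -> new rule names, exactly as listed in the release note above.
RENAMES = {
    "consumers:get": "container_consumers:get",
    "consumers:post": "container_consumers:post",
    "consumers:delete": "container_consumers:delete",
}
# Rule name at the start of a line, quoted or not: "consumers:get": <check>
KEY_RE = re.compile(r'^(\s*)(["\']?)([\w:]+?)\2(\s*:)(?=\s|$)')
# Reference to a renamed rule inside a check string: rule:consumers:get
REF_RE = re.compile(r'\brule:(consumers:(?:get|post|delete))\b')

def migrate_policy(text):
    """Return (new_text, findings); findings are (line_no, kind, old_name)."""
    lines = text.splitlines()
    keys = {m.group(3) for m in map(KEY_RE.match, lines) if m}
    out, findings = [], []
    for n, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            out.append(line)  # comments are left untouched
            continue
        m = KEY_RE.match(line)
        if m and m.group(3) in RENAMES:
            old, new = m.group(3), RENAMES[m.group(3)]
            if new in keys:
                # Both names are overridden: renaming would duplicate the key,
                # so leave the line alone and report it for manual review.
                findings.append((n, "conflict", old))
            else:
                ind, q, _, sep = m.groups()
                line = f"{ind}{q}{new}{q}{sep}{line[m.end():]}"
                findings.append((n, "renamed", old))
        # Check strings in other rules may still point at the old names.
        for old in REF_RE.findall(line):
            findings.append((n, "reference", old))
        line = REF_RE.sub(lambda r: "rule:" + RENAMES[r.group(1)], line)
        out.append(line)
    return "\n".join(out) + "\n", findings

# Constructed sample override file; "audit_read" is a hypothetical custom rule.
SAMPLE = '''\
# local overrides
"consumers:get": "rule:admin or role:observer"
"consumers:post": "rule:admin"
"container_consumers:post": "rule:admin or role:creator"
"audit_read": "rule:consumers:get"
'''

if __name__ == "__main__":
    print(*migrate_policy(SAMPLE), sep="\n")
```

An override left under an old name no longer matches any rule Barbican evaluates, so the default for the new name applies instead of the operator's restriction; "conflict" findings need a manual decision on which check string to keep.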
Bug Fixes
*********
* Fixed Story #2009247 - Fixed the response for
POST /v1/secrets/{secret-id}/metadata so it matches the documented
behavior.
* Fixed Story 2009664 - Fixed the Consumer controller to be able to
use the associated Container's ownership information in policy
checks.
* Fixed Story #2009672 - Fixed validator for Container Consumers to
prevent 500 errors.
Changes in barbican 12.0.0..12.0.1
----------------------------------
486e6072 Allow users with "creator" role to edit ACLs
09d184de Fix stable/wallaby gates
0b453212 Allow secret delete by users with "creator" role
92375781 Fix container consumers rbac policy
a66d1765 Add FIPS gate job
ea7451e3 Fix policy for Orders
c1204779 Fix consumer name length validator
a8226fcf Fix policy for adding a secret to a container
b30cb63d Fix secret metadata access rules (pt 2)
64a42424 Fix secret metadata access rules
49f3b2f0 Fix POST /v1/secret/{secret-id}/metadata response
2792aca7 Ignore network errors during C_Finalize
6cb7a730 Run TripleO jobs on CentOS8 instead of CentOS7
2f058e49 Return 403 instead of 500 when policy check fails
bac7d220 Raise maximum allowed secret size
Diffstat (except docs and test files)
-------------------------------------
.zuul.yaml | 16 ++-
api-guide/source/acls.rst | 3 +-
barbican/api/__init__.py | 2 +-
barbican/api/controllers/__init__.py | 16 ++-
barbican/api/controllers/acls.py | 2 +
barbican/api/controllers/consumers.py | 73 ++++++--------
barbican/api/controllers/containers.py | 17 +---
barbican/api/controllers/orders.py | 9 +-
barbican/api/controllers/quotas.py | 3 +
barbican/api/controllers/secretmeta.py | 7 +-
barbican/api/controllers/secrets.py | 10 +-
barbican/api/controllers/secretstores.py | 3 +
barbican/api/controllers/transportkeys.py | 2 +
barbican/common/config.py | 4 +-
barbican/common/exception.py | 4 +
barbican/common/policies/acls.py | 16 ++-
barbican/common/policies/base.py | 6 ++
barbican/common/policies/consumers.py | 111 +++++++++++++++------
barbican/common/policies/containers.py | 10 +-
barbican/common/policies/orders.py | 8 +-
barbican/common/policies/secretmeta.py | 33 +++++-
barbican/common/policies/secrets.py | 2 +
barbican/common/validators.py | 4 +-
barbican/plugin/crypto/pkcs11.py | 13 ++-
bindep.txt | 9 +-
.../api/v1/functional/test_secrets_rbac.py | 2 +-
playbooks/enable-fips.yaml | 4 +
.../notes/fix-story-2009247-18faf4f2b570dfc0.yaml | 6 ++
.../notes/fix-story-2009664-042ef282c0dd6b6a.yaml | 13 +++
.../notes/fix-story-2009672-d64ef6c10444f517.yaml | 5 +
...9791-allow-creator-delete-06dd3eb670d0e624.yaml | 11 ++
.../increase-max-secret-size-da90164d8b328727.yaml | 5 +
40 files changed, 467 insertions(+), 175 deletions(-)