[release-announce] keystone 18.1.0 (victoria)

no-reply at openstack.org no-reply at openstack.org
Mon Jan 31 15:34:01 UTC 2022


We high-spiritedly announce the release of:

keystone 18.1.0: OpenStack Identity

This release is part of the victoria stable release series.

The source is available from:

    https://opendev.org/openstack/keystone

Download the package from:

    https://tarballs.openstack.org/keystone/

Please report issues through:

    https://bugs.launchpad.net/keystone/+bugs

For more details, please see below.

18.1.0
^^^^^^


Security Issues
***************

* [bug 1901207 (https://bugs.launchpad.net/keystone/+bug/1901207)]
  Policy enforcement for application credentials has been updated to
  protect against invalid ownership checks resulting in unauthorized
  users being able to get and delete application credentials for other
  users.


Bug Fixes
*********

* [bug 1688137 (https://bugs.launchpad.net/keystone/+bug/1688137)]
  Fixed the AccountLocked exception being shown to the end user since
  it provides some information that could be exploited by a malicious
  user. The end user will now see Unauthorized instead of
  AccountLocked, preventing user info oracle exploitation.

* [bug 1878938 (https://bugs.launchpad.net/keystone/+bug/1878938)]
  Previously when a user used to have system role assignment and tries
  to delete the same role, the system role assignments still existed
  in system_assignment table. This causes keystone to return *HTTP 404
  Not Found* errors when listing role assignments with names (e.g.,
  *--names* or *?include_names*).

  If you are affected by this bug, you must remove stale role
  assignments manually. The following is an example SQL statement you
  can use to fix the issue, but you should verify it's applicability
  to your deployment's SQL implementation and version.

  SQL:
     * delete from system_assignment where role_id not in (select id
       from role);

* [bug 1885753 (https://bugs.launchpad.net/keystone/+bug/1885753)]
  Keystone's SQL identity backend now retries update user requests to
  safely handle stale data when two clients update a user at the same
  time.

* [bug 1896125 (https://bugs.launchpad.net/keystone/+bug/1896125)]
  Introduced more robust connection handling for asynchronous LDAP
  requests to address memory leaks fetching data from LDAP backends
  with low page sizes.

* [bug 1901654 (https://bugs.launchpad.net/keystone/+bug/1901654)]
  Previously, generate_public_ID() in sha256.py assumed the passed
  arguments is str data type. However, python-ldap 3.0 or later
  returns bytes data type for attribute values except fields of
  distinguished names, relative distinguished names, attribute names,
  queries. If keystone running on Python3 is integrated with LDAP and
  the LDAP server has local_id variable in its attribute, user login
  operations will fail due to the assumption and modifiation of
  python-ldap. By this fix, generate_public_ID() properly handles
  bytes data type in the parameter.

Changes in keystone 18.0.0..18.1.0
----------------------------------

4063ad98e Fix typos in application credential policies
65c99d6ef Fix typos in ec2 credential policies
f742fadef Fix typo in identity provider policies
4649fe6bf Hide AccountLocked exception from end users
5b7d4c80d Retry update_user when sqlalchemy raises StaleDataErrors
5b860e0b3 Support bytes type in generate_public_ID()
66c3bd8d2 Use app cred user ID in policy enforcement
665948998 Update TOX_CONSTRAINTS_FILE for stable/victoria
42faeb277 Drop lower-constraints job
6f93063ff Delete system role assignments from system_assignment table
a26a40d44 Implement more robust connection handling for asynchronous LDAP calls
5680b482c Update .gitreview for stable/victoria


Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |   1 +
.zuul.yaml                                         |   1 -
keystone/api/users.py                              |  47 ++++++++-
keystone/assignment/backends/sql.py                |   5 +
keystone/common/policies/application_credential.py |   4 +-
keystone/common/policies/ec2_credential.py         |  12 +--
keystone/common/policies/identity_provider.py      |   8 +-
keystone/identity/backends/ldap/common.py          | 106 +++++++++++++--------
keystone/identity/backends/sql.py                  |   8 ++
keystone/identity/id_generators/sha256.py          |  10 +-
keystone/notifications.py                          |   2 +
.../protection/v3/test_application_credential.py   |  66 +++++++++++++
.../notes/bug-1688137-e4203c9a728690a7.yaml        |   8 ++
.../notes/bug-1878938-70ee2af6fdf66004.yaml        |  16 ++++
.../notes/bug-1885753-51df25f3ff1d9ae8.yaml        |   6 ++
.../notes/bug-1896125-b17a4d12730fe493.yaml        |   7 ++
.../notes/bug-1901207-13762f85b8a04481.yaml        |   7 ++
.../notes/bug-1901654-69b9f35d11cd0c75.yaml        |  10 ++
tox.ini                                            |   6 +-
24 files changed, 352 insertions(+), 64 deletions(-)







More information about the Release-announce mailing list