[release-announce] barbican 13.0.1 (xena)

no-reply at openstack.org
Thu Oct 6 09:59:34 UTC 2022


We are tickled pink to announce the release of:

barbican 13.0.1: OpenStack Secure Key Management

This release is part of the xena stable release series.

The source is available from:

    https://opendev.org/openstack/barbican

Download the package from:

    https://tarballs.openstack.org/barbican/

Please report issues through:

    https://bugs.launchpad.net/barbican/+bugs

For more details, please see below.

13.0.1
^^^^^^


Security Issues
***************

* Part of the fix for Story 2009664 required renaming the policy for
  Container Consumers from "consumers:get" to
  "container_consumers:get", "consumers:post" to
  "container_consumers:post", and "consumers:delete" to
  "container_consumers:delete".  If you are using custom policies to
  override the default policies you will need to update them to use
  the new names.

* Fixed Story #2009791: Users with the "creator" role on a project
  can now delete secrets owned by the project even if the user is
  different from the user who originally created the secret. Prior
  to this fix, a user with the "creator" role was only allowed to
  delete a secret owned by the project if they were also the user
  who originally created it, which was inconsistent with the way
  deletes are handled by other OpenStack projects that integrate with
  Barbican.  This change does not affect private secrets (i.e. secrets
  with the "project-access" flag set to "false").
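
One way to check a custom policy file for the three renamed Container Consumers policies before upgrading. This is an added example, not part of the release notes or Barbican's code; it assumes a flat policy.yaml with one override per line, and the sample file content and rule strings are constructed.

```python
import re

# Renames stated in the 13.0.1 release note (old name -> new name).
RENAMES = {
    "consumers:get": "container_consumers:get",
    "consumers:post": "container_consumers:post",
    "consumers:delete": "container_consumers:delete",
}

# An override is a mapping key at the start of a line, optionally quoted.
# Anchoring there skips comments, rule bodies and "container_consumers:*".
KEY_RE = re.compile(r"""^(\s*)(["']?)([A-Za-z_]+:[A-Za-z_]+)\2(\s*:(?:\s|$))""")


def migrate_policy(text):
    """Return (new_text, renamed, conflicts) for a policy override file."""
    lines = text.splitlines()
    defined = {m.group(3) for m in map(KEY_RE.match, lines) if m}
    renamed, conflicts, out = [], [], []
    for no, line in enumerate(lines, 1):
        m = KEY_RE.match(line)
        old = m.group(3) if m else None
        if old in RENAMES:
            new = RENAMES[old]
            if new in defined:
                # Both names are overridden: leave the line for manual review
                # instead of silently producing a duplicate key.
                conflicts.append((no, old, new))
            else:
                line = line[:m.start(3)] + new + line[m.end(3):]
                renamed.append((no, old, new))
        out.append(line)
    return "\n".join(out) + "\n", renamed, conflicts


# Constructed operator override file, for illustration only.
SAMPLE = (
    '# custom overrides\n'
    '"consumers:get": "rule:admin or rule:audit"\n'
    '"consumers:post": "rule:admin"\n'
    '"container_consumers:post": "rule:admin or rule:creator"\n'
    '"secret:get": "rule:secret_non_private_read"\n'
)

if __name__ == "__main__":
    new_text, renamed, conflicts = migrate_policy(SAMPLE)
    for no, old, new in renamed:
        print(f"line {no}: {old} -> {new}")
    for no, old, new in conflicts:
        print(f"line {no}: {old} and {new} both overridden, review manually")
```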


Bug Fixes
*********

* Fixed Story #2009247 - Fixed the response for POST
  /v1/secrets/{secret-id}/metadata so it matches the documented behavior.

* Fixed Story 2009664 - Fixed the Consumer controller to be able to
  use the associated Container's ownership information in policy
  checks.

* Fixed Story #2009672 - Fixed validator for Container Consumers to
  prevent 500 errors.

Changes in barbican 13.0.0..13.0.1
----------------------------------

3670a0a8 Fix Story 2010258 (CVE-2022-3100)
4cc1070d Fix Barbican gate
74bab1d4 Fix remaining Secure RBAC policies
1ebdd8f5 Fix Secure RBAC policies for Containers API
3b1c6b3d Fix Secure RBAC policies for Consumers
8c44a2f9 Fix Secure RBAC policies for secret_metadata
4271726f Fix Secure RBAC policies for Orders
de65fecd Fix Secure RBAC policies for Secret ACLs
34f1adc0 Fix Secure RBAC policies for Secrets
6328e38a Set versioned jobs to set microversion correctly
bb277947 Allow users with "creator" role to edit ACLs
0cc62e4e Xena-only: Remove TripleO job
811a846a Allow secret delete by users with "creator" role
6a5ab85f Fix container consumers rbac policy
382b5086 Fix policy for Orders
059b4a08 Fix consumer name length validator
bbb87ea8 Fix policy for adding a secret to a container
b1e5386f Fix secret metadata access rules (pt 2)
750a79b4 Fix secret metadata access rules
61aa13e9 Fix POST /v1/secret/{secret-id}/metadata response
698aa1b6 Temporarily disable RBAC tests
1b6cf81c Ignore network errors during C_Finalize
1370c484 Run TripleO jobs on CentOS8 instead of CentOS7
65294a87 Update TOX_CONSTRAINTS_FILE for stable/xena
b9e0b725 Update .gitreview for stable/xena


Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |   1 +
.zuul.yaml                                         |  29 +--
api-guide/source/acls.rst                          |   3 +-
barbican/api/controllers/__init__.py               |  27 ++-
barbican/api/controllers/acls.py                   |   2 +
barbican/api/controllers/consumers.py              |  73 ++++----
barbican/api/controllers/containers.py             |  17 +-
barbican/api/controllers/orders.py                 |   9 +-
barbican/api/controllers/quotas.py                 |   3 +
barbican/api/controllers/secretmeta.py             |   7 +-
barbican/api/controllers/secrets.py                |  10 +-
barbican/api/controllers/secretstores.py           |   3 +
barbican/api/controllers/transportkeys.py          |   2 +
barbican/common/exception.py                       |   4 +
barbican/common/policies/acls.py                   | 131 +++++++++----
barbican/common/policies/base.py                   | 127 +++++++++----
barbican/common/policies/consumers.py              | 207 ++++++++++++++++-----
barbican/common/policies/containers.py             | 119 +++++++++---
barbican/common/policies/orders.py                 |  63 ++++++-
barbican/common/policies/quotas.py                 |  50 +++--
barbican/common/policies/secretmeta.py             |  77 +++++++-
barbican/common/policies/secrets.py                | 114 ++++++++----
barbican/common/policies/secretstores.py           |  70 +++++--
barbican/common/policies/transportkeys.py          |  50 ++++-
barbican/common/validators.py                      |   4 +-
barbican/plugin/crypto/pkcs11.py                   |  13 +-
.../api/v1/functional/test_secrets_rbac.py         |   2 +-
.../notes/fix-story-2009247-18faf4f2b570dfc0.yaml  |   6 +
.../notes/fix-story-2009664-042ef282c0dd6b6a.yaml  |  13 ++
.../notes/fix-story-2009672-d64ef6c10444f517.yaml  |   5 +
...9791-allow-creator-delete-06dd3eb670d0e624.yaml |  11 ++
tox.ini                                            |   8 +-
38 files changed, 1089 insertions(+), 390 deletions(-)






