Ussuri Series Release Notes


New Features

  • The default maximum secret size has been increased from 10 kB to 20 kb, and the default maximum request size has been increased from 15 kB to 25 kB.

Security Issues

  • Fixed Story #2009791: Users with the “creator” role on a project can now delete secrets owned by the project even if the user is different than the user that originally created the secret. Previous to this fix a user with the “creator” role was only allowed to delete a secret owned by the project if they were also the same user that originally created, which was inconsistent with the way that deletes are handled by other OpenStack projects that integrate with Barbican. This change does not affect private secrets (i.e. secrets with the “project-access” flag set to “false”).

Bug Fixes

  • Fixed Story #2009247 - Fixed the response for POST /v1/secrets/{secret-id}/metadata so it matches the documented behavior.

  • Fixed Story #2009672 - Fixed validator for Container Consumers to prevent 500 errors.


New Features

  • Added two options for the PKCS#11 Crypto Plugin: [p11_crypto_plugin]/token_serial_number and [p11_crypto_plugin]/token_label. Both are optional and can be used instead of [p11_crypto_plugin]/slot_id to identify the Token to be used by the PKCS#11 plugin. When either one of the new options is defined the plugin will search all slots on the PKCS#11 device for a token that matches the given value. token_serial_number has the highest precendence and other values will be ignored when this value is set. If token_serial_number is not set, then token_label has the next highest precedence and slot_id will be ignored. slot_id will be used when neither one of the new options is set.

  • Added a new boolean option to the PKCS#11 backend: os_locking_ok. When set to True, the flag CKF_OS_LOCKING_OK will be passed to the C_Initialize function. The new option defaults to False.

  • A new “token_labels” option has been added to the PKCS#11 driver which supersedes the previous “token_label” option. The new option is used to specify a list of tokens that can be used by Barbican. This is required for some HSM devices that use separate tokens for load balancing. For most use cases the new option will just have a single token. The old option is deprecated, but will still be used if present.

  • The hsm subcommand for the barbican-manage command line tool no longer requires any parameters at run time. If any value used by the PKCS#11 value is needed it will be taken from /etc/barbican/barbican.conf. You may continue to specify any values on the command line, and those will take precedence over the values specified in barbican.conf, so any existing scripts that use barbican-manage should continue to work as expected.

Deprecation Notes

  • The “token_label” option in the PKCS#11 driver is deprecated. Th new “token_labels” option should be used instead. If present, “token_label” will still be used by appending it to “token_labels”.

Bug Fixes

  • Fixed Story #2008649: Correctly reinitialize PKCS11 object after secondary failures.

  • Fixed Story # 2007732: Migrations broken on MySQL 8.x.


New Features

  • It is now possible for barbican-keystone-listener to listen on the same standard notification topic without interfering with other services by using the notification listener pools feature of oslo.messaging. To use it, set the new [keystone_notifications]pool_name option to some unique value (but the same for all instances of barbican-keystone-listener service). This feature is available only for those messaging transports of oslo.messaging that support it. At the moment those are rabbitmq and kafka. For more details see oslo.messagind docs

Upgrade Notes

  • Python 2.7 support has been dropped. Last release of Barbican to support python 2.7 is OpenStack Train. The minimum version of Python now supported by Barbican is Python 3.6.