Queens Series Release Notes

13.0.4-9

Upgrade Notes

  • [bug 1872737] Added a default TTL of 15 minutes for signed EC2 credential requests, where previously an EC2 signed token request was valid indefinitely. This change in behavior is needed to protect against replay attacks.

  • As a performance improvement, the base mapping driver’s method get_domain_mapping_list now accepts an optional named argument entity_type that can be used to get the mappings for a given entity type only. As this new call signature is already used in the identity.core module, authors/maintainers of out-of-tree custom mapping drivers are expected to update their implementations of get_domain_mapping_list method accordingly.

Critical Issues

  • [bug 1872733] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential.

  • [bug 1872735] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute app_cred_id is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected.

Security Issues

  • [bug 1872733] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential.

  • [bug 1872735] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute app_cred_id is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected.

  • [bug 1872737] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable.

  • [bug 1872755] Added validation to the EC2 credentials update API to ensure the metadata labels ‘trust_id’ and ‘app_cred_id’ are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential.

Bug Fixes

  • [bug 1773967] Fixes an issue where users who had role assignments only via a group membership and not via direct assignment could create but not use application credentials. It is important to note that federated users who only have role assignments via a mapped group membership still cannot create application credentials.

  • [bug 1831918] Credentials now logs cadf audit messages.

  • [bug 1856881] keystone-manage bootstrap can be run in upgrade scenarios where pre-existing domain-specific roles exist named admin, member, and reader.

  • [bug 1872733] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential.

  • [bug 1872735] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute app_cred_id is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected.

  • [bug 1872737] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable.

  • [bug 1872755] Added validation to the EC2 credentials update API to ensure the metadata labels ‘trust_id’ and ‘app_cred_id’ are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential.

  • [bug 1885753] Keystone’s SQL identity backend now retries update user requests to safely handle stale data when two clients update a user at the same time.

13.0.3

Bug Fixes

  • [bug 1780503] The notification wrapper now sets the initiator’s id to the given user id. This fixes an issue where identity.authentication event would result in the initiator id being a random default UUID, rather than the user’s id when said user would authenticate against keystone.

  • [bug 1782922] Fixed the problem where Keystone indiscriminately return the first RDN as the user ID, regardless whether it matches the configured ‘user_id_attribute’ or not. This will break deployments where ‘group_members_are_ids’ are set to False and ‘user_id_attribute’ is not in the DN. This patch will perform a lookup by DN if the first RND does not match the configured ‘user_id_attribute’.

  • [bug 1801873] This fixes an issue where an LDAP-backed domain could not be deleted due to the existence of shadow users in the SQL database.

  • [bug 1840291] Adds retries for delete_credential_for_user method to avoid DBDeadlocks when deleting large number of credentials concurrently.

  • [bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>] Fixed an issue where system-scoped tokens couldn’t be used to list users and groups (e.g., GET /v3/users or GET /v3/groups) if keystone.conf [identity] domain_specific_drivers_enabled=True and the API would return an HTTP 401 Unauthorized. These APIs now recognize system-scoped tokens when using domain-specific drivers.

13.0.2

Bug Fixes

13.0.1

Bug Fixes

  • [bug 1763824] JSON Schema implementation nullable in keystone.common.validation now properly adds None to the enum if the enum exists.

13.0.0

Prelude

This release adds support for Application Credentials, a new way to allow applications and automated tooling to authenticate with keystone. Rather than storing a username and password in an application’s config file, which can pose security risks, you can now create an application credential to allow an application to authenticate and acquire a preset scope and role assignments. This is especially useful for LDAP and federated users, who can now delegate their cloud management tasks to a keystone-specific resource, rather than share their externally managed credentials with keystone and risk a compromise of those external systems. Users can delegate a subset of their role assignments to an application credential, allowing them to strategically limit their application’s access to the minimum needed. Unlike passwords, a user can have more than one active application credential, which means they can be rotated without causing downtime for the applications using them.

New Features

  • [blueprint unified-limit] Keystone now supports unified limits. Two resouces called registered limit and limit are added and a batch of related APIs are supported as well. These APIs are experimental now. It means that they are not stable enough and may be changed without backward compatibility. Once unified limit feature are ready for consuming, the APIs will be marked as stable.

  • [blueprint application-credentials] Users can now create Application Credentials, a new keystone resource that can provide an application with the means to get a token from keystone with a preset scope and role assignments. To authenticate with an application credential, an application can use the normal token API with the ‘application_credential’ auth method.

  • [blueprint system-scope] Keystone now supports the ability to assign roles to users and groups on the system. As a result, users and groups with system role assignment will be able to request system-scoped tokens. Additional logic has been added to keystone-manage bootstrap to ensure the administrator has a role on the project and system.

  • [blueprint project-tags] Projects have a new property called tags. These tags are simple strings that can be used to allow projects to be filtered/searched. Project tags will have the following properties:

    • Tags are case sensitive

    • ‘/’ and ‘,’ are not allowed to be in a tag

    • Each project can have up to 100 tags

    • Each tag can be up to 255 characters

    See Project Tags

    Project tags are implemented following the guidelines set by the API Working Group

  • The token_formatter utility class has been moved from under fernet to the default token directory. This is to allow for the reuse of functionality with other token providers. Any deployments that are specifically using the fernet utils may be affected and will need to adjust accordingly.

Upgrade Notes

  • The trusts table now has an expires_at_int column that represents the expiration time as an integer instead of a datetime object. This will prevent rounding errors related to the way date objects are stored in some versions of MySQL. The expires_at column remains, but will be dropped in Rocky.

  • [bug 1702211] Password created_at field under some versions/deployments of MySQL would lose sub-second precision. This means that it was possible for passwords to be returned out-of-order when changed within one second (especially common in testing). This change stores password created_at and expires_at as an integer instead of as a DATETIME data-type.

  • The resource backend cannot be configured to anything but SQL if the SQL Identity backend is being used. The resource backend must now be SQL which allows for the use of Foreign Keys to domains/projects wherever desired. This makes managing project relationships and such much more straight forward. The inability to configure non-SQL resource backends has been in Keystone since at least Ocata. This is eliminating some complexity and preventing the need for some really ugly back-port SQL migrations in favor of a better model. Resource is highly relational and should be SQL based.

Deprecation Notes

  • The policies API is deprecated. Keystone is not a policy management service.

  • The /OS-FEDERATION/projects and /OS-FEDERATION/domains APIs are deprecated in favor of the /v3/auth/projects and /v3/auth/domains APIs. These APIs were originally marked as deprecated during the Juno release cycle, but we never deprecated using versionutils from oslo. More information regarding this deprecation can be found in the patch that proposed the deprecation.

  • [bug 1728690] The member_role_id and member_role_name config options were used to create a default member role for keystone v2 role assignments, but with the removal of the v2 API it is no longer necessary to create this default role. This option is deprecated and will be removed in the S release. If you are depending on having a predictable role name and ID for this member role you will need to update your tooling.

  • The enabled config option of the trust feature is deprecated and will be removed in the next release. Trusts will then always be enabled.

Bug Fixes

  • [bug 1749268] The keystone-manage bootstrap command now ensures that an administrator has a system role assignment. This prevents the ability for operators to lock themselves out of system-level APIs.

  • [bug 1291157] Identity provider information is now validated in during token validation. If an identity provider is removed from a keystone service provider, tokens associated to that identity provider will be considered invalid.

  • [bug 1524030] Revocation records are no longer written to the revocation_event table when a domain or project is disabled. These records were only ever used during the token validation process. In favor of revocation events, the project or domain will be validated online when the token is validated. This results in less database bloat while maintaining security during token validation.

  • [bug 1701324] Token bodies now contain only unique roles in the authentication response.

  • [bug 1718747] Fixes a regression where deleting a domain with users in it caues a server error. This bugfix restores the previous behavior of deleting the users namespaced in the domain. This only applies when using the SQL identity backend.

  • [bug 1727099] When users try to changes their password, the total number which includes the new password should not be greater or equal to the unique_last_password_count config options. But the help and error messages for this scenario are not described clearly. Now the messges are updated to be more clear.

  • [bug 1727726] All users and groups are required to have a name. Prior to this fix, Keystone was allowing LDAP users and groups whose name has only empty white spaces. Keystone will now ignore users and groups that do have only white spaces as value for the LDAP attribute which Keystone has been configured to use for that entity’s name.

  • [bug 1733754] Keystone didn’t validate the OS-TRUST:trust key of the authentication request is actually a dictionary. This results in a 500 Internal Server Error when it should really be a 400 Bad Request.

  • [bug 1734244] Return a 400 status code instead of a 500 when creating a trust with extra attributes in the roles parameter.

  • [bug 1736875] Add schema check to return a 400 status code instead of a 500 when authorize a request token with non-id attributes in the roles parameter.

  • [bug 1738895] Fixed the bug that federated users can’t be listed by name filter. Now when list users by name, Keystone will query both local user backend and shadow user backend.

  • [bug 1740951] A new method was added that made it so oslo.policy sample generation scripts can be used with keystone. The oslopolicy-policy-generator script will now generate a policy file containing overrides and defaults registered in code.

  • [bug 1747694] The trust API reference declared support for page and per_page query parameters, when the actual trust API didn’t support them. The API reference has been updated accordingly.

  • [bug 1748970] A bug was introduced in Queens that resulted in system role assignments being returned when querying the role assignments API for a specific role. The issue is fixed and the list of roles returned from GET /v3/role_assignments?role.id={role_id} respects system role assignments.

  • [bug 1749264] A user’s system role assignment will be removed when the user is deleted.

  • [bug 1749267] A group’s system role assignments are removed when the group is deleted.

  • [bug 1750415] Fixes an implementation fault in application credentials where the application credential reference was not populated in the token data, causing problems with the token validation when caching was disabled.

Other Notes

  • [bug 1718747] As part of solving a regression in the identity SQL backend that prevented domains containing users from being deleted, a notification callback was altered so that users would only be deleted if the identity backend is SQL. If you have a custom identity backend that is not read-only, deleting a domain in keystone will not delete the users in your backend unless your driver has an is_sql property that evaluates to true.

  • Keystone now supports authorizing a request token by providing a role name. A role in the roles parameter can include either a role name or role id, but not both.

  • [bug 1728690] The keystone-manage bootstrap command will only create the admin role and will no longer create a default member role. Please create any additional roles you need after running bootstrap by using the openstack role create command.

  • The config option rolling_upgrade_password_hash_compat is removed. It is only used for rolling-upgrade from Ocata release to Pike release.