Xena Series Release Notes¶
A new option ‘randomize_urls’ can be used to randomize the order in which keystone connects to the LDAP servers in [ldap] ‘url’ list. It is false by default.
Passwords will now be automatically truncated if the max_password_length is greater than the allowed length for the selected password hashing algorithm. Currently only bcrypt has fixed allowed lengths defined which is 54 characters. A warning will be generated in the log if a password is truncated. This will not affect existing passwords, however only the first 54 characters of existing bcrypt passwords will be validated.
[bug 1992183] [CVE-2022-2447] Tokens issued with application credentials will now have their expiration validated against that of the application credential. If the application credential expires before the token the token’s expiration will be set to the same expiration as the application credential. Otherwise the token will use the configured value.
Passwords that are hashed using bcrypt are now truncated properly to the maximum allowed length by the algorythm. This solves regression, when passwords longer then 54 symbols are getting invalidated after the Keystone upgrade.
[bug 1926483] Keystone will only log warnings about token length for Fernet tokens when the token length exceeds the value of keystone.conf [DEFAULT] max_token_size.
[bug 1929066] Increase the length of the local_id column in the id_mapping table to accommodate LDAP group names that result in names greater than 64 characters.
[bug 1688137] Fixed the AccountLocked exception being shown to the end user since it provides some information that could be exploited by a malicious user. The end user will now see Unauthorized instead of AccountLocked, preventing user info oracle exploitation.
[bug 1885753] Keystone’s SQL identity backend now retries update user requests to safely handle stale data when two clients update a user at the same time.