Yoga Series Release Notes


New Features

  • A new option ‘randomize_urls’ can be used to randomize the order in which keystone connects to the LDAP servers in [ldap] ‘url’ list. It is false by default.


Security Issues

  • Passwords will now be automatically truncated if the max_password_length is greater than the allowed length for the selected password hashing algorithm. Currently only bcrypt has a fixed allowed length defined, which is 54 characters. A warning will be generated in the log if a password is truncated. This does not affect existing passwords; however, only the first 54 characters of existing bcrypt passwords will be validated.

  • [bug 1992183] [CVE-2022-2447] Tokens issued with application credentials will now have their expiration validated against that of the application credential. If the application credential expires before the token, the token’s expiration will be set to the same expiration as the application credential. Otherwise the token will use the configured value.

Bug Fixes

  • Passwords that are hashed using bcrypt are now truncated properly to the maximum length allowed by the algorithm. This fixes a regression where passwords longer than 54 characters were invalidated after a Keystone upgrade.
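The truncation behaviour described in the Security Issues and Bug Fixes entries above, modelled as an added example (this is not Keystone's own code). It assumes a per-algorithm limit table containing only the 54-character bcrypt limit the notes mention, a constructed deployment value standing in for max_password_length, and, so that it runs without the bcrypt package, PBKDF2-HMAC from the standard library as a stand-in for the bcrypt primitive. The point it shows is that verification must apply the same truncation as hashing: a 70-character password and any string sharing its first 54 characters both verify, which is exactly the "only the first 54 characters are validated" caveat.

```python
"""Password truncation to an algorithm's fixed limit, with the same truncation
applied on verification.  Added example, not Keystone code."""
import hashlib
import hmac
import logging
import os

LOG = logging.getLogger(__name__)

# Per-algorithm fixed limits.  The Yoga notes state that bcrypt is currently the
# only algorithm with a fixed limit, 54 characters.  (The table itself is this
# example's assumption, not a Keystone API.)
MAX_PASSWORD_LENGTH_PER_ALGO = {"bcrypt": 54}

# Constructed stand-in for the deployment's max_password_length setting.
CONFIGURED_MAX_PASSWORD_LENGTH = 4096


def effective_max_length(algorithm):
    """Smaller of the configured limit and the algorithm's fixed limit, if any."""
    algo_limit = MAX_PASSWORD_LENGTH_PER_ALGO.get(algorithm)
    if algo_limit is None:
        return CONFIGURED_MAX_PASSWORD_LENGTH
    return min(CONFIGURED_MAX_PASSWORD_LENGTH, algo_limit)


def truncate_password(password, algorithm):
    """Return (possibly truncated password, was_truncated); log when truncating."""
    limit = effective_max_length(algorithm)
    if len(password) <= limit:
        return password, False
    LOG.warning("Password exceeds the %d character limit for %s and was truncated",
                limit, algorithm)
    return password[:limit], True


def _digest(password, salt):
    # Stand-in for the bcrypt primitive so the example runs offline with the
    # standard library only; the truncation logic does not depend on it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def hash_password(password, algorithm="bcrypt"):
    """Hash after truncation; algorithm and salt travel with the stored value."""
    password, _ = truncate_password(password, algorithm)
    salt = os.urandom(16)
    return "{}${}${}".format(algorithm, salt.hex(), _digest(password, salt).hex())


def verify_password(password, stored):
    """Truncate the candidate exactly as at hashing time, then compare.

    Because of this, only the first 54 characters of a bcrypt password are
    ever validated, which is the caveat the release notes call out.
    """
    algorithm, salt_hex, digest_hex = stored.split("$")
    password, _ = truncate_password(password, algorithm)
    candidate = _digest(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    long_pw = "correct horse battery staple " * 3          # 87 chars, constructed
    stored = hash_password(long_pw)                        # logs a truncation warning
    print(verify_password(long_pw, stored))                # True
    print(verify_password(long_pw[:54] + "garbage", stored))  # True: tail is ignored
    print(verify_password("x" + long_pw[1:], stored))      # False: prefix differs
```

Running it prints the truncation warning once per hash or verify call, then True, True, False. A deployment that relied on characters beyond position 54 for bcrypt-hashed passwords gains no entropy from them; the warning in the log is the signal to look for.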

  • [bug 1926483] Keystone will only log warnings about token length for Fernet tokens when the token length exceeds the value of keystone.conf [DEFAULT] max_token_size.


Upgrade Notes

  • The --extension option of keystone-manage db_sync has been deprecated since 10.0.0 (Newton) and raised an error when provided. It has now been removed entirely.

  • The legacy migrations that existed before the split into separate expand schema, contract schema, and data migrations have now been removed. These have been deprecated since 10.0.0 (Newton). This should have no user-facing impact.

Deprecation Notes

  • The following options in the [memcache] section have been deprecated because these options have had no effect since Pike. Please use memcache_* options in the [cache] section instead.

    • dead_retry

    • pool_maxsize

    • pool_unused_timeout

    • pool_connection_get_timeout

Bug Fixes

  • [bug 1897230] Allows S3 tokens with service types sts and iam to authenticate. This is necessary when using assumed role features of Ceph object storage and keystone is providing the authentication service for Rados Gateway.

  • The minimum value of pool_retry_max is now 1. Setting this value to 0 caused the connection pool to fail before connecting to LDAP, always raising MaxConnectionReachedError.