Zed Series Release Notes


New Features

  • A new option ‘randomize_urls’ can be used to randomize the order in which keystone connects to the LDAP servers in [ldap] ‘url’ list. It is false by default.
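A keystone.conf fragment enabling the new option, added here as an example rather than taken from the release (the host names are placeholders; the comma-separated form of [ldap] url is keystone's existing convention for listing several servers):

```ini
[ldap]
# Three replicas of the same directory; without randomize_urls every keystone
# process walks this list in order, so ldap1 takes all the load and ldap2/ldap3
# only see traffic once ldap1 fails.
url = ldap://ldap1.example.com,ldap://ldap2.example.com,ldap://ldap3.example.com

# New in Zed, default false. With true the order is shuffled per connection.
randomize_urls = true
```

Only turn this on when every URL in the list points at an equivalent replica; the option changes which server answers, not what it is trusted to answer, so TLS settings and the expected CA must already be valid for all of them.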


Security Issues

  • Passwords will now be automatically truncated if max_password_length is greater than the length allowed by the selected password hashing algorithm. Currently only bcrypt has a fixed allowed length defined, which is 54 characters. A warning is logged whenever a password is truncated. Existing passwords are not rehashed; however, only the first 54 characters of an existing bcrypt password are validated, so a candidate password that differs from the stored one only after the 54th character will still authenticate.

  • [bug 1992183] [CVE-2022-2447] Tokens issued with application credentials now have their expiration validated against that of the application credential. If the application credential expires before the token would, the token's expiration is set to the application credential's expiration. Otherwise the token uses the configured value.
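The expiry rule above, as an added example (not keystone's own code): the configured [token] expiration applies unless the application credential expires first. The 3600-second lifetime and the sample records are assumptions for the demo; the second helper is an audit step a deployer might run over tokens issued before this fix, since those can still outlive their credential.

```python
from datetime import datetime, timedelta, timezone

# Assumed: keystone's default [token] expiration of 3600 seconds. This script
# does not read keystone.conf; treat it as a configured value.
TOKEN_LIFETIME = timedelta(seconds=3600)


def token_expiration(issued_at, app_cred_expires_at=None, lifetime=TOKEN_LIFETIME):
    """Expiry of a token issued with an application credential.

    The configured lifetime applies unless the credential expires first, in
    which case the token inherits the credential's expiry. Credentials with
    no expiry (app_cred_expires_at is None) leave the configured value alone."""
    configured = issued_at + lifetime
    if app_cred_expires_at is None:
        return configured
    return min(configured, app_cred_expires_at)


def tokens_outliving_credential(records):
    """Audit helper: given (token_id, token_expires_at, app_cred_expires_at)
    tuples, return ids of tokens still valid after their credential expires,
    i.e. the pre-fix condition described by CVE-2022-2447."""
    return [
        token_id
        for token_id, token_exp, cred_exp in records
        if cred_exp is not None and token_exp > cred_exp
    ]


def demo():
    now = datetime(2022, 10, 5, 12, 0, tzinfo=timezone.utc)
    soon = now + timedelta(minutes=10)   # credential expires in 10 minutes
    later = now + timedelta(days=1)      # credential expires tomorrow
    # Constructed sample records; token ids are placeholders.
    records = [
        ("tok-pre-fix", now + TOKEN_LIFETIME, soon),         # full hour, outlives cred
        ("tok-fixed", token_expiration(now, soon), soon),     # capped at 10 minutes
        ("tok-long-cred", token_expiration(now, later), later),
        ("tok-no-expiry", token_expiration(now), None),
    ]
    return {
        "capped": token_expiration(now, soon) == soon,
        "uncapped": token_expiration(now, later) == now + TOKEN_LIFETIME,
        "no_cred_expiry": token_expiration(now) == now + TOKEN_LIFETIME,
        "to_revoke": tokens_outliving_credential(records),
    }


if __name__ == "__main__":
    print(demo())
```

Tokens that predate the upgrade were issued under the old rule; if a credential was deleted or expired on purpose, listing tokens whose expiry exceeds the credential's is the quickest way to find what still needs revoking.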

Bug Fixes

  • Passwords hashed with bcrypt are now truncated properly to the maximum length allowed by the algorithm. This fixes a regression in which passwords longer than 54 characters were invalidated after a keystone upgrade.
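The truncation behaviour described in the security note and the bug fix above, as an added example that is not keystone's code. The 54-character bcrypt limit is the figure from this release note; the hash itself is a salted PBKDF2 stand-in (labelled in the code) so the script runs offline, and the 4096 max_password_length and the sample passwords are assumptions.

```python
import hashlib
import hmac
import logging
import os

LOG = logging.getLogger(__name__)

# Per the release note, bcrypt is the only algorithm with a fixed limit (54).
# keystone's other password_hash_algorithm values are bounded only by the
# configured max_password_length, so they have no entry here.
ALGORITHM_MAX_LENGTH = {"bcrypt": 54}

# Assumed deployment setting ([identity] max_password_length in keystone.conf).
CONF_MAX_PASSWORD_LENGTH = 4096


def effective_max_length(algorithm, configured_max=CONF_MAX_PASSWORD_LENGTH):
    """Length actually fed to the hash: the algorithm's fixed limit wins only
    when the configured max_password_length is larger than it."""
    limit = ALGORITHM_MAX_LENGTH.get(algorithm)
    if limit is not None and configured_max > limit:
        return limit
    return configured_max


def truncate_password(password, algorithm, configured_max=CONF_MAX_PASSWORD_LENGTH):
    """Return (password_to_hash, was_truncated), logging a warning on truncation."""
    limit = effective_max_length(algorithm, configured_max)
    if len(password) > limit:
        LOG.warning("Password truncated to %d characters for %s", limit, algorithm)
        return password[:limit], True
    return password, False


def hash_password(password, algorithm="bcrypt"):
    """Stand-in for keystone's hasher: salted PBKDF2-HMAC-SHA256 over the
    truncated password. It is NOT bcrypt; it only models that characters past
    the limit never reach the KDF."""
    to_hash, _ = truncate_password(password, algorithm)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", to_hash.encode("utf-8"), salt, 10_000)
    return "$".join((algorithm, salt.hex(), digest.hex()))


def verify_password(candidate, stored):
    """Verification truncates the same way, so an existing hash still matches
    any candidate whose first 54 characters agree with the original."""
    algorithm, salt_hex, digest_hex = stored.split("$")
    to_hash, _ = truncate_password(candidate, algorithm)
    digest = hashlib.pbkdf2_hmac(
        "sha256", to_hash.encode("utf-8"), bytes.fromhex(salt_hex), 10_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Constructed inputs: which candidates verify against the hash of a
    60-character password stored under bcrypt."""
    original = "A" * 54 + "tail02"
    stored = hash_password(original, "bcrypt")
    return {
        "exact": verify_password(original, stored),
        "first_54_only": verify_password("A" * 54, stored),
        "different_tail": verify_password("A" * 54 + "zzzzzz", stored),
        "changed_within_54": verify_password("A" * 53 + "B" + "tail02", stored),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

The "different_tail" result is the practical consequence of the note: with bcrypt, anything a user types past the 54th character is neither stored nor checked, and the warning in the log is the only signal that this happened. Lengths are counted in characters here, matching the note's wording.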


New Features

  • [blueprint oauth2-client-credentials-ext] Users can now use the OAuth2.0 Access Token API to obtain an access token from the keystone identity server using application credentials. The access token can then be used to access OpenStack APIs that rely on the keystone middleware to support OAuth2.0 client credentials authentication through the keystone identity server.
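An illustrative client-credentials exchange, added here as an example and not copied from keystone's documentation. The host, the application credential id and secret, the token value and the nova request are placeholders; the endpoint path /v3/OS-OAUTH2/token and the response fields are assumed to match keystone's OAuth2.0 API and should be confirmed against your deployment.

```http
# 1. Client requests an access token. The application credential id and
#    secret travel as HTTP Basic credentials, so this must be over TLS.
POST /identity/v3/OS-OAUTH2/token HTTP/1.1
Host: keystone.example.com
Authorization: Basic <base64(application_credential_id:application_credential_secret)>
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

# 2. keystone answers with a bearer token; expires_in is in seconds and is
#    bounded by the application credential's own expiry (see the
#    CVE-2022-2447 note in this release).
HTTP/1.1 200 OK
Content-Type: application/json

{"access_token": "gAAAAAB...", "expires_in": 3600, "token_type": "Bearer"}

# 3. Client presents the token to a service that runs keystonemiddleware.
GET /v2.1/servers HTTP/1.1
Host: nova.example.com
Authorization: Bearer gAAAAAB...
```

The bearer token carries the application credential's roles, so scoping it narrowly (and setting an expiry on the credential) limits what a leaked token can do.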

Upgrade Notes

  • Python 3.6 & 3.7 support has been dropped. The minimum version of Python now supported is Python 3.8.

  • The database migration engine has changed from sqlalchemy-migrate to alembic. For most deployments this should have minimal to no impact and the switch should be mostly transparent. The main user-facing impact is the change in schema versioning. While sqlalchemy-migrate used a linear, integer-based versioning scheme, which required placeholder migrations to allow for potential migration backports, alembic uses a distributed-version-control-like scheme in which a migration's ancestor is encoded in the file and branches are possible. The alembic migration files therefore use an arbitrary UUID-like naming scheme, and the keystone-manage db_version command now returns such a version.

    When the keystone-manage db_sync command is run without options or with the --expand or --contract options, all remaining sqlalchemy-migrate-based migrations will be automatically applied.

    Data migrations are now included in the expand phase and the --migrate option is now a no-op. It may be removed in a future release.

Bug Fixes

  • [bug 1926483] Keystone will only log warnings about token length for Fernet tokens when the token length exceeds the value of keystone.conf [DEFAULT] max_token_size.