2023.2 Series Release Notes¶

17.0.0-5¶

The [p11_crypto_plugin]hmac_keywrap_mechanism option has been replaced by [p11_crypto_plugin]hmac_mechanism. This option was renamed to avoid confusion since this mechanism is only used to sign encrypted data and never used for key wrap encryption.

The PKCS#11 backend driver has been updated to support newer Key Wrap mechanisms. New deployments should use CKM_AES_KEY_WRAP_KWP, but CKM_AES_KEY_WRAP_PAD and CKM_AES_CBC_PAD are also supported for compatibility with older devices that have not yet implemented PKCS#11 Version 3.0.

Fixed Bug #2036506 - This patch replaces the hard-coded CKM_AES_CBC_PAD mechanism used to wrap pKEKs with an option to configure this mechanism. Two new options have been added to the [p11_crypto_plugin] section of the configuration file: key_wrap_mechanism and key_wrap_generate_iv. These options default to CKM_AES_CBC_PAD and True respectively to preserve backwards compatibility.

This version adds support to the secret consumers and microversions functionalities. The detailed secret consumers specification can be found on <https://specs.openstack.org/openstack/barbican-specs/specs/train/secret-consumers.html>. Microversions allow clients to interact with Barbican server to gather information on minimum and maximum versions supported by the server. More information can be found at <https://docs.openstack.org/barbican/latest/api/microversions.html>.

The secret consumers functionality allows other OpenStack projects, such as Cinder and Glance, to name a few, to register consumers of secrets. This is useful when a project wants to make an end user aware that it is using the secret.

Secret consumers do not block the secret to be deleted by the end user though. When an end user needs to delete a secret that has consumers, it can simply do it. However, deletion of secrets with consumers must be forced using a corresponding parameter, either in the client’s CLI or in the client’s API.

Microversions enable clients to do a server supported version discovery, allowing old clients (not supporting the feature) to interact with newer servers.

Fixed Story #2010258: Fixes a security vulnerability where the contents of a request query string were mistakenly being used in the RBAC policy engine.

System scope has been removed from the RBAC policies as specified in the Consistent and Secure Default RBAC community goal. See: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html APIs that required system-scoped tokens can now be accessed by using a project-scoped token with the “admin” role.