Current Series Release Notes

16.0.0.0rc1-14

Upgrade Notes

  • A new cyborg-dbsync online_data_migrations subcommand backfills the project_id column on existing accelerator requests (ARQs). Expected operator order:

    1. Upgrade the cyborg-dbsync package (and related shared code) so cyborg-dbsync upgrade can apply pending schema migrations.

    2. Run cyborg-dbsync online_data_migrations to backfill project_id on existing ARQ rows using Nova instance data.

    3. Upgrade Cyborg services, starting with conductor and API, then agents.

    The cyborg-conductor service also heals remaining NULL project_id values on startup as a safety net.

    The Nova GET /servers/{id} calls made by this migration explicitly request microversion 2.82 so that the shape of the tenant_id field used for the backfill stays consistent.

  • Nova must be configured with [service_user] send_service_user_token = true for Cyborg to accept bound-ARQ operations (bind, unbind, delete). This is the same requirement as for Cinder volume attachments since OSSA-2023-003.

    Cyborg now defaults [keystone_authtoken] service_token_roles_required to true so that keystonemiddleware validates the service token roles. Operators who have not already set this should ensure the service user has the service role in Keystone.

  • Cyborg API policies now declare scope_types=['project'] and reject Keystone system-scoped tokens via oslo.policy scope enforcement. Keep [oslo_policy] enforce_scope=True. Disabling it weakens project isolation and is discouraged; prefer custom policy rules if you need different access behavior.
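The following pre-upgrade check is an added example, not part of Cyborg or Nova. It audits the three settings named above in the text of nova.conf and cyborg.conf. The sample configs are constructed, and the assumed defaults (send_service_user_token off in Nova, enforce_scope on) are marked in the comments.

```python
import configparser

# Constructed sample configs (not from a real deployment).
NOVA_BAD = "[service_user]\nsend_service_user_token = false\n"
NOVA_OK = "[service_user]\nsend_service_user_token = true\n"
CYBORG_BAD = ("[keystone_authtoken]\nservice_token_roles_required = False\n"
              "[oslo_policy]\nenforce_scope = false\n")
CYBORG_OK = "[keystone_authtoken]\nauth_type = password\n"  # relies on defaults


def _load(text):
    # oslo.config files are INI-style; disable interpolation because '%'
    # appears in real values, and tolerate repeated options.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def _flag(parser, section, option, default):
    # Boolean value of an option, or `default` when it is not set.
    if parser.has_option(section, option):
        return parser.getboolean(section, option)
    return default


def audit(nova_conf, cyborg_conf):
    """Return findings for the three settings these notes depend on."""
    nova, cyborg = _load(nova_conf), _load(cyborg_conf)
    findings = []
    # Assumption: Nova leaves this option off unless it is set explicitly.
    if not _flag(nova, "service_user", "send_service_user_token", False):
        findings.append("nova.conf: [service_user] send_service_user_token is "
                        "not true; Cyborg will refuse bind, unbind and delete "
                        "of bound ARQs")
    # Cyborg now defaults this to true, so only an explicit override counts.
    if not _flag(cyborg, "keystone_authtoken",
                 "service_token_roles_required", True):
        findings.append("cyborg.conf: service_token_roles_required is "
                        "disabled; service token roles are not validated")
    # Assumption: enforce_scope is on unless the file turns it off.
    if not _flag(cyborg, "oslo_policy", "enforce_scope", True):
        findings.append("cyborg.conf: [oslo_policy] enforce_scope is "
                        "disabled; project isolation is weakened")
    return findings


if __name__ == "__main__":
    for line in audit(NOVA_BAD, CYBORG_BAD) or ["no findings"]:
        print(line)
```

Pass the contents of the real files to audit() on a controller before step 3 of the upgrade order; an empty list means none of the three settings is overridden in a way these notes warn against.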

Security Issues

  • This issue is assigned CVE-2026-40214.

    Fixed a cross-tenant access control vulnerability in accelerator request (ARQ) management. The project_id field was never populated on ARQ records, which meant non-admin users could list, view, and delete ARQs belonging to other projects. This could lead to information disclosure (leaking instance UUIDs across tenants) and denial of service (deleting another tenant’s ARQ prevents their instance from restarting).

    ARQs are now scoped to the requesting project. Non-admin users can only see and manage their own project’s ARQs.

    Additionally, binding, unbinding, and deleting bound ARQs now require a service token. Only Nova, identified by a valid service token with the service role, may set or clear the instance_uuid on an ARQ or delete a bound ARQ. This prevents users from directly manipulating ARQs that Nova is managing, following the same pattern as the Cinder OSSA-2023-003 fix.

  • This issue is assigned CVE-2026-40213.

    Replaced permissive rule:allow defaults with rule:admin_api on device, deployable, and attribute API policies so authenticated low-privilege users cannot read or change hardware topology and management data without the admin role. System-scoped tokens are not supported by Cyborg. Deployments that relied on the old defaults must grant admin or define custom policy rules for these APIs.