2023.2 Series Release Notes

24.0.0-15

New Features

  • Added a new command to the admin cli tool: keystone-manage reset_last_active. This new command updates the database to overwritet any NULL values in last_active_at in the user table to the current time. This is a necessary step to fix Bug #2074018. See launchpad for details.

Security Issues

  • The new keystone-manage rest_last_active command resets all NULL values in last_active_at in the user table to help fix Bug #2074018. Running this command may be necessary in environments that have been deployed for a long time and later decide to adopt the [security_compliance disable_user_account_days_inactive = X option. See Bug #2074018 for details.

    A side-effect of this command is that it resets the amount of time that an unused account is active for. Unused accounts will remain active until the configured days have elapsed since the day the command is run.

Bug Fixes

  • Fixed Bug #2074018: Changed the user model to always save the date of the last user activity in last_active_at. Previous to this change, the last_active_at field was only updated when the option for [security_compliance] disable_user_account_days_inactive was set. If your deployment is affected by this bug, you must run keystone-manage reset_last_active before setting the disable_user_account_days_inactive option.

24.0.0

New Features

  • [bug 1951632] Support has been added for deploying `service` role during the bootstrap process in addition to the `admin`, `member` and `reader` role.

  • A new option ‘randomize_urls’ can be used to randomise the order in which Keystone connects to the LDAP servers in [ldap] ‘url’ list. It is false by default.

Upgrade Notes

  • The legacy sqlalchemy-migrate migrations, which have been deprecated since Zed, have been removed. There should be no end-user impact.

Bug Fixes

  • Passwords that are hashed using bcrypt are now truncated properly to the maximum allowed length by the algorythm. This solves regression, when passwords longer then 54 symbols are getting invalidated after the Keystone upgrade.