Victoria Series Release Notes¶
18.1.0-11¶
New Features¶
A new option ‘randomize_urls’ can be used to randomise the order in which Keystone connects to the LDAP servers in [ldap] ‘url’ list. It is false by default.
Upgrade Notes¶
[bug 1929066] Increase the length of the local_id column in the id_mapping table to accommodate LDAP group names that result in names greater than 64 characters.
Security Issues¶
Passwords will now be automatically truncated if the max_password_length is greater than the allowed length for the selected password hashing algorithm. Currently only bcrypt has fixed allowed lengths defined which is 54 characters. A warning will be generated in the log if a password is truncated. This will not affect existing passwords, however only the first 54 characters of existing bcrypt passwords will be validated.
[bug 1992183] [CVE-2022-2447] Tokens issued with application credentials will now have their expiration validated against that of the application credential. If the application credential expires before the token the token’s expiration will be set to the same expiration as the application credential. Otherwise the token will use the configured value.
Bug Fixes¶
Passwords that are hashed using bcrypt are now truncated properly to the maximum allowed length by the algorythm. This solves regression, when passwords longer then 54 symbols are getting invalidated after the Keystone upgrade.
18.1.0¶
Security Issues¶
[bug 1901207] Policy enforcement for application credentials has been updated to protect against invalid ownership checks resulting in unauthorized users being able to get and delete application credentials for other users.
Bug Fixes¶
[bug 1688137] Fixed the AccountLocked exception being shown to the end user since it provides some information that could be exploited by a malicious user. The end user will now see Unauthorized instead of AccountLocked, preventing user info oracle exploitation.
[bug 1878938] Previously when a user used to have system role assignment and tries to delete the same role, the system role assignments still existed in system_assignment table. This causes keystone to return HTTP 404 Not Found errors when listing role assignments with names (e.g., –names or ?include_names).
If you are affected by this bug, you must remove stale role assignments manually. The following is an example SQL statement you can use to fix the issue, but you should verify it’s applicability to your deployment’s SQL implementation and version.
- SQL:
delete from system_assignment where role_id not in (select id from role);
[bug 1885753] Keystone’s SQL identity backend now retries update user requests to safely handle stale data when two clients update a user at the same time.
[bug 1896125] Introduced more robust connection handling for asynchronous LDAP requests to address memory leaks fetching data from LDAP backends with low page sizes.
[bug 1901654] Previously, generate_public_ID() in sha256.py assumed the passed arguments is str data type. However, python-ldap 3.0 or later returns bytes data type for attribute values except fields of distinguished names, relative distinguished names, attribute names, queries. If keystone running on Python3 is integrated with LDAP and the LDAP server has local_id variable in its attribute, user login operations will fail due to the assumption and modifiation of python-ldap. By this fix, generate_public_ID() properly handles bytes data type in the parameter.
18.0.0¶
New Features¶
[bug 1332058]
keystone-manage doctor
now checks that keystone can establish connections to Memcached, if configured.
[bug 1827431] Added a new user option ‘ignore_user_inactivity’ (defaults to False). When set to True, it overrides disabling the user after being inactive for certain time as set in
[security_compliance]disable_user_account_days_inactive
option in Keystone configuration file.
- [bug 1872732] ‘user_limit’ is added to config file of credentials that allows user to set
maximum number of credentials a user is permitted to create.
Mappings can now specify “whitelist” and “blacklist” conditionals as regular expressions. Prior, only “not_any_of” and “any_one_of” conditionals supported regular expression matching.
Upgrade Notes¶
[bug 1872737] Added a default TTL of 15 minutes for signed EC2 credential requests, where previously an EC2 signed token request was valid indefinitely. This change in behavior is needed to protect against replay attacks.
Critical Issues¶
[bug 1872733] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential.
[bug 1872735] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute
app_cred_id
is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected.
Security Issues¶
[bug 1872733] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential.
[bug 1872735] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute
app_cred_id
is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected.
[bug 1872737] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable.
[bug 1872755] Added validation to the EC2 credentials update API to ensure the metadata labels ‘trust_id’ and ‘app_cred_id’ are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential.
[bug 1873290] [bug 1872735] Fixed the token model to respect the roles authorized OAuth1 access tokens. Previously, the list of roles authorized for an OAuth1 access token were ignored, so when an access token was used to request a keystone token, the keystone token would contain every role assignment the creator had for the project. This also fixed EC2 credentials to respect those roles as well.
Bug Fixes¶
[bug 1754677] When you setup a user with a role assignment on a domain and then a role assignment on a project “acting as a domain”, you can’t actually remove them. This fixes it by filtering the query by “type” i.e either a USER_DOMAIN or a USER_PROJECT in role assignment table.
[bug 1872733] Fixed a critical security issue in which an authenticated user could escalate their privileges by altering a valid EC2 credential.
[bug 1872735] Fixed a security issue in which a trustee or an application credential user could create an EC2 credential or an application credential that would permit them to get a token that elevated their role assignments beyond the subset delegated to them in the trust or application credential. A new attribute
app_cred_id
is now automatically added to the access blob of an EC2 credential and the role list in the trust or application credential is respected.
[bug 1872737] Fixed an incorrect EC2 token validation implementation in which the timestamp of the signed request was ignored, which made EC2 and S3 token requests vulnerable to replay attacks. The default TTL is 15 minutes but is configurable.
[bug 1872753] Added validation to the EC2 credential API to prevent altering the
access_id
field in the blob attribute. This prevents accidentally orphaning an EC2 credential resource when an alteredaccess_id
no longer resolves to the credential’s resource ID.
[bug 1872755] Added validation to the EC2 credentials update API to ensure the metadata labels ‘trust_id’ and ‘app_cred_id’ are not altered by the user. These labels are used by keystone to determine the scope allowed by the credential, and altering these automatic labels could enable an EC2 credential holder to elevate their access beyond what is permitted by the application credential or trust that was used to create the EC2 credential.
[bug 1873290] [bug 1872735] Fixed the token model to respect the roles authorized OAuth1 access tokens. Previously, the list of roles authorized for an OAuth1 access token were ignored, so when an access token was used to request a keystone token, the keystone token would contain every role assignment the creator had for the project. This also fixed EC2 credentials to respect those roles as well.
[bug 1880252] Regexes are not allowed in “whitelist” and “blacklist” conditionals
[bug 1886017] JWT validation now supports allow_expired query parameters.
[bug 1889936] Properly decode octet strings, or byte arrays, returned from LDAP.