Ocata Series Release Notes
11.0.4
Bug Fixes
[bug 1704205] All users and groups are required to have a name. Prior to this fix, Keystone was not properly enforcing this for LDAP users and groups. Keystone will now ignore users and groups that do not have a value for the LDAP attribute which Keystone has been configured to use for that entity’s name.
[bug 1718747] Fixes a regression where deleting a domain with users in it causes a server error. This bugfix restores the previous behavior of deleting the users namespaced in the domain. This only applies when using the SQL identity backend.
Other Notes
[bug 1718747] As part of solving a regression in the identity SQL backend that prevented domains containing users from being deleted, a notification callback was altered so that users would only be deleted if the identity backend is SQL. If you have a custom identity backend that is not read-only, deleting a domain in keystone will not delete the users in your backend unless your driver has an is_sql property that evaluates to true.
11.0.3
Security Issues
[bug 1703369] There was a typo for the identity:get_identity_provider rule in the default policy.json file in previous releases. The default value for that rule was the same as the default value for the default rule (restricted to admin), so this typo was not readily apparent. Anyone customizing this rule should review their settings and confirm that they did not copy that typo. More context regarding the purpose of this backport can be found in the bug report.
Bug Fixes
[bug 1689616] Significant improvements have been made when performing a token flush on massive data sets.
[bug 1687593] Ensure that the URL used to make the request when creating OAUTH1 request tokens is also the URL that verifies the request token.
11.0.1
Bug Fixes
[bug 1674415] Fixed an issue where keystone error messages returned by the identity API were not translated when a locale was set.
11.0.0
Prelude
The default token provider is now Fernet.
The PKI and PKIz token formats have been removed. See Other Notes for more details.
Support for writing to LDAP has been removed. See Other Notes for more details.
New Features
[blueprint allow-expired] An allow_expired flag is added to the token validation call (GET/HEAD /v3/auth/tokens) that allows fetching a token that has expired. This allows for validating tokens in long running operations.
[blueprint password-expires-validation] Token responses will now have a password_expires_at field in the user object; this can be expressed briefly as:
{"token": {"user": {"password_expires_at": null}}}
If PCI support is enabled, via the [security_compliance] configuration options, then the password_expires_at field will be populated with a timestamp. Otherwise, it will default to null, indicating the password does not expire.
[blueprint pci-dss-notifications] CADF notifications now extend to PCI-DSS events. A reason object is added to the notification. A reason object has both a reasonType (a short description of the reason) and a reasonCode (the HTTP return code). The following events will be impacted:
If a user does not change their password at least once every X days. See [security_compliance] password_expires_days.
If a user is locked out after many failed authentication attempts. See [security_compliance] lockout_failure_attempts.
If a user submits a new password that was recently used. See [security_compliance] unique_last_password_count.
If a password does not meet the specified criteria. See [security_compliance] password_regex.
If a user attempts to change their password too often. See [security_compliance] minimum_password_age.
For additional details see: event notifications
[blueprint pci-dss-password-requirements-api] Added a new API (/v3/domains/{domain_id}/config/security_compliance) to retrieve regular expression requirements for passwords. Specifically, [security_compliance] password_regex and [security_compliance] password_regex_description will be returned. Note that these options are only meaningful if PCI support is enabled, via various [security_compliance] configuration options.
[blueprint pci-dss-query-password-expired-users] Added a password_expires_at query to /v3/users and /v3/groups/{group_id}/users. The password_expires_at query is comprised of two parts, an operator (valid choices listed below) and a timestamp (of form YYYY-MM-DDTHH:mm:ssZ). The APIs will filter the list of users based on the operator and timestamp given.
lt - password expires before the timestamp
lte - password expires at or before timestamp
gt - password expires after the timestamp
gte - password expires at or after the timestamp
eq - password expires at the timestamp
neq - password expires not at the timestamp
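The filter described above, worked through as an added example (this is not keystone's own code). It assumes the query value is written as "<operator>:<timestamp>" (for instance "lt:2017-03-01T00:00:00Z"), and it treats a user whose password_expires_at is null as never matching, since null means the password does not expire; the sample users are constructed for the illustration.

```python
"""Filter a user list by the password_expires_at query from the note above.

Added example, not keystone's own code. Assumptions: the query value takes
the form "<operator>:<timestamp>", and a user whose password_expires_at is
null never matches any comparison (null = password does not expire).
"""
import operator
from datetime import datetime

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # YYYY-MM-DDTHH:mm:ssZ from the note

# Operator names listed in the note, mapped to comparison functions.
OPERATORS = {
    "lt": operator.lt,
    "lte": operator.le,
    "gt": operator.gt,
    "gte": operator.ge,
    "eq": operator.eq,
    "neq": operator.ne,
}

# Constructed sample users, shaped like entries of a GET /v3/users response.
SAMPLE_USERS = [
    {"id": "u1", "name": "alice", "password_expires_at": "2017-01-15T00:00:00Z"},
    {"id": "u2", "name": "bob", "password_expires_at": "2017-02-01T12:30:00Z"},
    {"id": "u3", "name": "carol", "password_expires_at": "2017-03-10T08:00:00Z"},
    {"id": "u4", "name": "dave", "password_expires_at": None},
]


def parse_query(value):
    """Split "<operator>:<timestamp>" into a comparison function and a datetime.

    Only the first ':' separates the operator; the timestamp keeps its own colons.
    Rejects unknown operators and malformed timestamps with ValueError.
    """
    op_name, sep, stamp = value.partition(":")
    if not sep or op_name not in OPERATORS:
        raise ValueError("operator must be one of %s" % sorted(OPERATORS))
    try:
        when = datetime.strptime(stamp, TIMESTAMP_FORMAT)
    except ValueError:
        raise ValueError("timestamp must look like YYYY-MM-DDTHH:mm:ssZ")
    return OPERATORS[op_name], when


def is_valid_query(value):
    """True if parse_query accepts the value; lets a caller reject bad filters early."""
    try:
        parse_query(value)
    except ValueError:
        return False
    return True


def filter_users(users, query):
    """Return the names of users whose password expiry satisfies the query."""
    compare, when = parse_query(query)
    matched = []
    for user in users:
        raw = user.get("password_expires_at")
        if raw is None:
            continue  # assumption: a never-expiring password matches no operator
        if compare(datetime.strptime(raw, TIMESTAMP_FORMAT), when):
            matched.append(user["name"])
    return matched


if __name__ == "__main__":
    for q in ("lt:2017-02-01T12:30:00Z", "gte:2017-02-01T12:30:00Z",
              "neq:2017-02-01T12:30:00Z"):
        print(q, "->", filter_users(SAMPLE_USERS, q))
```

Parsing the query before touching any user record is deliberate: a bad operator or timestamp is rejected with a clear error instead of silently matching nothing, which is the behaviour a practitioner wants from an audit-style query.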
[blueprint per-user-auth-plugin-reqs] Per-user Multi-Factor-Auth rules (MFA Rules) have been implemented. These rules define which auth methods can be used (e.g. Password, TOTP) and provide the ability to require multiple auth forms to successfully get a token.
The MFA rules are set via the user create and update API (POST/PATCH /v3/users) call; the options allow an admin to force a user to use specific forms of authentication or combinations of forms of authentication to get a token. The rules are specified as follows:
user["options"]["multi_factor_auth_rules"] = [["password", "totp"], ["password", "custom-auth-method"]]
The rules are specified as a list of lists. The elements of the sub-lists must be strings and are intended to mirror the required authentication method names (e.g. password, totp, etc.) as defined in the keystone.conf file in the [auth] methods option. Each list of methods specifies a rule. If the auth methods provided by a user match (or exceed) the auth methods in the list, that rule is used. The first rule found (rules will not be processed in a specific order) that matches will be used. If a user has the ruleset defined as [["password", "totp"]] the user must provide both password and totp auth methods (and both methods must succeed) to receive a token. However, if a user has a ruleset defined as [["password"], ["password", "totp"]] the user may use the password method on its own but would be required to use both password and totp if totp is specified at all.
Any auth methods that are not defined in keystone.conf in the [auth] methods option are ignored when the rules are processed. Empty rules are not allowed. If a rule is empty due to no valid auth methods existing within it, the rule is discarded at authentication time. If there are no rules or no valid rules for the user, authentication occurs in the default manner: any single configured auth method is sufficient to receive a token.
In the case a user should be exempt from MFA Rules, regardless of whether they are set, the User-Option multi_factor_auth_enabled may be set to False for that user via the user create and update API (POST/PATCH /v3/users) call. If this option is set to False the MFA rules will be ignored for the user. Any other value except False will result in the MFA Rules being processed; the option can only be a boolean (True or False) or “None” (which will result in the default behavior (same as True) but the option will no longer be shown in the user["options"] dictionary). To mark a user exempt from the MFA Rules:
user["options"]["multi_factor_auth_enabled"] = False
The token auth method typically should not be specified in any MFA Rules. The token auth method will include all previous auth methods for the original auth request and will match the appropriate ruleset. This is intentional, as the token method is used for rescoping/changing active projects.
SECURITY INFO: The MFA rules are only processed when authentication happens through the V3 authentication APIs. If V2 Auth is enabled it is possible to circumvent the MFA rules if the user can authenticate via V2 Auth API. It is recommended to disable V2 authentication for full enforcement of the MFA rules.
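The rule semantics described in this note, written out as an added example (this is an illustration, not keystone's own authentication code). The configured method set, the sample users and the helper names are invented here; the example also models the token method by letting the caller pass the methods recorded in the token being rescoped, which is an assumption about how that information would be made available.

```python
"""Evaluate per-user MFA rules as described in the note above.

Added illustration, not keystone's own implementation: the rule semantics
follow the release note text; the configured methods, helper names and
sample users are constructed here. A method counts as "provided" only if
it succeeded.
"""

# Methods enabled in keystone.conf under [auth] methods (constructed sample).
CONFIGURED_METHODS = frozenset({"password", "totp", "token"})

# Constructed sample users in the shape of the POST/PATCH /v3/users body.
STRICT_USER = {"name": "strict",
               "options": {"multi_factor_auth_rules": [["password", "totp"]]}}
FLEXIBLE_USER = {"name": "flexible",
                 "options": {"multi_factor_auth_rules": [["password"], ["password", "totp"]]}}
UNKNOWN_METHOD_USER = {"name": "unknown",
                       "options": {"multi_factor_auth_rules": [["custom-auth-method"]]}}
EXEMPT_USER = {"name": "exempt",
               "options": {"multi_factor_auth_rules": [["password", "totp"]],
                           "multi_factor_auth_enabled": False}}


def normalize_rules(rules, configured=CONFIGURED_METHODS):
    """Drop methods not in [auth] methods, then drop rules left empty."""
    valid = []
    for rule in rules or []:
        kept = {m for m in rule if isinstance(m, str) and m in configured}
        if kept:
            valid.append(kept)
    return valid


def expand_token_method(provided_methods, original_methods=()):
    """Model the token method carrying the original request's auth methods.

    Assumption for this illustration: the caller passes the methods recorded
    in the token being rescoped as original_methods.
    """
    provided = set(provided_methods)
    if "token" in provided:
        provided |= set(original_methods)
    return provided


def mfa_rules_satisfied(user, provided_methods, original_methods=(),
                        configured=CONFIGURED_METHODS):
    """Return True if the provided (successful) methods satisfy the user's rules."""
    options = user.get("options") or {}
    # Exemption: only a literal False switches the rules off; None and True do not.
    if options.get("multi_factor_auth_enabled") is False:
        return True
    rules = normalize_rules(options.get("multi_factor_auth_rules"), configured)
    provided = expand_token_method(provided_methods, original_methods) & configured
    # No rules, or none valid: default behaviour, any single configured method suffices.
    if not rules:
        return len(provided) >= 1
    # A rule matches when the provided methods match or exceed it; order is irrelevant.
    return any(rule <= provided for rule in rules)


if __name__ == "__main__":
    print(mfa_rules_satisfied(STRICT_USER, ["password"]))           # False
    print(mfa_rules_satisfied(STRICT_USER, ["password", "totp"]))   # True
    print(mfa_rules_satisfied(FLEXIBLE_USER, ["password"]))         # True
```

Two points worth noticing when reading the code against the note: a rule that only names unconfigured methods collapses to the default behaviour, so a typo in a method name silently weakens the policy rather than locking the user out; and the exemption test uses `is False`, because the note makes None behave like True.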
[blueprint shadow-mapping] The federated identity mapping engine now supports the ability to automatically provision projects for federated users. A role assignment will automatically be created for the user on the specified project. If the project specified within the mapping does not exist, it will be automatically created in the domain associated with the identity provider. This behavior can be triggered using a specific syntax within the local rules section of a mapping. For more information see: mapping combinations
[blueprint support-federated-attr] Added new filters to the list user API (GET /v3/users) to support querying federated identity attributes: idp_id, protocol_id, and unique_id.
[bug 1638603] Add support for nested groups in Active Directory. A new boolean option [ldap] group_ad_nesting has been added; it defaults to False. Enable the option if using Active Directory with nested groups. This option will impact the list_users_in_group, list_groups_for_user, and check_user_in_group operations.
[bug 1641645] RBAC protection was removed from the Self-service change user password API (/v3/user/$user_id/password), meaning a user can now change their password without a token specified in the X-Auth-Token header. This change will allow a user with an expired password to update their password without the need of an administrator.
[bug 1641654] The healthcheck middleware from oslo.middleware has been added to the keystone application pipelines by default. This middleware provides a common method to check the health of keystone. Refer to the example paste provided in keystone-paste.ini to see how to include the healthcheck middleware.
[bug 1641816] The [token] cache_on_issue option is now enabled by default. This option has no effect unless global caching and token caching are enabled.
[bug 1642348] Added new option [security_compliance] lockout_ignored_user_ids to allow deployers to specify users that are exempt from PCI lockout rules.
[Bug 1645487] Added a new PCI-DSS feature that will require users to immediately change their password upon first use for new users and after an administrative password reset. The new feature can be enabled by setting [security_compliance] change_password_upon_first_use to True.
Upgrade Notes
[blueprint allow-expired] To allow long running operations to complete, services must be able to fetch expired tokens via the allow_expired flag. The length of time a token is retrievable for beyond its traditional expiry is managed by the [token] allow_expired_window option, and so the data must be retrievable for this amount of time. When using fernet tokens this means that the key rotation period must exceed this time so that older tokens are still decryptable. Ensure that you do not rotate fernet keys faster than [token] expiration + [token] allow_expired_window seconds.
[bug 1547684] A minor change to the policy.v3cloudsample.json sample file was performed so the sample file loads correctly. The cloud_admin rule has changed from:
"role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)"
To the properly written:
"role:admin and (is_admin_project:True or domain_id:admin_domain_id)"
Adjust configuration tools as necessary; see the fixes section for more details on this change.
[bug 1561054] The default token provider has switched from UUID to Fernet. Please note that Fernet requires a key repository to be in place prior to running Ocata; this can be done by running keystone-manage fernet_setup. Additionally, for multi-node deployments, it is imperative that a key distribution process be in use before upgrading. Once a key repository has been created it should be distributed to all keystone nodes in the deployment. This ensures that each keystone node will be able to validate tokens issued across the deployment. If you do not wish to switch token formats, you will need to explicitly set the token provider for each node in the deployment by setting [token] provider to uuid in keystone.conf. Documentation can be found at fernet-tokens.
[bug 1641654] The healthcheck middleware from oslo.middleware has been added to the keystone application pipelines by default. The following section has been added to keystone-paste.ini:
[filter:healthcheck]
use = egg:oslo.middleware#healthcheck
It is recommended to have the healthcheck middleware first in the pipeline:
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler ...
[bug 1641660] The default value for [DEFAULT] notification_format has been changed from basic to cadf. The CADF notifications have more information about the user that initiated the request.
[bug 1641660] The default value for [DEFAULT] notification_opt_out has been changed to include identity.authenticate.success, identity.authenticate.pending and identity.authenticate.failed. If a deployment relies on these notifications, then override the default setting.
[bug 1642687] Upon a successful upgrade, all existing identity providers will now be associated with an automatically created domain. Each identity provider that existed prior to the Ocata release will now have a domain_id field. The new domain will have an id (random UUID), a name (that will match the identity provider ID), and be enabled by default.
[Related to Bug 1649446] The identity:list_revoke_events rule has been changed in both sample policy files, policy.json and policy.v3cloudsample.json. From:
"identity:list_revoke_events": ""
To:
"identity:list_revoke_events": "rule:service_or_admin"
Deprecation Notes
[bug 1659995] The config option [security_compliance] password_expires_ignore_user_ids has been deprecated in favor of the per-user option set via the user create and update API call.
[blueprint deprecated-as-of-ocata] The catalog backend endpoint_filter.sql has been deprecated in the Ocata release; it has been consolidated with the sql backend. It is recommended to replace the endpoint_filter.sql catalog backend with the sql backend. The endpoint_filter.sql backend will be removed in the Pike release.
[blueprint deprecated-as-of-ocata] Various KVS backends and config options have been deprecated and will be removed in the Pike release. This includes:
keystone.common.kvs.backends.inmemdb.MemoryBackend
keystone.common.kvs.backends.memcached.MemcachedBackend
keystone.token.persistence.backends.kvs.Token
all config options under [kvs] in keystone.conf
the config option [memcached] servers in keystone.conf
Critical Issues
[bug 1561054] If upgrading to Fernet tokens, you must have a key repository and key distribution mechanism in place, otherwise token validation may not work. Please see the upgrade section for more details.
Security Issues
[bug 1650676] Authentication plugins now require AuthContext objects to be used. This has added security features to ensure information such as the user_id does not change between authentication methods being processed by the server. The keystone.controllers.Auth.authenticate method now requires the argument auth_context to be an actual AuthContext object.
Bug Fixes
[bug 1524030] During token validation we have reduced the number of revocation events returned, only returning the subset of events relevant to the token, which improves overall token validation performance.
[bug 1651989] Due to bug 1547684, when using the policy.v3cloudsample.json sample file, a domain admin token was being treated as a cloud admin. Since the is_admin_project functionality only supports project-scoped tokens, we automatically set any domain scoped token to have the property is_admin_project set to False.
[bug 1547684] A typo in the policy.v3cloudsample.json sample file was causing oslo.policy to not load the file. See the upgrades section for more details.
[bug 1571878] A valid mapping_id is now required when creating or updating a federation protocol. If the mapping_id does not exist, a 400 - Bad Request will be returned.
[bug 1616424] Provide better exception messages when creating OAuth request tokens and OAuth access tokens via the /v3/OS-OAUTH1/request_token and /v3/OS-OAUTH1/access_token APIs, respectively.
[bug 1622310] Trusts will now be invalidated if: the project to which the trust is scoped, or the user (trustor or trustee) for which the delegation is assigned, has been deleted.
[bug 1636950] New option [ldap] connection_timeout allows a deployer to set an OPT_NETWORK_TIMEOUT value to use with the LDAP server. This allows the LDAP server to return a SERVER_DOWN exception if the LDAP URL is incorrect or if there is a connection failure. By default, the value for [ldap] connection_timeout is -1, meaning it is disabled. Set a positive value (in seconds) to enable the option.
[bug 1642457] Handle disk write and IO failures when rotating keys for Fernet tokens. Rather than creating empty keys, properly catch and log errors when unable to write to disk.
[bug 1642687] When registering an identity provider via the OS-FEDERATION API, it is now recommended to include a domain_id to associate with the identity provider in the request. Federated users that authenticate with the identity provider will now be associated with the domain_id specified. If no domain_id is specified, then a domain will be automatically created.
[bug 1642687] Users that authenticate with an identity provider will now have a domain_id attribute that is associated with the identity provider.
[bug 1642692] When a federation protocol is deleted, all users that authenticated with the federation protocol will also be deleted.
[bug 1649138] When using LDAP as an identity backend, the initial bind will now occur upon creation of a connection object, i.e. early on when performing LDAP queries, no matter whether the bind is authenticated or anonymous, so that any connection errors can be handled correctly and early.
[Bug 1649446] The default policy for listing revocation events has changed. Previously, any authenticated user could list revocation events; it is now, by default, an admin or service user only function. This can be changed by modifying the policy file being used by keystone.
[bug 1656076] The various plugins under keystone.controllers.Auth.authenticate now require AuthContext objects to be returned.
[bug 1659995] New options have been made available via the user create and update API (POST/PATCH /v3/users) call; the options will allow an admin to mark users as exempt from certain PCI requirements via an API. Set the following user attributes to True or False in an API request.
To mark a user as exempt from the PCI password lockout policy:
user['options']['ignore_lockout_failure_attempts']
To mark a user as exempt from the PCI password expiry policy:
user['options']['ignore_password_expiry']
To mark a user as exempt from the PCI reset policy:
user['options']['ignore_change_password_upon_first_use']
Other Notes
[bug 1017606] The signatures of the get_catalog and get_v3_catalog methods of keystone.catalog.backends.base.CatalogDriverBase have been updated. Third-party extensions that extend the abstract class (CatalogDriverBase) should be updated according to the new parameter names. The method signatures have changed from:
get_catalog(self, user_id, tenant_id)
get_v3_catalog(self, user_id, tenant_id)
to:
get_catalog(self, user_id, project_id)
get_v3_catalog(self, user_id, project_id)
[bug 1524030] The signature of the list_events method of keystone.revoke.backends.base.RevokeDriverBase has been updated. Third-party extensions that extend the abstract class (RevokeDriverBase) should update their code according to the new parameter names. The method signature has changed from:
list_events(self, last_fetch=None)
to:
list_events(self, last_fetch=None, token=None)
[bug 1563101] The token provider driver interface has moved from keystone.token.provider.Provider to keystone.token.providers.base.Provider. If implementing a custom token provider, subclass from the new location.
[bug 1582585] A new method get_domain_mapping_list was added to keystone.identity.mapping_backends.base.MappingDriverBase. Third-party extensions that extend the abstract class (MappingDriverBase) should implement this new method. The method has the following signature:
get_domain_mapping_list(self, domain_id)
and will return a list of mappings for a given domain ID.
[bug 1611102] The methods list_endpoints_for_policy() and get_policy_for_endpoint() have been removed from the keystone.endpoint_policy.backends.base.EndpointPolicyDriverBase abstract class; they were unused.
[bug 1622310] A new method delete_trusts_for_project has been added to keystone.trust.backends.base.TrustDriverBase. Third-party extensions that extend the abstract class (TrustDriverBase) should implement the new method. Its signature is:
delete_trusts_for_project(self, project_id)
[bug 1642687] The signature of the create_federated_user method of keystone.identity.shadow_backends.base.ShadowUsersDriverBase has been updated. Third-party extensions that extend the abstract class (ShadowUsersDriverBase) should be updated according to the new parameter names. The method signature has changed from:
create_federated_user(self, federated_dict)
to:
create_federated_user(self, domain_id, federated_dict)
[bug 1659730] The signature of the authenticate method of keystone.auth.plugins.base.AuthMethodHandler has been updated. Third-party extensions that extend the abstract class (AuthMethodHandler) should update their code according to the new parameter names. The method signature has changed from:
authenticate(self, context, auth_payload, auth_context)
to:
authenticate(self, request, auth_payload, auth_context)
PKI and PKIz token formats have been removed in favor of Fernet tokens.
Write support for LDAP has been removed in favor of read-only support. The following operations are no longer supported for LDAP:
create user
create group
delete user
delete group
update user
update group
add user to group
remove user from group
Routes and SQL backends for the contrib extensions have been removed, they have been incorporated into keystone and are no longer optional. This affects:
keystone/contrib/admin_crud
keystone/contrib/endpoint_filter
keystone/contrib/federation
keystone/contrib/oauth1
keystone/contrib/revoke
keystone/contrib/simple_cert
keystone/contrib/user_crud
Keystone cache backends have been removed in favor of their oslo.cache counter-part. This affects:
keystone/common/cache/backends/mongo
keystone/common/cache/backends/memcache_pool
keystone/common/cache/backends/noop
Several token validation methods from the abstract class keystone.token.providers.base.Provider were removed (see below) in favor of a single method to validate tokens (validate_token), which has the signature validate_token(self, token_ref). If using a custom token provider, update the custom provider accordingly.
validate_v2_token
validate_v3_token
validate_non_persistent_token
Several token issuance methods from the abstract class keystone.token.providers.base.Provider were removed (see below) in favor of a single method to issue tokens (issue_token). If using a custom token provider, update the custom provider accordingly.
issue_v2_token
issue_v3_token
The [DEFAULT] domain_id_immutable configuration option has been removed in favor of strictly immutable domain IDs.
The [endpoint_policy] enabled configuration option has been removed in favor of always enabling the endpoint policy extension.
The auth plugin keystone.auth.plugins.saml2.Saml2 has been removed in favor of the auth plugin keystone.auth.plugins.mapped.Mapped.
The memcache and memcache_pool token persistence backends have been removed in favor of using Fernet tokens (which require no persistence).
The httpd/keystone.py file has been removed in favor of the keystone-wsgi-admin and keystone-wsgi-public scripts.
The keystone/service.py file has been removed; the logic has been moved to keystone/version/service.py.
The check for admin token from the build_auth_context middleware has been removed. If your deployment requires the use of the admin token, update keystone-paste.ini so that admin_token_auth is before build_auth_context in the paste pipelines; otherwise remove the admin_token_auth middleware from keystone-paste.ini entirely.
The [assignment] driver now defaults to sql. Logic to determine the default assignment driver if one wasn’t supplied through configuration has been removed. Keystone only supports one assignment driver and it shouldn’t be changed unless you’re deploying a custom assignment driver.
The [resource] driver now defaults to sql. Logic to determine the default resource driver if one wasn’t supplied through configuration has been removed. Keystone only supports one resource driver and it shouldn’t be changed unless you’re deploying a custom resource driver.
The [os_inherit] enabled config option has been removed; the OS-INHERIT extension is now always enabled.
The [DEFAULT] domain_id_immutable option has been removed. This removes the ability to change the domain_id attribute of users, groups, and projects. The behavior was introduced to allow deployers to migrate entities from one domain to another by updating the domain_id attribute of an entity. This functionality was deprecated in the Mitaka release and is now removed.