Current Series Release Notes
29.0.0-21
Upgrade Notes
[bug 2150089] Two new [security_compliance] options control opt-in insecure behaviour for operators with workflows that break after this upgrade:
- allow_insecure_admin_trust_cross_project_credentials_access (default False): set to True if admin-role trusts or application credentials need to access credentials across multiple projects (e.g. Mistral cron triggers syncing EC2 credentials system-wide).
- allow_insecure_application_credential_trust_escalation (default False): set to True if application credentials must create or manage trusts (e.g. Heat stacks authenticated via application credentials). Use OIDC federation flows (v3oidcclientcredentials, v3oidcdeviceauthz) as the proper long-term alternative.
Both options are intentionally named to signal that enabling them is insecure. Migrate affected workflows away from these options.
Security Issues
[bug 2150089] Delegated tokens (trusts, application credentials, OAuth1 access tokens) are now restricted to credentials whose project_id matches the token's project scope. This closes a cross-project lateral movement vector where a delegated token could read, modify, or delete credentials belonging to a different project, including EC2 keys and TOTP/MFA seed bindings.
Application credential tokens are now blocked from all trust operations (create, delete, list, get). Allowing an application credential to bootstrap a trust creates a new delegation context whose token can access authentication material outside the delegation chain, breaking the audit trail. The unrestricted flag governs credential management, not trust management.
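The following is an added illustrative model of the two restrictions above and of how the opt-in [security_compliance] options from the Upgrade Notes relax them. It is not Keystone's own code: the Token, Credential and SecurityComplianceOptions shapes, the function names, and the rule that the opt-in applies to every delegated token kind are assumptions made for the example. Sample tokens and credentials in the block are constructed.

```python
"""Model of Keystone 29.0.0-21 delegated-token restrictions (example only).

Rules taken from the release note:
  1. A delegated token (trust, application credential, OAuth1 access token)
     may only touch credentials whose project_id equals its project scope,
     unless allow_insecure_admin_trust_cross_project_credentials_access is on.
  2. An application-credential token may not create/delete/list/get trusts,
     unless allow_insecure_application_credential_trust_escalation is on.
Everything else (data classes, function names) is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional

DELEGATED_KINDS = {"trust", "application_credential", "oauth1"}
TRUST_OPERATIONS = {"create", "delete", "list", "get"}


@dataclass
class SecurityComplianceOptions:
    # Both default to False, matching the shipped defaults in the note.
    allow_insecure_admin_trust_cross_project_credentials_access: bool = False
    allow_insecure_application_credential_trust_escalation: bool = False


@dataclass
class Token:
    user_id: str
    project_id: Optional[str]          # project scope; None if unscoped
    delegation: Optional[str] = None   # None, "trust", "application_credential", "oauth1"


@dataclass
class Credential:
    id: str
    user_id: str
    project_id: Optional[str]
    type: str                          # e.g. "ec2", "totp" (constructed values)


def credential_access_allowed(token: Token, cred: Credential,
                              opts: SecurityComplianceOptions) -> bool:
    """Apply rule 1. Returns True when the delegation restriction permits access.

    Non-delegated tokens are not subject to this restriction; their access is
    decided by ordinary policy, which this example does not model.
    """
    if token.delegation not in DELEGATED_KINDS:
        return True
    if cred.project_id == token.project_id:
        return True
    # Cross-project access by a delegated token: denied unless the operator
    # has explicitly opted into the insecure behaviour.
    return opts.allow_insecure_admin_trust_cross_project_credentials_access


def trust_operation_allowed(token: Token, operation: str,
                            opts: SecurityComplianceOptions) -> bool:
    """Apply rule 2 for one of the trust operations named in the note."""
    if operation not in TRUST_OPERATIONS:
        raise ValueError(f"unknown trust operation: {operation}")
    if token.delegation != "application_credential":
        return True
    return opts.allow_insecure_application_credential_trust_escalation


def scenario() -> dict:
    """Run the constructed scenarios and return their decisions for inspection."""
    defaults = SecurityComplianceOptions()
    trust_tok = Token("user-a", "project-1", delegation="trust")
    appcred_tok = Token("user-a", "project-1", delegation="application_credential")
    own_ec2 = Credential("cred-1", "user-a", "project-1", "ec2")
    other_totp = Credential("cred-2", "user-b", "project-2", "totp")
    return {
        "trust_reads_own_project": credential_access_allowed(trust_tok, own_ec2, defaults),
        "trust_reads_other_project": credential_access_allowed(trust_tok, other_totp, defaults),
        "appcred_creates_trust": trust_operation_allowed(appcred_tok, "create", defaults),
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {'allowed' if decision else 'DENIED'}")
```

When reviewing an upgrade, the useful check is the middle case: a trust-scoped token reaching for a credential in another project is denied with the default options and only succeeds once the operator has set the insecure flag, which is the signal that a workflow such as the Mistral EC2 sync named in the Upgrade Notes still depends on the old behaviour.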
Bug Fixes
[bug 2134925] Fixed a crash (HTTP 500) when listing sub-resource endpoints with a limit query parameter (e.g. GET /v3/users/{user_id}/projects?limit=1). The wrap_collection method now includes URL path parameters from flask.request.view_args when building the next pagination link, so that flask.url_for() can correctly resolve sub-resource routes.