2025.1 Series Release Notes

27.0.1-13

Upgrade Notes

  • [bug 2148398] The identity:create_trust policy rule now uses %(target.trust.trustor_user_id)s instead of %(trust.trustor_user_id)s. The trust data from the request body is now passed explicitly via target_attr rather than relying on the JSON body merge. This aligns create_trust with all other trust policy rules which already use the target.trust.* prefix. Deployments that override the identity:create_trust policy and reference %(trust.trustor_user_id)s must update to %(target.trust.trustor_user_id)s.

  • [bug 2150089] Two new [security_compliance] options control opt-in insecure behaviour for operators with workflows that break after this upgrade:

    allow_insecure_admin_trust_cross_project_credentials_access (default False): set to True if admin-role trusts or application credentials need to access credentials across multiple projects (e.g. Mistral cron triggers syncing EC2 credentials system-wide).

    allow_insecure_application_credential_trust_escalation (default False): set to True if application credentials must create or manage trusts (e.g. Heat stacks authenticated via application credentials). Use OIDC federation flows (v3oidcclientcredentials, v3oidcdeviceauthz) as the proper long-term alternative.

    Both options are intentionally named to signal that enabling them is insecure. Migrate affected workflows away from these options.

Critical Issues

  • [bug 2148398] The RBAC enforcer unconditionally merged the raw JSON request body into the policy enforcement dictionary after trusted target data had been set from the database. An attacker could include a target key in the JSON body to overwrite database-sourced RBAC target attributes, causing all %(target.*)s policy substitutions to evaluate against attacker-controlled values. This affected 88 endpoint/method combinations across all Keystone API resource areas. Any authenticated user could exploit this to read every credential secret in the deployment, create EC2 credentials for arbitrary users, or revoke other users’ tokens. A domain administrator could escalate to full cloud admin by creating inherited role grants on other domains. The vulnerability has been present since the Rocky release (14.0.0).

Security Issues

  • [bug 2148398] The RBAC policy enforcer now namespaces JSON request body data under a request_body key in the policy dictionary instead of merging it at the top level. This prevents user-controlled input from overwriting security-critical keys such as target (populated from the database by build_target or target_attr) and URL path parameters like user_id. All upstream policy rules are unaffected by this change. Deployments with custom policy rules that reference JSON body fields directly via %(field_name)s substitutions (not under target.) will need to update those references to %(request_body.field_name)s.
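The two notes above (the create_trust rule rename and the request_body namespacing) are easier to see side by side. The following is an added illustration, not Keystone or oslo.policy code: build_creds_vulnerable and build_creds_fixed are constructed stand-ins for the enforcer's dictionary assembly, rule_matches is a simplified stand-in for a generic policy check, and all user ids and the sample bodies are made up.

```python
import copy

# Constructed sample: trust data as set from trusted source (DB or target_attr).
TARGET = {"trust": {"trustor_user_id": "user-a", "trustee_user_id": "user-b"}}


def build_creds_vulnerable(target, json_body):
    """Pre-fix: the raw JSON body is merged at the top level after target
    is set, so a body key named 'target' replaces the trusted value."""
    creds = {"target": copy.deepcopy(target)}
    creds.update(json_body)
    return creds


def build_creds_fixed(target, json_body):
    """Post-fix: the body lives under request_body and cannot collide with
    target or with URL path parameters stored at the top level."""
    creds = {"target": copy.deepcopy(target)}
    creds["request_body"] = copy.deepcopy(json_body)
    return creds


def flatten(d, prefix=""):
    """Flatten nested dicts to dotted keys so %(target.trust.x)s resolves."""
    out = {}
    for key, value in d.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, dotted + "."))
        else:
            out[dotted] = value
    return out


def rule_matches(rule_template, creds, caller_user_id):
    """Evaluate a rule such as '%(target.trust.trustor_user_id)s' against
    the caller. A reference to a key that is absent never matches."""
    try:
        expected = rule_template % flatten(creds)
    except KeyError:
        return False
    return expected == caller_user_id
```

With the fixed builder, a body that carries its own target key no longer changes what %(target.*)s resolves to, and a custom rule written as %(trust.trustor_user_id)s must become either %(target.trust.trustor_user_id)s or %(request_body.trust.trustor_user_id)s, depending on which source it was meant to read.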

  • [bug 2150089] Delegated tokens (trusts, application credentials, OAuth1 access tokens) are now restricted to credentials whose project_id matches the token’s project scope. This closes a cross-project lateral movement vector where a delegated token could read, modify, or delete credentials belonging to a different project, including EC2 keys and TOTP/MFA seed bindings.

    Application credential tokens are now blocked from all trust operations (create, delete, list, get). Allowing an application credential to bootstrap a trust creates a new delegation context whose token can access authentication material outside the delegation chain, breaking the audit trail. The unrestricted flag governs credential management, not trust management.

27.0.1

Security Issues

  • A potential security-related issue is fixed where a token of a user from a read-only backend (e.g. LDAP) continued to be accepted after the user was disabled in the backend. This is caused by the fact that Keystone receives no notification of the change and so is not able to revoke such tokens. See https://bugs.launchpad.net/keystone/+bug/2122615 for details.

Bug Fixes

  • The LDAP identity backend did not interpret the enabled field as a boolean.

27.0.0

New Features

  • A new module, keystone.wsgi, has been added as a place to gather WSGI application objects. This is intended to ease deployment by providing a consistent location for these objects. For example, if using uWSGI then instead of:

    [uwsgi]
    wsgi-file = /bin/keystone-wsgi-public
    

    You can now use:

    [uwsgi]
    module = keystone.wsgi.api:application
    

    This also simplifies deployment with other WSGI servers that expect module paths such as gunicorn.

  • User and group listing supports pagination. The query parameters limit and marker are added and work as described in the API-SIG doc.

  • A new configuration variable, max_db_limit, is added to set an absolute limit on the number of entries fetched from the database at one time. It is used in resource pagination. The existing list_limit option is optional and describes the preferred count of entries, while max_db_limit sets the top limit applied both to user input and to the individual list_limit options.

  • Project and domain listing supports pagination. The query parameters limit and marker are added and work as described in the API-SIG doc.

Upgrade Notes

  • The dependency on the abandoned library passlib has been dropped in favor of using bcrypt and cryptography directly. Passwords hashed with passlib remain supported, but the absence of corner cases cannot be guaranteed. If a user is not able to log in using an old password, that password must be rotated.

  • Python 3.8 support was dropped. The minimum version of Python now supported is Python 3.9.

  • The templated catalog driver has been removed. The [catalog] template_file option, which was used by the templated catalog driver has also been removed.

Deprecation Notes

  • The [DEFAULT] max_param_size option has been deprecated. This option was used in the identity v2 API, but the identity v2 API was removed in the 13.0.0 release.

  • This is the last release in which passwords hashed using the sha512_crypt algorithm are supported. Since the underlying support for it is being dropped in Python 3.13, it will be physically dropped from Keystone in the next release (Epoxy).

Other Notes

  • The sha512_crypt password hashing module has been removed, completing the deprecation process and dropping use of the crypt module, which has been removed in Python >= 3.13.