Since we removed certificate order, we no longer have to maintain
this logic.
This also removes the release note for deprecation of the Symantec
certificate plugin, which was added during this cycle, because
the plugin is also being removed by this change.
Change-Id: I8e901024677e889d05ad8653389fb46487bc7745
It was announced that this resource will be removed in Pike release.
Multiple cycles have passed since then, so we may be really ready to
remove it.
Note that this is the first step and removes only API layer logic.
Further logic removal will be done in the subsequent change.
Change-Id: Ib0eb3b11815b40237d42735097076b7c89cf9516
The stable/yoga branch has been deleted and replaced with the
unmaintained/yoga branch; update the reno config accordingly.
Co-Authored-By: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I442eb5dcdb04d2dbeb5925f200257524abb53868
Currently Barbican is not using oslo.db to set up database connection
but its own implementation directly using sqlalchemy. Because of this
the database parameters were not updated and these are based on
the names in quite old oslo.db library.
This change updates the database options so that the name of these
parameters become consistent with oslo.db.
This would help us replace current own implementation by oslo.db in
the future.
Change-Id: I36926e62842780068f7e66564233c121c37565d0
This plugin has not been updated for 7 years. This plugin requires
the symantecssl library but the library can't be found on the Internet
and is not generally available. We have never tested it in upstream
CI because of lack of that dependent library.
Change-Id: I26493c2b0130f3cb86d866bd08fa5bbacbcc4725
Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: I78055f46d39df17cb373de1e56fe9ef4598ecfe9
As specified in Phase 1 of the Consistent and Secure Default RBAC
goal [1] policies have been updated to remove "system" scope and
only use "project" scope in all policies.
APIs with policies that previously required "system" scope have been
updated to accept "project" scoped tokens with the "admin" role instead.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
Add file to the reno documentation build to show release notes for
stable/2023.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.
Sem-Ver: feature
Change-Id: I41c7de258154994cf428a817da3f8f83d9b3abb6
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I0d8e850ace6480e04cba922e26e697643c4418e1
Add file to the reno documentation build to show release notes for
stable/yoga.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.
Sem-Ver: feature
Change-Id: Ibf5116796e53b70424a7c3fc45e1c91b345ec1a9
This patch modifies the Consumer controller to enable the use of
ownership information in policy checks, e.g. policies that use a target
container:
    project_id:%(target.container.project_id)s
Story: 2009664
Task: 43872
Depends-On: I8698fc7a9ac849b8c24adfe824ca44dd3e42b999
Change-Id: I1724152839f0f5850f8d32d40b36d1670c0ad996
Users with the "creator" role on a project can now delete secrets owned
by the project even if the user is different than the user that
originally created the secret. Previous to this fix a user with the
"creator" role was only allowed to delete a secret owned by the project
if they were also the same user that originally created it, which was
inconsistent with the way that deletes are handled by other OpenStack
projects that integrate with Barbican.
This change does not affect the policy for deleting private secrets
(i.e. secrets with the "project-access" flag set to "false").
Story: 2009791
Task: 44324
Change-Id: Ie3e3adc1ee02d770de050f5cfa8110774bb1f661
This patch fixes a mismatch between the size of the column for a
consumer "name" in the database and the value being checked by the api
validator.
The maximum size in the database is 36 chars [1], so we must use that value
in the validator.
[1] https://opendev.org/openstack/barbican/src/branch/stable/xena/barbican/model/models.py#L826
Story: 2009672
Task: 43939
Change-Id: I76f075a94056aa65cd44fd1d7f5d4b24109b6ed1
Add file to the reno documentation build to show release notes for
stable/xena.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.
Sem-Ver: feature
Change-Id: I5c5eaf3b4603ceed6c53811f9e9ebd6c84ee09ae
This patch fixes the Castellan secret store use of SecretDTO objects,
which require that the "secret" member be base64 encoded. [1]
Prior to this fix all secrets that were generated were stored in
plaintext, but secrets coming in through the API were base64 encoded
before being stored in the backend.
On secret retrieval the Castellan plugin wrongly assumed everything in
the backend was encoded, so attempts to retrieve generated keys failed.
This patch fixes this inconsistency by always storing data un-encoded in
the backend.
A helper method was added to sort out the inconsistent data stored prior
to this fix.
A "version" property was added to the Castellan plugin metadata that is
stored in barbican to help differentiate secrets stored prior to this
fix vs secrets stored after this fix.
Story: 2008335
Task: 41236
[1]
https://opendev.org/openstack/barbican/src/tag/12.0.0/barbican/plugin/interface/secret_store.py#L356
Change-Id: I46fe77a471bf7927a24ca4d64dfccb385cd6402e
The default maximum allowed size is too small for some certificates.
This patch doubles the allowed size from 10Kb to 20Kb, and raises the
maximum request size by the same amount.
Change-Id: I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1
Add file to the reno documentation build to show release notes for
stable/wallaby.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.
Sem-Ver: feature
Change-Id: I759f186c485a75afa88edc72c28ed121292a1029
Add new system scope specific RBAC rules for the secretstore API.
The new rules allow all roles to list and get secret stores.
Change-Id: Ibb19e9854e8bafd2a454c0792503c6f4360e7cf7