Commit Graph

167 Commits

Author SHA1 Message Date
Zuul b6edfda344 Merge "Drop all remaining logics for certificate resources" 2024-03-08 16:18:59 +00:00
Zuul 33d188e0af Merge "Prohibit certificate order resource" 2024-03-08 16:18:58 +00:00
Takashi Kajinami 9833751613 Drop all remaining logics for certificate resources
Since we removed certificate order, we no longer have to maintain
these logics.

This also removes the release note for deprecation of symantec
certificate plugin, which was added during this cycle, because
the plugin is also being removed by this change.

Change-Id: I8e901024677e889d05ad8653389fb46487bc7745
2024-02-27 23:33:47 +09:00
Takashi Kajinami 901cf2cc39 Prohibit certificate order resource
It was announced that this resource will be removed in Pike release.
Multiple cycles have passed since then, so we may be really ready to
remove it.

Note that this is the first step and removes only API layer logic.
Further logic removal will be done in the subsequent change.

Change-Id: Ib0eb3b11815b40237d42735097076b7c89cf9516
2024-02-22 13:16:49 +09:00
Takashi Kajinami 0dbc19b6a1 Fix releasenotes build of yoga moved to unmaintained
The stable/yoga branch has been deleted and replaced with the
unmaintained/yoga branch, update the reno config accordingly.

Co-Authored-By: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I442eb5dcdb04d2dbeb5925f200257524abb53868
2024-02-05 10:58:23 +00:00
Zuul 04f91f01d3 Merge "pkcs11: Remove deprecated token_label option" 2023-12-15 16:09:01 +00:00
Zuul 7decf74ae5 Merge "Enable Secure RBAC by default" 2023-12-15 16:08:57 +00:00
Zuul a3c0df0435 Merge "Use consistent [database] options" 2023-12-15 16:03:09 +00:00
Takashi Kajinami 20b4b34299 pkcs11: Remove deprecated token_label option
It was deprecated in favor of the token_labels option some cycles
ago[1].

[1] 1ca03610d7

Change-Id: I20b15e23f06af8df86d888e86081058b8c96a77a
2023-12-15 16:54:45 +09:00
Takashi Kajinami 12aa8a9339 Use consistent [database] options
Currently Barbican is not using oslo.db to set up database connection
but its own implementation directly using sqlalchemy. Because of this
the database parameters were not updated and these are based on
the names in quite old oslo.db library.

This change updates the database options so that the name of these
parameters become consistent with oslo.db.

This would help us replace current own implementation by oslo.db in
the future.

Change-Id: I36926e62842780068f7e66564233c121c37565d0
2023-11-27 10:15:56 +09:00
Zuul 6dc5a6c8d3 Merge "Deprecate Symantec certificate plugin" 2023-11-22 09:42:44 +00:00
Takashi Kajinami f1b68658d4 Deprecate Symantec certificate plugin
This plugin has never been updated for 7 years. This plugin requires
the symantecssl library but the library can't be found on the Internet
and is not generally available. We have never tested it in upstream
CI because of lack of that dependent library.

Change-Id: I26493c2b0130f3cb86d866bd08fa5bbacbcc4725
2023-11-11 08:10:09 +00:00
OpenStack Release Bot 475e23708c Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.

Sem-Ver: feature
Change-Id: I78055f46d39df17cb373de1e56fe9ef4598ecfe9
2023-09-15 14:06:13 +00:00
Douglas Mendizábal 6dcb00f8b9 Enable Secure RBAC by default
This patch sets both `enforce_new_defaults` and `enforce_scope` to the
default value of `True` as the next step in the implementation of Secure
RBAC [1].

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: I935cb34877c8edf62f33f1ba1fe31c942780b3a0
2023-08-31 13:52:27 -05:00
OpenStack Proposal Bot c961268e7d Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Id60394f3259cb1e0c3f5bc3295bbd2b58fafb81c
2023-08-21 04:02:21 +00:00
OpenStack Proposal Bot 2726129022 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I167ffeb71a1c1148ce000ddd41011056ce09701d
2023-07-29 03:29:41 +00:00
OpenStack Proposal Bot fb9e98577f Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ibe0cfb66cc7199c9024abd780ae56282282a25a8
2023-07-22 03:20:11 +00:00
Douglas Mendizábal 116a9045eb Remove System scope from policy
As specified in Phase 1 of the Consistent and Secure Default RBAC
goal [1] policies have been updated to remove "system" scope and
only use "project" scope in all policies.

APIs with policies that previously required "system" scope have been
updated to accept "project" scoped tokens with the "admin" role instead.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

Change-Id: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
2023-06-05 15:03:06 -04:00
OpenStack Proposal Bot 7b57e5b47b Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I372ea04414fdf050e167bb0fb2b712ec58d18a74
2023-05-09 03:10:36 +00:00
Zuul aedb1d895a Merge "Update master for stable/2023.1" 2023-03-10 15:23:12 +00:00
Zuul ed5dbc6d48 Merge "Release notes for secret consumers, microversions and CVE fix" 2023-03-07 10:53:53 +00:00
Mauricio Harley 60e6b7e64d Release notes for secret consumers, microversions and CVE fix
Change-Id: Iaea5b454ad7a594eeac2b346fc2c713271c80a61
2023-03-03 14:52:08 +01:00
OpenStack Release Bot 04cc4e0165 Update master for stable/2023.1
Add file to the reno documentation build to show release notes for
stable/2023.1.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.

Sem-Ver: feature
Change-Id: I41c7de258154994cf428a817da3f8f83d9b3abb6
2023-03-01 10:50:10 +00:00
OpenStack Proposal Bot f8c2947a58 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I8b04a2ff4edcde5d270f9eb2bb061c023d18dad1
2023-02-16 04:41:20 +00:00
OpenStack Proposal Bot 155817a181 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Iad4dd85cd3131df0f8640716192e7b1146a21e60
2022-10-01 02:59:40 +00:00
OpenStack Release Bot 7578118d65 Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I0d8e850ace6480e04cba922e26e697643c4418e1
2022-09-26 15:24:51 +00:00
OpenStack Proposal Bot 55cc970bc7 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I67dc7101fa4861d6539ce301b3a8521f65a15e65
2022-09-16 03:56:19 +00:00
OpenStack Proposal Bot bf82d41e11 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Icff31c12583d257b83199ca5215fb12dc1aeab38
2022-09-13 03:54:48 +00:00
OpenStack Proposal Bot 2ac710eb6e Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I307006ec863ee795b736cb2b415b29ee87d48e5a
2022-06-21 02:11:27 +00:00
OpenStack Proposal Bot 40ef6c8b4a Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I853cd063273cdc2ae52babf9989bbe66b33882a6
2022-05-07 02:09:36 +00:00
OpenStack Release Bot 271aeb9421 Update master for stable/yoga
Add file to the reno documentation build to show release notes for
stable/yoga.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.

Sem-Ver: feature
Change-Id: Ibf5116796e53b70424a7c3fc45e1c91b345ec1a9
2022-03-11 11:29:10 +00:00
Zuul ffea7f79c9 Merge "Allow secret delete by users with "creator" role" 2022-02-14 15:42:14 +00:00
Douglas Mendizábal 9601593328 Fix container consumers rbac policy
This patch modifies the Consumer controller to enable the use of
ownership information in policy checks. e.g. policies that use a target
container:

   project_id:%(target.container.project_id)

Story: 2009664
Task: 43872

Depends-On: I8698fc7a9ac849b8c24adfe824ca44dd3e42b999
Change-Id: I1724152839f0f5850f8d32d40b36d1670c0ad996
2022-02-07 16:21:38 -06:00
Douglas Mendizábal 2620d14c5f Allow secret delete by users with "creator" role
Users with the "creator" role on a project can now delete secrets owned
by the project even if the user is different than the user that
originally created the secret.  Previous to this fix a user with the
"creator" role was only allowed to delete a secret owned by the project
if they were also the same user that originally created it, which was
inconsistent with the way that deletes are handled by other OpenStack
projects that integrate with Barbican.

This change does not affect the policy for deleting private secrets
(i.e. secrets with the "project-access" flag set to "false").

Story: 2009791
Task: 44324
Change-Id: Ie3e3adc1ee02d770de050f5cfa8110774bb1f661
2022-01-31 14:21:58 -06:00
OpenStack Proposal Bot 45e257b0af Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I2aa0e23030d96a1f8891940aa0d2fece3a0f6961
2021-12-08 02:37:48 +00:00
Douglas Mendizábal 31aa926175 Fix consumer name length validator
This patch fixes a mismatch between the size of the column for a
consumer "name" in the database and the value being checked by the api
validator.

The maximum size in the database is 36 chars [1], so we must use that value
in the validator.

[1] https://opendev.org/openstack/barbican/src/branch/stable/xena/barbican/model/models.py#L826

Story: 2009672
Task: 43939

Change-Id: I76f075a94056aa65cd44fd1d7f5d4b24109b6ed1
2021-11-10 15:24:16 -06:00
Zuul 2d912de1c3 Merge "Fix POST /v1/secret/{secret-id}/metadata response" 2021-10-09 02:05:21 +00:00
Douglas Mendizábal 8bd16953eb Fix POST /v1/secret/{secret-id}/metadata response
This patch fixes the response to POST requests in the metadata API so it
actually matches the documentation. [1]

Story: 2009247
Task: 43424

[1]
https://docs.openstack.org/barbican/latest/api/reference/secret_metadata.html#post-v1-secrets-uuid-metadata

Change-Id: I5505a8c56ed7274519cac8ad1e6d7adf5086c8d1
2021-09-23 21:16:41 +00:00
OpenStack Proposal Bot ba2f6fe304 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ia137aebb8536efbb0030f47fdeaf61b290aec9c7
2021-09-23 06:17:41 +00:00
OpenStack Release Bot 57d39b1dfb Update master for stable/xena
Add file to the reno documentation build to show release notes for
stable/xena.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.

Sem-Ver: feature
Change-Id: I5c5eaf3b4603ceed6c53811f9e9ebd6c84ee09ae
2021-09-16 11:02:53 +00:00
Douglas Mendizábal b9daa100d0 Fix Castellan Secret Store inconsistent encoding
This patch fixes the Castellan secret store use of SecretDTO objects,
which require that the "secret" member be base64 encoded. [1]

Prior to this fix all secrets that were generated were stored in
plaintext, but secrets coming in through the API were base64 encoded
before being stored in the backend.

On secret retrieval the Castellan plugin wrongly assumed everything in
the backend was encoded, so attempts to retrieve generated keys failed.

This patch fixes this inconsistency by always storing data un-encoded in
the backend.

A helper method was added to sort out the inconsistent data stored prior
to this fix.

A "version" property was added to the Castellan plugin metadata that is
stored in barbican to help differentiate secrets stored prior to this
fix vs secrets stored after this fix.

Story: 2008335
Task: 41236

[1]
https://opendev.org/openstack/barbican/src/tag/12.0.0/barbican/plugin/interface/secret_store.py#L356

Change-Id: I46fe77a471bf7927a24ca4d64dfccb385cd6402e
2021-09-15 08:42:25 -05:00
Zuul 2e9d3ae6b8 Merge "Raise maximum allowed secret size" 2021-04-29 14:47:08 +00:00
Douglas Mendizábal c59f2a6bbb Raise maximum allowed secret size
The default maximum allowed size is too small for some certificates.
This patch doubles the allowed size from 10Kb to 20Kb, and raises the
maximum request size by the same amount.

Change-Id: I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1
2021-04-27 15:49:39 -05:00
OpenStack Proposal Bot 6d0df1148f Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I503641691f8414c4c4562cbedc31dc8047054f0c
2021-04-27 06:11:21 +00:00
OpenStack Release Bot a567702c65 Update master for stable/wallaby
Add file to the reno documentation build to show release notes for
stable/wallaby.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.

Sem-Ver: feature
Change-Id: I759f186c485a75afa88edc72c28ed121292a1029
2021-03-26 10:15:57 +00:00
Zuul 5408a62802 Merge "Implement secure RBAC for quota API" 2021-03-11 22:46:57 +00:00
Zuul ad76802f6a Merge "Implement secure RBAC for secretstore API" 2021-03-11 22:46:16 +00:00
Ade Lee a0bc52c81a Implement secure RBAC for quota API
Add new system scope specific RBAC rules for the quota API.

Change-Id: I4fd1676e8ead673b91bad1cc9749147ac5d62d7f
2021-03-11 11:38:40 -05:00
Ade Lee 060ca2ee36 Implement secure RBAC for secretstore API
Add new system scope specific RBAC rules for the secretstore API.
The new rules allow all roles to list and get secret stores.

Change-Id: Ibb19e9854e8bafd2a454c0792503c6f4360e7cf7
2021-03-11 11:30:28 -05:00
Zuul 0c9c99f421 Merge "Implement secure RBAC for ACLs API" 2021-03-11 11:14:16 +00:00