Security Issues¶

• Part of the fix for Story 2009664 required renaming the policy forContainer Consumers from “consumers:get” to “container_consumers:get”,“consumers:post” to “container_consumers:post”, and “consumers:delete”to “container_consumers:delete”. If you are using custom policies tooverride the default policies you will need to update them to use thenew names.

• Fixed Story #2009791: Users with the “creator” role on a project can nowdelete secrets owned by the project even if the user is different thanthe user that originally created the secret. Previous to this fix a userwith the “creator” role was only allowed to delete a secret owned by theproject if they were also the same user that originally created, whichwas inconsistent with the way that deletes are handled by other OpenStackprojects that integrate with Barbican. This change does not affect privatesecrets (i.e. secrets with the “project-access” flag set to “false”).

Bug Fixes¶

• Fixed Story #2009247 - Fixed the response forPOST /v1/secrets/{secret-id}/metadata so it matches the documentedbehavior.

• Fixed Story 2009664 - Fixed the Consumer controller to be able to use theassociated Container’s ownership information in policy checks.

• Fixed Story #2009672 - Fixed validator for Container Consumers to prevent500 errors.

New Features¶

• The default maximum secret size has been increased from 10 kB to 20 kb, andthe default maximum request size has been increased from 15 kB to 25 kB.

Bug Fixes¶

• Fixed Story 2008335: Fixed a data encoding issue in the Hashicorp Vaultbackend that was causing errors when retrieving keys that were generatedby the Vault Key Manager in Castellan.