openstack/swift
Code Issues Proposed changes

CHANGELOG for 2.35.2

Browse Source 
Signed-off-by: Tim Burke <tim.burke@gmail.com>
Change-Id: Ie1f5b5629a4680f95dbaae5ac569f51d748d0c82
This commit is contained in:
Tim Burke
2026-01-27 09:36:35 -08:00
parent 097aad341a
commit 7fd6c1fd40
2 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
CHANGELOG
View File

@@ -1,3 +1,21 @@
swift (2.35.2, epoxy stable backports)
* The s3token middleware now passes service auth tokens to Keystone
if credentials are provided. This is required to enable S3 API
access for Keystone users when using Keystone >25.0.0, !=26.0.0,
!=26.0.1, !=27.0.0, !=28.0.0. See etc/proxy-server.conf-sample for
configuration details. For more information, see
https://security.openstack.org/ossa/OSSA-2025-002.html and
https://bugs.launchpad.net/keystone/+bug/2119646
* The s3token middleware now caches credential secrets for one minute
by default, if credentials are provided. Secret-caching typically
reduces the load on Keystone and is required for Keystone users to
be able to use signed aws-chunked transfers. To return to prior
behavior, explicitly set `secret_cache_duration = 0` in the
`[filter:s3api]` section of your proxy-server.conf.
swift (2.35.1, epoxy stable backports)
* S3 API

18
releasenotes/notes/release-2.35.2-45d782fba98d426f.yaml Normal file
View File

@@ -0,0 +1,18 @@
---
features:
- |
The s3token middleware now passes service auth tokens to Keystone
if credentials are provided. This is required to enable S3 API
access for Keystone users when using Keystone >25.0.0, !=26.0.0,
!=26.0.1, !=27.0.0, !=28.0.0. See etc/proxy-server.conf-sample for
configuration details. For more information, see
`OSSA-2025-002 <https://security.openstack.org/ossa/OSSA-2025-002.html>`__ and
`bug #2119646 <https://bugs.launchpad.net/keystone/+bug/2119646>`__.
- |
The s3token middleware now caches credential secrets for one minute
by default, if credentials are provided. Secret-caching typically
reduces the load on Keystone and is required for Keystone users to
be able to use signed aws-chunked transfers. To return to prior
behavior, explicitly set ``secret_cache_duration = 0`` in the
``[filter:s3api]`` section of your proxy-server.conf.