On to, 26 maalis 2020, François Cami via FreeIPA-devel wrote:
Hi,
On Thu, Mar 26, 2020 at 11:16 AM Alexander Bokovoy via FreeIPA-devel
<freeipa-devel@lists.fedorahosted.org> wrote:
Hi,
below is a release notes draft for FreeIPA 4.8.6 release I'm intending
to do today. I modified release-notes script to pick up release notes
from the commits to complement Pagure tickets' changelog custom field.
Please add your highlights in response to this email.
{{ReleaseDate|2020-03-27}}
The FreeIPA team would like to announce FreeIPA 4.8.6 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora distributions will be available from the official repository soon.
== Highlights in 4.8.6 ==
'''TODO RELEASE NOTES - put release notes (if any) to proper categories'''
* 8236: Enforce a check to prevent adding objects from IPA as external members
of external groups
:: Command 'ipa group-add-member' allowed to specify any user or group
:: for '--external' option. A stricter check is added to verify that
:: a group or user to be added as an external member does not come
:: from IPA domain.
--------
'''END TODO'''
=== Enhancements ===
=== Known Issues ===
If the first KRA instance is installed on a hidden replica, more KRA
instances cannot be added to the cluster. As a workaround, temporarily
make the the hidden replica with the KRA role visible before adding
more KRA instances. The previously-hidden replica can be hidden again
as soon as ipa-kra-install is complete.
Added.
I've extended the tool to pick up 'knownissue' field from Pagure tickets
and move release notes between highlights and known issues.
Now, if you want to document something in the release notes, you can:
- add 'RN: ' prefixed lines to the commit message, along with a
reference to a ticket,
or
- add content 'changelog' field to the Pagure issue
If 'knownissue' field in Pagure issue is set to 'true' (it is a
checkbox), then release note will be placed in 'known issues' section
automatically.
I also added ability to skip milestone tickets because they would be
repeating from one minor release to another.
Below is current set of release notes I'm intending to use for the
4.8.6 release. It is entirely autogenerated, I only removed TODO marks:
{{ReleaseDate|2020-03-27}}
The FreeIPA team would like to announce FreeIPA 4.8.6 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora distributions will be available from the official repository soon.
== Highlights in 4.8.6 ==
* 5662: ID Views: do not allow custom Views for the masters
:: Custom ID views cannot be applied to IPA masters. A check was added to both
IPA CLI and Web UI to prevent applying custom ID views to avoid confusion and
unintended side-effects.
--------
* 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is
enabled
:: FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos
LDAP objects from checking Kerberos policy during password changes by the
Directory Manager or a password synchronization manager. This issue affected,
among others, an integrated CA administrator account during deployment of more
than one replica in some cases.
--------
* 8233: 4.8.5 master Installation error
:: On Debian and ALT Linux setup of AJP connector did restart Apache instance
before it was configured. The restart wasn't actually needed and thus was
removed.
--------
* 8236: Enforce a check to prevent adding objects from IPA as external members
of external groups
:: Command 'ipa group-add-member' allowed to specify any user or group for
'--external' option. A stricter check is added to verify that a group or user
to be added as an external member does not come from IPA domain.
--------
* 8239: Actualize Bootstrap version
:: Bootstrap Javascript framework used by FreeIPA web UI was updated to version
3.4.1.
--------
* 8241: Build fails on Fedora 30
:: SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The
policy relied on an SELinux interface that is not available in Fedora 30. The
logic was changed to allow better portability across SELinux versions.
--------
=== Enhancements ===
=== Known Issues ===
* 8240: KRA install fails if all KRA members are Hidden Replicas
:: If the first KRA instance is installed on a hidden replica, more KRA
instances cannot be added to the cluster. As a workaround, temporarily make the
the hidden replica with the KRA role visible before adding more KRA instances.
The previously-hidden replica can be hidden again as soon as ipa-kra-install is
complete.
--------
=== Bug fixes ===
FreeIPA 4.8.6 is a stabilization release for the features delivered as a
part of 4.8 version series.
There are more than 10 bug-fixes details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list
(https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/)
or #freeipa channel on Freenode.
== Resolved tickets ==
* [https://pagure.io/freeipa/issue/5662 #5662] ID Views: do not allow custom
Views for the masters
* [https://pagure.io/freeipa/issue/6891 #6891] Move FreeIPA SELinux policy from
system policy to project policy
* [https://pagure.io/freeipa/issue/7181 #7181] ipa-replica-prepare fails for
2nd replica when passwordHistory is enabled
* [https://pagure.io/freeipa/issue/7895 #7895] ipa trust fetch-domains, server
parameter ignored
* [https://pagure.io/freeipa/issue/8159 #8159] please migrate to the new Fedora
translation platform
* [https://pagure.io/freeipa/issue/8193 #8193] Re-order
50-externalmembers.update to be after 80-schema_compat.update
* [https://pagure.io/freeipa/issue/8228 #8228] Nightly failure in
backup/restore while calling 'id admin'
* [https://pagure.io/freeipa/issue/8233 #8233] 4.8.5 master Installation error
* [https://pagure.io/freeipa/issue/8236 #8236] Enforce a check to prevent
adding objects from IPA as external members of external groups
* [https://pagure.io/freeipa/issue/8239 #8239] Actualize Bootstrap version
* [https://pagure.io/freeipa/issue/8240 #8240] KRA install fails if all KRA
members are Hidden Replicas
* [https://pagure.io/freeipa/issue/8241 #8241] Build fails on Fedora 30
== Detailed changelog since 4.8.5 ==
=== Alexander Bokovoy (34) ===
* ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM
or a passsync manager
[https://pagure.io/freeipa/c/bcbf64b1bf287d2b0b23bc7ac0cca9e8b789ba4a commit]
[https://pagure.io/freeipa/issue/7181 #7181]
* ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN
[https://pagure.io/freeipa/c/5bae736bc81eaa1167ec64a69a32506dad2ca286 commit]
[https://pagure.io/freeipa/issue/7181 #7181]
* ipatests: test sysaccount password change with a password policy applied
[https://pagure.io/freeipa/c/313542e8a125c4904750826ef9eabdead7d874bd commit]
[https://pagure.io/freeipa/issue/7181 #7181]
* ipatests: allow changing sysaccount passwords as cn=Directory Manager
[https://pagure.io/freeipa/c/f4dc10b8caac44f5c2a8edbb4c647e6dcf71c3bd commit]
[https://pagure.io/freeipa/issue/7181 #7181]
* Fix indentation levels [https://pagure.io/freeipa/c/c62b9e7f6ab0dec54540dc6cd389fe58f8858275 commit]
* ipatests: always skip additional input for group-add-member --external [https://pagure.io/freeipa/c/74f36e7c2f7f6d17b56e06b5f05205edb8a286d7 commit] [https://pagure.io/freeipa/issue/8236 #8236]
* po: update Chinese (China) translation [https://pagure.io/freeipa/c/c6adee04068ce946f8c9b8ad5db19721db13c602 commit]
* po: update Ukrainian translation [https://pagure.io/freeipa/c/855a36b6c093fd21af7cf87524acc5d297692de3 commit]
* po: update Tajik translation timestamp [https://pagure.io/freeipa/c/3d411cf29f29e1d391ed8f6eb159b88d450a332b commit]
* po: update Slovak translation timestamp [https://pagure.io/freeipa/c/3c15e47a7c2212aab0ecdc320093bee2afa0bfdc commit]
* po: update Russian translation [https://pagure.io/freeipa/c/db433fbe4e521d08dee2cdc2e65344d8203e03a4 commit]
* po: update Portuguese (Brazil) translation timestamp [https://pagure.io/freeipa/c/eab195ff3884b482279279326b3a84ced4723b7e commit]
* po: update Portuguese translation timestamp [https://pagure.io/freeipa/c/31a9da8efa793d492352f646fc804b902beec088 commit]
* po: update Polish translation [https://pagure.io/freeipa/c/4e3867fcc49a8d2ff1085e630abd77666a06d838 commit]
* po: update Punjabi translation timestamp [https://pagure.io/freeipa/c/e4dfb7409bd25dc5bc2cc1e99562f912a98509f8 commit]
* po: update Dutch translation timestamp [https://pagure.io/freeipa/c/e7945284906998da0a798a1ff15a42dd3fdb96d9 commit]
* po: update Marathi translation timestamp [https://pagure.io/freeipa/c/28a963eed0f27c214543b02fc34e15182e6fcc04 commit]
* po: update Kannada translation timestamp [https://pagure.io/freeipa/c/89b048d1408834dde38321ac4f402083ebd30247 commit]
* po: update Japanese translation timestamp [https://pagure.io/freeipa/c/89dbf88abb108cad7f44f92b4e94e66f21746cd3 commit]
* po: update Indonesian translation timestamp [https://pagure.io/freeipa/c/124a563eb64d7f9a2190a13e9d68a7b608be2d22 commit]
* po: update Hungarian translation timestamp [https://pagure.io/freeipa/c/595d5062b9e770a946156f69df2fe522d4745d9e commit]
* po: update Hindi translation timestamp [https://pagure.io/freeipa/c/c4dd8b226ae97011bcc0546209f8473fbcd75ab8 commit]
* po: update French translation [https://pagure.io/freeipa/c/a2ca393d35a1f34b2dbbd54c9c1d24b9f20960f0 commit]
* po: update Basque translation timestamp [https://pagure.io/freeipa/c/92fb5c5268b8b1b02b7a1d12b9a6417c893a18f1 commit]
* po: update Spanish translation [https://pagure.io/freeipa/c/7af52df7a8e54afe36649c5436fcfce759111751 commit]
* po: update English (United Kingdom) translation timestamp [https://pagure.io/freeipa/c/37a1e927a1f123b8b9fdbaf815003cb04726f72c commit]
* po: update German translation [https://pagure.io/freeipa/c/0d053d8b1df33f5602ae0e154743f1d1dce2c72d commit]
* po: update Czech translation timestamp [https://pagure.io/freeipa/c/c8ba436c0dad467bf12dec4d4f141916d0b3fbbd commit]
* po: update Catalan translation timestamp [https://pagure.io/freeipa/c/29e3ade05c8bea23c07ed1a1b5612af01f924d2d commit]
* po: update Bengali translation timestamp [https://pagure.io/freeipa/c/16d9556c6f3d19f73256d6698a7659f78961a378 commit]
* po: update ipa.pot template [https://pagure.io/freeipa/c/e23ba779d3aefd871e348b91e7b0fa003d97c96e commit]
* Update translation infrastructure [https://pagure.io/freeipa/c/831f4dd320a93d01df6b06058c3ab618a98c9fd8 commit] [https://pagure.io/freeipa/issue/8159 #8159]
* Keep ipa.pot translation file in git for weblate
[https://pagure.io/freeipa/c/9ff7b4a411d13ca148d2f53603dbcc812d92380a commit]
[https://pagure.io/freeipa/issue/8159 #8159]
* Prevent adding IPA objects as external members of external groups
[https://pagure.io/freeipa/c/127b8d9cf23bf65aa42e6ee9ed8d7f8628bbac19 commit]
[https://pagure.io/freeipa/issue/8236 #8236]
=== Christian Heimes (5) ===
* po: fix LINGUAS to use whitespace separation
[https://pagure.io/freeipa/c/616ad399c99292542638e9e8f0995873e5c4f311 commit]
[https://pagure.io/freeipa/issue/8159 #8159]
* SELinux: apache_manage_pid_files for F30
[https://pagure.io/freeipa/c/f08ced1b25e14f91526c82610a8219ae8ed898a3 commit]
[https://pagure.io/freeipa/issue/8241 #8241]
* Add pytest OpenSSH transport with password [https://pagure.io/freeipa/c/42aa86fadd7a7f2209e05291be9c76a8497998dd commit]
* Move freeipa-selinux dependency to freeipa-common [https://pagure.io/freeipa/c/7d525ab4308060435808a311de55a76fb26a28c6 commit] [https://pagure.io/freeipa/issue/6891 #6891]
* Integrate ipa_custodia policy
[https://pagure.io/freeipa/c/04cc0450125e3c9e989c3e769a25ba2f1f336060 commit]
[https://pagure.io/freeipa/issue/6891 #6891]
=== François Cami (1) ===
* ipatests: test_replica_promotion.py: test KRA on Hidden Replica
[https://pagure.io/freeipa/c/a692212e3bee36fbccba73ed21f7825381eeade4 commit]
[https://pagure.io/freeipa/issue/8240 #8240]
=== Florence Blanc-Renaud (3) ===
* ipatests: wait for SSSD to become online in backup/restore tests
[https://pagure.io/freeipa/c/ebb3c22ddb998997eb05e7bd4da2157e88b6c8f3 commit]
[https://pagure.io/freeipa/issue/8228 #8228]
* xmlrpc tests: add a test for idview-apply on a master
[https://pagure.io/freeipa/c/c37a84628601d369f83546085b7e29be8fe11a59 commit]
[https://pagure.io/freeipa/issue/5662 #5662]
* idviews: prevent applying to a master
[https://pagure.io/freeipa/c/7905891341197cb90faf635cf93ce63ae7a7a38b commit]
[https://pagure.io/freeipa/issue/5662 #5662]
=== Mohammad Rizwan Yusuf (3) ===
* ipatests: Skip test using paramiko when FIPS is enabled [https://pagure.io/freeipa/c/45507c1e86b634507fdc21dbb88ea9edd43e4166 commit]
* Test if schema-compat-entry-attribute is set [https://pagure.io/freeipa/c/3f3fa403a944035cf5531939fe3a2e338da99612 commit] [https://pagure.io/freeipa/issue/8193 #8193]
* Test if schema-compat-entry-attribute is set
[https://pagure.io/freeipa/c/210619a98f0d8a042a181bab5891bdd595aa5351 commit]
[https://pagure.io/freeipa/issue/8193 #8193]
=== Rob Crittenden (4) ===
* Test that pwpolicy only applied on Kerberos entries [https://pagure.io/freeipa/c/b34063e700ac4c65b117705bafb0255c26bca060 commit]
* Add ability to change a user password as the Directory Manager [https://pagure.io/freeipa/c/840671b1cdc508ea86f8412e6423f00b8c3bf809 commit]
* Don't save password history on non-Kerberos accounts [https://pagure.io/freeipa/c/8b7bb96b327207284c8c0a45cf2979843482cf48 commit]
* Test that ipa-healthcheck human output translates error strings [https://pagure.io/freeipa/c/7974ac9f8c7969df85f689d94f5b30c18e661daa commit]
=== Stanislav Levin (1) ===
* pki-proxy: Don't rely on running apache until it's configured
[https://pagure.io/freeipa/c/24c6ea3c9f2df757b3d714044c16083716e377ca commit]
[https://pagure.io/freeipa/issue/8233 #8233]
=== Sergey Orlov (2) ===
* ipatests: provide AD admin password when trying to establish trust
[https://pagure.io/freeipa/c/814b47e85c87bc3c80c91ebd0aa9085ac06b521e commit]
[https://pagure.io/freeipa/issue/7895 #7895]
* ipatests: remove test_ordering [https://pagure.io/freeipa/c/0e9b020db201ff5797f0dabff05c3fc16a9bf79a commit]
=== Serhii Tsymbaliuk (1) ===
* Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1
[https://pagure.io/freeipa/c/f1855dd51e1544a77f1b4a3d4c90f173c29fbed4 commit]
[https://pagure.io/freeipa/issue/8239 #8239]
=== Sudhir Menon (1) ===
* ipatests: Added testcase to check logrotate is added for healthcheck tool [https://pagure.io/freeipa/c/7d4687926e9866c378db8075dd7b55b3c40e71a9 commit]
=== Vit Mojzis (1) ===
* selinux: disable ipa_custodia when installing custom policy
[https://pagure.io/freeipa/c/f99cfa1443dfa33422eb4a7613d3dd9e921ccacd commit]
[https://pagure.io/freeipa/issue/6891 #6891]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
