The keystone doesn't use 5000 port anymore from Newton version. And all
the references should be changed together.
Change-Id: I3f02686ab5b3abf48f129fde92e90427ca148317
oslo.policy doesn't handle Permission Denied error during file
parsing. This patch just ignores IOError exceptions to fallback to
the default behaviour.
Closes-Bug: #1845523
Change-Id: I87c2862e6e3a3f42d231552b00dc02364d6fa14f
In Train cycle, we moved the definition of default values
to openstack_dashboard/defaults.py. The current code accesses
a dict member using []. It requires operators to define a dict
setting with a full member.
This commit allows to use dict-type settings with partial members.
A new function is introduced to retrieve a dict-type setting
considering default values defined in
{openstack_dashboard,horizon,openstack_auth}/defaults.py
Change-Id: I7ff0ad4bca698aef9c0eba370b0570200a14367a
Closes-Bug: #1843104
If the expiration date of a password is in the past, don't display the
expiration warning, as it's not helpful and confuses the user.
This can happen after a user whose password was set to be changed on the
first login changes it, but probably also in other situations, depending
on how many more bugs in Keystone there are around expiring passwords.
Change-Id: Ib79f6ef354c456bbdc2d7c1d4371ae15e825b557
Unfortunately the only way we can know the user_id at this point is
by parsing the error message.
I also refactored the exceptions in openstack_auth to make them use
different classes (but one common superclass).
Partially implements blueprint: allow-users-change-expired-password
Change-Id: Ieceee09db21040b96577db19bd195dc3799e3892
Keystone V2 API was deprecated in Stein release in Horizon and
removed from Keystone in Queens release.
Change-Id: I917e273d3174adf0874e516b3d635ccb8ba58a27
Keystone's API for changing the user password doesn't require
authentication, so we can have a page that doesn't require it too.
In order to change the password, the user has to provide their old
password. This is needed for when the password is expired or when
it has to be changed on first use.
The next step will be adding a redirect to this page when a password
is expired or required to be changed.
Part of blueprint: allow-users-change-expired-password
Change-Id: I3b207ef6c5a3095022a2acb64d3988e127f0f49a
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.
Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.
Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
This has been present since at least Django 1.6 [1], though the comment
on the removed function suggests it might have been earlier (pre-Git
days, perhaps?).
[1] https://github.com/django/django/commit/a2f2a399566
Change-Id: Ib6978ffa8d3962383fbc0a1c3cfd9da9e162f7dd
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
These are going the way of the dinosaur and will eventually need to be
replaced, some of them in coming patches.
Change-Id: I3a1d514c8770478349b4f91b128c8230b108d979
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
We only support Django >= 1.11 now. Who cares about Django < 1.7.
Change-Id: I3576b921b976ef9e5bb1561bda85348112e4b6e8
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Took me a while to figure out this wasn't part of the API for an auth
backend. Make that more obvious.
Change-Id: Idb5efd850426b41d638c6d8c7112735d1423fdab
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
As noted in the Django 2.1 release notes [1]:
The authenticate() method of authentication backends requires request
as the first positional argument.
This can be seen here [2]. Simple enough, though it took me ages to
figure this out because Django gave me *zero* warning that a backend
because of this change. Heck, raising the TypeError would have helped :(
[1] https://docs.djangoproject.com/en/2.2/releases/2.1/#features-removed-in-2-1
[2] https://github.com/django/django/commit/5e31be1b96f
Change-Id: I0dd37d33c8e42a70c00a9f1460c1cec86c5b6006
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This is the larger change. We could attempt to rewrite this whole thing
to a class-based view but that's more work that it's worth right now.
Instead, we simply do what the now-removed 'login' function-based view
was doing, as seen at [1].
A lot of never-used customizability is removed because it's not needed
and made things more complicated than it needed to be.
[1] https://github.com/django/django/blob/1.11/django/contrib/auth/views.py#L133-L139
Change-Id: Ib934d8a2c32cb32761558a68f061f415bb8737c4
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
There are a lot of util funtions that are not used neither in Horizon,
nor in plugins. This patch removes them.
Change-Id: I987b39d620a037834cb2d05a234a1ad089276108
Token is not used in policies,
and json.dumps can't dump it when http rules are used.
Closes-Bug: 1823977
Change-Id: Id1b0b94d27d24d7dfdd2f1542973088947d83ada
Signed-off-by: George Melikov <mail@gmelikov.ru>
The `openstack_auth login` view uses `request.build_absolute_uri` function
to build an origin uri when websso is enabled and
the WEBSSO_DEFAULT_REDIRECT_PROTOCOL is set.
This function doesn't insert the `WEBROOT` variable into uri what causes an
error:
http://domain.name/auth/websso/ is not a trusted dashboard host
Using the `build_absolute_uri` from `utils` module fixes this problem. It
generates the right uri:
http://domain.name/dashboard/auth/websso/
Change-Id: I94100f66a9f07eb8da75d344cbd120838fe25d1e