155 Commits

Author SHA1 Message Date
Takashi Kajinami
39746b7417 Remove templated catalog driver
The driver was deprecated in 2024.1 release because of the unmaintained
default template[1].

[1] 307296af5e170ca6b0d44fd5ec85a39bd6b5e572

Change-Id: If7b040a39679b2707565ecd0bd8a06b7db7503c1
2025-01-03 10:36:02 +09:00
Zuul
0cc279d2ce Merge "Remove direct dependency on memcache" 2024-11-15 15:50:59 +00:00
Takashi Kajinami
e1b4edb146 Remove Python 3.8 support
Python 3.8 was removed from the tested runtimes for 2024.2[1] and has
not been tested since then.

Also add Python 3.12 which is part of the tested runtimes for 2025.1.
Now unit tests job with Python 3.12 is voting.

[1] https://governance.openstack.org/tc/reference/runtimes/2024.2.html

Change-Id: Ie71dd98911c740b2b3d87157c326eedc40f9f17d
2024-10-24 21:30:05 +09:00
Takashi Kajinami
a59ac9d823 Remove direct dependency on memcache
python-memcached was used by memcache token persistence which was
already removed, is no longer directly used by keystone and it's
required via oslo.cache.

Change-Id: I2e2e6fa12cc8280e1f6a5825764af0b2b48835db
2024-09-29 16:36:50 +09:00
Takashi Kajinami
5afd51e8cf Drop unused pymongodb from requirements
Keystone no longer depends on mongodb after cache implementation was
split to oslo.cache[1]. Also, bandit is not a runtime dependency but
a test dependency, so should live in test requirements.

[1] 4969f66fca37ce9bd654cf74890fa28dd011bc6e

Change-Id: I85f376d0897dd6b4dba758f86882fae70511fb6a
2024-02-04 15:04:55 +00:00
Zuul
4b3efbc026 Merge "Remove babel.cfg" 2024-01-26 17:37:06 +00:00
Ghanshyam Mann
23fbdee5ea Update python classifier in setup.cfg
As per the current release tested runtime, we test
python version from 3.8 to 3.11 so updating the
same in python classifier in setup.cfg

Change-Id: I94d11b7fb1f7111549a16d70581658d8fa17ab62
2024-01-03 23:56:26 -08:00
Takashi Kajinami
e3b3df7974 Remove babel.cfg
Remove babel.cfg and the translation bits from setup.cfg, those are not
needed anymore.

Change-Id: I6c44c8e0b8bf16af2e91ba26b2dbe37c06ea1048
2023-12-21 02:16:12 +09:00
Ghanshyam Mann
5a0fbe975d Update python testing as per zed cycle testing runtime
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Change-Id: I817a4d1506fb7f15e72d37015ae0ba9547e2aa52
2022-05-10 19:30:04 -05:00
YuehuiLei
1703447131 setup.cfg: Replace dashes with underscores
Resolves warnings like the following:

  UserWarning: Usage of dash-separated 'description-file' will not be
  supported in future versions. Please use the underscore name
  'description_file' instead

Change-Id: I81c2a24fbf3341ad73a6f3057e3e47010f2663fa
2021-04-26 15:53:22 +08:00
Andreas Jaeger
35e83918f4 Cleanup py27 support
Make a few cleanups:
- Remove python 2.7 stanza from setup.py
- Add requires on python >= 3.6 to setup.cfg so that pypi and pip
  know about the requirement
- Remove obsolete sections from setup.cfg
- Update classifiers

Change-Id: Id04f2ca5b879ee1f37cd349ff85ebec01389213a
2020-04-08 08:37:30 +02:00
Zuul
af1c1a822a Merge "Stop testing Python 2" 2019-11-14 10:28:52 +00:00
Arthur Dayne
a92885a98b Stop testing Python 2
In Ussuri, Drop support for Python 2 according to [1] and [2]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010356.html
[2] https://governance.openstack.org/tc/resolutions/20180529-python2-deprecation-timeline.html

Change-Id: I35e871992dd21e96e7e812e440e6cafdb61d26ac
2019-11-01 08:57:08 +08:00
Colleen Murphy
9607ed3266 Revert "Resource backend is SQL only now"
This reverts commit 3d46c8a5d93529b4050bab635486cfa6b05c9a85.

In the last commit, the foreign key constraints between the project
table and other tables were dropped, which allows us to restore the
configurability of the resource driver.

Change-Id: Iba4951e2d3965be5acec705385967d312456f1c7
2019-10-11 14:13:04 -07:00
Colleen Murphy
7c42f1a7a8 Revert "Add JSON driver for access rules config"
This reverts commit f028ca4edd592c45c100e7cf42cb95fe954604aa.

In the Train PTG[1] we agreed to defer this feature until we had some
kind of traceability or discoverability for APIs and that this wasn't
feasible or useful until then.

This change was merged to master but never released, so I submit that
it is safe to revert.

[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials

Change-Id: I8fc5fcb2b35431882f0d64866765d6b0cd31356f
2019-05-28 08:38:42 -07:00
Jim Rollenhagen
dc3175afb1 Revert "Blacklist bandit 1.6.0"
This reverts commit ebac8330d8ac81c491a1cb0e16eb23b93d7932ee.

Using the glob that I had not yet had enough coffee to do correctly is a
better solution, and allows us to fix new failures in 1.6.0 which would
break us again when 1.6.1 was released.

Change-Id: Ica473ba71b224cdc0acf815f82d534b6c70a7f54
2019-05-14 21:09:32 +00:00
Jim Rollenhagen
ebac8330d8 Blacklist bandit 1.6.0
There's a regression[0] in bandit 1.6.0 which causes bandit to stop
respecting excluded directories, and our tests throw a bunch of
violations. Blacklist this version, but allow newer versions as there is
already a pull request[1] to fix it, and I expect it will be included in
the next release.

[0] https://github.com/PyCQA/bandit/issues/488
[1] https://github.com/PyCQA/bandit/pull/489

Change-Id: Ie4dbfb3f54e4aac00e0537d5760b7a8fc81b35a2
2019-05-09 14:27:19 +00:00
Zuul
ed45883380 Merge "Add JSON driver for access rules config" 2019-03-07 09:43:33 +00:00
Vishakha Agarwal
a022e27307 Drop py35 jobs
Python 3.5 was the target runtime for the Rocky release.
The current target py3 runtime for Stein is Python 3.6,
so there is no reason to keep testing against the older
version.

https://governance.openstack.org/tc/reference/runtimes/stein.html#python-runtime-for-stein

Change-Id: I618c0d263d4c0f497aef59f24215b60169948ea9
2019-03-05 10:56:57 +05:30
Colleen Murphy
f028ca4edd Add JSON driver for access rules config
The access rules config driver will read a JSON file that represents
rules for accessing service APIs. This is to support application
credential access rules, which will be checked against the configured
rules upon creation. The name for this new API is borrowed from Istio's
near identical concept[1].

[1] https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/#AccessRule

bp whitelist-extension-for-app-creds

Change-Id: If8b9c1e9df55874052dfd9b99fbcea6e06c1ca35
2019-03-03 18:33:11 +01:00
Lance Bragstad
96adccd0ec Implement JWS token provider
This commit introduces a class that implements the JWS token provider
functionality.

bp json-web-tokens

Change-Id: Ie16110894348a83e3a80cba4649e6cccdc3c84b1
2019-02-07 23:04:39 +00:00
Corey Bryant
eca0829c4c PY3: switch to using unicode text values
In Python 3, python-ldap no longer allows bytes for some fields (DNs,
RDNs, attribute names, queries). Instead, text values are represented
as str, the Unicode text type. Compatibility support is provided for
Python 2 by setting bytes_mode=False [1].

Update the keystone LDAP backend to adhere to this behavior by using
bytes_mode=False for Python 2 and dropping UTF-8 encoding and decoding
fields that are now represented as text in python-ldap.

[1] More details about byte/str usage in python-ldap can be found at:
http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode

Note that at a minimum python-ldappool 2.3.1 is required. For more
details see Depends-On's below.

Change-Id: Ifdd0644cd7042407a008c85c0b2c40a971c90bc3
Closes-Bug: #1798184
Depends-On: https://review.openstack.org/611401
Depends-On: https://review.openstack.org/613632
Depends-On: https://review.openstack.org/614052
2019-01-14 14:25:39 -05:00
ZhongShengping
6469f5c316 Change openstack-dev to openstack-discuss
Mailinglists have been updated. Openstack-discuss replaces openstack-dev.

Change-Id: I447cca1b13c8da7a1ff362274b3e3f75cd6b9e48
2018-12-04 10:00:29 +08:00
Adrian Turjak
d9e6c1d4dd Implement auth receipts spec
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.

Adds changes to the auth layer to handle the creation,
validation, and consumptions of receipts as part of
the auth process.

Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
2018-11-02 15:06:19 +01:00
Zuul
d04bb1e7e6 Merge "Remove paste-ini" 2018-10-24 08:29:22 +00:00
Zuul
41078e422e Merge "Internally defined middleware don't use stevedore" 2018-10-19 23:33:03 +00:00
Zuul
f8becfb448 Merge "Implement scaffolding for upgrade checks" 2018-10-19 17:20:55 +00:00
Lance Bragstad
6369796ebe Implement scaffolding for upgrade checks
One of the community goals for Stein is to implement a command-line
tool for operators that runs programmable checks that might impact
upgradability.

This commit lays down the basic structure for the upgrade checks and
ties it up to `keystone-status` command.

Story: 2003657
Task: 26135
Change-Id: I6586827104156ac549217967a1b9171f1a3b32e4
2018-10-17 16:54:53 -04:00
Morgan Fainberg
ea6755a825 Remove paste-ini
Remove the paste-ini for Stein release. It has not been used since
Rocky and was maintained for simplicity of deployment projects.

Change-Id: Iec0c204e8521694e4d48dbef03a72ecdb173e435
2018-10-15 17:57:59 +00:00
Morgan Fainberg
18d597f8e8 Internally defined middleware don't use stevedore
For internally defined middleware (URL Normalizer and AuthContext)
Do not use stevedore to load, apply directly. This also cleans up
a lingering entry in the setup.cfg for token_auth.

Test Changes:

* entry points test no longer looks for url_normalize and
build_auth_context

Change-Id: I58d3c23ad4f70668ada4eae94a94d3f5fe750b3b
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Morgan Fainberg
ee9b035cf1 Replace JSON Body middleware with flask-native func
Replace the JSON Body middleware with flask-native before-request
function.

The body filtering and storing data in
request.environ['openstack.params'] was not used in the code base and
has been dropped.

Test Changes:

* JSON Body middleware has been removed, no testing of the removed code

* JSON Body Before Request Method has been implemented and associated
  testing (mirroring the JSON Body middleware code).

* Test entry points no longer looks for JSON Body middleware.

Change-Id: I84491865870b6bf2b8f094b524ee8b77510f0054
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Zuul
199e9b5238 Merge "Switch to python-ldap" 2018-07-18 17:44:25 +00:00
wangxiyuan
4b4835a01c Strict two level limit model
This patch introduced the hierarchical limit structure
into Keystone.

The strict two level enforcement model is added as well.

Change-Id: Ic80e435a14ad7d6d4eccd4cd6365fb2d99fd26c1
bp: strict-two-level-model
2018-07-17 11:59:58 +08:00
Dirk Mueller
0fa6f97891 Switch to python-ldap
pyldap is deprecated and merged with python-ldap, so we should depend
on it directly instead of the deprecated wrapper. For details see
https://pypi.org/project/pyldap/

Change-Id: I2c8ee2c792a476fe12c234a55af24144e6b511cd
Depends-On: https://review.openstack.org/#/c/582973/
2018-07-16 17:33:38 +02:00
Morgan Fainberg
bb3b15bbf0 Implement base for new RBAC Enforcer
Create the base implementation of the RBAC enforcer with compat code
for the legacy mechanism via @protected decorators.

Change-Id: I80662d9b23e706b720d56670cb849318e951a3b4
Parital-Bug: #1776504
2018-06-27 22:38:06 +00:00
Morgan Fainberg
8bf335bb01 Remove pastedeploy
This patchset removes the lingering code that supported paste.deploy
that is obsoleted by the loader wrapped around keystone's use of Flask.

 * The keystone-paste.ini file has been removed.

 * All options have been removed (without deprecation) as they are no
   longer referenced.

 * The TokenAuthMiddleware code (with deprecation warning) has been
   removed as it was only provided to ensure compatibility with paste.ini
   files that were not updated (ensuring not breaking a deployer that
   did not update paste.ini file to remove it from the pipeline).

 * Paste deploy entrypoints have been removed.

Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
2018-06-06 19:30:26 +00:00
Morgan Fainberg
a11d6ca0eb Flaskification cleanup
Cleaning up 2 minor changes that were missed in the initial
flaskification change.

Change-Id: I27e7a506a9fd03fd1fb9efd8666d187cba965769
2018-06-06 19:30:20 +00:00
Morgan Fainberg
4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Nguyen Hai
a04a1dc782 Follow the new PTI for document build
- Follow new PTI for docs build
- Add sphinxcontrib.apidoc to replace pbr autodoc

REF:
https://governance.openstack.org/tc/reference/project-testing-interface.html
http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
http://lists.openstack.org/pipermail/openstack-dev/2018-March/128594.html

Depends-On: https://review.openstack.org/#/c/559334/
Change-Id: I1d5f01cf49f36567f5a891c69c7269d3e966b9c5
2018-04-09 01:13:58 +09:00
Zuul
3eeb4901b3 Merge "Remove domains *-log-* from compile_catalog" 2018-02-14 21:41:08 +00:00
Lance Bragstad
032dd49db2 Remove the sql token driver and uuid token provider
Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:

  - Remove test class that were only meant for sql or uuid scenarios
  - Refactor the notification framework to not hint at token storage
  - Refactor the token provider API interfaces to be simpler and
    cleaner
  - Remove the needs_persistence property from the token provider API
    and document the ability to push that logic into individual
    providers that require it
  - Return 403 Forbidden for all requests to fetch a revocation list
  - Remove the signing directory configuration options

These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.

bp removed-as-of-rocky

Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
2018-02-12 17:32:47 +00:00
Colleen Murphy
29280b1f68 Add application credential auth plugin
Add an auth plugin for application credentials and update the common
auth utilities to understand an auth method of 'application_credential'
and validate and scope accordingly.

By default, application credentials should not be allowed to be used for
creating other application credentials or trusts. If a user creates an
application credential with flag `allow_application_credential_creation`
then that application should be allowed to be used for creating and
deleting other application credentials and trusts. Ensure a flag is set
in the token if this property is set to allow this behavior.

bp application-credentials

Change-Id: I15a03e79128a11314d06751b94343f22d533243a
2018-01-27 12:00:19 +01:00
wangxiyuan
0b241dcea5 Add limit provider
This patch adds the registered limit and project limit provider
Class.

Change-Id: I636cd9555ae6434b0e6dec958ae41ef852a48285
bp: unified-limits
2018-01-25 15:45:44 +08:00
Colleen Murphy
52a32aa583 Add application credentials driver
Add a sql model and driver for application credential CRUD operations
and authentication.

bp application-credentials

Change-Id: I192052434c0b0d49d1612824aec1034507dfd233
2018-01-17 20:56:53 +01:00
Lance Bragstad
85c957c503 Expose a get_enforcer method for oslo.policy scripts
Because we have policy in code, we should be able to use the
oslo.policy CLI scripts to produce sample policy files and render
complete policies based on overrides on disk. This was broken
because keystone wasn't removing unexpected commandline arguments
before passing them to oslo.config to parse. This prevented
people from generating complete policy files like they would for
horizon.

This commit exposes a get_enforcer() that substitutes an empty list
in place of arguments passed in through the system. This makes it
so that oslo.config doesn't choke when processing configuration
values.

Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951
2018-01-03 20:47:56 +00:00
wangqiangbj
4fc045f820 remove "admin_token_auth" related content"
as "admin_token_auth" is removed from paste file. some related contents
are useless and should be removed also.

Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens
2017-12-18 17:02:34 +08:00
Jesse Pretorius
0502d749a6 Add default configuration files to data_files
In order to make it simpler to use the default
configuration files when deploying services
from source, the files are added to pbr's
data_files section so that the files are
included in the built wheels and therefore
deployed with the code. Packaging and deployment
tools can then more easily use the default files
if they wish to.

This pattern is already established with similar
files for neutron and the glance metadefs as has
been mentioned in the related bug report.

Change-Id: I505a2cdff3ec699dcb4a37106765ef889872d367
Closes-Bug: #1718356
2017-09-21 13:53:41 +01:00
Morgan Fainberg
3d46c8a5d9 Resource backend is SQL only now
This change has been implemented to avoid the need to backport
significantly impactful Foreign Key dropping backports.

Resource is highly relational data and it makes sense to allow the
use of FKs from other subsystems to project/domains.

Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
2017-08-14 19:01:02 +00:00
Samriddhi Jain
82785553dd Updated URLs in docs
With the docs migration and re-arrangement, some docs
have been shifted to new places, however the referenced
links are still old. Some of them give 404 error or
just point to the home page. This patch fixes those URLs.

Change-Id: Ie6b18ab3d4aa346dac8436dd426277fee4f07fcd
2017-08-09 23:46:33 +05:30
Colleen Murphy
e08e7ccad7 Fix man page builds
Since Sphinx 1.6 released, pbr's build_sphinx extension has been broken.
Specifically, pbr's [build_sphinx]/builders option is ignored. Luckily,
sphinx itself implemented the feature but called it just 'builder'[1].
This patch fixes the config setting name and then cleans up a Sphinx
extension inclusion that is now automatically included.

[1] http://lists.openstack.org/pipermail/openstack-dev/2017-July/119396.html

Change-Id: I5da6a996ed442524ddb108a890df2d024ee07c4d
2017-08-06 16:05:03 +02:00