This patch adds a new user response attribute, password_expires_at,
to the Identity API v3 documentation.
Password expires validation implementation:
https://review.openstack.org/333360
Depends-On: I07c10de627898d6ac79578dc24292ded4a2190f1
Partially-implements: blueprint pci-dss
Change-Id: I37136f79488d7469f0b8b24e3f5628899e40cac0
A number of the examples are also updated, since not all of
them were valid combinations of domain_id, parent_id and
is_domain.
Change-Id: Id642762cd6acfdf6142b24caf3de1d16db599065
This small change makes it clear that the API can also disable a
user and the request body with the `enabled` attribute is always needed.
Change-Id: I4e242d36e9830fd162634c5a864f6a787a4de9d7
Related-Bug: #1603905
user_id was listed twice under the update user request parameters.
This fix removes the duplicated parameter.
Change-Id: I9c70aff00f151c4907101335174adf3624d4f686
When using an identity driver without providing uuid, and using default
sql id mapping driver, if there are lots of users, then it may take
minutes to list users. Adding cache to the id mapping manager can
improve the performance.
After adding the cache, when listing 12000 users through the keystone
API, the time is reduced from about 75 seconds to 20 seconds.
Closes-Bug: #1582585
Change-Id: I72eeb88926d8babb09a61e99f6f594371987f393
Since the Python 3.5 gate job builds cleanly now, we should claim
support for Python 3.5 in the metadata's classifier.
Change-Id: I215313560d6bb3501093c95870c12cde1f11b5a5
In 3.5, the ast module returns the correct value for the col_offset
of a function definition whereas earlier versions did not. The value
is off by one column.
Closes-Bug: #1603236
Change-Id: I7835d7ed8d652a6bd585e8e0372fab402424038d
These options should have been deprecated in Mitaka (when LDAP
write support was deprecated), but were missed. Mark them as
deprecated now.
bp deprecated-as-of-newton
Change-Id: I683c1cb27ff28d7600e743fe9a17ceab112a5ad3
This introduces a new keystone-manage command called 'doctor' which
attempts to diagnose and report on various ill-advised configurations
and deployment states.
The number of checks we could perform is basically endless, so this is
just a random sampling of checks to get the ball rolling. The idea is
that as new features are introduced, as default configurations change,
as we have new recommendations to make to deployers, etc, we can
implement new checks in keystone-manage doctor and communicate our
concerns directly to those operating affected deployments.
Change-Id: Ib6660c1a885c439ca03357870628b2ea52e39e9d
Implements: bp keystone-manage-doctor
Previously, AuthTokenTests inherited the test structure and ran the tests with
the default keystone configuration. This commit breaks AuthTokenTests to
inherit from `object` and sets up FernetAuthTokenTests and UUIDAuthTokenTests
to set up configuration appropriately and run the tests.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I9acacfe7db4997add5505a9ee1972139af11979e
Partial-Bug: 1561054
In preparation for making Fernet the default token provider, we must freeze and
increment the clock in certain tests. This is because Fernet does not support
sub-second precision and if a Fernet token is validated in the same second that
a revocation event has occurred, it will be considered invalid.
This commit makes it so that we freeze the clock in
test_list_users_filtered_by_funny_name() and increment it by one second when we
go to list users by name.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Partial-Bug: 1561054
Change-Id: I3ea4af702e6914775156c605799992a41e8e75c5
The mapping has a unique constraint and creating a mapping with the same
local entity will fail. Creation of a mapping with the same local entity
might happen because of a race condition, which would happen if 2 processes
start mapping the same local entity at the same time.
Return the existing public_id if creation failed due to duplicate.
Change-Id: Ic6e6ec9614e16a49c791dc6c06a4464d18be09be
Related-Bug: 1582585
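
The duplicate-handling behaviour described in the commit message above, shown as an added example that is not part of the commit or of keystone's code. It assumes a simplified SQLite `id_mapping` table; the column names, helper names and sample values are hypothetical.

```python
import sqlite3
import uuid

# Simplified stand-in for an id mapping table; column names are assumptions.
SCHEMA = """
CREATE TABLE id_mapping (
    public_id   TEXT PRIMARY KEY,
    domain_id   TEXT NOT NULL,
    local_id    TEXT NOT NULL,
    entity_type TEXT NOT NULL,
    UNIQUE (domain_id, local_id, entity_type)
)
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def get_public_id(conn, local_entity):
    row = conn.execute(
        "SELECT public_id FROM id_mapping "
        "WHERE domain_id = ? AND local_id = ? AND entity_type = ?",
        local_entity).fetchone()
    return row[0] if row else None

def create_id_mapping(conn, local_entity, public_id=None):
    """Insert a mapping; if another writer won the race, return its public_id."""
    public_id = public_id or uuid.uuid4().hex
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("INSERT INTO id_mapping VALUES (?, ?, ?, ?)",
                         (public_id, *local_entity))
        return public_id
    except sqlite3.IntegrityError:
        # Unique constraint hit: reuse the id that is already stored.
        existing = get_public_id(conn, local_entity)
        if existing is None:
            raise  # the failure was not a duplicate of this local entity
        return existing

def simulate_race():
    """Two workers both saw 'no mapping' and now insert the same local entity."""
    conn = open_db()
    entity = ("domain-a", "cn=alice", "user")  # constructed sample values
    first = create_id_mapping(conn, entity)    # worker 1 wins
    second = create_id_mapping(conn, entity)   # worker 2 loses, gets worker 1's id
    count = conn.execute("SELECT COUNT(*) FROM id_mapping").fetchone()[0]
    return first, second, count
```

Both callers end up with the same public ID and only one row exists, so a local identity never resolves to two different public IDs.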
Keystone has code to prevent a `None` value from being returned in the
revoke event, but there is a wrong check condition that leads to
the `access_token_id` with None being returned to the end user.
Closes-Bug: #1603861
Change-Id: Ifc2908ffb6b8353d24a6416338d8fadb0e0b2a21