12542 Commits

Author SHA1 Message Date
Zuul
249316ddfb Merge "Add scope_types to domain config policies" 2018-01-27 00:35:55 +00:00
Zuul
1a0cc370ad Merge "Add scope_types to service provider policies" 2018-01-27 00:35:53 +00:00
Zuul
872b5b286c Merge "Add scope_types to oauth policies" 2018-01-27 00:35:50 +00:00
Zuul
9ecc0c668e Merge "Add scope_types for revoke event policies" 2018-01-27 00:16:14 +00:00
Zuul
db764b18a6 Merge "Add scope_types to group policies" 2018-01-26 22:11:56 +00:00
Zuul
e25371f2a4 Merge "Add scope_types to role assignment policies" 2018-01-26 22:10:46 +00:00
Zuul
4031020150 Merge "Add scope_types to grant policies" 2018-01-26 21:48:27 +00:00
Zuul
a886dd256e Merge "Document scope_types for ec2 policies" 2018-01-26 20:51:25 +00:00
Zuul
2db1d2562c Merge "Add scope_types to identity provider policies" 2018-01-26 17:55:02 +00:00
Zuul
981990627b Merge "Add scope_types to protocol policies" 2018-01-26 17:34:47 +00:00
Zuul
1930e7d34c Merge "Add scope_types to region policies" 2018-01-26 15:22:40 +00:00
Zuul
f113b2d458 Merge "Relay system information in RoleAssignmentNotFound" 2018-01-26 13:33:10 +00:00
Zuul
ba4764b679 Merge "Add scope_types to implied role policies" 2018-01-26 13:22:09 +00:00
Zuul
6191c26c16 Merge "Add api-ref for unified limits" 2018-01-26 13:08:49 +00:00
Zuul
b012d9dd33 Merge "Expose unified limit APIs" 2018-01-26 13:08:45 +00:00
Zuul
d8a0c5e3d0 Merge "Implement policies for limits" 2018-01-26 13:08:41 +00:00
Zuul
bb4ffdafbe Merge "Add limit provider" 2018-01-26 12:48:17 +00:00
Zuul
25fe3ef38c Merge "Improve limit sql backend" 2018-01-26 12:48:14 +00:00
Zuul
5417457bb0 Merge "Remove foreign key for registered limit" 2018-01-26 09:21:05 +00:00
Zuul
9b085e604c Merge "Implement GET /v3/auth/system" 2018-01-26 07:07:46 +00:00
Zuul
328a3017cd Merge "Add scope_types to endpoint policies" 2018-01-26 04:12:32 +00:00
wangxiyuan
a616462260 Add api-ref for unified limits
This patch added the api-ref for unified limits.

bp: unified-limits
Change-Id: Iebf90c4145d34b02e125ab2fb2a2323df22e5b7c
2018-01-25 16:33:25 +08:00
wangxiyuan
4606183c8d Expose unified limit APIs
This patch exposed all the unified limit APIs.

Change-Id: Iceb85e5c4cb92a4b393b373ccf6b41fc22d1c4c6
bp: unified-limits
2018-01-25 16:33:11 +08:00
wangxiyuan
9ba24b91a4 Implement policies for limits
This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.

bp unified-limits

Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
2018-01-25 15:45:51 +08:00
wangxiyuan
0b241dcea5 Add limit provider
This patch adds the registered limit and project limit provider
class.

Change-Id: I636cd9555ae6434b0e6dec958ae41ef852a48285
bp: unified-limits
2018-01-25 15:45:44 +08:00
wangxiyuan
0cde8da14e Improve limit sql backend
This patch does:
1. Improve the error message as Morgan suggested before.
2. Add a new error type: RegisteredLimitError.
3. Catch the DBReferenceError in update/delete registered limit
functions.
4. Handle the case that region_id=None for update/delete
registered limits.
5. Fix a code error in create_limits function.

Change-Id: Id572348ca7867d7ce6f258cb3132b05a313624bd
bp: unified-limits
2018-01-25 14:18:27 +08:00
Zuul
48486544f3 Merge "Introduce assertions for system-scoped token testing" 2018-01-25 02:33:44 +00:00
Zuul
5ba9da6fe6 Merge "Implement system-scope in the token provider API" 2018-01-25 02:33:41 +00:00
Zuul
f2292445eb Merge "Teach TokenFormatter how to handle system scope" 2018-01-25 02:33:38 +00:00
Zuul
2353425985 Merge "Add scope_types to domain policies" 2018-01-24 17:12:51 +00:00
Lance Bragstad
a50fafd246 Implement GET /v3/auth/system
Keystone has APIs for retrieving projects and domains based on the
role assignments a user has on projects and domains. We should
introduce similar functionality for system assignments. This will
make discovering system access for users and clients easier.

bp system-scope

Change-Id: Iab577fcd1b57b8b5593c3f9d50a772466383a999
2018-01-24 01:09:16 +00:00
Lance Bragstad
7dbf84c024 Add scope_types to grant policies
Since grants can exist on either the system or a project, it makes
sense to have them associated to both `system` and `project` scopes.
But until we have logic in keystone that can enforce those checks, we
keep the scope_types set to `system`. This ensures backwards
compatibility and helps resolve admin-ness issues until we get to
that point.

Change-Id: I310c88bae7986e3163408f621e266f96fd255edc
2018-01-23 16:01:46 +00:00
Lance Bragstad
de7e79fdf3 Add scope_types to role assignment policies
Change-Id: Ia56c7fc32607c2893ba172d528f29a34e32573a1
2018-01-23 15:54:24 +00:00
Colleen Murphy
59b1aacdba Fix column rename migration for mariadb 10.2
MariaDB 10.2 introduced an issue where an automatic check constraint is
applied to boolean columns and is not automatically updated on a column
rename alter operation[1]. A similar issue preventing dropping such a
column was already fixed[2], so this patch changes the migration to drop
and readd the column instead of attempting a column rename.

Unfortunately, since the mistake was already made, it is possible for
deployments out in the wild to have made it past the expand step and be
currently stuck in the contract step. To accommodate them, we add the new
column as part of the contract step if necessary. Again, since there
should be no data in this table, we don't need to worry about online
upgrades here.

[1] https://jira.mariadb.org/browse/MDEV-13508
[2] https://jira.mariadb.org/browse/MDEV-11114

Change-Id: Icbd58464182b082854fb5d73ccc93c900ede020c
Closes-bug: #1744948
2018-01-23 16:43:31 +01:00
wangxiyuan
2176eb4a5e Remove foreign key for registered limit
Now the registered limit table has two foreign keys, one for the service
id, another for the region id. But catalog and limit may use different
backends, in which case the fks will lead to errors. For example, if catalog
uses a file-based backend, registered limits can never be created.

So we should drop the fks in the table and add the resource existence
check logic in code.

Change-Id: Ic98e069a03931bb3eaaad63cd2db7e6a822a3546
bp: unified-limits
2018-01-23 14:39:25 +00:00
Lance Bragstad
19a2ccb51e Introduce assertions for system-scoped token testing
This commit consists of some utilities that we can use when testing
system-scoped tokens. A subsequent patch will use them when
implementing the tests.

bp system-scope

Change-Id: If011ff7630cda1f7330a7657dd8e6249f0af5442
2018-01-23 13:50:20 +00:00
Lance Bragstad
0a9867f912 Implement system-scope in the token provider API
This change incorporates system-scope changes into the token provider
API. A subsequent patch will wire up the necessary controller bits
that expose the functionality via the API.

bp system-scope

Change-Id: I15ed4b96d3e0d78f85ca61a3d85274c770c4c7cf
2018-01-23 13:50:20 +00:00
Lance Bragstad
265076ac58 Teach TokenFormatter how to handle system scope
This commit adds a new payload type that is meant to allow
system-scoped token. A subsequent patch will actually wire this up
to the token provider API and another patch to expose it via the
authentication API.

bp system-scope

Change-Id: I26357b6d62ce88ad116e0231145b2367dda62fa2
2018-01-23 13:50:20 +00:00
Zuul
9cd5f198da Merge "Move token_formatter to token" 2018-01-23 03:59:06 +00:00
Zuul
6e6b818ba9 Merge "Rename application credential restriction column" 2018-01-22 22:22:27 +00:00
Zuul
360fe67e1e Merge "Add system column to app cred table" 2018-01-22 22:22:21 +00:00
Lance Bragstad
705ff135da Relay system information in RoleAssignmentNotFound
Since it's possible to have a role assignment on the system now, we
should make sure we handle that case in the RoleAssignmentNotFound
exception.

bp system-scope

Change-Id: I2388d65ffa5b68690d9c4f0dd16f16e158f5a091
2018-01-22 21:51:25 +00:00
Colleen Murphy
5fe9e3761d Rename application credential restriction column
In the application credential spec[1] we decided to add on a parameter
that would control whether an application credential could be used to
create other application credentials. This parameter is also used to
control whether it can be used to delete other application credentials
and whether it can create and delete trusts. Therefore the name
`allow_application_credential_creation` is misleading. Moreover, giving
a property of the resource a name that is an imperative verb is not
great. It makes more sense for a property to be a noun, an adjective, or
a passive verb.

This change renames the ``allow_application_credential_creation`` column
to ``unrestricted``. This maintains the same boolean context, i.e. a
"true" value for the old name maintains the same meaning as a "true"
value for the new name.

At this point, the application credential API has not yet been exposed,
so there should be no data in this table and no need for complicated
migration triggers. In general, we only need to do a column alter to
rename it. Sqlite is special because it does not support column alters,
so in order to accommodate our tests the migration involves copying the
whole table, minus the old column, and recreating it with the new
column.

Change-Id: Id26a2790acae25f80bd28a8cb121c80cb5064645
2018-01-22 14:42:08 +01:00
Zuul
bca46a6f45 Merge "Reorganize api-ref: v3-ext revoke.inc" 2018-01-21 04:44:27 +00:00
Zuul
53ffe6388d Merge "Reorganize api-ref: v3-ext simple-cert.inc" 2018-01-21 01:24:16 +00:00
Zuul
c2d316b631 Merge "Reorganize api-ref: v3-ext ep-filter.inc" 2018-01-21 01:24:13 +00:00
Zuul
fcf54e9f68 Merge "Reorganize api-ref: v3-ext federation projects-domains.inc" 2018-01-21 01:24:11 +00:00
Zuul
48105bd6da Merge "Use log debug instead of warning" 2018-01-20 21:53:57 +00:00
Suramya Shah
f063cb0b44 Reorganize api-ref: v3-ext revoke.inc
Reorganize as per the documentation session at PTG:
https://etherpad.openstack.org/p/queens-ptg-keystone-doc-cleanup

Change-Id: I60377b12999f0a9270722d1b01c40759067b96a8
2018-01-20 08:48:43 +05:30
Suramya Shah
7d4c366c91 Reorganize api-ref: v3-ext ep-filter.inc
Reorganize as per the documentation session at PTG:
https://etherpad.openstack.org/p/queens-ptg-keystone-doc-cleanup

Change-Id: Iaa732e613178243c76f0570c4832d91f0538a6da
2018-01-20 08:40:01 +05:30