344 Commits

Author SHA1 Message Date
wangxiyuan
a616462260 Add api-ref for unified limits
This patch added the api-ref for unified limits

bp: unified-limits
Change-Id: Iebf90c4145d34b02e125ab2fb2a2323df22e5b7c
2018-01-25 16:33:25 +08:00
Zuul
9cd5f198da Merge "Move token_formatter to token" 2018-01-23 03:59:06 +00:00
Gage Hugo
de1007a14c Move token_formatter to token
This change moves the token_formatter under fernet to be located
under the token directory. This is to allow for the functionality
of token_formatter to be easily used with other token providers.

Change-Id: I3a1ee30f69c33c9dd98c7e39e552b7908cc836e1
2018-01-19 16:17:47 -06:00
Zuul
0067a52d3b Merge "Remove duplicated release note" 2018-01-17 05:15:38 +00:00
Zuul
5ad764eb02 Merge "Add schema check for authorize request token" 2018-01-17 00:25:02 +00:00
Zuul
8277c693a3 Merge "Expose a get_enforcer method for oslo.policy scripts" 2018-01-16 09:04:07 +00:00
OpenStack Proposal Bot
08b570bc04 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ie49f0d1b935eb36a538efb277fb24de5eeeecc66
2018-01-13 06:29:16 +00:00
wangxiyuan
1f0473a597 Add schema check for authorize request token
This patch adds the schema check for the authorize
request token API. It'll avoid some 500 errors
caused by invalid input format and it will raise
a 400 error correctly.

This patch also adds role name support for
authorize request token

Closes-bug: #1736875
Change-Id: I9d113692702e7aaa0127ffa9405a17908c0c6ff7
2018-01-10 14:32:16 +08:00
Zuul
abb0d552a1 Merge "Add expired_at_int column to trusts" 2018-01-06 01:41:14 +00:00
Colleen Murphy
07b07d5b83 Add expired_at_int column to trusts
We've already converted Password objects to use the DateTimeInt format
for its datetime attributes[1]. This was necessary to cope with
differences in date storage formats between different DBMSs that was
causing intermittent test failures. While we're not experiencing those
CI problems any more, the DateTimeInt format is the way forward for
consistent datetime storage. This patch converts the trust table and
model to use the new format.

[1] https://review.openstack.org/#/c/493259/

Related-bug: #1702211

Change-Id: If524c743170924e5b8cfdafa862ed31b06db018c
2018-01-04 22:28:44 +01:00
Lance Bragstad
85c957c503 Expose a get_enforcer method for oslo.policy scripts
Because we have policy in code, we should be able to use the
oslo.policy CLI scripts to produce sample policy files and render
complete policies based on overrides on disk. This was broken
because keystone wasn't removing unexpected commandline arguments
before passing them to oslo.config to parse. This prevented
people from generating complete policy files like they would for
horizon.

This commit exposes a get_enforcer() that substitutes an empty list
in place of arguments passed in through the system. This makes it
so that oslo.config doesn't choke when processing configuration
values.

Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951
2018-01-03 20:47:56 +00:00
Colleen Murphy
c973c8fe70 Deprecate [trust]/enabled option
It's currently possible to disable the trusts API and trusts are
therefore essentially an API extension and not a first-class member of
the keystone API. By now, trusts are a widely-used feature and are
essential for services like Heat. Allowing optional APIs is an
interoperability nightmare that we should discourage. This patch marks
the config flag to enable trusts as deprecated so that in the future it
will not be possible to disable it.

bp deprecated-as-of-queens

Change-Id: Iac454ddf7878b8f2705e7abb44181f1a19af015f
2018-01-02 19:42:21 +01:00
wangxiyuan
05c96d0371 Remove duplicated release note
There are two release note files for removed-as-of-queens.

Merge them into one.

Change-Id: I06234a4585a78050be8a8c8b13a58fed9e34463b
2017-12-29 10:10:30 +08:00
Zuul
3d80ded1da Merge "Remove rolling_upgrade_password_hash_compat" 2017-12-29 01:43:06 +00:00
Zuul
eab432923f Merge "remove "admin_token_auth" related content"" 2017-12-22 22:05:38 +00:00
Zuul
ac1f88eb5e Merge "Deprecate member_role_id and member_role_name" 2017-12-20 16:25:58 +00:00
Zuul
3407ebb5e7 Merge "Add schema check for OS-TRUST:trust authentication" 2017-12-20 01:20:51 +00:00
wangqiangbj
4fc045f820 remove "admin_token_auth" related content"
As "admin_token_auth" is removed from the paste file, some related contents
are useless and should be removed also.

Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens
2017-12-18 17:02:34 +08:00
wangxiyuan
4783d1f194 Remove rolling_upgrade_password_hash_compat
The config option ``rolling_upgrade_password_hash_compat``
is only used for rolling-upgrade from Ocata release to
Pike release. It should be removed now.

Change-Id: Ic9bb5809b40a120f92c801b8c0d37608a7976105
bp: removed-as-of-queens
2017-12-18 09:20:53 +08:00
wangxiyuan
23d14f5562 Deprecate member_role_id and member_role_name
``member_role_id`` and ``member_role_name`` config options
are only used for V2. Instead of removing, just deprecate
them because maybe some consumers still use them
for V3.

This patch also removed the usage in
``keystone-manage bootstrap``.

Closes-bug: #1728690

bp: deprecated-as-of-queens
bp: removed-as-of-queens

Change-Id: Ib85479442ec68f9a67615c23e5c39bd217c9b109
2017-12-18 09:15:54 +08:00
Zuul
19451a8e35 Merge "Validate disabled domains and projects online" 2017-11-28 15:52:36 +00:00
Jorge Munoz
8eb29c37d1 Validate disabled domains and projects online
Keystone's performance degrades as the `revocation_event` table grows
in size. This patch reduces the total number of events written to the
table by not persisting events when a domain or project is disabled.

The main reason for persisting a revocation event when a project or
domain is disabled is to make sure tokens associated to those targets
are considered invalid. Instead of relying on revocation events, we
can check if the project or domain is enabled when we validate the
token. We take the same approach when we validate a user's role
assignments instead of relying on an ever-growing database table.

Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>

Closes-Bug: 1524030
Change-Id: I76330567e0df2d9f2af88ef9b6b98b8c379e7406
2017-11-27 23:06:10 +00:00
wangxiyuan
f8e79ab507 Fix 500 error when create trust with invalid role key
When creating a trust with an invalid role key (neither 'id' nor
'name'), Keystone should raise 400 BadRequest, instead of
500 Internal Error.

This patch removed the redundant loops in
_normalize_role_list as well.

Change-Id: I62bd201c1dda7b573e2ee8b97322c1f25275892c
Closes-bug: #1734244
2017-11-27 15:11:34 +00:00
Zuul
25b688e51d Merge "Remove setting of version/release from releasenotes" 2017-11-24 20:36:41 +00:00
wangxiyuan
4c824c8088 Add schema check for OS-TRUST:trust authentication
If the OS-TRUST:trust is not a dict when authenticating,
Keystone will raise a 500 error. This patch adds the
related schema check to avoid the error.

Change-Id: I575440fa507c5274e0c3bc09f4cfcb9b3d91a28c
Closes-bug: #1733754
2017-11-24 01:35:17 +00:00
wangxiyuan
49d75d668c Update the help message for unique_last_password_count
The help message for unique_last_password_count doesn't tell the
count logic to users, so that the users may misunderstand it.

This patch updated the message to make it more clear.

Change-Id: I8ab1db5c07b199a3a0ef86a79e9895be48c0a1db
Closes-bug: #1727099
2017-11-24 08:52:12 +08:00
deepakmourya
c0968ed48e Remove setting of version/release from releasenotes
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.

Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.

This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.

Change-Id: I0efc7889825a7d5b93f51919b9cc5bc86a1d28e6
2017-11-17 05:06:34 +00:00
Zuul
c191747a2a Merge "Filter users/groups in ldap with whitespaces" 2017-11-14 20:26:47 +00:00
prashkre
789573a0f1 Filter users/groups in ldap with whitespaces
All users and groups are required to have a name. With this fix,
Keystone will ignore users and groups that have only white
space as the value for the LDAP attribute which Keystone has been
configured to use for that entity's name.

Change-Id: Id539e1b7e1cea8b05cd9bb753707e1fc98244d29
Closes-Bug: #1727726
2017-11-03 20:52:41 +05:30
Matthew Edmonds
621ea65b96 Deprecate policies API
The policies API should never be used. This marks it deprecated in
the API reference so that operators do not waste time looking at it.
It also logs a deprecation warning if the API is called.

Change-Id: I816997826e931a253777145e2c5f894e39182a8f
2017-11-02 14:59:53 -04:00
Zuul
2f4540fb23 Merge "Emit deprecation warning for federated domain/project APIs" 2017-10-20 20:28:47 +00:00
Gage Hugo
0579dec0b9 Add project tags api-ref documentation and reno
This change creates a new page describing the usage of project tags
as well as adds in project tag information into existing projects
refs. The added document highlights the properties of a project
tag, the new API calls created, filtering/searching uses, and examples
for each.

This change also creates a release note for the changes made
that add project tags.

Change-Id: Icff11da9412378ae59c6f392f98b05475c7c501d
Partially-Implements: bp project-tags
2017-10-17 17:56:29 -05:00
Lance Bragstad
67967c84fd Emit deprecation warning for federated domain/project APIs
Before the identity API documentation lived in-tree, it lived in the
openstack/keystone-specs project. Before that it lived in its own
identity-api repository. A long time ago we merged a patch [0] to that
project to deprecate the project and domain APIs in the federation
path. That documentation has since been copied and migrated to the
keystone-specs repository and now keystone itself.

Even though we've deprecated those APIs in the documentation, we never
formally deprecated them in code using ``versionutils``. This commit
does that. Now a message will be logged anytime that API is used
instead of GET /auth/domains or GET /auth/projects. This makes the
implementation of keystone consistent with documentation we merged
ages ago.

[0] If0c010119512d6a159ce82147a87c4698205a648

Change-Id: I88cb587c7cd69fef400b2eaf7dffda655355b710
2017-10-11 19:16:45 +00:00
OpenStack Proposal Bot
785d8fe405 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I8810af7b31edfb67d3b0b92c4bef5bb5fa64248d
2017-08-26 08:09:42 +00:00
Lance Bragstad
2373cfbbf9 Ignore release notes for pike and master
These notes were modified [0] and reverted [1] during the Pike
cycle. This commit ensures they don't get rendered for the Pike
release:

[0] https://review.openstack.org/#/c/493479/
[1] https://review.openstack.org/#/c/496367/

Change-Id: I04395b469bff4ca27825d589f1b85637fa09e69f
2017-08-23 21:45:53 +00:00
Jenkins
4950c24bdd Merge "Revert "Fix wrong links"" 2017-08-23 00:03:23 +00:00
Jenkins
3e8f16dec4 Merge "Remove missing release note from previous revert" 2017-08-22 20:59:29 +00:00
Lance Bragstad
6a20aa8587 Revert "Fix wrong links"
This reverts commit 77500b3615ae94ea45837f3fc0d503c8aadcc462.

Change-Id: I44a3f47329b06d4b85fa0bb944ce3bc8084fffa3
2017-08-22 18:54:25 +00:00
Gage Hugo
94e3e9803d Remove missing release note from previous revert
This change removes a release note that was added as part of [0] but
the change was later reverted [1], however the note was missed
as part of the revert.

[0] https://review.openstack.org/#/c/438035/
[1] https://review.openstack.org/#/c/464009/

Change-Id: I4a9041ad1c1d12a328f8c5951b5a7df8c0d7e390
2017-08-22 12:56:28 -05:00
Lance Bragstad
d1562fbccb Include a link in release note for bug 1698900
This was merged without a link to the bug that it fixed. This should
be backported to stable/pike so that it's rendered properly in the
release notes.

Change-Id: I7230b48ba232f3f6807689f82efda4a010924d1c
2017-08-22 17:14:23 +00:00
Jenkins
682cfa5c6d Merge "Remove duplicate roles from federated auth" 2017-08-16 21:04:36 +00:00
Jenkins
d20a3e971f Merge "Resource backend is SQL only now" 2017-08-16 19:55:53 +00:00
Lance Bragstad
058a23c087 Remove duplicate roles from federated auth
We were using a one-liner to prune duplicate role references from a
list of roles, but it didn't work in all cases. This reworks the
logic to pass the existing test case. I also added a comment
explaining why the logic we used previously doesn't work so we can
hopefully avoid the pattern in the future.

Change-Id: Id786d6463364ad8f4f02c22bb83221baac4b83d0
Closes-Bug: 1701324
2017-08-16 15:20:58 +00:00
Morgan Fainberg
38974af24c Add int storage of datetime for password created/expires
Due to MySQL (in some versions) not storing datetime resolution below
one second, keystone occasionally ends up with weird behavior such as
a new password not being valid. The password created at and expires at
columns now store both datetime (for rolling upgrades) and integers.

Keystone from Pike and beyond leans on the new created_at_int column
and expires_at_int column.

Change-Id: I2c219b4b9b353f1e2cce6088849a773196f0e443
Closes-Bug: #1702211
2017-08-15 16:29:18 +00:00
Jenkins
2164d0550c Merge "Imported Translations from Zanata" 2017-08-14 21:57:52 +00:00
Morgan Fainberg
3d46c8a5d9 Resource backend is SQL only now
This change has been implemented to avoid the need to backport
significantly impactful Foreign Key dropping backports.

Resource is highly relational data and it makes sense to allow the
use of FKs from other subsystems to project/domains.

Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
2017-08-14 19:01:02 +00:00
yfzhao
77500b3615 Fix wrong links
Some docs links have changed. We should update the wrong links in our code.

Change-Id: I54587d1ca9a3b1628fc5437ca49b468a4e4107bc
Closes-Bug: #1710572
2017-08-14 16:26:42 +08:00
OpenStack Proposal Bot
5fbe54054a Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: Ia1144e7677067832875cc46b8b27216d90d3813a
2017-08-12 07:47:36 +00:00
f57a318e5c Update reno for stable/pike
Change-Id: I0f18c1e309dbde610a13b1f4299337a9ae7b94ae
2017-08-11 02:50:55 +00:00
Lance Bragstad
63124f703a Cache list projects and domains for user
Listing projects and domains for a user based on their role
assignments was noted as being really slow, especially when users
have a lot of assignments. This commit implements caching to mitigate
the issue while we continue to investigate ways to speed up the
assignment API.

Change-Id: I72e398c65f01aa4f9a37f817d184a13ed01089ce
Closes-Bug: 1700852
2017-08-09 14:45:58 +00:00