This change moves the token_formatter under fernet to be located
under the token directory. This is to allow for the functionality
of token_formatter to be easily used with other token providers.
Change-Id: I3a1ee30f69c33c9dd98c7e39e552b7908cc836e1

This patch adds the schema check for the authorize
request token API. It will avoid some 500 errors
caused by invalid input format and will raise
400 errors correctly.
This patch also adds role name support for
authorize request token.
Closes-bug: #1736875
Change-Id: I9d113692702e7aaa0127ffa9405a17908c0c6ff7

We've already converted Password objects to use the DateTimeInt format
for their datetime attributes[1]. This was necessary to cope with
differences in date storage formats between different DBMSs that were
causing intermittent test failures. While we're not experiencing those
CI problems any more, the DateTimeInt format is the way forward for
consistent datetime storage. This patch converts the trust table and
model to use the new format.
[1] https://review.openstack.org/#/c/493259/
Related-bug: #1702211
Change-Id: If524c743170924e5b8cfdafa862ed31b06db018c

Because we have policy in code, we should be able to use the
oslo.policy CLI scripts to produce sample policy files and render
complete policies based on overrides on disk. This was broken
because keystone wasn't removing unexpected command-line arguments
before passing them to oslo.config to parse. This prevented
people from generating complete policy files like they would for
horizon.
This commit exposes a get_enforcer() that substitutes an empty list
in place of arguments passed in through the system. This makes it
so that oslo.config doesn't choke when processing configuration
values.
Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951

It's currently possible to disable the trusts API and trusts are
therefore essentially an API extension and not a first-class member of
the keystone API. By now, trusts are a widely-used feature and are
essential for services like Heat. Allowing optional APIs is an
interoperability nightmare that we should discourage. This patch marks
the config flag to enable trusts as deprecated so that in the future it
will not be possible to disable it.
bp deprecated-as-of-queens
Change-Id: Iac454ddf7878b8f2705e7abb44181f1a19af015f

As "admin_token_auth" is removed from the paste file, some related contents
are useless and should be removed also.
Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens

The config option ``rolling_upgrade_password_hash_compat``
is only used for rolling-upgrade from Ocata release to
Pike release. It should be removed now.
Change-Id: Ic9bb5809b40a120f92c801b8c0d37608a7976105
bp: removed-as-of-queens

``member_role_id`` and ``member_role_name`` config options
are only used for V2. Instead of removing them, just deprecate
them, because some consumers may still use them
for V3.
This patch also removes the usage in
``keystone-manage bootstrap``.
Closes-bug: #1728690
bp: deprecated-as-of-queens
bp: removed-as-of-queens
Change-Id: Ib85479442ec68f9a67615c23e5c39bd217c9b109

Keystone's performance degrades as the `revocation_event` table grows
in size. This patch reduces the total number of events written to the
table by not persisting events when a domain or project is disabled.
The main reason for persisting a revocation event when a project or
domain is disabled is to make sure tokens associated to those targets
are considered invalid. Instead of relying on revocation events, we
can check if the project or domain is enabled when we validate the
token. We take the same approach when we validate a user's role
assignments instead of relying on an ever-growing database table.
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Closes-Bug: 1524030
Change-Id: I76330567e0df2d9f2af88ef9b6b98b8c379e7406

When creating a trust with an invalid role key (neither 'id' nor
'name'), Keystone should raise 400 BadRequest instead of
500 Internal Error.
This patch removes the redundant loops in
_normalize_role_list as well.
Change-Id: I62bd201c1dda7b573e2ee8b97322c1f25275892c
Closes-bug: #1734244

If the OS-TRUST:trust is not a dict when authenticating,
Keystone will raise a 500 error. This patch adds the
related schema check to avoid the error.
Change-Id: I575440fa507c5274e0c3bc09f4cfcb9b3d91a28c
Closes-bug: #1733754

The help message for unique_last_password_count doesn't explain the
count logic to users, so users may misunderstand it.
This patch updates the message to make it clearer.
Change-Id: I8ab1db5c07b199a3a0ef86a79e9895be48c0a1db
Closes-bug: #1727099

Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.
Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.
This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html.
Change-Id: I0efc7889825a7d5b93f51919b9cc5bc86a1d28e6

All users and groups are required to have a name. With this fix,
Keystone will ignore users and groups that have only white
spaces as the value for the LDAP attribute which Keystone has been
configured to use for that entity's name.
Change-Id: Id539e1b7e1cea8b05cd9bb753707e1fc98244d29
Closes-Bug: #1727726

The policies API should never be used. This marks it deprecated in
the API reference so that operators do not waste time looking at it.
It also logs a deprecation warning if the API is called.
Change-Id: I816997826e931a253777145e2c5f894e39182a8f

This change creates a new page describing the usage of project tags
as well as adds project tag information into existing project
refs. The added document highlights the properties of a project
tag, the new API calls created, filtering/searching uses, and examples
for each.
This change also creates a release note for the changes made
that add project tags.
Change-Id: Icff11da9412378ae59c6f392f98b05475c7c501d
Partially-Implements: bp project-tags

Before the identity API documentation lived in-tree, it lived in the
openstack/keystone-specs project. Before that it lived in its own
identity-api repository. A long time ago we merged a patch [0] to that
project to deprecate the project and domain APIs in the federation
path. That documentation has since been copied and migrated to the
keystone-specs repository and now keystone itself.
Even though we've deprecated those APIs in the documentation, we never
formally deprecated them in code using ``versionutils``. This commit
does that. Now a message will be logged any time that API is used
instead of GET /auth/domains or GET /auth/projects. This makes the
implementation of keystone consistent with documentation we merged
ages ago.
[0] If0c010119512d6a159ce82147a87c4698205a648
Change-Id: I88cb587c7cd69fef400b2eaf7dffda655355b710

This was merged without a link to the bug that it fixed. This should
be backported to stable/pike so that it's rendered properly in the
release notes.
Change-Id: I7230b48ba232f3f6807689f82efda4a010924d1c

We were using a one-liner to prune duplicate role references from a
list of roles, but it didn't work in all cases. This reworks the
logic to pass the existing test case. I also added a comment
explaining why the logic we used previously doesn't work so we can
hopefully avoid the pattern in the future.
Change-Id: Id786d6463364ad8f4f02c22bb83221baac4b83d0
Closes-Bug: 1701324

Due to MySQL (in some versions) not storing datetime resolution below
one second, keystone occasionally ends up with weird behavior such as
a new password not being valid. The password created_at and expires_at
columns now store both datetime (for rolling upgrades) and integers.
Keystone from Pike and beyond leans on the new created_at_int column
and expires_at_int column.
Change-Id: I2c219b4b9b353f1e2cce6088849a773196f0e443
Closes-Bug: #1702211

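
The two DateTimeInt commits above (the password one here and the trust one further up) describe the same failure mode: a DBMS that keeps whole seconds only makes two rows created within the same second indistinguishable. The following Python is an added illustration written for this page, not keystone's own code or its DateTimeInt type. It encodes a datetime as integer microseconds since the epoch, simulates a seconds-only DATETIME column with a constructed helper, and shows that picking the newest of two password rows is ambiguous on the truncated column but unambiguous on the integer column. The column names created_at and created_at_int come from the commit message; the row layout and the helper names are assumptions made for the example.

```python
import datetime

EPOCH = datetime.datetime(1970, 1, 1)


def datetime_to_int(dt):
    """Encode a naive UTC datetime as whole microseconds since the Unix epoch.

    Integers survive any DBMS unchanged, so ordering and round-trips are exact.
    """
    delta = dt - EPOCH
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def int_to_datetime(value):
    """Inverse of datetime_to_int; exact because timedelta keeps microseconds."""
    return EPOCH + datetime.timedelta(microseconds=value)


def store_as_dbms_datetime(dt):
    """Constructed stand-in for a DATETIME column that drops sub-second precision."""
    return dt.replace(microsecond=0)


def newest_password(rows, column):
    """Return the row with the strictly greatest value in `column`, or None on a tie.

    A tie is the dangerous case: the caller cannot tell which password is current.
    """
    ordered = sorted(rows, key=lambda r: r[column], reverse=True)
    if len(ordered) > 1 and ordered[0][column] == ordered[1][column]:
        return None
    return ordered[0]


def demo():
    """Two password rows written 400 microseconds apart (constructed sample data)."""
    first = datetime.datetime(2017, 11, 20, 12, 0, 0, 250_000)
    second = first + datetime.timedelta(microseconds=400)
    rows = []
    for label, created in (("old-hash", first), ("new-hash", second)):
        rows.append({
            "password_hash": label,                       # placeholder, not a real hash
            "created_at": store_as_dbms_datetime(created),  # what a seconds-only DBMS keeps
            "created_at_int": datetime_to_int(created),     # what the int column keeps
        })
    # Seconds-only column: both rows look identical, newest is undecidable.
    by_datetime = newest_password(rows, "created_at")
    # Integer column: ordering is preserved, the newer password is found.
    by_int = newest_password(rows, "created_at_int")
    return by_datetime, by_int


if __name__ == "__main__":
    ambiguous, exact = demo()
    print("seconds-only column picks:", ambiguous)
    print("integer column picks:", exact["password_hash"])
```

Run directly, the script prints None for the seconds-only column and new-hash for the integer column, which is the difference the migration to created_at_int and expires_at_int relies on.
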
This change has been implemented to avoid the need to backport
significantly impactful Foreign Key dropping backports.
Resource is highly relational data and it makes sense to allow the
use of FKs from other subsystems to project/domains.
Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f

Listing projects and domains for a user based on their role
assignments was noted as being really slow, especially when users
have a lot of assignments. This commit implements caching to mitigate
the issue while we continue to investigate ways to speed up the
assignment API.
Change-Id: I72e398c65f01aa4f9a37f817d184a13ed01089ce
Closes-Bug: 1700852