344 Commits

Author SHA1 Message Date
OpenStack Proposal Bot
75acc806f2 Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: Ib63e1d53ef3895e051d9c3cd3dd5b86cb98fe346
2017-08-07 07:37:31 +00:00
Lance Bragstad
77bf1ad0b8 Remove policy for self-service password changes
The self-service password API was left intentionally
unprotected in a change during the stable/ocata cycle:

  I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1

The default policy was not removed from the same config and as a
result it was migrated into code during the policy-in-code work.
This isn't necessary since it's not used to protect anything. Policy
should still be enforced on administrative password resets, but that
is done using the `update_user` API.

Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485
2017-08-04 13:56:59 +00:00
Jenkins
41fd4ca376 Merge "Imported Translations from Zanata" 2017-08-03 00:24:04 +00:00
Jenkins
0d554db265 Merge "Handle auto-generated domains when creating IdPs" 2017-08-03 00:19:19 +00:00
Jenkins
68f1043ce2 Merge "Filter users and groups in ldap" 2017-08-02 16:20:57 +00:00
OpenStack Proposal Bot
8914ef1650 Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: I94376c1a3df51a305a521e1bdfe9567dfdf96fc5
2017-08-02 07:49:09 +00:00
prashkre
bb2b215b53 Filter users and groups in ldap
All users and groups are required to have a name. Prior to this fix,
Keystone was not properly enforcing this for LDAP users and groups.
Keystone will now ignore users and groups that do not have a value for
the LDAP attribute which Keystone has been configured to use for that
entity's name.

Closes-Bug: #1704205

Change-Id: I424813785b7a355514ef42f1e4c6384b8a78b256
2017-08-01 01:18:40 +05:30
yangweiwei
6e60948c20 Handle auto-generated domains when creating IdPs
When creating an IdP, if a domain was generated for it and a conflict
was raised while effectively creating the IdP in the database, the
auto-generated domain is now cleaned up.

Change-Id: I9b7c3c1fae32b9412f75323a75d9ebe4ad756729
Closes-Bug: #1688188
2017-07-27 20:20:00 +00:00
Jenkins
847997aa02 Merge "remove default rule" 2017-07-22 01:34:14 +00:00
Lance Bragstad
5303ef6e88 Add a release note for bug 1687593
A fix was merged for bug 1687593 but we forgot to add a release note.

Change-Id: Ib8571d155ca526b0b4fb536ceff7c3b5752281c6
2017-07-13 22:43:44 +00:00
Jenkins
367360d583 Merge "Validate rolling upgrade is run in order" 2017-07-12 20:15:27 +00:00
Matthew Edmonds
fbec857384 remove default rule
The default rule no longer applies with the move of policy into code
so this change removes it.

In previous releases, the default rule was used by operators
customizing policy and not wanting to specify every rule in their
policy.json. But with the move of policy into code, all checks that
the code is going to make are defined in code, so there should never
be an occasion for the default rule to be checked. Leaving it defined
would confuse operators since it can no longer be used the way it was
used before.

Change-Id: Idafe1c906f1eb188200eab7af3eae8eb86c8154a
Closes-Bug: #1703392
2017-07-12 14:26:51 -04:00
Jenkins
9b3d99ea24 Merge "fix identity:get_identity_providers typo" 2017-07-12 05:56:00 +00:00
Matthew Edmonds
b7119637a0 fix identity:get_identity_providers typo
Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.

Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
2017-07-11 17:51:57 -04:00
Jenkins
77642b088c Merge "Fixing flushing tokens workflow" 2017-07-11 06:19:41 +00:00
Raildo Mascena
0b5c5c03ec Fixing flushing tokens workflow
During a backport patch [0] for this fix,
some problems were found in the previous
approach, like it didn't enable back the
session.autocommit. Another comment was that we should
create a new session and commit on it instead of
disabling/enabling autocommit.

After this, we should backport this change in order
to fix the previous releases, instead of the other
one.

[0] https://review.openstack.org/#/c/469514

Change-Id: Ifc024ba0e86bb71f4ab8b019917782bc5bf3be7a
Closes-Bug: #1649616
2017-07-10 17:10:38 -03:00
Jenkins
3088420ece Merge "Switch from oslosphinx to openstackdocstheme" 2017-07-07 17:46:54 +00:00
Jenkins
25c54f999f Merge "Clarify LDAP invalid credentials exception" 2017-07-03 18:04:21 +00:00
Van Hung Pham
6e631db558 Switch from oslosphinx to openstackdocstheme
As part of the docs migration work[0] for Pike we need to switch to use
the openstackdocstheme.

[0] https://review.openstack.org/#/c/472275/

Change-Id: I31543b78a1b2d2df685e295d4d011c5e6e4a165b
2017-06-30 14:07:10 +07:00
Gage Hugo
91f3a2044b Clarify LDAP invalid credentials exception
This change catches the invalid credentials exception
when binding with LDAP and responds with a more clear error
message of "Invalid username or password" instead of just
supplying the default 500 error message.

Change-Id: I523dd816333ad76cde8f18ae0fa43040a4478524
Closes-Bug: #1684994
2017-06-29 16:17:06 -05:00
Jenkins
e4c0c8deef Merge "Improve handling of database migration checks" 2017-06-28 04:14:04 +00:00
Lance Bragstad
eb274afdb4 Document and add release note for HEAD APIs
Now that all GET APIs have a corresponding HEAD API, we can add a
formal statement about support and a release note.

Change-Id: Ia5569311f91d87b40d064595ce2c8d69461fbab7
Closes-Bug: 1696574
2017-06-27 21:15:44 +00:00
Richard Avelar
6bab551cd8 Validate rolling upgrade is run in order
This patch addresses a bug that allows rolling upgrades to be run
out of order and without first checking if the previous command
has been run to a higher version beforehand.

Change-Id: I55fa4f600d89f3a2fb14868f6886b52fd1ef6c6b
Closes-Bug: 1615014
2017-06-27 20:54:04 +00:00
Lance Bragstad
2a2f8535e2 Improve handling of database migration checks
The `--check` subcommand is supposed to provide useful information
and status codes depending on the state of the keystone database.
Operators and automation use this information to determine what their
next step is in a rolling upgrade. The current logic is broken
because it doesn't account for new installations that might be
relying on this information.

This change breaks that case into multiple try/except statements and
handles each appropriately so that the status code and logging
information is accurate for operators and automation using this
information for upgrading a new keystone database.

Change-Id: I331fa663a99f79ea9a79a75e4ae07c45278556bf
Closes-Bug: 1698900
2017-06-19 21:41:26 +00:00
Jenkins
011f4bd517 Merge "Remove loading drivers outside of their expected namespaces" 2017-06-06 00:20:13 +00:00
Morgan Fainberg
8ad765e023 Support new hashing algorithms for securely storing password hashes
Support bcrypt, pbkdf2_sha512, or scrypt in password hashing for
passwords managed within keystone. sha512_crypt is insufficient to
hash passwords in a secure way for storage in the DB. Keystone defaults
now to using bcrypt but can handle scrypt and pbkdf2_sha512 with a number
of tuning options if desired.

Closes-bug: #1543048
Closes-bug: #1668503
Change-Id: Id05026720839d94de26d0e44631deb34bcc0e610
2017-05-18 20:03:25 -05:00
Kristi Nikolla
711855cd9e Remove loading drivers outside of their expected namespaces
Direct import of drivers was deprecated in the Liberty release and
planned for removal during Newton.

In other words, identity drivers must be imported from the
`keystone.identity` namespace, assignment drivers from the
`keystone.assignment` namespace, etc.

Also this catches a more specific exception from stevedore
rather than just RuntimeError.

blueprint removed-as-of-pike

Change-Id: If5e581b249700d8e4683ecfab15ba86da85f1052
2017-05-18 18:08:26 +00:00
OpenStack Proposal Bot
f4941319ff Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: Id6f8467c7470dca0e7d3413d4733298cad20639a
2017-04-11 07:33:00 +00:00
Jenkins
69d03670d1 Merge "Address comments from Policy in Code 5" 2017-04-10 20:56:35 +00:00
XieYingYun
6831aa5be7 Add Apache License Content in index.rst
Add Apache License 2.0 Content which is necessary
for ./releasenotes/source/index.rst.

Change-Id: I158aaf00936ec6010778cef281aca436de41de44
2017-04-10 19:30:43 +08:00
Richard Avelar
08feb508a8 Address comments from Policy in Code 5
This patch addresses a few minor comments from review [1].

[1]: https://review.openstack.org/#/c/435757/
Implements blueprint policy-in-code

Change-Id: Ia826d97eaf5d38353254c21999f5acf8f1e35ad8
2017-04-10 04:09:17 +00:00
Jenkins
5d70b1b50d Merge "Differentiate between dpkg and rpm for libssl-dev" 2017-04-03 07:25:21 +00:00
Jenkins
df99a45276 Merge "Removed the deprecated pki_setup command" 2017-03-31 19:34:48 +00:00
Kristi Nikolla
34168ef38b Differentiate between dpkg and rpm for libssl-dev
The libssl-dev package was registered in bindep.txt for both
dpkg and rpm platforms. This patch makes it use:
* libssl-dev [platform:dpkg]
* openssl-devel [platform:rpm]

Change-Id: I4a0982bf2052e193ba48c98f1b38ae569fa41be8
Closes-Bug: 1676497
2017-03-31 11:27:25 -04:00
Jenkins
6d77eefaac Merge "Add group_members_are_ids to whitelisted options" 2017-03-30 05:50:30 +00:00
David Stanek
928d23db02 Removed the deprecated pki_setup command
bp removed-as-of-pike

Change-Id: Ib39d21ed547e3be7a3a2c333a7193f990043a80b
2017-03-29 00:15:09 +00:00
Jenkins
30faacc5d0 Merge "Move release note from /keystone/releasenotes to /releasenotes" 2017-03-28 14:46:09 +00:00
Kristi Nikolla
9034755743 Move release note from /keystone/releasenotes to /releasenotes
This is the only release note in that directory.
Additionally revise it to follow our best practices.

Change-Id: Ia7fa933cddc4ad9e670640827fe5cf5e35add578
2017-03-24 16:41:36 -04:00
prashkre
2126bd5765 Error messages are not translating with locale.
Fixed issue with translation of keystone error messages which
was not happening in case of any error messages from identity API
with locale being set.

Change-Id: Idc73e86647f2adce9e39387b0c3124431dcac255
Closes-Bug: #1674415
2017-03-24 20:08:17 +00:00
Ubuntu
53a47b779e Add group_members_are_ids to whitelisted options
This patch addresses a bug and adds group_members_are_ids to the
whitelist to allow for use in `keystone-manage domain_config_upload`

Change-Id: Ifa8d0d723e90be16888859bfa2b0804a0b183877
Closes-Bug: 1670382
2017-03-20 12:09:26 +00:00
Kristi Nikolla
cd642d2d4e Remove keystone.common.ldap
Was deprecated in favor of keystone.identity.backends.ldap.common

Change-Id: I73dddd539b41d089ed48546ff1fb114d5ebbbed2
Implements: bp removed-as-of-pike
2017-03-10 11:47:14 -05:00
Jenkins
eed29f236e Merge "Change is_admin_project to False by default" 2017-03-09 18:19:17 +00:00
Jenkins
1ec73f3b97 Merge "Revise conf param in releasenotes" 2017-03-07 05:20:38 +00:00
OpenStack Proposal Bot
99b107909b Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: I5582e4d57844a8ba0395425573342b8df2e3b577
2017-03-05 07:28:30 +00:00
Jenkins
0d2997d9b9 Merge "Remove password_expires_ignore_user_ids" 2017-03-03 23:05:19 +00:00
Jenkins
624d94648c Merge "Give a prospective removal date for all v2 APIs" 2017-03-03 23:01:44 +00:00
Gage Hugo
dc449dfd63 Change is_admin_project to False by default
Our token model code will return a default of True for
is_admin_project if that attribute is not defined. The
comment next to this says this is for backwards
compatibility, but this seems inherently dangerous.

Closes-Bug: #1652012

Change-Id: I035fe570972764b9c9342d1851654634d681ac5e
2017-03-03 14:51:23 -06:00
Kristi Nikolla
88cc5cff87 Remove password_expires_ignore_user_ids
The above was deprecated in Ocata in favor of the user option
ignore password expiry.

Implements: bp removed-as-of-pike

Change-Id: Ib69418c797595ec62ee3f2162fbf141c8bd47813
2017-03-03 11:02:29 -05:00
jolie
d339e97bb5 Revise conf param in releasenotes
Change-Id: Idd0dfc7e15f86651b8771610fdcdbdb07849bb6e
2017-03-03 09:58:02 +08:00
Jenkins
900349583c Merge "Fix some typo in releasenotes" 2017-03-02 16:38:13 +00:00