The self-service password API was left intentionally
unprotected in a change during the stable/ocata cycle:
I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
The default policy was not removed from the same config and as a
result it was migrated into code during the policy-in-code work.
This isn't necessary since it's not used to protect anything. Policy
should still be enforced on administrative password resets, but that
is done using the `update_user` API.
Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485

All users and groups are required to have a name. Prior to this fix,
Keystone was not properly enforcing this for LDAP users and groups.
Keystone will now ignore users and groups that do not have a value for
the LDAP attribute which Keystone has been configured to use for that
entity's name.
Closes-Bug: #1704205
Change-Id: I424813785b7a355514ef42f1e4c6384b8a78b256

When creating an IdP, if a domain was generated for it and a conflict
was raised while effectively creating the IdP in the database, the
auto-generated domain is now cleaned up.
Change-Id: I9b7c3c1fae32b9412f75323a75d9ebe4ad756729
Closes-Bug: #1688188

The default rule no longer applies with the move of policy into code
so this change removes it.
In previous releases, the default rule was used by operators
customizing policy and not wanting to specify every rule in their
policy.json. But with the move of policy into code, all checks that
the code is going to make are defined in code, so there should never
be an occasion for the default rule to be checked. Leaving it defined
would confuse operators since it can no longer be used the way it was
used before.
Change-Id: Idafe1c906f1eb188200eab7af3eae8eb86c8154a
Closes-Bug: #1703392

Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.
Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369

During a backport patch [0] for this fix
some problems were found in the previous
approach, like: it didn't re-enable
session.autocommit. Another comment was that we should
create a new session and commit on it instead of
disabling/enabling autocommit.
After this, we should backport this change in order
to fix the previous releases, instead of the other
one.
[0] https://review.openstack.org/#/c/469514
Change-Id: Ifc024ba0e86bb71f4ab8b019917782bc5bf3be7a
Closes-Bug: #1649616

As part of the docs migration work [0] for Pike we need to switch to
the openstackdocstheme.
[0] https://review.openstack.org/#/c/472275/
Change-Id: I31543b78a1b2d2df685e295d4d011c5e6e4a165b

This change catches the invalid credentials exception
when binding with LDAP and responds with a more clear error
message of "Invalid username or password" instead of just
supplying the default 500 error message.
Change-Id: I523dd816333ad76cde8f18ae0fa43040a4478524
Closes-Bug: #1684994

Now that all GET APIs have a corresponding HEAD API, we can add a
formal statement about support and a release note.
Change-Id: Ia5569311f91d87b40d064595ce2c8d69461fbab7
Closes-Bug: 1696574

This patch addresses a bug that allows rolling upgrades to be run
out of order and without first checking if the previous command
has been run to a higher version beforehand.
Change-Id: I55fa4f600d89f3a2fb14868f6886b52fd1ef6c6b
Closes-Bug: 1615014

The `--check` subcommand is supposed to provide useful information
and status codes depending on the state of the keystone database.
Operators and automation use this information to determine what their
next step is in a rolling upgrade. The current logic is broken
because it doesn't account for new installations that might be
relying on this information.
This change breaks that case into multiple try/except statements and
handles each appropriately so that the status code and logging
information is accurate for operators and automation using this
information for upgrading a new keystone database.
Change-Id: I331fa663a99f79ea9a79a75e4ae07c45278556bf
Closes-Bug: 1698900

Support bcrypt, pbkdf2_sha512, or scrypt in password hashing for
passwords managed within keystone. sha512_crypt is insufficient to
hash passwords in a secure way for storage in the DB. Keystone defaults
now to using bcrypt but can handle scrypt and pbkdf2_sha512 with a number
of tuning options if desired.
Closes-bug: #1543048
Closes-bug: #1668503
Change-Id: Id05026720839d94de26d0e44631deb34bcc0e610

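The commit above replaces sha512_crypt with a configurable, tunable password hasher. The following is an added illustration of what such a scheme has to provide (per-user random salt, a self-describing hash string that records the scheme and its cost parameters, constant-time verification, and a "needs rehash" check so stored hashes can be migrated when the preferred scheme or cost changes). It is not keystone's code: keystone's implementation is built on passlib, while this example uses only the Python standard library (`hashlib.pbkdf2_hmac` and `hashlib.scrypt`), so bcrypt is not covered here, and the parameter values, function names and the `$scheme$params$salt$digest` string format are constructed for this example.

```python
import hashlib
import hmac
import os

# Cost parameters. These values are constructed for the example; they are not
# keystone's option names or defaults. Raising them later is safe because
# needs_rehash() will flag hashes made with the older, weaker settings.
PBKDF2_ROUNDS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 64  # derived key length in bytes for both schemes


def hash_password(password, scheme="scrypt", salt=None):
    """Hash a password and return a self-describing string:
    '$<scheme>$<params>$<salt hex>$<digest hex>'.

    A fresh random salt is generated unless one is passed (tests only)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    pw = password.encode("utf-8")
    if scheme == "pbkdf2_sha512":
        digest = hashlib.pbkdf2_hmac("sha512", pw, salt, PBKDF2_ROUNDS, dklen=DKLEN)
        params = str(PBKDF2_ROUNDS)
    elif scheme == "scrypt":
        digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                                p=SCRYPT_P, dklen=DKLEN)
        params = "%d,%d,%d" % (SCRYPT_N, SCRYPT_R, SCRYPT_P)
    else:
        raise ValueError("unsupported hashing scheme: %r" % scheme)
    return "$%s$%s$%s$%s" % (scheme, params, salt.hex(), digest.hex())


def _parse(stored):
    """Split a stored hash into (scheme, params, salt, digest)."""
    _, scheme, params, salt_hex, digest_hex = stored.split("$")
    return scheme, params, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password, stored):
    """Recompute the hash with the parameters recorded in `stored` and compare
    in constant time. Unknown schemes verify as False rather than raising."""
    try:
        scheme, params, salt, digest = _parse(stored)
    except ValueError:
        return False
    pw = password.encode("utf-8")
    if scheme == "pbkdf2_sha512":
        candidate = hashlib.pbkdf2_hmac("sha512", pw, salt, int(params), dklen=DKLEN)
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        candidate = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    else:
        return False
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored, preferred_scheme="scrypt"):
    """True if `stored` uses a scheme other than the preferred one, or the
    preferred scheme with any cost parameter below the current setting.
    Call this after a successful verify_password() and re-hash the plaintext
    while it is still available, so old hashes migrate on next login."""
    scheme, params, _, _ = _parse(stored)
    if scheme != preferred_scheme:
        return True
    if scheme == "pbkdf2_sha512":
        return int(params) < PBKDF2_ROUNDS
    n, r, p = (int(x) for x in params.split(","))
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed walk-through: an old pbkdf2 hash is still verifiable but is
    # flagged for migration to the preferred scrypt scheme.
    old = hash_password("correct horse battery staple", scheme="pbkdf2_sha512")
    assert verify_password("correct horse battery staple", old)
    print("old hash verifies; needs rehash:", needs_rehash(old))
    new = hash_password("correct horse battery staple")
    print("new hash verifies:", verify_password("correct horse battery staple", new),
          "needs rehash:", needs_rehash(new))
```

The important design points mirror what the commit message asks for: the cost parameters live in the stored string, not only in configuration, so verification keeps working after the defaults are raised, and `needs_rehash` gives the login path a cheap way to upgrade legacy hashes without a bulk migration that would require the plaintext passwords.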
Direct import of drivers was deprecated in the Liberty release and
planned for removal during Newton.
In other words, identity drivers must be imported from the
`keystone.identity` namespace, assignment drivers from the
`keystone.assignment` namespace, etc.
Also this catches a more specific exception from stevedore
rather than just RuntimeError.
blueprint removed-as-of-pike
Change-Id: If5e581b249700d8e4683ecfab15ba86da85f1052

This patch addresses a few minor comments from review [1].
[1]: https://review.openstack.org/#/c/435757/
Implements blueprint policy-in-code
Change-Id: Ia826d97eaf5d38353254c21999f5acf8f1e35ad8

The libssl-dev package was registered in bindep.txt for both
dpkg and rpm platforms. This patch makes it use:
* libssl-dev [platform:dpkg]
* openssl-devel [platform:rpm]
Change-Id: I4a0982bf2052e193ba48c98f1b38ae569fa41be8
Closes-Bug: 1676497

This is the only release note in that directory.
Additionally revise it to follow our best practices.
Change-Id: Ia7fa933cddc4ad9e670640827fe5cf5e35add578

Fixed an issue where keystone error messages from the identity API
were not being translated when a locale was set.
Change-Id: Idc73e86647f2adce9e39387b0c3124431dcac255
Closes-Bug: #1674415

This patch addresses a bug and adds group_members_are_ids to the
whitelist to allow for use in `keystone-manage domain_config_upload`
Change-Id: Ifa8d0d723e90be16888859bfa2b0804a0b183877
Closes-Bug: 1670382

Was deprecated in favor of keystone.identity.backends.ldap.common
Change-Id: I73dddd539b41d089ed48546ff1fb114d5ebbbed2
Implements: bp removed-as-of-pike

Our token model code will return a default of True for
is_admin_project if that attribute is not defined. The
comment next to this says this is for backwards
compatibility, but this seems inherently dangerous.
Closes-Bug: #1652012
Change-Id: I035fe570972764b9c9342d1851654634d681ac5e

The above was deprecated in Ocata in favor of the user option
ignore password expiry.
Implements: bp removed-as-of-pike
Change-Id: Ib69418c797595ec62ee3f2162fbf141c8bd47813