EndpointFilterCatalog was deprecated in Ocata in favor of
sql.Catalog.
Implements: bp removed-as-of-pike
Change-Id: I7f3eea85d4d8668e9e421b06a65086a736211106
All the v2 APIs are marked as deprecated, but the v2_auth and v2_ec2
did not have proposed removal dates. In keeping with the general
standards, the earliest we can do this is Pike + 4, although we
specify this as Mitaka + 7 so as not to change the actual release
version we first marked these as deprecated.
Change-Id: I1d8c5e43ff7c8e4256639324db47a64635e217df
Implements: bp removed-as-of-pike
Deprecate UUID token provider. With fernet tokens being made the
default, the UUID tokens are much like PKI tokens, an aging relic
of Keystone-Times-Past. Keystone is consolidating token issuance
and validation to the most effective form.
This also deprecates the following:
* token-bind capabilities, as that is a feature that was at best
partially implemented in UUID and PKI tokens, with explicit
non-support in Fernet.
* token-persistence driver and explicit token persistence code.
Change-Id: I724169a49ce12d8dd514471c34ac2b752eb98c8a
bp: deprecated-as-of-pike
Basically, the commit removes the file encoding. Since jenkins is fine
with it, that means it was really unnecessary and the change makes sense.
Change-Id: I0d97104b173b00a383955b5ad5b597e4c6a19780
This patch adds a new command to the db_sync upgrade commands. --check
will check the current state of the user's upgrade repos and relay info
back to the user based on what version each command is currently at and
if the user has any outstanding db_sync commands left to run. It will
also notify the user if the db_sync commands were not upgraded in order.
Closes-Bug: 1642212
Change-Id: I79d3640a780d624f14059fe311fafa0542c03357
Officially deprecate the admin_token_auth in the paste-ini. The
functionality has been merged into auth_context_middleware. This allows
for a smoother removal of the admin-token functionality down the line.
The AdminTokenAuthMiddleware now does nothing if in the pipeline
except emitting a log.error.
This also removes the ADMIN token from the paste-pipeline itself.
implements bp: removed-as-of-pike
Co-authored-by: Morgan Fainberg <morgan.fainberg@gmail.com>
Change-Id: I57586ccfa0ad1309cc806d95377dc1ecad015914
KVS Code (core) and items depending on it were deprecated in Newton and
slated for removal in Pike.
implements bp removed-as-of-pike
Closes-Bug: 1077282
Change-Id: I6ed4e3688f2a63b0fc439527957bc027db8d5d66
The openstack.org pages now support https and our references to
the site should by default be ones signed by the organization.
Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
Deprecate [security_compliance]\password_expires_ignore_user_ids in
favor of using the new user-option 'ignore_password_expiry'.
This allows setting the value for ignoring password expiration on
individual users without needing to restart keystone for each change
to the list.
Partial-Bug: 1659995
Change-Id: Ib4b422ab07f91c312f3268ade926db1638052587
"PCI-DSS 8.2.6 Set passwords/passphrases for first-time use and
upon reset to a unique value for each user, and change immediately after
the first use" [1].
I'll update the docs in a subsequent patch.
[1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
Closes-Bug: #1645487
Change-Id: I5575dbd6d63d41014a7468acd6bdf0175d791618
We had a single deprecation warning for KVS functionality being
removed in Pike, located at keystone/common/kvs/core.py [1]
This change adds deprecation warnings to the various config
options and backends that used core.py.
[1] https://github.com/openstack/keystone/blob/master/keystone/common/kvs/core.py#L98-L101
Related-Bug: 1077282
bp deprecated-as-of-ocata
Change-Id: Ia63f0ac8543cf1e938baa712e21f08f582dc26ed
This patch updates the domain for federated users to be the domain of
the Identity Provider (IdP).
Closes-Bug: #1642687
Partially-Implements: bp support-federated-attr
Depends-On: If8c8ad39c4c55a2d800bf4432411db59799e84e6
Change-Id: Iccfad6f39dc339ca054bedf3c6882c3701dcf0ec
New query added for determining when passwords will expire.
The following are the new queries:
/v3/groups/{group_id}/users?password_expires_at={operator}:{timestamp}
- Lists users belonging to a group whose password will expire based
on the operator given.
/v3/users?password_expires_at={operator}:{timestamp}
- Lists users whose password will expire based on the operator given.
{timestamp} is a datetime in the format "YYYY-MM-DDTHH:mm:ssZ".
{operator} is one of lt, lte, gt, gte, eq, and neq to filter in.
If no operator is given, it is treated as eq.
Examples:
- GET /v3/users?password_expires_at=lt:2016-11-06T15:32:17Z
- GET /v3/groups/079c578fd99b428ab61fcd4c9bd88ecd/users?password_expires_at=gt:2016-12-08T22:02:00Z
Partially-Implements: bp pci-dss-query-password-expired-users
Change-Id: If0b9cc3c8af92b2ea5d41a0e8afeb78e12b7689c
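As an added illustration of the filter grammar just described (not code from the Keystone change itself), the following parses a `password_expires_at` value, applies the operator to constructed user records and returns the matching IDs; the record layout and IDs are assumptions, and users with no expiry never match.

```python
import operator
from datetime import datetime, timezone

# Operators the password_expires_at filter accepts, mapped to comparisons.
OPERATORS = {
    "lt": operator.lt, "lte": operator.le,
    "gt": operator.gt, "gte": operator.ge,
    "eq": operator.eq, "neq": operator.ne,
}
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # "YYYY-MM-DDTHH:mm:ssZ"


def parse_filter(value):
    """Split '{operator}:{timestamp}' into (comparison function, datetime).

    A bare timestamp (no operator) is treated as 'eq', as the API does.
    Malformed input raises ValueError so a caller can answer 400 instead
    of silently matching nothing.
    """
    op_name, sep, stamp = value.partition(":")
    if not sep or op_name not in OPERATORS:
        # No ':' at all, or the text before the first ':' is part of the
        # timestamp itself (e.g. '2016-11-06T15:32:17Z'): no operator given.
        op_name, stamp = "eq", value
    when = datetime.strptime(stamp, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    return OPERATORS[op_name], when


def filter_users(users, value):
    """Return IDs of users whose password_expires_at satisfies the filter.

    Users with no expiry (None) never match: there is no instant to compare.
    """
    compare, when = parse_filter(value)
    return [u["id"] for u in users
            if u["password_expires_at"] is not None
            and compare(u["password_expires_at"], when)]


# Constructed sample records (IDs and dates are made up).
SAMPLE_USERS = [
    {"id": "u-alice", "password_expires_at": datetime(2016, 11, 1, tzinfo=timezone.utc)},
    {"id": "u-bob", "password_expires_at": datetime(2016, 12, 15, tzinfo=timezone.utc)},
    {"id": "u-svc", "password_expires_at": None},   # never expires
]

if __name__ == "__main__":
    print(filter_users(SAMPLE_USERS, "lt:2016-11-06T15:32:17Z"))   # ['u-alice']
```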
This patch adds filters to list_user that enable the user to query for
unique_id, idp_id, protocol_id, or a mix of these to get back the
corresponding users of the federated attributes.
Partially-Implements: bp support-federated-attr
Change-Id: Iea5681791e521e9b8d96137fe30c388c10a02b30
Removed LDAP write support and removed the configuration options
*_allow_create, use_dumb_member, dumb_member, allow_subtree_delete.
Also removed the driver logic related to dumb_members, tree deletion
and their respective tests.
Write functionality is still present because our tests depend on it,
but it's hidden behind a toggle which the tests set to enable it.
Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Co-Authored-By: Steve Martinelli <s.martinelli@gmail.com>
Implements: bp removed-as-of-ocata
Change-Id: I13eada3d5c3a166223c3e3ce70b7054eaed1003a
Currently, if a user's password expires, they must contact an
administrator in order to have their password reset for them.
This change allows a user to perform the change_password call
without a token, which will allow a user with an expired password
to change it if they are using PCI-DSS related features. This
removes the issue of needing an administrator to reset any
user's password that has expired.
Also updated the api-ref with the related changes.
Change-Id: I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
Closes-Bug: #1641645
Provide a way to provision projects and assignments when a federated
user authenticates for the first time for an unscoped token.
implements bp shadow-mapping
Change-Id: I6029dac8294e8cfc4bf622ac71b5e731956389db
Force the keystone.auth.controllers.Auth.authenticate method to
require the use of an AuthContext object instead of something
duck-typed (dictionary). This is done to ensure the security and
integrity of IDENTITY_KEYS are covered and values are not changed
by a plugin due to the security built into AuthContext being
circumvented since it was not used. This is not pythonic; this
is being done for hardening purposes.
Change-Id: I013846af59587d17b15ca4cf546e6372231f576e
Closes-Bug: #1656076
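To show why the type requirement above matters, here is an added, constructed sketch (not Keystone's own code) of a dict subclass that refuses to let a later plugin overwrite an identity key, and an `authenticate` that rejects a plain dict; the key set, plugin names and `run_*` helpers are assumptions made for the illustration.

```python
class AuthContext(dict):
    """Dict whose identity keys, once set, cannot be changed to another value.

    Constructed illustration of the safeguard referred to above; the key set
    is an assumption, not Keystone's exact list. dict.update() and the
    constructor bypass __setitem__, so set keys one at a time.
    """
    IDENTITY_KEYS = frozenset(["user_id", "project_id", "domain_id", "expires_at"])

    def __setitem__(self, key, value):
        if key in self.IDENTITY_KEYS and key in self and self[key] != value:
            raise ValueError("identity key %r already %r; refusing %r"
                             % (key, self[key], value))
        super().__setitem__(key, value)


def authenticate(auth_context, plugins):
    """Run each plugin against a real AuthContext; refuse duck-typed dicts."""
    if not isinstance(auth_context, AuthContext):
        raise TypeError("auth_context must be an AuthContext, not %s"
                        % type(auth_context).__name__)
    for plugin in plugins:
        plugin(auth_context)
    return auth_context


# Constructed plugins: the first establishes identity, the second misbehaves
# and tries to swap the authenticated user for a different one.
def password_plugin(ctx):
    ctx["user_id"] = "user-a"
    ctx["method_names"] = ["password"]

def rogue_plugin(ctx):
    ctx["user_id"] = "user-b"     # silently succeeds on a plain dict


def run_hardened(container):
    """Post-hardening path: returns (user_id, error_name) after both plugins."""
    try:
        authenticate(container, [password_plugin, rogue_plugin])
        return container.get("user_id"), None
    except (TypeError, ValueError) as exc:
        return container.get("user_id"), type(exc).__name__


def run_unchecked(container):
    """Pre-hardening path: no type check, plugins run on whatever was passed."""
    for plugin in (password_plugin, rogue_plugin):
        plugin(container)
    return container["user_id"]
```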
The bug was caused by a foreign key in the federated_user table. This
key prevents a protocol from being deleted after a successful
authentication has happened (so the creation of a federated user
via shadowing). We take advantage of the same foreign key by adding the
cascade delete behavior to it.
Closes-Bug: 1642692
Change-Id: I3b3e265d20f0cfe0ee10c6a274d9bdf4e840b742
If no username and password are specified in the keystone ldap
configuration, it may still be possible to bind to an LDAP server
anonymously if the LDAP server is configured to allow it. Currently,
upon creating a connection object, keystone only attempts to bind to
the LDAP server if a username and password have been provided to it.
This would rarely be an issue because pyldap attempts a reconnect upon
executing any ldap command, if necessary, and hence the anonymous bind
just happens later. It is a problem now because logic was added [1] to
check if the server errored during that initial connection, and for it
to work correctly the initial connection needs to happen in a
predictable place. This patch adds an anonymous bind to the
get_connection method so that no matter the credential configuration
the initial connection is consistent.
This required adding mocks to many of the LDAP backend tests since
every LDAP interaction now attempts a simple_bind_s() regardless of
whether credentials are configured in keystone.
[1] https://review.openstack.org/#/c/390948
Closes-bug: #1649138
Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b
Presently the Identity LDAP driver does not set a connection timeout
option which has the disadvantage of causing the Identity LDAP backend
handler to stall indefinitely (or until TCP timeout) on LDAP bind, if
a) the LDAP URL is incorrect, or b) there is a connection failure/link
loss.
This commit adds a new option to set the LDAP connection timeout, which
sets a new OPT_NETWORK_TIMEOUT option on the LDAP object. This will
raise ldap.SERVER_DOWN exceptions on timeout.
Signed-off-by: Kam Nasim <kam.nasim@windriver.com>
Closes-Bug: #1636950
Change-Id: I574e6368169ad60bef2cc990d2d410a638d1b770
There are several classes that inherit from the abstract method
AuthMethodHandler.authenticate. In some cases those classes are
not using matching parameter names.
This patch changes all classes such that the signatures match.
Prior to this there were four different signatures:
authenticate(self, context, auth_payload, auth_context)
authenticate(self, request, auth_info, auth_context)
authenticate(self, request, auth_payload, auth_context)
authenticate(self, request, auth_payload, user_context)
The new common signature will be:
authenticate(self, request, auth_payload, auth_context)
Change-Id: I2846af0528dbb638436fdd0731d99c6a627608d7
Currently any user can list revocation events; this data contains
IDs for users and projects. It should not be made available to
any user that is able to authenticate; it should be an admin-only
API call.
Change-Id: I4290163c67c84ef0e1a2f6ee967ddf2acb2c3212
Closes-Bug: 1649446
An Identity Provider (IdP) should be mapped to a domain. This patch
updates the documentation and creates a release note recommending the
domain_id parameter.
Depends-On: Id18b8b2fe853b97631bc990df8188ed64a6e1275
Partial-Bug: #1642687
Change-Id: I1cb749371175169662dbb5fa8feafe403fb1c39b
We deprecated this functionality during the Mitaka release and staged
it for removal in Ocata. Let's remove it!
A note for reviewers. Some of the logic for allowing projects to
update their domain_id was implemented in the resource Manager().
As a result, there were several tests that tested the manager
directly. Now that we're removing the logic for allowing
``domain_id`` to be updated, we can rely solely on the
``_require_matching_domain_id()`` method in the
keystone.common.controller module. This short-circuit check will
return a 4XX response code for all requests attempting to update the
``domain_id`` of an entity. Since this is all completely isolated
in the controller layer, we can remove the logic from the resource
Manager specifically as well as the tests. This change looks like
we're removing a bunch of tests from
keystone.tests.unit.resource.test_backends but we're actually just
relying on more basic tests in test_v3_resource.
Change-Id: Iad0eba66e7ddc9497205af60671451a385d0de58
Closes-Bug: 1653472