344 Commits

Author SHA1 Message Date
Jenkins
1263feac62 Merge "Remove EndpointFilterCatalog" 2017-03-02 14:51:38 +00:00
Kristi Nikolla
d35f36916e Remove EndpointFilterCatalog
EndpointFilterCatalog was deprecated in Ocata in favor of
sql.Catalog.

Implements: bp removed-as-of-pike

Change-Id: I7f3eea85d4d8668e9e421b06a65086a736211106
2017-02-27 11:21:50 -05:00
Henry Nash
b87cdc28df Give a prospective removal date for all v2 APIs
All the v2 APIs are marked as deprecated, but the v2_auth and v2_ec2
did not have proposed removal dates. In keeping with the general
standards, the earliest we can do this is Pike + 4, although we
specify this as Mitaka + 7 so as not to change the actual release
version we first marked these as deprecated.

Change-Id: I1d8c5e43ff7c8e4256639324db47a64635e217df
Implements: bp removed-as-of-pike
2017-02-27 15:27:58 +00:00
jolie
6168e3afc1 Fix some typo in releasenotes
Change-Id: Ief47447ff7213d6813fd8a09a5d630972df23fef
2017-02-27 10:14:14 +08:00
OpenStack Proposal Bot
f73a2924f8 Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: I5035ae71ff1aece35164f29c7cf1af1729282074
2017-02-25 06:59:01 +00:00
Jenkins
d4b4094dc7 Merge "Deprecate (and slate for removal) UUID tokens" 2017-02-24 16:42:05 +00:00
2ff8c79629 Update reno for stable/ocata
Change-Id: I83168c90eb68935d3a8b983bd94601e91cfbaa74
2017-02-23 14:27:54 +00:00
Jenkins
feb344bfe3 Merge "Remove the file encoding which is unnecessary" 2017-02-16 10:51:00 +00:00
Morgan Fainberg
5896d841df Deprecate (and slate for removal) UUID tokens
Deprecate UUID token provider. With fernet tokens being made the
default, the UUID tokens are much like PKI tokens, an aging relic
of Keystone-Times-Past. Keystone is consolidating token issuance
and validation to the most effective form.

This also deprecates the following:

* token-bind capabilities, as that is a feature that was at best
  partially implemented in UUID and PKI tokens, with explicit
  non-support in Fernet.

* token-persistence driver and explicit token persistence code.

Change-Id: I724169a49ce12d8dd514471c34ac2b752eb98c8a
bp: deprecated-as-of-pike
2017-02-11 06:01:27 +00:00
yuhui_inspur
84789755aa Remove the file encoding which is unnecessary
Basically, the commit removes the file encoding - since Jenkins is fine
with it, that means it was really unnecessary and the change makes sense.

Change-Id: I0d97104b173b00a383955b5ad5b597e4c6a19780
2017-02-11 01:16:26 +00:00
Jenkins
2d501b267c Merge "Deprecate (and emit message) AdminTokenAuthMiddleware" 2017-02-10 18:33:50 +00:00
Richard
d5ce8ea0ed Add --check to keystone-manage db_sync command
This patch adds a new command to the db_sync upgrade commands. --check
will check the current state of the user's upgrade repos and relay info
back to the user based on what version each command is currently at and
if the user has any outstanding db_sync commands left to run. It will
also notify the user if the db_sync commands were not upgraded in order.

Closes-Bug: 1642212
Change-Id: I79d3640a780d624f14059fe311fafa0542c03357
2017-02-09 19:45:02 +00:00
Adam Young
4981da8fb0 Deprecate (and emit message) AdminTokenAuthMiddleware
Officially deprecate the admin_token_auth in the paste-ini. The
functionality has been merged into auth_context_middleware. This allows
for a smoother removal of the admin-token functionality down the line.

The AdminTokenAuthMiddleware now does nothing if in the pipeline
except emitting a log.error.

This also removes the ADMIN token from the paste-pipeline itself

implements bp: removed-as-of-pike
Co-authored-by: Morgan Fainberg <morgan.fainberg@gmail.com>
Change-Id: I57586ccfa0ad1309cc806d95377dc1ecad015914
2017-02-09 18:16:48 +00:00
Jenkins
2db574de6d Merge "use the correct bp link for shadow-mapping rel note" 2017-02-09 10:33:01 +00:00
Steve Martinelli
e19adedc38 use the correct bp link for shadow-mapping rel note
Change-Id: I4531aeea8fd2b3648be1f3f9fab4ed1258be44e4
2017-02-08 00:29:01 -05:00
Jenkins
029476272f Merge "Readability/Typo Fixes in Release Notes" 2017-02-08 05:10:44 +00:00
Kenny Johnston
2fadadbb8c Readability/Typo Fixes in Release Notes
Fixed a number of readability and typo issues with the release notes
found while reviewing them.

Change-Id: Iff20bce313e93192f9e0c6d2df3bb0e9908a21d4
2017-02-08 00:31:19 +00:00
Morgan Fainberg
b8b1e18930 Remove KVS code
KVS Code (core) and items depending on it were deprecated in Newton, slated
for removal in Pike.

implements bp removed-as-of-pike
Closes-Bug: 1077282
Change-Id: I6ed4e3688f2a63b0fc439527957bc027db8d5d66
2017-02-03 02:25:19 +00:00
Jenkins
4c83fb0f13 Merge "Add MFA Rules Release Note" 2017-02-01 20:51:25 +00:00
Jenkins
8dad51e903 Merge "Use https for docs.openstack.org references" 2017-02-01 16:36:44 +00:00
Morgan Fainberg
a64b474ef4 Add MFA Rules Release Note
Add the release note for MFA Rules.

Change-Id: Id4aff9ba57d5b60110df1a7c752950d022ed58ec
bp: per-user-auth-plugin-reqs
2017-01-31 22:07:37 +00:00
Eric Brown
30d9095d28 Use https for docs.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
2017-01-30 16:05:08 -08:00
Steve Martinelli
28945a1a83 cleanup release notes from PCI options
Change-Id: I9bc637b0c7434153cfd93b8bf30676a4427418eb
2017-01-29 13:19:44 -08:00
Jenkins
781db8e67a Merge "Deprecate [security_compliance]\password_expires_ignore_user_ids" 2017-01-28 08:59:08 +00:00
Jenkins
e90296a44f Merge "add additional deprecation warnings for KVS options" 2017-01-28 03:01:05 +00:00
Jenkins
dfdb223693 Merge "PCI-DSS Force users to change password upon first use" 2017-01-28 02:18:56 +00:00
Morgan Fainberg
930728a57e Deprecate [security_compliance]\password_expires_ignore_user_ids
Deprecate [security_compliance]\password_expires_ignore_user_ids in
favor of using the new user-option 'ignore_password_expiry'.

This allows setting the value for ignoring password expiration on
individual users without needing to restart keystone for each change
to the list.

Partial-Bug: 1659995

Change-Id: Ib4b422ab07f91c312f3268ade926db1638052587
2017-01-27 20:30:34 -05:00
Ronald De Rose
0b3e59e041 PCI-DSS Force users to change password upon first use
"PCI-DSS 8.2.6 Set passwords/passphrases for first-time use and
upon reset to a unique value for each user, and change immediately after
the first use" [1].

I'll update the docs in a subsequent patch.

[1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

Closes-Bug: #1645487
Change-Id: I5575dbd6d63d41014a7468acd6bdf0175d791618
2017-01-27 18:47:15 +00:00
Steve Martinelli
5e2cc88ce7 clean up release notes for ocata
Change-Id: I9f4d47518f1a1ab184d6cefb2b251aaad38e113a
2017-01-27 14:36:54 +00:00
Steve Martinelli
c2fdd3b3bf add additional deprecation warnings for KVS options
We had a single deprecation warning for KVS functionality being
removed in Pike, located at keystone/common/kvs/core.py [1]

This change adds deprecation warnings to the various config
options and backends that used core.py.

[1] https://github.com/openstack/keystone/blob/master/keystone/common/kvs/core.py#L98-L101

Related-Bug: 1077282

bp deprecated-as-of-ocata

Change-Id: Ia63f0ac8543cf1e938baa712e21f08f582dc26ed
2017-01-27 03:21:31 +00:00
Ronald De Rose
c19f243152 Set the domain for federated users
This patch updates the domain for federated users to be the domain of
the Identity Provider (IdP).

Closes-Bug: #1642687
Partially-Implements: bp support-federated-attr
Depends-On: If8c8ad39c4c55a2d800bf4432411db59799e84e6
Change-Id: Iccfad6f39dc339ca054bedf3c6882c3701dcf0ec
2017-01-25 22:03:52 +00:00
Samuel Pilla
28c70f48dd Add password expiration queries for PCI-DSS
New query added for determining when passwords will expire.
The following are the new queries:

/v3/groups/{group_id}/users?password_expires_at={operator}:{timestamp}
- Lists users belonging to a group whose password will expire based
  on the operator given.
/v3/users?password_expires_at={operator}:{timestamp}
- Lists users whose password will expire based on the operator given.

{timestamp} is a datetime in the format "YYYY-MM-DDTHH:mm:ssZ".
{operator} is one of lt, lte, gt, gte, eq, and neq to filter in.
If no operator is given, it is treated as eq.

Examples:
- GET /v3/users?password_expires_at=lt:2016-11-06T15:32:17Z
- GET /v3/groups/079c578fd99b428ab61fcd4c9bd88ecd/users?password_expires_at=gt:2016-12-08T22:02:00Z

Partially-Implements: bp pci-dss-query-password-expired-users
Change-Id: If0b9cc3c8af92b2ea5d41a0e8afeb78e12b7689c
2017-01-24 09:01:12 -06:00
Jenkins
f7bc5bad7d Merge "Add queries for federated attributes in list_users" 2017-01-24 09:56:30 +00:00
Richard
19c6530b1a Add queries for federated attributes in list_users
This patch adds filters to list_user that enable the user to query for
unique_id, idp_id, protocol_id, or a mix of these to get back the
corresponding users of the federated attributes.

Partially-Implements: bp support-federated-attr
Change-Id: Iea5681791e521e9b8d96137fe30c388c10a02b30
2017-01-23 22:25:52 +00:00
Jenkins
fa63f893d4 Merge "Remove LDAP write support" 2017-01-22 05:23:34 +00:00
Kristi Nikolla
a7b393b1f6 Remove LDAP write support
Removed LDAP write support and removed the configuration options
*_allow_create, use_dumb_member, dumb_member, allow_subtree_delete.

Also removed the driver logic related to dumb_members, tree deletion
and their respective tests.

Write functionality is still present because our tests depend on it,
but it's hidden behind a toggle which the tests set to enable it.

Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Co-Authored-By: Steve Martinelli <s.martinelli@gmail.com>

Implements: bp removed-as-of-ocata

Change-Id: I13eada3d5c3a166223c3e3ce70b7054eaed1003a
2017-01-21 21:32:07 -05:00
Gage Hugo
3ae73b6752 Allow user to change own expired password
Currently, if a user's password expires, they must contact an
administrator in order to have their password reset for them.

This change allows a user to perform the change_password call
without a token, which will allow a user with an expired password
to change it if they are using PCI-DSS related features. This
removes the issue of needing an administrator to reset any
user's password that has expired.

Also updated the api-ref with the related changes.

Change-Id: I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
Closes-Bug: #1641645
2017-01-20 17:45:56 +00:00
Jenkins
5dc7af8fb5 Merge "Implement federated auto-provisioning" 2017-01-19 20:44:35 +00:00
Lance Bragstad
9e830dbe02 Implement federated auto-provisioning
Provide a way to provision projects and assignments when a federated
user authenticates for the first time for an unscoped token.

implements bp shadow-mapping

Change-Id: I6029dac8294e8cfc4bf622ac71b5e731956389db
2017-01-19 16:58:08 +00:00
Jenkins
d6410bf60b Merge "Force use of AuthContext object in .authentcate()" 2017-01-14 10:35:16 +00:00
Jenkins
4e31ab988e Merge "Cascade delete federated_user fk" 2017-01-13 18:40:01 +00:00
Morgan Fainberg
0f3f08c3df Force use of AuthContext object in .authentcate()
Force the keystone.auth.controllers.Auth.authenticate method to
require the use of an AuthContext object instead of something
duck-typed (dictionary). This is done to ensure the security and
integrity of IDENTITY_KEYS are covered and values are not changed
by a plugin due to the security built into AuthContext being
circumvented since it was not used. This is not pythonic, this
is being done for hardening purposes.

Change-Id: I013846af59587d17b15ca4cf546e6372231f576e
Closes-Bug: #1656076
2017-01-13 17:29:23 +00:00
Rodrigo Duarte Sousa
45f7ff3918 Cascade delete federated_user fk
The bug was caused by a foreign key in the federated_user table. This
key prevents a protocol from being deleted after a successful
authentication has happened (so the creation of a federated user
via shadowing). We take advantage of the same foreign key by adding the
cascade delete behavior to it.

Closes-Bug: 1642692

Change-Id: I3b3e265d20f0cfe0ee10c6a274d9bdf4e840b742
2017-01-13 12:55:33 -03:00
Colleen Murphy
f8ee249bf0 Add anonymous bind to get_connection method
If no username and password is specified in the keystone ldap
configuration, it may still be possible to bind to an LDAP server
anonymously if the LDAP server is configured to allow it. Currently,
upon creating a connection object, keystone only attempts to bind to
the LDAP server if a username and password has been provided to it.
This would rarely be an issue because pyldap attempts a reconnect upon
executing any ldap command, if necessary, and hence the anonymous bind
just happens later. It is a problem now because logic was added[1] to
check if the server errored during that initial connection, and for it
to work correctly the initial connection needs to happen in a
predictable place. This patch adds an anonymous bind to the
get_connection method so that no matter the credential configuration
the initial connection is consistent.

This required adding mocks to many of the LDAP backend tests since
every LDAP interaction now attempts a simple_bind_s() regardless of
whether credentials are configured in keystone.

[1] https://review.openstack.org/#/c/390948

Closes-bug: #1649138

Change-Id: I193c9537c107092e48f7ea1d25ff9c17f872c15b
2017-01-12 04:02:24 +00:00
Kam Nasim
2d239cfbc3 Set connection timeout for LDAP configuration
Presently the Identity LDAP driver does not set a connection timeout
option which has the disadvantage of causing the Identity LDAP backend
handler to stall indefinitely (or until TCP timeout) on LDAP bind, if
a) the LDAP URL is incorrect, or b) there is a connection failure/link
loss.

This commit adds a new option to set the LDAP connection timeout to
set a new OPT_NETWORK_TIMEOUT option on the LDAP object. This will
raise ldap.SERVER_DOWN exceptions on timeout.

Signed-off-by: Kam Nasim <kam.nasim@windriver.com>

Closes-Bug: #1636950
Change-Id: I574e6368169ad60bef2cc990d2d410a638d1b770
2017-01-11 23:50:38 +00:00
Jenkins
910f525b7c Merge "Invalid parameter name on interface" 2017-01-10 18:10:52 +00:00
Eric Brown
872939d8ee Invalid parameter name on interface
There are several classes that inherit from the abstract method
AuthMethodHandler.authenticate. In some cases those classes are
not using matching parameter names.

This patch changes all classes such that the signatures match.
Prior to this there were four different signatures:

authenticate(self, context, auth_payload, auth_context)
authenticate(self, request, auth_info, auth_context)
authenticate(self, request, auth_payload, auth_context)
authenticate(self, request, auth_payload, user_context)

The new common signature will be:

authenticate(self, request, auth_payload, auth_context)

Change-Id: I2846af0528dbb638436fdd0731d99c6a627608d7
2017-01-09 22:28:57 -08:00
Steve Martinelli
d4a890a6c8 listing revoke events should be admin only
Currently any user can list revocation events, this data contains
IDs for users and projects. It should not be made available to
any user that is able to authenticate, it should be an admin
only API call.

Change-Id: I4290163c67c84ef0e1a2f6ee967ddf2acb2c3212
Closes-Bug: 1649446
2017-01-09 21:12:47 +00:00
Ronald De Rose
74af136478 Update docs to require domain_id when registering Identity Providers
An Identity Provider (IdP) should be mapped to a domain. This patch
updates the documentation and creates a release note recommending the
domain_id parameter.

Depends-On: Id18b8b2fe853b97631bc990df8188ed64a6e1275
Partial-Bug: #1642687
Change-Id: I1cb749371175169662dbb5fa8feafe403fb1c39b
2017-01-06 19:09:36 +00:00
Lance Bragstad
663865dfec Remove CONF.domain_id_immutable
We deprecated this functionality during the Mitaka release and staged
it for removal in Ocata. Let's remove it!

A note for reviewers. Some of the logic for allowing projects to
update their domain_id was implemented in the resource Manager().
As a result, there were several tests that tested the manager
directly. Now that we're removing the logic for allowing
``domain_id`` to be updated, we can rely solely on the
``_require_matching_domain_id()`` method in the
keystone.common.controller module. This short-circuit check will
return a 4XX response code for all requests attempting to update the
``domain_id`` of an entity. Since this is all completely isolated
in the controller layer, we can remove the logic from the resource
Manager specifically as well as the tests. This change looks like
we're removing a bunch of tests from
keystone.tests.unit.resource.test_backends but we're actually just
relying on more basic tests in test_v3_resource.

Change-Id: Iad0eba66e7ddc9497205af60671451a385d0de58
Closes-Bug: 1653472
2017-01-03 22:51:15 +00:00