344 Commits

Author SHA1 Message Date
Jenkins
068b1df841 Merge "Fix cloud_admin rule and ensure only project tokens can be cloud admin" 2017-01-02 14:24:49 +00:00
Jenkins
686f9d583e Merge "Handle disk write failure when doing Fernet key rotation" 2016-12-29 14:02:39 +00:00
johnlinp
5b7c9a66f0 Handle disk write failure when doing Fernet key rotation
_create_new_key() is broken down into 2 parts:

1. _create_tmp_new_key()
2. _become_valid_new_key()

This can avoid empty Fernet keys when the write to the
staged key fails. The _become_valid_new_key() is called
only after a successful call to _create_tmp_new_key().

Change-Id: Iaf33e2b291f13b9eb9464ef345a8664a634121ff
Closes-Bug: #1642457
Signed-off-by: John Lin <johnlinp@gmail.com>
2016-12-26 10:17:01 +08:00
Steve Martinelli
ef48072d94 Fix cloud_admin rule and ensure only project tokens can be cloud admin
The current rule fails to load with oslo.policy, the correct
value used to determine the admin project for the cloud_admin should
simply be: `is_admin_project:True`, since that is what is stored
in oslo.context.

This problem was masking a more serious issue that domain admin tokens
could be misinterpreted as cloud admin tokens.

Change-Id: I3ea562c01e06e6c519fdaec3ab6e1dac204ced71
Closes-Bug: 1547684
Closes-Bug: 1651989
2016-12-23 09:31:08 +00:00
Jenkins
a5efb16256 Merge "Add reason to notifications for PCI-DSS" 2016-12-21 18:45:19 +00:00
Gage Hugo
7fe14c8da0 Add reason to notifications for PCI-DSS
This adds a reason to the CADF event notifications that are emitted
for the following events related to PCI-DSS:

- Change user passwords/passphrases at least once every X days
- Limit repeated access attempts by locking out the user ID after
not more than X attempts
- Do not allow an individual to submit a new password/phrase that
is the same as any of the last X passwords/phrases he or she has used
- Passwords/phrases must meet the specified regex
- User attempting to change password early

Implements: bp pci-dss-notifications
Co-Authored-By: Tin Lam <tinlam@gmail.com>

Change-Id: Ia678d25bdfa151c95483f5fcb77853184fbecfd1
2016-12-19 19:38:47 -06:00
Lance Bragstad
100050184c Implement password requirements API
Add an API for retrieving password requirement information from
``keystone.conf``. This should be used by user interfaces and clients
if/when they enforce PCI-DSS requirements.

Change-Id: I4c405da3a59e510cda5b46222cc3a20d568c7437
implements: bp pci-dss-password-requirements-api
2016-12-15 19:51:41 +00:00
Ken'ichi Ohmichi
3e5ead0a45 Remove CONF.os_inherit.enabled
CONF.os_inherit.enabled is planned to be removed in Ocata, as the
deprecation message says, and this patch removes it.

Partially implements bp: removed-as-of-ocata

Change-Id: I9072419ba1cfcf3cefb814a224fc499c9067ae30
Needed-by: Id3dd322b3a0585ed95eb2dea4ad35a7949bb9b1f
2016-12-05 10:52:35 -08:00
Matt Fischer
7765130bd6 cache_on_issue default to true
If caching is globally enabled and enabled for tokens then we should
default to have cache_on_issue default to True as well. This commit also
adds one clarifying sentence to the config file comments since this
value has no effect unless caching is globally enabled and enabled in
the [token] section.

Closes-Bug: #1641816

Change-Id: I2797964ef0bb5641d8c1a208e1b5dcf567c1437f
2016-11-28 20:47:36 +00:00
Jamie Lennox
fcebc2fa8d Allow fetching an expired token
A service user from auth_token middleware should be able to fetch a
token that has expired within a certain window so that long running
operations can finish.

Implements bp: allow-expired
Change-Id: I784f719be88481048f5aa7a79d34a54907438cf3
2016-11-28 04:07:26 +00:00
Jenkins
7871fbcab1 Merge "Enable CADF notification format by default" 2016-11-22 13:16:11 +00:00
Jenkins
03ba1324c2 Merge "Lockout ignore user list" 2016-11-22 10:18:40 +00:00
Tin Lam
165e5a98f0 Enable CADF notification format by default
The current default notification format is set to ``basic``, the home-brewed
openstack-styled format.  Since all new notifications have adhered to the
CADF format, we should switch to using the CADF format by default, which provides
compatibility with the older format.

Also, messages for the following authentication events are squelched due
to their chattiness:

* identity.authenticate.success
* identity.authenticate.pending
* identity.authenticate.failed

Change-Id: I6dd3a52319bd59aa5ef856e6d99b5a1d7c37e371
Closes-Bug: #1641660
2016-11-21 13:28:37 -06:00
Jenkins
778ebeb0db Merge "Remove issue_v3_token in favor of issue_token" 2016-11-20 08:25:48 +00:00
Jenkins
d8775db649 Merge "Remove issue_v2_token" 2016-11-20 08:25:40 +00:00
Ronald De Rose
4f1af9451b Lockout ignore user list
This patch adds a way for operators to ignore the lockout validation for
specific users, such as service users.

Closes-Bug: #1642348
Change-Id: I9d48578bc6b4f84acbaaa4251b59ffef10d58d8e
2016-11-18 22:37:45 +00:00
Steve Martinelli
5d93b99bb5 remove release note about LDAP write removal
this is still in progress, bring back the note when it's ready.

Change-Id: I08fe6affbd0b94b4497eb61d10a1dcbce6e0b27a
2016-11-16 10:55:00 -05:00
Jenkins
cdaf2c77d9 Merge "Replace tenant with project for keystone catalog" 2016-11-14 14:30:29 +00:00
Jenkins
474b762561 Merge "Deprecate endpoint_filter.sql backend" 2016-11-14 14:17:26 +00:00
Lance Bragstad
c0c23fd9df Remove issue_v3_token in favor of issue_token
Since we don't have a reason to hold on to a version specific
token method name, we can rename it to be just issue_token.

Now the token provider interface has two integral methods,
validate_token and issue_token. From a third-party perspective, this
makes it easier to maintain a proprietary token provider since it
eliminates a lot of version specific things from the provider
implementation. From a keystone perspective, we are isolating the
numerous token validation and issuance paths to a single route. This
will make understanding the code easier for other developers and
eventually easier to optimize.

Change-Id: I71a04b42e931338b8bd59e479636b6199c7c2d76
2016-11-11 17:44:23 +00:00
Lance Bragstad
dd1e705853 Remove issue_v2_token
In a previous commit we made all calls to issue_v2_token use
issue_v3_token instead. Any tokens that needed to be represented
as a v2.0 token we translate using the V2TokenDataHelper class.

At this point nothing really uses the issue_v2_token method and it
can be safely removed. A subsequent patch will rename the
issue_v3_token method to just issue_token since we no longer need
to make a distinction between two different methods.

Depends-On: Ia51f28a70ae099f1ec93851d271db8556aced836
Change-Id: I7d3b583cbec9a095ab8cc20c5d6c0a6127e37068
2016-11-11 17:44:03 +00:00
Jenkins
3047689ce3 Merge "Support nested groups in Active Directory" 2016-11-10 00:30:01 +00:00
Jenkins
e70631edda Merge "Add healthcheck middleware to pipelines" 2016-11-09 22:52:13 +00:00
Adam Young
e8e56dc7c1 Support nested groups in Active Directory
Active Directory has a very specific mechanism to
handle nested groups.  LDAP queries need to look like this:

"(&(objectClass=group)
   (member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

If a deployment is using nested groups, three queries need to be
modified to support it:

  - list users in a group
  - list groups for a user
  - check if a user is in a group

Since all three are necessary, a single configuration value ensures
that the change is synchronized across all three calls.

Closed-Bug: #1638603
Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2
2016-11-09 20:34:33 +00:00
Jesse Keating
eeac2cb6d1 Add healthcheck middleware to pipelines
This introduces the oslo health check middleware
http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html
into the pipelines. This middleware is useful for load balancers and
http servers, which can use it to validate that the keystone services are
operational. This middleware is being used in other services such as
glance and magnum. This patch provides it for keystone, in an effort to
spread the usage across all major projects.

This is one less item that operators will have to patch locally.

DocImpact

Change-Id: I19e4fc8f6c6a227068ba7191c1e9c453fc08f061
2016-11-09 19:39:41 +00:00
Jenkins
748eb41904 Merge "Add release note for fernet tokens" 2016-11-01 16:21:59 +00:00
Jenkins
d8400fe79c Merge "Faster id mapping lookup" 2016-11-01 00:08:36 +00:00
Dave Chen
707b023630 Clarifying on the removal of build_auth_context middleware
Keystone just removes the check of admin token from the
`build_auth_context` middleware, not the middleware itself.

bp removed-as-of-ocata
Change-Id: I9aa7a4dafb7f9a3333832d81923e4f11390dad14
2016-10-27 16:45:12 +08:00
Ronald De Rose
de8fbcf9a0 Validate mapping exists when creating/updating a protocol
This patch validates that a mapping exists when adding or updating
a federation protocol.

Change-Id: I996f94d26eb0f2c679542ba13a03bbaa4442486a
Closes-Bug: #1571878
2016-10-20 19:12:04 +00:00
Lance Bragstad
e5add63637 Add release note for fernet tokens
Let's add a release note for switching the default token provider.
This will need to merge before we can make any upgrade changes to
grenade for the Newton to Ocata upgrade.

Change-Id: I7208bf6cb9329d6ca1f49409da44b0537c74aea9
2016-10-19 18:28:22 +00:00
Jenkins
7a78ac0999 Merge "Enable release notes translation" 2016-10-18 01:25:23 +00:00
Dave Chen
4f92ac0461 Replace tenant with project for keystone catalog
Change-Id: I46113ba17f86b07545584aeddd2d92dc1f67dc98
Partial-Bug: #1017606
2016-10-16 11:20:12 +08:00
Jenkins
d59973e628 Merge "Invalidate trust when the related project is deleted" 2016-10-14 20:04:20 +00:00
Dave Chen
f0319c752a Invalidate trust when the related project is deleted
A trust without a valid project is useless and will no longer
be active, since the project id is a random number assigned only
when the project is created.

This patch invalidates the trust if the related project is deleted.

Change-Id: I51214c46ef5332c159b1e18bbd7046d12aba4a65
Closes-Bug: #1622310
2016-10-14 16:55:06 +00:00
Jenkins
c1fd67deb5 Merge "Return password_expires_at during auth" 2016-10-14 06:42:24 +00:00
Jenkins
613aafc836 Merge "Move the token abstract base class out of core" 2016-10-14 05:48:55 +00:00
Ronald De Rose
02452d02c4 Return password_expires_at during auth
The new user attribute, password_expires_at, is not being returned
during auth; this patch adds it.

bp password-expires-validation
Change-Id: I1f17a849d9da4067d6be7d612c5a561bcb247ebb
2016-10-14 00:25:57 -04:00
Ronald De Rose
d49f2b1e64 Move the token abstract base class out of core
This patch moves the token abstract base class out of core and
into providers/base.py, which is consistent with the other
backend drivers.

Change-Id: Icf22adb2ccfa0470bb61ceb7d6c90467f44da6c8
Closes-Bug: #1563101
2016-10-14 04:09:14 +00:00
Jenkins
1254ac0283 Merge "Improve check_token validation performance" 2016-10-13 20:47:42 +00:00
Jenkins
5ed77daf0a Merge "One validate method to rule them all..." 2016-10-13 17:07:01 +00:00
Richard
9e84371461 Improve check_token validation performance
This patch improves check_token validation performance by only pulling
revocation events based on the token issued_at value, taking advantage
of the table index. In this way, only a subset of relevant events will
be returned for validation.

Benchmarks can be seen at [1], but included here as well:

Time per Request for Old Method
-------------------------------
10 revokes at 7.908
100 revokes at 18.224
1,000 revokes at 110.155
10,000 revokes at 1998.220

Time per Request New Method
---------------------------
10 revokes at 17.636ms,
100 revokes at 17.279ms,
1,000 revokes at 17.370,
10,000 revokes w/all revokes issued before token at 17.263 (best case)
10,000 revokes w/all revokes after token creation 44.934ms (worst case)

[1] https://gist.github.com/csrichard1/4b7b8527ee5a6565a84956cff33cf29b

Change-Id: I9c2f067d870d542ec5909eaf8b24ded07b75f433
Partial-Bug: 1524030
2016-10-13 15:39:54 +00:00
Jenkins
396cc4d1e8 Merge "Remove validate_v2_token() method" 2016-10-12 17:19:24 +00:00
Lance Bragstad
71134fbe1c One validate method to rule them all...
Regardless of persistence requirements or format, let's perform
token validation one way.

This simplifies the validation path of the token provider API.

Change-Id: Idb5de4459fd8bf83973ed74fccc275a64873c88c
2016-10-12 15:03:12 +00:00
Lance Bragstad
52bde3cf08 Remove validate_v2_token() method
Instead of using validate_v2_token, we can effectively use the
validate_v3_token method and translate the v3 response to a v2 one.

This is a step towards simplifying the token provider API.

Change-Id: Iccb8349e0710288adb107d55437a4ff50d074b1c
2016-10-12 14:34:23 +00:00
Dave Chen
fd3e6276a3 Deprecate endpoint_filter.sql backend
The `endpoint_filter.sql` backend is the only left-over from the
endpoint filter extension; all others have been moved into the
keystone catalog dir.

This patch deprecates the `endpoint_filter.sql` backend and
consolidates it with the SQL backend.

This patch also updates some related testcases to make sure the
project id exists instead of using random uuids, since the original
logic from the endpoint filter extension had this constraint and
it makes sense to inherit it into the SQL backend as well.

Partially implements: bp deprecated-as-of-ocata
Change-Id: I28b37fc98cf63da11c0dd200b5f657507c0bca6a
2016-10-09 09:26:07 +08:00
Jenkins
d90e926a83 Merge "create release notes for removed functionality" 2016-10-07 15:51:27 +00:00
Steve Martinelli
3e0242c157 create release notes for removed functionality
bp removed-as-of-ocata

Change-Id: I67ec3a86f4b3f42db3bfb645be4bc884e7d235ba
2016-10-07 03:58:32 +00:00
Andreas Jaeger
a82d799472 Enable release notes translation
Release note translation publishing is being prepared. 'locale_dirs'
needs to be defined in conf.py to generate translated versions of the
release notes.

Note that this repository might not get translated release notes - or
no translations at all - but we add the entry here nevertheless to
prepare for it.

Change-Id: I371da7d4185a14a59d959b02b1301a71f5fb2551
2016-10-06 20:28:17 +02:00
gengchc2
e828d591e7 Fix a typo in core.py and bp-domain-config-default-82e42d946ee7cb43.yaml
TrivialFix

Change-Id: I589825617f2b191a91bcf16915678e779d905749
2016-09-29 09:25:59 +08:00
Jenkins
77213e6c0d Merge "Handle the exception from creating access token properly" 2016-09-21 18:24:06 +00:00