_create_new_key() is broken down into 2 parts:
1. _create_tmp_new_key()
2. _become_valid_new_key()
This can avoid empty Fernet keys when the write to the
staged key fails. The _become_valid_new_key() is called
only after a successful call to _create_tmp_new_key().
Change-Id: Iaf33e2b291f13b9eb9464ef345a8664a634121ff
Closes-Bug: #1642457
Signed-off-by: John Lin <johnlinp@gmail.com>
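The two-phase staged-key write described in the commit above, as an added example that is not keystone's own code. The function names, the staged-key file name "0" and the key repository layout are assumptions for illustration; the point shown is that the rename into place happens only after the full key has been written and fsynced, so a failed write never leaves an empty key file behind.

```python
import base64
import os
import tempfile

# Added example, not keystone's own code: a two-phase write that mirrors the
# _create_tmp_new_key() / _become_valid_new_key() split from the commit above.
# The function names, the staged-key file name "0" and the key repository
# layout are assumptions for illustration.

KEY_LEN = 32  # Fernet keys are 32 random bytes, urlsafe-base64 encoded


def generate_fernet_key():
    """Return a freshly generated key in Fernet's urlsafe-base64 encoding."""
    return base64.urlsafe_b64encode(os.urandom(KEY_LEN))


def create_tmp_new_key(key_repo, key_bytes):
    """Phase 1: write the key to a private temporary file in the repository.

    mkstemp creates the file with mode 0600.  The content is written in full
    and fsynced before the descriptor is closed.  If any step fails, the
    temporary file is removed and the staged key file itself was never
    created, so no empty key is left behind.
    """
    fd, tmp_path = tempfile.mkstemp(prefix=".new-key-", dir=key_repo)
    try:
        view = memoryview(key_bytes)
        while len(view):
            written = os.write(fd, view)
            view = view[written:]
        os.fsync(fd)
    except BaseException:
        os.close(fd)
        os.unlink(tmp_path)
        raise
    os.close(fd)
    return tmp_path


def become_valid_new_key(key_repo, tmp_path):
    """Phase 2: rename the temporary file to the staged-key name "0".

    rename(2) is atomic within one filesystem, so readers see either the
    complete key or no file at all, never a partially written one.
    """
    final_path = os.path.join(key_repo, "0")
    os.rename(tmp_path, final_path)
    return final_path


def create_new_key(key_repo):
    """Phase 2 runs only after phase 1 has returned successfully."""
    tmp_path = create_tmp_new_key(key_repo, generate_fernet_key())
    return become_valid_new_key(key_repo, tmp_path)


def staged_key_is_valid(key_repo):
    """Reader-side check: the staged key must decode to exactly 32 bytes."""
    path = os.path.join(key_repo, "0")
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        data = f.read().strip()
    try:
        return len(base64.urlsafe_b64decode(data)) == KEY_LEN
    except ValueError:
        return False


def demo():
    """Create a key in a scratch directory, then show an empty key is rejected."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")
    path = create_new_key(repo)
    result = {
        "file_name": os.path.basename(path),
        "valid_after_create": staged_key_is_valid(repo),
        "leftover_tmp_files": [n for n in os.listdir(repo) if n.startswith(".new-key-")],
    }
    # Simulate the failure the commit guards against: an empty key file.
    open(path, "wb").close()
    result["valid_when_empty"] = staged_key_is_valid(repo)
    return result


if __name__ == "__main__":
    print(demo())
```

The reader-side check is the complement of the writer-side fix: a key repository that contains a zero-length file would make every token signed with that slot unverifiable, so a validator should refuse to load a key that does not decode to 32 bytes rather than fail later.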
The current rule fails to load with oslo.policy, the correct
value used to determine the admin project for the cloud_admin should
simply be: `is_admin_project:True`, since that is what is stored
in oslo.context.
This problem was masking a more serious issue that domain admin tokens
could be misinterpreted as cloud admin tokens.
Change-Id: I3ea562c01e06e6c519fdaec3ab6e1dac204ced71
Closes-Bug: 1547684
Closes-Bug: 1651989
This adds a reason to the CADF event notifications that are emitted
for the following events related to PCI-DSS:
- Change user passwords/passphrases at least once every X days
- Limit repeated access attempts by locking out the user ID after
not more than X attempts
- Do not allow an individual to submit a new password/phrase that
is the same as any of the last X passwords/phrases he or she has used
- Passwords/phrases must meet the specified regex
- User attempting to change password early
Implements: bp pci-dss-notifications
Co-Authored-By: Tin Lam <tinlam@gmail.com>
Change-Id: Ia678d25bdfa151c95483f5fcb77853184fbecfd1
Add an API for retrieving password requirement information from
``keystone.conf``. This should be used by user interfaces and clients
if/when they enforce PCI-DSS requirements.
Change-Id: I4c405da3a59e510cda5b46222cc3a20d568c7437
implements: bp pci-dss-password-requirements-api
CONF.os_inherit.enabled is planned to be removed in Ocata, as the
deprecation message states, and this patch removes it.
Partially implements bp: removed-as-of-ocata
Change-Id: I9072419ba1cfcf3cefb814a224fc499c9067ae30
Needed-by: Id3dd322b3a0585ed95eb2dea4ad35a7949bb9b1f
If caching is globally enabled and enabled for tokens then we should
default to have cache_on_issue default to True as well. This commit also
adds one clarifying sentence to the config file comments since this
value has no effect unless caching is globally enabled and enabled in
the [token] section.
Closes-Bug: #1641816
Change-Id: I2797964ef0bb5641d8c1a208e1b5dcf567c1437f
A service user from auth_token middleware should be able to fetch a
token that has expired within a certain window so that long running
operations can finish.
Implements bp: allow-expired
Change-Id: I784f719be88481048f5aa7a79d34a54907438cf3
The current default notification format is set to ``basic``, the home-brewed
openstack-styled format. Since all new notifications have adhered to the
CADF format, we should switch to use CADF format by default, which provides
compatibility with the older format.
Also, messages for the following authentication events are squelched due
to their chattiness:
* identity.authenticate.success
* identity.authenticate.pending
* identity.authenticate.failed
Change-Id: I6dd3a52319bd59aa5ef856e6d99b5a1d7c37e371
Closes-Bug: #1641660
This patch adds a way for operators to ignore the lockout validation for
specific users, such as service users.
Closes-Bug: #1642348
Change-Id: I9d48578bc6b4f84acbaaa4251b59ffef10d58d8e
Since we don't have a reason to hold on to a version specific
token method name, we can rename it to be just issue_token.
Now the token provider interface has two integral methods,
validate_token and issue_token. From a third-party perspective, this
makes it easier to maintain a proprietary token provider since it
eliminates a lot of version specific things from the provider
implementation. From a keystone perspective, we are isolating the
numerous token validation and issuance paths to a single route. This
will make understanding the code easier for other developers and
eventually easier to optimize.
Change-Id: I71a04b42e931338b8bd59e479636b6199c7c2d76
In a previous commit we made all calls to issue_v2_token use
issue_v3_token instead. Any tokens that needed to be represented
as a v2.0 token we translate using the V2TokenDataHelper class.
At this point nothing really uses the issue_v2_token method and it
can be safely removed. A subsequent patch will rename the
issue_v3_token method to just issue_token since we no longer need
to make a distinction between two different methods.
Depends-On: Ia51f28a70ae099f1ec93851d271db8556aced836
Change-Id: I7d3b583cbec9a095ab8cc20c5d6c0a6127e37068
Active Directory has a very specific mechanism to
handle nested groups. LDAP queries need to look like this:
"(&(objectClass=group)
(member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"
If a deployment is using nested groups, three queries need to be
modified to support it:
- list users in a group
- list groups for a user
- check if a user is in a group
Since all three are necessary, a single configuration value ensures
that the change is synchronized across all three calls.
Closes-Bug: #1638603
Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2
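The three membership queries from the commit above, built from a single nested-groups flag, as an added example that is not keystone's own LDAP backend code. It uses the standard extensible-match form `attribute:1.2.840.113556.1.4.1941:=value` for Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (the OID quoted in the commit), and escapes the DN per RFC 4515 so a DN taken from a directory entry or user input cannot alter the filter. The objectClass and attribute names are assumptions chosen for illustration.

```python
# Added example, not keystone's own code: the three group-membership queries
# from the commit above, built with and without Active Directory's
# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) from one
# configuration flag.  The objectClass and attribute names are assumptions
# chosen for illustration.

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    A DN that reaches the filter from user input or from a directory entry
    must not be able to close the current component or add a wildcard.
    """
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


class GroupQueryBuilder:
    def __init__(self, nested_groups, user_objectclass="person",
                 group_objectclass="group", member_attr="member",
                 member_of_attr="memberOf"):
        # One flag drives all three queries so they cannot drift apart.
        self.nested_groups = nested_groups
        self.user_objectclass = user_objectclass
        self.group_objectclass = group_objectclass
        self.member_attr = member_attr
        self.member_of_attr = member_of_attr

    def _assertion(self, attr, dn):
        value = escape_filter_value(dn)
        if self.nested_groups:
            # Extensible match: AD walks the membership chain server-side.
            return "(%s:%s:=%s)" % (attr, MATCHING_RULE_IN_CHAIN, value)
        return "(%s=%s)" % (attr, value)

    def list_users_in_group(self, group_dn):
        """Filter for a subtree search over the users container."""
        return "(&(objectClass=%s)%s)" % (
            self.user_objectclass, self._assertion(self.member_of_attr, group_dn))

    def list_groups_for_user(self, user_dn):
        """Filter for a subtree search over the groups container."""
        return "(&(objectClass=%s)%s)" % (
            self.group_objectclass, self._assertion(self.member_attr, user_dn))

    def check_user_in_group(self, group_dn, user_dn):
        """Base-scope search on the group entry; any hit means membership."""
        return {
            "base": group_dn,
            "scope": "base",
            "filter": "(&(objectClass=%s)%s)" % (
                self.group_objectclass, self._assertion(self.member_attr, user_dn)),
        }


if __name__ == "__main__":
    b = GroupQueryBuilder(nested_groups=True)
    print(b.list_groups_for_user("CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM"))
```

The matching-rule form is specific to Active Directory; against a directory that does not implement that OID the extensible match returns no entries, so the flag should stay off unless the deployment is known to use AD nested groups.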
This introduces the oslo health check middleware
http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html
into the pipelines. This middleware is useful for load balancers and
http servers, which can use it to validate that the keystone services are
operational. This middleware is being used in other services such as
glance and magnum. This patch provides it for keystone, in an effort to
spread the usage across all major projects.
This is one less item that operators will have to patch locally.
DocImpact
Change-Id: I19e4fc8f6c6a227068ba7191c1e9c453fc08f061
Keystone just removes the check of the admin token from the
`build_auth_context` middleware, not the middleware itself.
bp removed-as-of-ocata
Change-Id: I9aa7a4dafb7f9a3333832d81923e4f11390dad14
This patch validates that a mapping exists when adding or updating
a federation protocol.
Change-Id: I996f94d26eb0f2c679542ba13a03bbaa4442486a
Closes-Bug: #1571878
Let's add a release note for switching the default token provider.
This will need to merge before we can make any upgrade changes to
grenade for the Newton to Ocata upgrade.
Change-Id: I7208bf6cb9329d6ca1f49409da44b0537c74aea9
A trust without a valid project is useless and will no longer
be active, since the project id is a random value assigned only
when the project is created.
This patch invalidates the trust if the related project is deleted.
Change-Id: I51214c46ef5332c159b1e18bbd7046d12aba4a65
Closes-Bug: #1622310
The new user attribute, password_expires_at, is not being returned
during auth; this patch adds it.
bp password-expires-validation
Change-Id: I1f17a849d9da4067d6be7d612c5a561bcb247ebb
This patch moves the token abstract base class out of core and
into providers/base.py, which is consistent with the other
backend drivers.
Change-Id: Icf22adb2ccfa0470bb61ceb7d6c90467f44da6c8
Closes-Bug: #1563101
This patch improves check_token validation performance by only pulling
revocation events based on the token issued_at value, taking advantage
of the table index. In this way, only a subset of relevant events will
be returned for validation.
Benchmarks can be seen at [1], but included here as well:
Time per Request for Old Method
-------------------------------
10 revokes at 7.908
100 revokes at 18.224
1,000 revokes at 110.155
10,000 revokes at 1998.220
Time per Request New Method
---------------------------
10 revokes at 17.636ms,
100 revokes at 17.279ms,
1,000 revokes at 17.370,
10,000 revokes w/all revokes issued before token at 17.263 (best case)
10,000 revokes w/all revokes after token creation 44.934ms (worst case)
[1] https://gist.github.com/csrichard1/4b7b8527ee5a6565a84956cff33cf29b
Change-Id: I9c2f067d870d542ec5909eaf8b24ded07b75f433
Partial-Bug: 1524030
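Why narrowing the revocation-event query by the token's issued_at reduces the work per validation, as an added example that is not keystone's own revoke backend. A revocation event can only invalidate tokens issued before its issued_before timestamp, so events whose issued_before is at or before the token's issued_at can be skipped without examining them; with the events kept in issued_before order this becomes a range scan, which is what the table index provides. The event fields and the in-memory index are assumptions standing in for the database table.

```python
import bisect
import datetime

# Added example, not keystone's own code: why restricting the revocation-event
# query by the token's issued_at cuts the work per validation.  The event
# fields and the in-memory "index" are assumptions standing in for the
# revocation event table and its index.


class RevocationEvent:
    """Tokens for `user_id` issued before `issued_before` are invalid.

    user_id None means the event applies to every user.
    """

    def __init__(self, issued_before, user_id=None):
        self.issued_before = issued_before
        self.user_id = user_id

    def matches(self, token):
        if self.user_id is not None and self.user_id != token["user_id"]:
            return False
        return token["issued_at"] < self.issued_before


class RevocationIndex:
    """Events kept sorted by issued_before, like an indexed column."""

    def __init__(self, events):
        self._events = sorted(events, key=lambda e: e.issued_before)
        self._keys = [e.issued_before for e in self._events]

    def events_for_token(self, issued_at):
        """New method: events whose issued_before is at or before the token's
        issued_at cannot revoke it, so they are skipped (a range scan)."""
        start = bisect.bisect_right(self._keys, issued_at)
        return self._events[start:]

    def all_events(self):
        """Old method: every event is fetched and checked."""
        return list(self._events)

    def is_revoked(self, token, use_index=True):
        if use_index:
            candidates = self.events_for_token(token["issued_at"])
        else:
            candidates = self.all_events()
        return any(e.matches(token) for e in candidates)


def demo():
    """Constructed sample: ten events one minute apart; the ones at +3 and +7
    minutes target alice, the rest target bob."""
    t0 = datetime.datetime(2016, 11, 1, 12, 0, 0)
    minute = datetime.timedelta(minutes=1)
    events = [
        RevocationEvent(t0 + i * minute, user_id="alice" if i in (3, 7) else "bob")
        for i in range(1, 11)
    ]
    index = RevocationIndex(events)
    early = {"user_id": "alice", "issued_at": t0 + 5 * minute}
    late = {"user_id": "alice", "issued_at": t0 + 8 * minute}
    return {
        "old_examined": len(index.all_events()),
        "new_examined": len(index.events_for_token(early["issued_at"])),
        "early_revoked": index.is_revoked(early),
        "late_revoked": index.is_revoked(late),
        "same_answer": index.is_revoked(early, use_index=False) == index.is_revoked(early),
    }


if __name__ == "__main__":
    print(demo())
```

The benchmark's two 10,000-revoke cases map onto this: when every event predates the token, the range scan returns nothing (best case); when every event postdates it, all events still have to be compared (worst case), which is why that row is slower but still far below the old method.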
Regardless of persistence requirements or format, let's perform
token validation one way.
This simplifies the validation path of the token provider API.
Change-Id: Idb5de4459fd8bf83973ed74fccc275a64873c88c
Instead of using validate_v2_token, we can effectively use the
validate_v3_token method and translate the v3 response to a v2 one.
This is a step towards simplifying the token provider API.
Change-Id: Iccb8349e0710288adb107d55437a4ff50d074b1c
The `endpoint_filter.sql` backend is the only left-over from the
endpoint filter extension; all others have been moved into the
keystone catalog dir.
This patch deprecates the `endpoint_filter.sql` backend and
consolidates it with the SQL backend.
This patch also updates some related test cases to make sure the
project id exists instead of using random uuids, since the original
logic from the endpoint filter extension has this constraint and
it makes sense to inherit it into the SQL backend as well.
Partially implements: bp deprecated-as-of-ocata
Change-Id: I28b37fc98cf63da11c0dd200b5f657507c0bca6a
Release note translation publishing is being prepared. 'locale_dirs'
needs to be defined in conf.py to generate translated version of the
release notes.
Note that this repository might not get translated release notes - or
no translations at all - but we add the entry here nevertheless to
prepare for it.
Change-Id: I371da7d4185a14a59d959b02b1301a71f5fb2551