If there is a request from a client with invalid request
parameters, an invalid signature for example, keystone should
capture that and raise an exception.
Previously a `NotImplementedError` or `TypeError` was thrown and
presented directly to the end user, and no helpful message
was given.
This patch fixes that and shows as much helpful exception
message as possible for diagnosis.
Change-Id: I112d0cd0c8a460c7b4d8d0e1c0b9c742aab9fde7
Closes-Bug: #1616424
In order to support automatically updating the release notes when we
create stable branches, we want the pages to be in a standard order.
This patch updates the order to be reverse chronological, so the most
recent notes appear at the top.
Change-Id: Ib364dcc8eb31275a31c83b68d7914263b183e393
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
When assigning a Domain specific role to a user it is OK if the user
is from a different domain, but the project's domain must match the
role's domain.
Closes-Bug: 1590587
Change-Id: I1d63415de0130794939998c3e142ebdce9ddf39d
Fixed some more trivial doc items missed in the previous patch.
* Removed extra underlining characters
* Removed extra blank lines at the end of the file
Change-Id: Ida511ff6fc0d28ee68c1ded1e272ed9cba1be4d7
Added the driver interface 'base.EndpointPolicyDriverV8' as super class
of the sql driver implementation.
Removed unused methods from driver interface and added release notes.
Change-Id: I198dcbda7591e0dafb1da3a72e3f32b258c0e299
Closes-Bug: #1611102
The 105 migration added a password created_at column that was left as
nullable. This patch sets a default value for password created_at and
makes this column not nullable.
Closes-Bug: #1596500
Change-Id: I394467d554c786ecd9bf55367435c856c6723042
Since tokens are most often used right after being created,
cache them to bypass redundant validation.
The patch uses dogpile.cache internal functionality so some
calls may look strange.
Implements bp pre-cache-tokens
Change-Id: I2e720eed6b0066738181afd1cbf73c5ff4d876f5
id_mapping_api was designed to make a query per entity to fetch
public ids. This led to very poor performance when there were many
entries in LDAP. For example, for 15k entries 15k MySQL queries were
required. For the first run 15k INSERTs were required, which makes
things even worse.
Change this behavior to fetch related mappings from MySQL as a list and
perform the necessary join in-memory.
bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I2c266e91f2f05be760f8a3eea3738868243cc9c6
Fetching users from LDAP requires creating public ids for them.
id_mapping_api does that. Creating public ids is slow, because it
requires performing N INSERTs for N users, and there is no way to
work around that. It leads to very slow responses to queries like
"list users".
By pre-creating these public ids we improve API users' experience.
Add keystone-manage mapping_populate command that creates id mapping entries
for users.
bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I98f795854aee26f9e7f668372c47572d2b6d4f0f
It was possible to create a credential without providing a project_id
and later updating it to the ec2 type.
This patch fixes the issue by adding a manual check in the
manager layer since it needs to check the old credential contents
prior to failing the request.
Change-Id: I1eb28a46c89e17d9c990cc798867d1a59714fe5f
Closes-Bug: #1613466
3 new migration repos are added, one for each of the new phases.
The existing "migrate_repo" is now frozen (except for backports).
The sql_banned operations tests are now applied both to the
frozen legacy repo and the expand repo.
This patch contains a null first migration in each repo (some
of our support methods don't handle empty repos) - follow on
patches will add actual migration scripts to these repos.
Implements: blueprint manage-migration
Change-Id: Ie68b463b7a3acbf39486d75026b80bf5dcbc5288
The minimum password age is the period at which a password must be used
before it can be changed. This prevents users from immediately wiping
out their password history in order to use an old password.
Partially-implements: blueprint pci-dss
Change-Id: Ib1367bc69b791ef35de8f18704437e8fc233afdf
This patch adds a new user response attribute, password_expires_at,
to the Identity API v3 documentation.
Password expires validation implementation:
https://review.openstack.org/333360
Depends-On: I07c10de627898d6ac79578dc24292ded4a2190f1
Partially-implements: blueprint pci-dss
Change-Id: I37136f79488d7469f0b8b24e3f5628899e40cac0
The domain config via API is marked stable. Tests are updated
and the cli for updating domain configs is marked deprecated.
implements bp domain-config-as-stable
Change-Id: I7bf0a914be13f88313c14bc196369de49cc7413f
"Shadow users: unified identity" implementation:
Allow concrete role assignments for federated users. Currently,
federated users get roles from mapped group assignments. However, with
the shadow users implementation, federated users are mapped to
identities in the backend and thus can be assigned roles.
This patch returns locally assigned roles with the mapped group roles
for federated users, allowing authorization for those roles.
bp shadow-users-newton
Change-Id: I9a150ded6c4b556627147d2671be15d6a3794ba5
When using list_limit configuration option in Default section of
keystone.conf, the /services?name=<service_name> API fails to find
the service if list_limit value is smaller than the total number
of services and the searched service is not among the first
'list_limit' services. The API should first filter by name and
only afterwards truncate the result list.
Also, this patch fixes setting the 'truncated' attribute of the
driver's hint.limit object when truncating the list outside of the
driver_hints.truncated decorator, a problem exposed by fixing the
problem described in the first paragraph.
Closes-Bug: #1594482
Change-Id: I832f542c3cb0faf94a1e5bce5a894f7f4d26a8de
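As an added illustration of the ordering problem this commit describes (not keystone's own code; the service entries and the list_limit value are constructed), filtering after truncation misses a service that sits beyond the first list_limit entries, while filtering first finds it:

```python
# Added illustration (not keystone's code) of the list_limit ordering bug:
# truncating the service list before applying the name filter can drop the
# very service being searched for. Services and the limit are constructed.

LIST_LIMIT = 2  # stands in for [DEFAULT] list_limit in keystone.conf

# Constructed sample backend contents; "nova" sits past the first LIST_LIMIT entries.
SERVICES = [
    {"id": "s1", "name": "keystone", "type": "identity"},
    {"id": "s2", "name": "glance", "type": "image"},
    {"id": "s3", "name": "nova", "type": "compute"},
]


def truncate(entities, limit):
    """Apply list_limit and report whether anything was cut off.

    Returns (entities, truncated) so the caller can set the 'truncated'
    flag on its hints, as the commit describes."""
    if limit is not None and len(entities) > limit:
        return entities[:limit], True
    return list(entities), False


def filter_by_name(entities, name):
    """Mimic the ?name=<service_name> query filter."""
    return [e for e in entities if e["name"] == name]


def list_services_buggy(name, limit=LIST_LIMIT):
    """Before the fix: truncate first, then filter by name."""
    entities, truncated = truncate(SERVICES, limit)
    return filter_by_name(entities, name), truncated


def list_services_fixed(name, limit=LIST_LIMIT):
    """After the fix: filter by name first, then truncate the result."""
    matched = filter_by_name(SERVICES, name)
    return truncate(matched, limit)


if __name__ == "__main__":
    print("buggy:", list_services_buggy("nova"))  # -> ([], True): nova never found
    print("fixed:", list_services_fixed("nova"))  # -> one match, not truncated
```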
revoke_by_expiration is only useful if a token does not have an
audit_id or audit_chain_id. Tokens always have an audit ID, so
this function seems redundant. It was also deprecated in the
J release, with no timeline for its removal.
Change-Id: Ieb92a70ab782fa8ceb59dc807ea8647587be9e2b
bp: removed-as-of-newton
Since only the memcache backends (that are being removed) use the
kvs system in keystone now, this can be safely deprecated.
Change-Id: I395e66bc957465df0f38ccfc3c48900e1b3a3320
bp: deprecated-as-of-newton
These config options and their supporting command are only useful
when deploying keystone under eventlet; with that removed these
are redundant.
Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.
A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.
Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton
Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
This has been deprecated for 2 releases and can now be removed.
implements bp: removed-as-of-newton
Change-Id: I9a7b225d15953cec3f597a04c45020aff0bd60a8
Listing SPs currently doesn't support filtering records by any
attributes, but this is used in some places, such as the OpenStack
Client using `name` to filter the record.
SP doesn't have a `name` attribute but has `id` and `enabled`
attributes instead.
This patch enables the filtering of Service Providers based
on the `id` and `enabled` attributes so that the OpenStack Client or a
cURL query can benefit from it.
based off of: Ib672ba759d26bdd0eecd48451994b3451fb8648a
Closes-Bug: 1555830
Change-Id: Icdecaa44415786397ee8bb22de16d25cb8fe603a
Removed info that's internal to keystone and therefore not relevant
to deployers.
Consistent references to config option names. `` should be used for
literal string values, not references.
Change-Id: Ia7e11683ed3ae7f19fe6680848bdcbaed954f424
When a user is added or removed from a group we should emit a notification. The
notification has group as the resource type and the group ID as the
resource ID. The notification also includes the user, user ID, and the
operation that was done ('removed' or 'added').
This way consumers are notified of user and group memberships.
Change-Id: I93ca3a0cb2fe9b93f5370e5871be1f1b30d87f72
Closes-Bug: 1552639
There should be no reason to leave these settings disabled by default.
By enabling them, keystone runs faster and consumes fewer resources.
Change-Id: I9f8d27b1f6dba19067f38e940632dcf3420c2bfa
The reason db_sync needed to create the default domain is because we
needed a domain for existing v2 users. Since the migrations don't
add the domain_id to users anymore there's no need to create the
default domain.
DocImpact -- The install guide should be updated to say to use
keystone-manage bootstrap or to create the default domain if the
deployment is going to support v2.
Change-Id: I65860fe989ac2456b73bcc12fd02643564b24574
Support TOTP as a distinct authentication mechanism from Password.
bp totp-auth
Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: Ic0ccf89b9f35d3167a413b10f43be43cf892aead