344 Commits

Author SHA1 Message Date
Dave Chen
be5385c538 Handle the exception from creating access token properly
If there is any request from a client with invalid request
parameters, an invalid signature for example, keystone should
capture that and raise the exception.

Previously, a `NotImplementedError` or `TypeError` was thrown and
presented directly to the end user, and no helpful message
was given.

This patch fixes that and shows as much of the exception message
as is helpful for diagnosis.

Change-Id: I112d0cd0c8a460c7b4d8d0e1c0b9c742aab9fde7
Closes-Bug: #1616424
2016-09-21 11:18:19 +00:00
Jenkins
38b7620d27 Merge "Update reno for stable/newton" 2016-09-16 13:20:07 +00:00
Jenkins
fd07435385 Merge "EndpointPolicy driver doesn't inherit interface" 2016-09-15 19:33:38 +00:00
Davanum Srinivas
981b46c33a Update reno for stable/newton
Change-Id: Iad242afa4a71b546b2a78c5a22ddfa3b5b22c2fd
2016-09-15 10:23:06 -04:00
Doug Hellmann
06b050cfa3 standardize release note page ordering
In order to support automatically updating the release notes when we
create stable branches, we want the pages to be in a standard order.
This patch updates the order to be reverse chronological, so the most
recent notes appear at the top.

Change-Id: Ib364dcc8eb31275a31c83b68d7914263b183e393
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2016-09-08 14:53:59 -04:00
Jenkins
470a8a50c0 Merge "Project domain must match role domain for assignment" 2016-09-08 03:46:04 +00:00
Sean Perry
73bdbe1f87 Project domain must match role domain for assignment
When assigning a Domain specific role to a user it is OK if the user
is from a different domain, but the project's domain must match the
role's domain.

Closes-Bug: 1590587
Change-Id: I1d63415de0130794939998c3e142ebdce9ddf39d
2016-09-07 11:43:53 -07:00
Eric Brown
3c3df9049b More nit doc fixes
Fixed some more trivial doc items missed in the previous patch.

* Removed extra underlining characters
* Removed extra blank lines at the end of the file

Change-Id: Ida511ff6fc0d28ee68c1ded1e272ed9cba1be4d7
2016-09-07 11:27:14 -07:00
Harini
97585c15a6 EndpointPolicy driver doesn't inherit interface
Added the driver interface 'base.EndpointPolicyDriverV8' as super class
of the sql driver implementation.

Removed unused methods from driver interface and added release notes.

Change-Id: I198dcbda7591e0dafb1da3a72e3f32b258c0e299
Closes-Bug: #1611102
2016-09-07 15:07:51 +05:30
Jenkins
9a87dd509c Merge "Fixes migration where password created_at is nullable" 2016-09-01 20:50:08 +00:00
Jenkins
cae712d530 Merge "Document credential encryption" 2016-09-01 17:58:52 +00:00
Ronald De Rose
2b70175282 Fixes migration where password created_at is nullable
The 105 migration added a password created_at column that was left as
nullable. This patch sets a default value for password created_at and
makes this column not nullable.

Closes-Bug: #1596500
Change-Id: I394467d554c786ecd9bf55367435c856c6723042
2016-09-01 17:15:47 +00:00
Werner Mendizabal
0e7ab57241 Document credential encryption
Add documentation on how credential encryption works, and a release note.

bp credential-encryption

Change-Id: Ib06c86a17e585f43bfa8aedf3d5e89d3163cc9da
2016-08-31 21:28:42 +00:00
Alexander Makarov
7260b55cfc Pre-cache new tokens
Since tokens are most often used right after being created,
cache them to bypass redundant validation.
The patch uses dogpile.cache internal functionality, so some
calls may look strange.

Implements bp pre-cache-tokens

Change-Id: I2e720eed6b0066738181afd1cbf73c5ff4d876f5
2016-08-31 20:14:53 +03:00
Boris Bobrov
f534f36246 Faster id mapping lookup
id_mapping_api was designed to make a query per entity to fetch
public ids. This led to very poor performance when there were many
entries in LDAP. For example, for 15k entries 15k MySQL queries were
required. For the first run 15k INSERTs were required, which makes
things even worse.

Change this behavior to fetch related mappings from MySQL as a list and
perform the necessary join in-memory.

bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I2c266e91f2f05be760f8a3eea3738868243cc9c6
2016-08-26 16:39:32 +03:00
Jenkins
6d8ad9c27e Merge "Add mapping_populate command" 2016-08-25 00:38:40 +00:00
Boris Bobrov
b1fdad9875 Add mapping_populate command
Fetching users from LDAP requires creating public ids for them.
id_mapping_api does that. Creating public ids is slow, because it
requires performing N INSERTs for N users, and there is no way to
work around that. It leads to very slow responses to queries like
"list users".

By pre-creating these public ids we improve API users' experience.

Add keystone-manage mapping_populate command that creates id mapping entries
for users.

bp ldap-preprocessing
Partial-Bug: 1582585
Change-Id: I98f795854aee26f9e7f668372c47572d2b6d4f0f
2016-08-23 20:52:10 +00:00
Rodrigo Duarte Sousa
8144e28336 Fix credential update to ec2 type
It was possible to create a credential without providing a project_id
and later update it to the ec2 type.

This patch fixes the issue by adding a manual check in the
manager layer, since it needs to check the old credential contents
prior to failing the request.

Change-Id: I1eb28a46c89e17d9c990cc798867d1a59714fe5f
Closes-Bug: #1613466
2016-08-23 06:58:03 +00:00
Jenkins
ed9aa5ba34 Merge "Add expand, data migration and contract logic to keystone-manage" 2016-08-20 00:50:10 +00:00
Jenkins
c4d4c5bca8 Merge "Replace the content type with correct one" 2016-08-19 19:28:57 +00:00
Henry Nash
96ec431aa0 Add expand, data migration and contract logic to keystone-manage
3 new migration repos are added, one for each of the new phases.
The existing "migrate_repo" is now frozen (except for backports).
The sql_banned operations tests are now applied both to the
frozen legacy repo and the expand repo.

This patch contains a null first migration in each repo (some
of our support methods don't handle empty repos) - follow on
patches will add actual migration scripts to these repos.

Implements: blueprint manage-migration
Change-Id: Ie68b463b7a3acbf39486d75026b80bf5dcbc5288
2016-08-18 10:37:56 +01:00
Ronald De Rose
b4ff783989 PCI-DSS Minimum password age requirements
The minimum password age is the period at which a password must be used
before it can be changed. This prevents users from immediately wiping
out their password history in order to use an old password.

Partially-implements: blueprint pci-dss
Change-Id: Ib1367bc69b791ef35de8f18704437e8fc233afdf
2016-08-16 21:47:49 +00:00
Dave Chen
72b274defc Replace the content type with correct one
The content type `application/x-www-urlformencoded` used in the
OAuth1 extension is not spelled correctly; the correct one
should be `application/x-www-form-urlencoded` according to the
W3C recommendation [1] and the implementation in the oauth1 lib [2].

[1] https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1
[2] https://github.com/idan/oauthlib/blob/master/oauthlib/oauth1/rfc5849/__init__.py#L39

Change-Id: I9ead0a633e3801f5150685c44b1174d3b4dc408c
2016-08-16 21:26:06 +08:00
Ronald De Rose
dfd5d25910 PCI-DSS Adds password_expires_at to API docs
This patch adds a new user response attribute, password_expires_at,
to the Identity API v3 documentation.

Password expires validation implementation:
https://review.openstack.org/333360

Depends-On: I07c10de627898d6ac79578dc24292ded4a2190f1
Partially-implements: blueprint pci-dss
Change-Id: I37136f79488d7469f0b8b24e3f5628899e40cac0
2016-07-22 17:47:27 +00:00
Brad Topol
a5c5f5bce8 Mark the domain config via API as stable
The domain config via API is marked stable. Tests are updated
and the cli for updating domain configs is marked deprecated.

implements bp domain-config-as-stable

Change-Id: I7bf0a914be13f88313c14bc196369de49cc7413f
2016-07-08 14:44:30 -07:00
Jenkins
7460877945 Merge "Concrete role assignments for federated users" 2016-06-29 23:24:15 +00:00
Ronald De Rose
eed233cac8 Concrete role assignments for federated users
"Shadow users: unified identity" implementation:
Allow concrete role assignments for federated users. Currently,
federated users get roles from mapped group assignments. However, with
the shadow users implementation, federated users are mapped to
identities in the backend; thus, can be assigned roles.

This patch returns locally assigned roles along with the mapped group roles
for federated users, allowing authorization for those roles.

bp shadow-users-newton

Change-Id: I9a150ded6c4b556627147d2671be15d6a3794ba5
2016-06-29 02:24:03 +00:00
Roxana Gherle
6a9a9f002f /services?name=<name> API fails when using list_limit
When using the list_limit configuration option in the Default section of
keystone.conf, the /services?name=<service_name> API fails to find
the service if the list_limit value is smaller than the total number
of services and the searched service is not among the first
'list_limit' services. The API should first filter by name and
only afterwards truncate the result list.

Also, this patch fixes setting the 'truncated' attribute of the
driver's hint.limit object when truncating the list outside of
driver_hints.truncated decorator, problem exposed by fixing the
problem described in the first paragraph.

Closes-Bug: #1594482
Change-Id: I832f542c3cb0faf94a1e5bce5a894f7f4d26a8de
2016-06-21 14:22:19 -07:00
Steve Martinelli
3965fbef4d remove deprecated revoke_by_expiration function
revoke_by_expiration is only useful if a token does not have an
audit_id or audit_chain_id. Tokens always have an audit ID, so
this function seems redundant. It was also deprecated in the
J release, with no timeline for its removal.

Change-Id: Ieb92a70ab782fa8ceb59dc807ea8647587be9e2b
bp: removed-as-of-newton
2016-05-22 14:39:58 +00:00
Jenkins
80de69ae9d Merge "reorganize mitaka release notes" 2016-05-21 20:34:01 +00:00
Morgan Fainberg
4025cb617e Add python 3 release note.
Add release note indicating the support for python 3

Change-Id: I9301b2a216fb7c6141fe436c3a920aa5c1063979
2016-05-20 21:54:54 +00:00
Steve Martinelli
363920bfb7 reorganize mitaka release notes
- make sure v2 deprecation and PKI deprecation are
  front and centre

Change-Id: I90e125258db39662231d2631b491e557710306da
2016-05-18 17:33:32 +00:00
Morgan Fainberg
f6fdda62ae Use PyLDAP instead of python-ldap
For py3 compatibility use the pyldap library instead of python-ldap.

Change-Id: I01315fe6798eeebd7f5bf0c727dac780c9a1a12e
2016-05-18 02:38:34 -04:00
Morgan Fainberg
108310bf54 Deprecate keystone.common.kvs
Since only the memcache backends (that are being removed) use the
kvs system in keystone now, this can be safely deprecated.

Change-Id: I395e66bc957465df0f38ccfc3c48900e1b3a3320
bp: deprecated-as-of-newton
2016-05-12 23:30:15 -07:00
Steve Martinelli
20b851b240 Remove support for generating ssl certs
These config options and their supporting command are only useful
when deploying keystone under eventlet; with that removed, these
are redundant.

Change-Id: I7c602805bba2c658d3280811ed8919f78ed3aa0d
implements: bp removed-as-of-newton
2016-04-19 08:58:36 -03:00
Steve Martinelli
ac039414ce Remove eventlet support
Eventlet has been deprecated since the Kilo release and is
being removed in Newton.

A follow on patch will be proposed to remove the [ssl] section
since it is now redundant.

Co-Authored-By: Grzegorz Grasza <grzegorz.grasza@intel.com>
Partially implements: bp removed-as-of-newton

Change-Id: I963d94bbd188dbb6eba68623a42c5bc3f2289da4
2016-04-18 18:07:28 +00:00
Alexander Makarov
3306dc20ba OSprofiler release notes
Change-Id: Ic642caac9fd03548b513ba557212383798853135
2016-04-13 23:47:45 +00:00
Steve Martinelli
00bfbb938c remove endpoint_policy from contrib
This has been deprecated for 2 releases and can now be removed.

implements bp: removed-as-of-newton

Change-Id: I9a7b225d15953cec3f597a04c45020aff0bd60a8
2016-03-19 15:03:21 -04:00
Boris Bobrov
1041d3340c Add release note for list_limit support
Change-Id: I8a91f681b4d1c1c018bf5d6faf75d2d841ac0383
Related-Bug: 1501698
2016-03-18 18:15:41 +03:00
Doug Hellmann
50ffcbfdc5 Update reno for stable/mitaka
Change-Id: I995b6395852853ad3e838020cc2a3e0560025367
2016-03-16 16:41:31 -04:00
Steve Martinelli
cecf6048f2 Support id and enabled attributes when listing service providers
Listing SPs currently doesn't support filtering records by any
attribute, but this is used in places, such as OpenStack
Client using `name` to filter the record.

An SP doesn't have a `name` attribute but has `id` and `enabled`
attributes instead.

This patch enables the filtering of Service Providers based
on the `id` and `enabled` attributes so that OpenStack Client or a
cURL query can benefit from it.

based off of: Ib672ba759d26bdd0eecd48451994b3451fb8648a

Closes-Bug: 1555830

Change-Id: Icdecaa44415786397ee8bb22de16d25cb8fe603a
2016-03-16 13:27:12 -04:00
Brant Knudson
ee2724a2a2 Release note cleanup
Removed info that's internal to keystone and therefore not relevant
to deployers.

Consistent references to config option names. `` should be used for
literal string values, not references.

Change-Id: Ia7e11683ed3ae7f19fe6680848bdcbaed954f424
2016-03-14 19:04:58 +00:00
Lance Bragstad
90c15100c4 Add notifications to user/group membership
When a user is added or removed from a group we should emit a notification. The
notification has group as the resource type and the group ID as the
resource ID. The notification also includes the user, user ID, and the
operation that was done ('removed' or 'added').

This way consumers are notified of user and group memberships.

Change-Id: I93ca3a0cb2fe9b93f5370e5871be1f1b30d87f72
Closes-Bug: 1552639
2016-03-09 17:20:33 +00:00
Henry Nash
2a3a1eb019 Add release notes for projects acting as domains.
Change-Id: I94473e096b040106498f7d2ce1df290b62b68f45
Partially-Implements: blueprint reseller
2016-03-02 15:15:59 +00:00
Dolph Mathews
22b114f647 Enable LDAP connection pooling by default
There should be no reason to leave these settings disabled by default.
By enabling them, keystone runs faster and consumes fewer resources.

Change-Id: I9f8d27b1f6dba19067f38e940632dcf3420c2bfa
2016-02-26 14:19:10 +00:00
Jenkins
f699ca93fc Merge "db_sync doesn't create default domain" 2016-02-24 21:06:37 +00:00
Brant Knudson
a7b7fea7a3 db_sync doesn't create default domain
The reason db_sync needed to create the default domain is because we
needed a domain for existing v2 users. Since the migrations don't
add the domain_id to users anymore there's no need to create the
default domain.

DocImpact -- The install guide should be updated to say to use
keystone-manage bootstrap or to create the default domain if the
deployment is going to support v2.

Change-Id: I65860fe989ac2456b73bcc12fd02643564b24574
2016-02-23 22:07:39 +00:00
David Stanek
c9da61f70d Updates TOTP release note
Adds a link as suggested in Ic0ccf89b9f35d3167a413b10f43be43cf892aead

bp totp-auth

Change-Id: I818273856dfccb9a08ad45fa1fc3fd449460ef26
2016-02-23 11:35:12 +00:00
werner mendizabal
900c2a6d0b Time-based One-time Password
Support TOTP as a distinct authentication mechanism from Password.

bp totp-auth

Co-Authored-By: David Stanek <dstanek@dstanek.com>
Change-Id: Ic0ccf89b9f35d3167a413b10f43be43cf892aead
2016-02-19 10:42:29 -08:00
Jenkins
303f681b16 Merge "Adds user_description_attribute mapping support to the LDAP backend" 2016-02-19 00:20:36 +00:00