344 Commits

Author SHA1 Message Date
David Stanek
b1b4350017 Removes KVS catalog backend
The templated backend relied on the KVS backend to implement some
functionality. The functionality (CRUD for endpoint, services, etc.) is
arguably incorrect since it won't actually change the contents of the
catalog. The read only methods have been fixed to use the templated data
and the write methods raise NotImplemented.

bp: removed-as-of-mitaka
Partial-Bug: #1077282
Closes-Bug: #1367113
Closes-Bug: #1269789
Change-Id: Iaa68b18f0b6d7e9f5dc0cbf7d21a3d90dcdc1ea4
2016-01-19 21:26:30 -05:00
Jenkins
fbf4eccb29 Merge "Add support for strict url safe option on new projects and domains" 2016-01-19 22:58:55 +00:00
Jenkins
cf03c0d1b1 Merge "Enable id, enabled attributes filtering for list IdP API" 2016-01-19 17:45:50 +00:00
Raildo Mascena
e63a8311fa Deprecating API v2.0
Keystone team decided to deprecate v2.0 on Mitaka.

DocImpact: The keystone team recommends using v3 of our Identity API, so we
decided to formally deprecate API v2.0 on Mitaka. Authentication
routes and EC2 routes will not be deprecated for now, they will be kept
around indefinitely.

Partially implements: bp deprecated-as-of-mitaka

Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: Ie3e484f08edd5acd3c89e76ba6a5c24d660a116d
2016-01-19 14:00:25 +00:00
Henry Nash
60b52c1248 Add support for strict url safe option on new projects and domains
Building on the earlier patch that provided the 'new' url name
restriction, this patch adds the 'strict' option that prevents
authenticating to projects and domains with unsafe names.

A release note and config documentation is also added that covers
both this and the earlier patch.

Partially Implements: blueprint url-safe-naming

Change-Id: Ie69025e7759bae1067e05d9190bede192a5e6830
2016-01-19 03:47:31 +00:00
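The three modes described in this commit (off, 'new' for refusing to create unsafe names, 'strict' for also refusing to authenticate to them) can be modelled in a few lines. This is an added illustration, not Keystone's own implementation: the `ResourceStore` class and `outcome` helper are hypothetical, and the rule for what counts as "unsafe" (a name that percent-encoding would change) is an assumption made here for the example.

```python
import urllib.parse

MODES = ("off", "new", "strict")


def is_url_safe(name):
    # Assumption for this example: a name is URL-safe iff percent-encoding it
    # changes nothing, i.e. it contains only the unreserved characters
    # A-Z a-z 0-9 - . _ ~
    return urllib.parse.quote(name, safe="") == name


class UnsafeName(ValueError):
    """Raised when the configured mode forbids an unsafe name."""


class ResourceStore:
    """Minimal in-memory store of project/domain names (hypothetical)."""

    def __init__(self, mode="off"):
        if mode not in MODES:
            raise ValueError("unknown url_safe mode: %r" % (mode,))
        self.mode = mode
        self.names = set()

    def create(self, name):
        # 'new' and 'strict' both refuse to create a resource with an unsafe
        # name; 'off' preserves the pre-existing behaviour.
        if self.mode != "off" and not is_url_safe(name):
            raise UnsafeName("refusing to create %r: name is not URL-safe" % (name,))
        self.names.add(name)
        return name

    def authenticate(self, name):
        # Only 'strict' additionally refuses to scope a token to an existing
        # resource whose name is unsafe (e.g. one created before the option
        # was turned on). 'new' lets such legacy names keep working.
        if name not in self.names:
            return False
        if self.mode == "strict" and not is_url_safe(name):
            raise UnsafeName("refusing to authenticate to %r: name is not URL-safe" % (name,))
        return True


def outcome(mode, name):
    """What each mode does at authentication time for a name that already
    existed before the option was set: 'allowed', 'refused' or 'unknown'."""
    store = ResourceStore("off")   # the name was created with the option off
    store.create(name)
    store.mode = mode
    try:
        return "allowed" if store.authenticate(name) else "unknown"
    except UnsafeName:
        return "refused"
```

The point of separating 'new' from 'strict' is operational: an existing deployment can stop the bleeding (no new unsafe names) without immediately locking users out of projects that already have unsafe names, then move to 'strict' once those have been renamed.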
Morgan Fainberg
39f6fefca1 Add release note for revert of c4723550aa95be403ff591dd132c9024549eff10
Change-Id: I5d3a235c0b4c8ba934795c92bccb207393974ad3
2016-01-17 20:42:36 +00:00
Dave Chen
cdd3ac454c Enable id, enabled attributes filtering for list IdP API
list IdP currently doesn't support filtering records by any
attributes, but this is used somewhere, such as OpenStack
Client using `name` to filter the record.

IdP doesn't have a `name` attribute but has `id`, `enabled`
attributes instead.

This patch enables the filtering of Identity Provider based
on `id`, `enabled` attributes so that OpenStack Client or the
CURL query can benefit from it.

Change-Id: Ib672ba759d26bdd0eecd48451994b3451fb8648a
Related-Bug: #1479837
Closes-Bug: #1525317
2016-01-16 11:58:05 +08:00
Henry Nash
a06bfe8be3 Support the reading of default values of domain configuration options
The whitelisted configuration options, that are supported as part
of the domain specific configuration functionality, can now have
their default values read via the Identity API.

DocImpact
Change-Id: I9b1073f4d43c69f03fc920eee2712305524c1300
Implements: blueprint domain-config-default
2016-01-15 06:20:38 +00:00
Jenkins
ef342b1a2b Merge "Tidy up release notes for V9 drivers" 2016-01-13 08:41:57 +00:00
Henry Nash
d252c7cdd5 Tidy up release notes for V9 drivers
The release notes included with the Assignment and Role V9 driver
patches included a line in the prelude section. This doesn't read
well when these are combined together.

Change-Id: Ib14f5994fdd72925aecc40470095fbef834f729c
2016-01-12 21:39:56 +00:00
Henry Nash
6be9f8c2f2 Create V9 version of resource driver interface
In preparation for projects acting as domains (which will result
in driver interface changes), a V9 version of the resource
interface is created, along with the wrapper support scaffolding
for V8 drivers.

Partially Implements: blueprint reseller

Change-Id: Iec6f7fe2347b64c8f721e968b816e6c1b4332d0a
2016-01-12 10:52:36 -03:00
Jenkins
9794489b1b Merge "Create V9 version of federation driver interface" 2016-01-12 11:19:18 +00:00
Jenkins
196b786305 Merge "Add audit IDs to revocation events" 2016-01-09 03:29:32 +00:00
Jenkins
a4adca6c50 Merge "Config option for insecure responses" 2016-01-06 09:08:58 +00:00
Henry Nash
2774d53355 Create V9 version of federation driver interface
In preparation for api changes for filtering, a V9 version of
the federation driver interface is created.

This patch also stops trying to load any of the contrib sql
models in our test runs, since these were a duplicative load
of the same models now that all contrib sql backends have moved
to the core tree. Not loading the contrib models is a
requirement for being able to test the V8 federation interface,
since otherwise two different models get loaded.

In addition, this patch fixes up the setup of restful test cases
to allow legacy driver overrides to be used in such tests. This
is useful for components (such as federation) that do not have
good manager level testing due to their single backend driver.

Change-Id: I179c5b86e42b8ac67b630b6871f1819c6f62c96b
Partial-Bug: #1525317
2016-01-06 08:28:19 +00:00
Jenkins
ffe45ebb42 Merge "fix up release notes, file deprecations under right title" 2015-12-30 00:28:13 +00:00
Jenkins
4ebf58566e Merge "Add keystone-manage bootstrap command" 2015-12-23 00:30:48 +00:00
Jenkins
6237d3c27e Merge "Enable os_inherit of Keystone v3 API" 2015-12-21 18:26:52 +00:00
Brant Knudson
d5378f173d Add audit IDs to revocation events
The revoked tokens' audit ID is now included in the data returned in
the revocation list.

Closes-Bug: 1490804
Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f
2015-12-17 10:46:23 -06:00
Ken'ichi Ohmichi
5ae155a3de Enable os_inherit of Keystone v3 API
The os_inherit extension was implemented two years ago, and the
API doc[1] also contains it. However, the os_inherit extension is disabled
by default. So it is nice to enable the extension for production,
development and testing.
This patch comes from the discussion[2].

NOTE: This patch removes a test class which tests the enabled os_inherit
      because os_inherit becomes enabled by default.

[1]: http://developer.openstack.org/api-ref-identity-v3-ext.html#identity_v3_OS-INHERIT-ext
[2]: http://lists.openstack.org/pipermail/openstack-dev/2015-December/081822.html

Closes-Bug: 1526660

Change-Id: Ifac71f7415f21c402f6e00c5264e972b0e80388c
2015-12-17 08:35:42 +00:00
Steve Martinelli
d1b7510797 fix up release notes, file deprecations under right title
the newest version of reno now includes support for a `deprecations`
section. move the previously marked "others" to the right spot.

Change-Id: I23eb2501c18e07d99e785bace7607f426e1fd53e
2015-12-14 22:27:47 -05:00
Morgan Fainberg
d446e15285 Add keystone-manage bootstrap command
Add the keystone-manage bootstrap command so that admin_token can
be deprecated/removed in the future. This will allow for bootstrapping
an initial user into the cloud instead of needing a global-admin
token to perform initial actions.

Change-Id: I113c6934b6b83ceff23a94101967a6df1126873f
bp: bootstrap
2015-12-12 12:56:49 -08:00
Henry Nash
1c40fe4c04 Fix defect in list_user_ids that only lists direct user assignments
The assignment manager method list_user_ids_for_projects fails to
honor either group or inherited assignments. Since this is used
to generate token invalidations, we could be leaving tokens out there
which should be killed.

Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>

Change-Id: I0ad41a635ea060be351a3cb37fb42e5ab46a40df
Closes-Bug: #1513893
2015-12-11 14:16:54 +00:00
Henry Nash
05c5f71b1f Use list_role_assignments to get projects/domains for user
Now that list_role_assignments is parameterized, we can use it
to replace bespoke code that also tries to evaluate assignments
and inheritance, such as getting projects and domains for a user.

This not only makes assignment manager easier to maintain, but
will also simplify upcoming changes to inheritance.

Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>

Partially Implements: blueprint assignment-manager-cleanup

Change-Id: Ie5441ab469668aa23418ca2290c43693e04142dc
2015-12-11 14:09:00 +00:00
Jenkins
9c79319cf2 Merge "Ensure endpoints returned is filtered correctly" 2015-12-10 00:52:45 +00:00
Jenkins
c7fbb783e8 Merge "Create V9 Role Driver" 2015-12-10 00:50:51 +00:00
Jenkins
e6d8901109 Merge "Create new version of assignment driver interface" 2015-12-10 00:41:02 +00:00
Jenkins
3ac286897f Merge "Deprecate the pki and pkiz token providers." 2015-12-09 07:52:34 +00:00
Henry Nash
3f888260a7 Create V9 Role Driver
In preparation for new role driver methods for implied roles, this
patch creates a new version of the role driver.

Partially Implements: blueprint implied-roles

Change-Id: I00cc57a77a23ed30d86fce8e309f6b27c4ae26a1
2015-12-08 23:21:24 -05:00
Henry Nash
8913cd8299 Create new version of assignment driver interface
In preparation for removing a series of driver methods in
the rationalization of assignment in follow-on patches, we
first create a V9 version of the driver interface. In this
patch, both V8 and V9 are identical.

To create the new V9 driver we:

1) Copy the sql V8 driver into its own directory to provide a
test for support of a legacy driver
2) Increase the version of the (new) standard driver to V9
3) Create a wrapper for V8 legacy drivers, so that the latest
manager can be driver version-less
4) Create tests that run the standard sql Identity tests
against the V8 driver to show, going forward, it is still working.
Since our existing test strategy assumes that we never change the
sqlalchemy models during a test run, this turned out to be slightly
more complex than anticipated - so a new tox envlist target for legacy
drivers is added.

Partially Implements: blueprint assignment-manager-cleanup
Change-Id: Iefa13b64084b8e71c881ae08e1ec434d24756c17
2015-12-08 23:13:33 -05:00
Jenkins
3843a8f1c6 Merge "Deprecate ldap Role" 2015-12-08 10:52:13 +00:00
Jenkins
0cc113b09f Merge "Cleans up code for is_admin in tokens" 2015-12-08 09:15:42 +00:00
Samuel de Medeiros Queiroz
e923a14afd Cleans up code for is_admin in tokens
This patch cleans up the code [1] based on comments left in the review.

[1] https://review.openstack.org/#/c/240719/

Change-Id: I972621c22afefa9bd5f32caf67fd1bf3b6822a3d
2015-12-07 19:30:37 -03:00
Brad Topol
22ab08fb25 Deprecate ldap Role
The LDAP backend for assignment and resource drivers has been
deprecated since the 'K' release. It's been decided that it's time
to deprecate LDAP role, since without the support for assignment
and resource, the role backend is likely broken.

The LDAP role backend was split from assignment backend and should
have also been deprecated according to the agreement from the keystone
team, but it looks like it was missed [1].

[1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html

Change-Id: I390f5c2fb36d617a83fce618708febca3da9f1d2
implements: bp deprecated-as-of-mitaka
2015-12-07 13:19:54 -08:00
Jenkins
fcff3f4c6d Merge "set is_admin on tokens for admin project" 2015-12-05 00:37:37 +00:00
Lance Bragstad
8304ffadc1 Deprecate the pki and pkiz token providers.
Upon making fernet the default token provider, we
should deprecate pki and pkiz due to a security
vulnerability. Deprecation should be in favor of fernet.

implements: bp deprecated-as-of-mitaka
Change-Id: I469758029a9e89e7cdcbac4445eab8eedd6c2859
Depends-On: I34b7b7c34fa34551c0fdf9bdeb1ffaa432c10adc
2015-12-04 03:28:29 +00:00
Dave Chen
f86448a311 Ensure endpoints returned is filtered correctly
This patch moves some logic to the manager layer, so that endpoints
filtered by endpoint_group project association will be included
in the catalog when issuing a project scoped token and using
`endpoint_filter.sql` as the catalog's backend driver.

This makes sure that calling the `list_endpoints_for_project` API
returns the same endpoints as the catalog returned for a project
scoped token.

Change-Id: I56f4eb6fc524650677b627295dd4338d55164c39
Closes-Bug: #1516469
2015-12-03 11:00:45 +08:00
Steve Martinelli
d120187f53 Add release notes for mitaka-1
Create release notes for mitaka-1

Change-Id: If12c87469ddf7d01f901331c569731cd011a71f0
2015-12-01 17:32:49 -05:00
Adam Young
e7023697a8 set is_admin on tokens for admin project
Adds two new configuration values:

admin_project_name
admin_project_domain_name

If both values are set, and tokens requested for
projects (only, not domains) that match both will have an
additional value in them;  `is_admin_project=true`

DocImpact
-- Configuration changes need documentation
APIImpact
-- Adds optional return values in token validation calls
SecurityImpact
-- Should be helpful in making access control decisions

Implements: blueprint is-admin-project
Partial-Bug: #968696

Change-Id: Ic9cf9862739381a30130b4be87075f726736ff88
2015-12-01 10:33:27 -05:00
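The rule stated in this commit (both options set, project-scoped tokens only, both name and domain must match) and the intended consumer (a service making an access control decision) can be shown end to end. This is an added example, not Keystone's code: the two option names come from the commit message, but the `Config` holder, the token dictionary layout and the `is_cloud_admin` policy helper are assumptions made for the illustration.

```python
class Config:
    """Holder for the two options named in the commit (hypothetical)."""

    def __init__(self, admin_project_name=None, admin_project_domain_name=None):
        self.admin_project_name = admin_project_name
        self.admin_project_domain_name = admin_project_domain_name


def is_admin_project(conf, scope):
    """True only for a project-scoped request whose project name AND domain
    name both match the configured values. Domain-scoped or unscoped requests
    never qualify, and the feature is inert unless both options are set."""
    if not (conf.admin_project_name and conf.admin_project_domain_name):
        return False
    project = scope.get("project")
    if project is None:                      # domain-scoped or unscoped
        return False
    return (project.get("name") == conf.admin_project_name
            and project.get("domain", {}).get("name") == conf.admin_project_domain_name)


def issue_token(conf, user, roles, scope):
    """Assumed token layout: user, roles, the scope keys, and the flag only
    when it is true (absent otherwise, matching 'optional return value')."""
    token = {"user": user, "roles": list(roles)}
    token.update(scope)
    if is_admin_project(conf, scope):
        token["is_admin_project"] = True
    return token


def is_cloud_admin(token):
    """Consumer side: a service needing a cloud-wide admin check reads the flag
    the identity service set instead of comparing project names itself, so it
    needs no copy of the admin project configuration, and a user who merely
    holds the admin role on some other project is not promoted."""
    return token.get("is_admin_project") is True and "admin" in token.get("roles", [])
```

The security point is that the "admin role on any project makes you cloud admin" problem referenced by the bug number cannot be fixed by each service comparing project names locally: the identity service is the only component that knows the configured admin project, so it asserts the flag in the validated token and consumers check that flag together with the role.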
Jenkins
84f6214104 Merge "Add release notes for mitaka thus far" 2015-11-24 18:08:55 +00:00
Steve Martinelli
770264f239 Add release notes for mitaka thus far
Add release notes for patches that have landed in mitaka prior to
using reno for release notes management.

Change-Id: Icaa875c344e75888764a94aff941f442126403df
2015-11-23 16:29:39 -05:00
Steve Martinelli
10cf8cfd42 deprecate enabled option for endpoint-policy extension
the endpoint-policy extension, like the other recently moved
extensions, should always be enabled. Since this option made
its way into the liberty release, we need to mark the option
as deprecated in M and remove it in O

implements bp: move-extensions

Change-Id: I5c01da0663c636bc6e2d9f12ac02b53edb9a277f
2015-11-19 15:15:18 +00:00
Brant Knudson
2afad4dc30 Config option for insecure responses
oslo.log's "debug" option was co-opted to also indicate that the
responses should include more information. A separate config
option should be used instead so that deployers don't mistakenly
expose themselves to security issues.

The debug option still is used for what it does in oslo.log and
how it works on all other projects -- if you're not using a log
config file it sets the base logger to debug.

SecurityImpact

Change-Id: Icf8dd2f0b88abc89092d487bbcefb525960c4ec6
Closes-Bug: 1479523
2015-11-19 08:16:07 -06:00
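The hazard this commit removes is easy to reproduce in miniature: an error renderer that keys the amount of detail in the HTTP response off the logging `debug` flag leaks internals to every client the moment an operator turns on verbose logging. Below is an added example, not Keystone's code, contrasting that behaviour with a renderer gated on a separate option; the option name `insecure_debug`, the `Config` holder, the `AuthError` class and the response shape are assumptions made for the illustration.

```python
import logging

LOG = logging.getLogger("auth-example")


class Config:
    def __init__(self, debug=False, insecure_debug=False):
        self.debug = debug                    # oslo.log-style: log verbosity only
        self.insecure_debug = insecure_debug  # explicit opt-in to put detail in responses


class AuthError(Exception):
    def __init__(self, public_message, detail):
        super().__init__(public_message)
        self.public_message = public_message  # safe to send to any caller
        self.detail = detail                  # internal: why it really failed


def render_error_before(conf, exc):
    """The problematic behaviour: the logging 'debug' flag also decides whether
    internal detail (e.g. whether the user exists) reaches the client."""
    body = {"error": {"code": 401, "message": exc.public_message}}
    if conf.debug:
        body["error"]["message"] += " " + exc.detail
    return body


def render_error_after(conf, exc):
    """Detail is always written to the server log; it reaches the client only
    when the dedicated insecure_debug option is on, whatever debug is set to."""
    LOG.debug("authentication failure: %s (%s)", exc.public_message, exc.detail)
    body = {"error": {"code": 401, "message": exc.public_message}}
    if conf.insecure_debug:
        body["error"]["message"] += " " + exc.detail
        body["error"]["message"] += " (Disable insecure_debug mode to suppress these details.)"
    return body


def leaks_detail(body, exc):
    """Check used below: does the client-visible message contain the internal detail?"""
    return exc.detail in body["error"]["message"]
```

The distinction matters because `debug` is routinely enabled in production to chase an unrelated problem; with the old coupling that single change turned every failed authentication into a user-enumeration oracle. A deployer who really wants the detail on the wire now has to set an option whose name says what it does.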
Steve Martinelli
a18e359ad7 Add reno for release notes management
An initial patch to add reno and create a base directory for
release notes

Change-Id: I187f63dff3603fa9690f7bfa2dc6d5b53193b21a
2015-11-10 16:10:00 -05:00