The templated backend relied on the KVS backend to implement some
functionality. The functionality (CRUD for endpoint, services, etc.) is
arguably incorrect since it won't actually change the contents of the
catalog. The read only methods have been fixed to use the templated data
and the write methods raise NotImplemented.
bp: removed-as-of-mitaka
Partial-Bug: #1077282
Closes-Bug: #1367113
Closes-Bug: #1269789
Change-Id: Iaa68b18f0b6d7e9f5dc0cbf7d21a3d90dcdc1ea4
Keystone team decided to deprecate v2.0 on Mitaka.
DocImpact: The keystone team recommends using v3 of our Identity API, so we
decided to formally deprecate API v2.0 on Mitaka. Authentication
routes and EC2 routes will not be deprecated for now, they will be kept
around indefinitely.
Partially implements: bp deprecated-as-of-mitaka
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: Ie3e484f08edd5acd3c89e76ba6a5c24d660a116d
Building on the earlier patch that provided the 'new' url name
restriction, this patch adds the 'strict' option that prevents
authenticating to projects and domains with unsafe names.
A release note and config documentation is also added that covers
both this and the earlier patch.
Partially Implements: blueprint url-safe-naming
Change-Id: Ie69025e7759bae1067e05d9190bede192a5e6830
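The following is an added illustration of the naming policy the commit above describes (an 'off' / 'new' / 'strict' switch over URL-reserved characters in project and domain names). It is example code written for this page, not keystone's own implementation; the function names, the exception class and the exact reserved-character set (taken from RFC 3986) are assumptions.

```python
# Example: URL-safe naming policy for project/domain names (not keystone's code).
# Characters reserved by RFC 3986; a name containing any of them is ambiguous
# when it appears inside a URL path such as /v3/projects/<name>.
URL_RESERVED_CHARS = ":/?#[]@!$&'()*+,;="

VALID_MODES = ("off", "new", "strict")


class UnsafeName(ValueError):
    """Raised when a name violates the configured url-safe policy."""


def list_url_unsafe_chars(name: str) -> str:
    """Return every reserved character found in `name`, in order of appearance."""
    return "".join(ch for ch in name if ch in URL_RESERVED_CHARS)


def is_url_unsafe(name: str) -> bool:
    return bool(list_url_unsafe_chars(name))


def check_name(name: str, mode: str, *, at_auth: bool) -> None:
    """Enforce the policy, raising UnsafeName on violation.

    mode='off'    : nothing is checked.
    mode='new'    : creating a project/domain with an unsafe name is rejected,
                    but scoping a token to an existing one still works.
    mode='strict' : both creation and authentication are rejected, so a
                    pre-existing unsafe name can no longer be used at all.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"unknown url-safe mode {mode!r}")
    if mode == "off":
        return
    if at_auth and mode == "new":
        # 'new' only restricts creation; existing names keep working.
        return
    bad = list_url_unsafe_chars(name)
    if bad:
        raise UnsafeName(
            f"name {name!r} contains URL-reserved characters {bad!r}")


def scope_allowed(name: str, mode: str, *, at_auth: bool) -> bool:
    """Boolean wrapper around check_name, convenient for policy evaluation."""
    try:
        check_name(name, mode, at_auth=at_auth)
    except UnsafeName:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names.
    for name in ("finance", "finance/ops", "team?x=1"):
        for mode in VALID_MODES:
            print(f"{name!r:14} mode={mode:6} create={scope_allowed(name, mode, at_auth=False)!s:5} "
                  f"auth={scope_allowed(name, mode, at_auth=True)}")
```

Note the operational caveat implied by the two modes: switching straight to 'strict' locks out tokens for any existing project or domain whose name already contains a reserved character, so the names should be audited (list_url_unsafe_chars on each) before 'strict' is enabled.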
Listing IdPs currently doesn't support filtering records by any
attributes, but this is used somewhere, such as OpenStack
Client using `name` to filter the record.
IdP doesn't have a `name` attribute, but has `id` and `enabled`
attributes instead.
This patch enables the filtering of Identity Provider based
on `id`, `enabled` attributes so that OpenStack Client or the
CURL query can benefit from it.
Change-Id: Ib672ba759d26bdd0eecd48451994b3451fb8648a
Related-Bug: #1479837
Closes-Bug: #1525317
The whitelisted configuration options, that are supported as part
of the domain specific configuration functionality, can now have
their default values read via the Identity API.
DocImpact
Change-Id: I9b1073f4d43c69f03fc920eee2712305524c1300
Implements: blueprint domain-config-default
The release notes included with the Assignment and Role V9 driver
patches included a line in the prelude section. This doesn't read
well when these are combined together.
Change-Id: Ib14f5994fdd72925aecc40470095fbef834f729c
In preparation for projects acting as domains (which will result
in driver interface changes), a V9 version of the resource
interface is created, along with the wrapper support scaffolding
for V8 drivers.
Partially Implements: blueprint reseller
Change-Id: Iec6f7fe2347b64c8f721e968b816e6c1b4332d0a
In preparation for api changes for filtering, a V9 version of
the federation driver interface is created.
This patch also stops trying to load any of the contrib sql
models in our test runs, since these were a duplicate load
of the same models now that all contrib sql backends have moved
to the core tree. Not loading the contrib models is a
requirement for being able to test the V8 federation interface,
since otherwise two different models get loaded.
In addition, this patch fixes up the setup of restful test cases
to allow legacy driver overrides to be used in such tests. This
is useful for components (such as federation) that do not have
good manager level testing due to their single backend driver.
Change-Id: I179c5b86e42b8ac67b630b6871f1819c6f62c96b
Partial-Bug: #1525317
The revoked tokens' audit ID is now included in the data returned in
the revocation list.
Closes-Bug: 1490804
Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f
the newest version of reno now includes support for a `deprecations`
section. move the previously marked "others" to the right spot.
Change-Id: I23eb2501c18e07d99e785bace7607f426e1fd53e
Add the keystone-manage bootstrap command so that admin_token can
be deprecated/removed in the future. This will allow for bootstrapping
an initial user into the cloud instead of needing a global-admin
token to perform initial actions.
Change-Id: I113c6934b6b83ceff23a94101967a6df1126873f
bp: bootstrap
The assignment manager method list_user_ids_for_projects fails to
honor either group or inherited assignments. Since this is used
to generate token invalidations, we could be leaving tokens out there
which should be killed.
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Change-Id: I0ad41a635ea060be351a3cb37fb42e5ab46a40df
Closes-Bug: #1513893
Now that list_role_assignments is parameterized, we can use it
to replace bespoke code that also tries to evaluate assignments
and inheritance, such as getting projects and domains for a user.
This not only makes assignment manager easier to maintain, but
will also simplify upcoming changes to inheritance.
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Partially Implements: blueprint assignment-manager-cleanup
Change-Id: Ie5441ab469668aa23418ca2290c43693e04142dc
In preparation for new role driver methods for implied roles, this
patch creates a new version of the role driver.
Partially Implements: blueprint implied-roles
Change-Id: I00cc57a77a23ed30d86fce8e309f6b27c4ae26a1
In preparation for removing a series of driver methods in
the rationalization of assignment in follow-on patches, we
first create a V9 version of the driver interface. In this
patch, both V8 and V9 are identical.
To create the new V9 driver we:
1) Copy the sql V8 driver into its own directory to provide a
test for support of a legacy driver
2) Increase the version of the (new) standard driver to V9
3) Create a wrapper for V8 legacy drivers, so that the latest
manager can be driver version-less
4) Create tests that run the standard sql Identity tests
against the V8 driver to show, going forward, it is still working.
Since our existing test strategy assumes that we never change the
sqlalchemy models during a test run, this turned out to be slightly
more complex than anticipated - so a new tox envlist target for legacy
drivers is added.
Partially Implements: blueprint assignment-manager-cleanup
Change-Id: Iefa13b64084b8e71c881ae08e1ec434d24756c17
This patch cleans up the code [1] based on comments left in the review.
[1] https://review.openstack.org/#/c/240719/
Change-Id: I972621c22afefa9bd5f32caf67fd1bf3b6822a3d
The LDAP backend for assignment and resource drivers has been
deprecated since the 'K' release. It's been decided that it's time
to deprecate LDAP role, since without the support for assignment
and resource, the role backend is likely broken.
The LDAP role backend was split from assignment backend and should
have also been deprecated according to the agreement from the keystone
team, but it looks like it was missed [1].
[1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html
Change-Id: I390f5c2fb36d617a83fce618708febca3da9f1d2
implements: bp deprecated-as-of-mitaka
Upon making fernet the default token provider, we
should deprecate pki and pkiz due to a security
vulnerability. Deprecation should be in favor of fernet.
implements: bp deprecated-as-of-mitaka
Change-Id: I469758029a9e89e7cdcbac4445eab8eedd6c2859
Depends-On: I34b7b7c34fa34551c0fdf9bdeb1ffaa432c10adc
This patch moves some logic to the manager layer, so that endpoints
filtered by endpoint_group project association will be included
in the catalog when issuing a project scoped token and using
`endpoint_filter.sql` as the catalog's backend driver.
This makes sure that a call to the `list_endpoints_for_project` API
returns the same endpoints as the catalog returned for a project
scoped token.
Change-Id: I56f4eb6fc524650677b627295dd4338d55164c39
Closes-Bug: #1516469
Adds two new configuration values:
admin_project_name
admin_project_domain_name
If both values are set, tokens requested for
projects (only, not domains) that match both will have an
additional value in them: `is_admin_project=true`
DocImpact
-- Configuration changes need documentation
APIImpact
-- Adds optional return values in token validation calls
SecurityImpact
-- Should be helpful in making access control decisions
Implements: blueprint is-admin-project
Partial-Bug: #968696
Change-Id: Ic9cf9862739381a30130b4be87075f726736ff88
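As an added worked example of the behaviour the commit above specifies (both values must be set, only project scope qualifies, both name and domain must match), here is a small token-side and consumer-side model. It is illustrative code written for this page, not keystone's implementation or its token format; the class names, the shape of the token dict and the consumer policy that treats the flag as a requirement for cloud-wide admin are assumptions.

```python
# Example: deriving and consuming the is_admin_project token flag
# (illustrative, not keystone's own code).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdminProjectConfig:
    """The two new options; the feature is active only when both are set."""
    admin_project_name: Optional[str] = None
    admin_project_domain_name: Optional[str] = None

    @property
    def enabled(self) -> bool:
        return bool(self.admin_project_name and self.admin_project_domain_name)


@dataclass(frozen=True)
class TokenScope:
    kind: str                      # 'project', 'domain' or 'unscoped'
    name: Optional[str] = None     # project or domain name
    domain_name: Optional[str] = None  # owning domain, for project scope


def is_admin_project(conf: AdminProjectConfig, scope: TokenScope) -> bool:
    """True only for project-scoped tokens matching both configured names."""
    if not conf.enabled or scope.kind != "project":
        return False
    return (scope.name == conf.admin_project_name
            and scope.domain_name == conf.admin_project_domain_name)


def build_token_body(conf: AdminProjectConfig, scope: TokenScope,
                     roles: tuple) -> dict:
    """Constructed token body; the flag is only present when it is true."""
    body = {"scope": scope.kind, "roles": list(roles)}
    if scope.kind == "project":
        body["project"] = {"name": scope.name,
                           "domain": {"name": scope.domain_name}}
    if is_admin_project(conf, scope):
        body["is_admin_project"] = True
    return body


def caller_is_cloud_admin(token_body: dict) -> bool:
    """Consumer-side policy (assumption): cloud-wide admin requires the
    admin role *and* a token scoped to the designated admin project, so an
    admin role on some arbitrary project does not grant it."""
    has_role = "admin" in token_body.get("roles", [])
    flagged = token_body.get("is_admin_project", False) is True
    return has_role and flagged


if __name__ == "__main__":
    conf = AdminProjectConfig("admin", "Default")
    for scope in (TokenScope("project", "admin", "Default"),
                  TokenScope("project", "tenant-a", "Default"),
                  TokenScope("domain", "Default")):
        body = build_token_body(conf, scope, ("admin",))
        print(scope, "->", body.get("is_admin_project", False),
              "cloud admin:", caller_is_cloud_admin(body))
```

The consumer-side caveat worth remembering: a service that keys on the flag must decide what to do when the field is absent, which is the case for every token issued before the options were set. The example treats absence as "not the admin project".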
Add release notes for patches that have landed in mitaka prior to
using reno for release notes management.
Change-Id: Icaa875c344e75888764a94aff941f442126403df
the endpoint-policy extension, like the other recently moved
extensions, should be always enabled. Since this option made
its way into the liberty release we need to mark the option
as deprecated in M and remove it in O
implements bp: move-extensions
Change-Id: I5c01da0663c636bc6e2d9f12ac02b53edb9a277f
oslo.log's "debug" option was co-opted to also indicate that the
responses should include more information. A separate config
option should be used instead so that deployers don't mistakenly
expose themselves to security issues.
The debug option still is used for what it does in oslo.log and
how it works on all other projects -- if you're not using a log
config file it sets the base logger to debug.
SecurityImpact
Change-Id: Icf8dd2f0b88abc89092d487bbcefb525960c4ec6
Closes-Bug: 1479523
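The following is an added example of the separation the commit above argues for: `debug` governs only how much is logged, while a distinct option decides whether exception detail reaches the client. It is illustrative code written for this page, not keystone's error handling; the option name `insecure_debug`, the exception class, the response layout and the generic message text are assumptions.

```python
# Example: keep "log verbosely" and "leak detail to the client" as two
# separate switches (illustrative, not keystone's own code).
import logging
from typing import Optional


class AuthError(Exception):
    """Error with a public title and a private, possibly sensitive detail."""
    code = 401
    title = "Unauthorized"
    # Generic text that is safe to return to any caller (placeholder).
    generic_message = "The request you have made requires authentication."

    def __init__(self, detail: str):
        super().__init__(detail)
        self.detail = detail


def build_error_response(exc: AuthError, *, debug: bool, insecure_debug: bool,
                         log: Optional[logging.Logger] = None) -> dict:
    """Build the JSON error body for a failed request.

    debug          -> only affects logging (as oslo.log's option does).
    insecure_debug -> only this option lets exc.detail reach the client.
    """
    log = log or logging.getLogger(__name__)
    if debug:
        # Verbose server-side record; never the reason to alter the response.
        log.debug("request failed: %s: %s", type(exc).__name__, exc.detail)
    message = exc.detail if insecure_debug else exc.generic_message
    return {"error": {"code": exc.code, "title": exc.title, "message": message}}


def leaks_detail(exc: AuthError, body: dict) -> bool:
    """Helper for review/tests: does the client-visible body carry the detail?"""
    return exc.detail in body["error"]["message"]


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed failure whose detail would help an attacker enumerate users.
    exc = AuthError("user 'alice' not found in domain 'Default'")
    for dbg, insecure in ((False, False), (True, False), (False, True)):
        body = build_error_response(exc, debug=dbg, insecure_debug=insecure)
        print(f"debug={dbg} insecure_debug={insecure}: {body['error']['message']}")
```

The property a deployer wants to verify after this change is the second case above: turning `debug` on for troubleshooting must not change the response body at all.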