This patch allows adds new config option 'user_limit'
to credentials to set maximum number of credentials a
user is permitted to create.
Closes-Bug: #1872732
Change-Id: Ic9dc9a4a9ec1ecbf01842c865e19a7a100e5041d
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* parallelizing building of documents
Update Sphinx version as well.
openstackdocstheme renames some variables, so follow the renames. A
couple of variables are also not needed anymore, remove them.
Set openstackdocs_auto_name to use project as name.
Set openstackdocs_pdf_link to link to PDF file.
Remove docs requirements from lower-constraints, they are not installed.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I320a69816b4101bb76b88448881f3177c892ea92
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
Closes-bug: #1872733
Closes-bug: #1872755
Closes-bug: #1872735
Without this patch, when an OAuth1 request token is authorized with a
limited set of roles, the roles for the access token are ignored when
the user uses it to request a keystone token. This means that user of an
access token can use it to escallate their role assignments beyond what
was authorized by the creator. This patch fixes the issue by ensuring
the token model accounts for an OAuth1-scoped token and correctly
populating the roles for it.
Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
Closes-bug: #1873290
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: Ia08507c8c15ff556af254e9eb1cf9b49e9cd04d6
Sem-Ver: feature
When a federated user authenticates, they are added to their
mapped groups during shadowing.
Closes-Bug: 1809116
Change-Id: I19dc400b2a7aa46709b242cdeef82beaca975ff3
Currently, a keystone IdP does not provide the
groups to which user belong when generating SAML
assertions.This patch adds an additional attribute
called "openstack_groups" in the assertion.
Change-Id: I205e8bbf9a4579b16177f57e29e363f4205a2b48
Closes-Bug: #1641625
Remove unused git_cmd from api-ref.
Remove html_last_updated_fmt and latex_engine setting,
these are done by openstackdocstheme nowadays.
Change-Id: I1c63f83b3fa074f9fa136e0b89bba0586756bc56
SQLAlchemy is likely going to deprecate
Inspector.from_engine() which will start emitting a deprecation
warning in 1.4. Use sqlalchemy.inspect() instead.
Change-Id: I287ba10f2e3308950b9caf6f51f3ee1db29a6448
The current initiator object for CADF notifications does not include
the username of the user who initiated the action, which leads to
issues when using an LDAP backend and not having a direct way to
map a username to a user id.
This change makes it so that the initiator object for CADF
notifications always contains the username for a user as well
as the user id. This follows along with the CADF standard
for OpenStack[0].
[0] https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf#page=12
Closes-Bug: #1856904
Change-Id: I833e6e0d7792acf49f816050ad7a63e8ea4f702f
The bootstrap logic doesn't take into consideration multiple roles
with the same name. If bootstrap is unable to determine which role to
use and accidentally uses a domain-specific role with the same name
as a default role, bootstrap will fail in unexpected ways.
Closes-Bug: 1856881
Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
Without this patch, if there are multiple role assignments on the system
and they are not all the same role, querying for role assignments with
/v3/role_assignments?role.id={role_id} may leak some role assignments
that don't match the role_id, making the returned results incorrect.
This patch fixes the issue by using a list comprehension instead of a
for loop over a list that was being modified within the loop.
Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
Closes-bug: #1858012
Corrects the RST link formatting for a bugfix release note. This note
was added during the current cycle so it is fine to modify it on the
master branch.
Change-Id: Id552e936b780f8bc31523a771937b9f9307cbda1
`federation_group_ids` could be zero length list, so deciding whether
a token is federated by checking if it is none.
Change-Id: I0f4b9e24d949aa4838ee721a165999b29c684d32
Closes-Bug: #1856962
Problem description
===================
Today we have a consistency problem when updating federated
users via OpenStack. When I update a ephemeral user via OpenStack,
a registry in the local_user table is created, making this user
having entries in user, local_user and federated_user tables in
the database.
Furthermore, if I try to do some operations using this user
(that has entries in all three tables), I get a "More than one
user exists with the name ..." error from the OpenStack
Keystone API. It happens because the user has an entry in both
local_user and federated_user tables.
I fix the persistence in the local_user table for ephemeral
users when doing updates.
Proposal
========
I fix the problem with creating an entry in the
local_user table while updating an ephemeral user
Closes-Bug: #1848342
Change-Id: I2ac6e90f24b94dc5c0d9c0758f008a388597036c
Without this patch, project members and readers can list any credentials
with the /v3/credentials API when enforce_scope is false. enforce_scope
is only applicable to project admins due to the admin-ness problem[1],
and this policy is not meant to allow project admins any access to users'
credentials (only system admins should be able to access them). However,
when enforce_scope is false, we need to preserve the old behavior of
project admins being able to list all credentials. This change mitigates
the problem by running the identity:get_credential policy check to
filter out credentials the user does not have access to. This will
impact performance.
Closes-bug: #1855080
[1] https://bugs.launchpad.net/keystone/+bug/968696
Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
As LDAP is now read-only, trying to remove it was throwing an error.
We now only try to delete it when the driver is sql-based.
Change-Id: I15b92b35b31d0e5d735a629e7c154ddd7bdda03d
Closes-bug: #1848238
This reverts commit 3d46c8a5d93529b4050bab635486cfa6b05c9a85.
In the last commit, the foreign key constraints between the project
table and other tables were dropped, which allows us to restore the
configurability of the resource driver.
Change-Id: Iba4951e2d3965be5acec705385967d312456f1c7
In 2bd88d30 we added a new column domain_id to the user table to
deduplicate the domain_id columns in the local_user and nonlocal_user
tables, and at that point made the user.domain_id column a foreign key
referencing the project.id column. This is a problem that led to
3d46c8a5 in which we removed the ability for the resource driver to be
pluggable, since we had linked two sql backends together and made them
reliant on one another.
This commit removes the foreign key constraint from the user table and
the identity_provider table. For the user table, the sqlalchemy model
never reflected this schema so we don't need to change the model. For
the identity_provider table, we need to update the model. In both cases,
we already enforce, at the manager layer, the constraint that the
domain_id needs to reference a real domain ID[1][2], so we do not need
to rely on this constraint at the database layer.
[1] 43142e4470/keystone/identity/core.py (L935)
[2] 43142e4470/keystone/federation/core.py (L73-L77)
Partial-bug: #1672713
Change-Id: I7c068e350811e22622d1f1e7d8b0a55d4d7cab11
We've make all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.v3cloudsample.json`` file obsolete.
Let's simply things for users, operators, and develpers by removing
it.
A follow-on patch will remove the test_v3_protection.py file since
those behaviors are passing all the protection tests with the default
policies in code.
Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: Iacb5cf5e2491c75a3e983c0864a40dc205ab820d
Sem-Ver: feature
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default limit
behavior by removing them.
Change-Id: Ie0f333a9e8b60154711a24ba7d9ade531217eb71
Closes-Bug: 1805880
This commit introduces some tests that explicitly show how project
users are expected to behave with the limits API. A
subsequent patch will clean up the now obsolete policies in the
policy.v3cloudsample.json policy file.
Related-Bug: 1805880
Closes-Bug: 1818736
Change-Id: I12d1200d8a11cadcc4f7b2604d51d8e5c73ea4b7