A token scoped to a domain wouldn't be revoked for a domain-wide
revocation event. This is because the code to convert a token to a
dict for revocation event processing didn't handle domain-scoped
tokens.
Partial-Bug: #1349597
Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d

The revocation event test used "user_domain_id" and
"project_domain_id" as token fields that the "domain_id"
revocation event field maps to, but the token fields are
actually "identity_domain_id" and "assignment_domain_id", as
can be seen in
keystone.contrib.revoke.model.build_token_values().
Change-Id: I208484da243403287eaa33893d57429c7e6d27c7
Partial-Bug: #1349597

When the server converted a V2 token to a V3 token it regenerated
the issued_at time.
This was causing the server to return a different issued_at time
when a V2 token was validated using the V3 API.
This was causing the server to fail to revoke a V2 token if it was
revoked before validating it first because the regenerated token was
considered to be after the revocation event.
Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
Closes-Bug: #1348820

There was no test that showed that when a V2 token is used in a V3
context its "issued_at" time changes. This affects validating a V2
token using V3 and also revoking a V2 token. The tests show the
current incorrect behavior.
Partial-Bug: #1348820
Change-Id: I2a3443847b2699384413933ae164fdc183aa110f

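The revocation matching that the domain-scoped-token commit and the V2 issued_at commits above describe, as a constructed Python example (not keystone's own code): the token layout, the event fields and the clock value T0 are assumptions, and the example shows why a regenerated issued_at lets a revoked V2 token slip past a domain-wide revocation event.

```python
from datetime import datetime, timedelta, timezone

# Constructed, simplified model of keystone-style revocation matching; not
# keystone's own code. Field names follow the commit messages above.
T0 = datetime(2014, 7, 28, 12, 0, tzinfo=timezone.utc)  # constructed clock

def build_token_values(token):
    """Flatten a token into the fields a revocation event is matched on.
    Domain-scoped tokens (the case the first commit fixes) set
    assignment_domain_id from their 'domain' scope instead of falling through."""
    values = {'user_id': token['user']['id'],
              'identity_domain_id': token['user']['domain_id'],
              'issued_at': token['issued_at']}
    if 'project' in token:
        values['assignment_domain_id'] = token['project']['domain_id']
    elif 'domain' in token:
        values['assignment_domain_id'] = token['domain']['id']
    return values

def is_revoked(token, events):
    """True if an event's domain_id matches the token's identity or assignment
    domain and the token was issued strictly before the event was recorded."""
    v = build_token_values(token)
    for ev in events:
        if v['issued_at'] >= ev['issued_before']:
            continue  # issued after the event: unaffected
        if 'domain_id' in ev and ev['domain_id'] not in (
                v['identity_domain_id'], v.get('assignment_domain_id')):
            continue
        return True
    return False

def v2_to_v3(v2_token, now, preserve_issued_at):
    """Convert a V2-style token. Regenerating issued_at (the old behaviour)
    pushes the token past any event recorded since it was really issued."""
    v3 = dict(v2_token)
    v3['issued_at'] = v2_token['issued_at'] if preserve_issued_at else now
    return v3

def demo():
    user = {'id': 'u1', 'domain_id': 'd1'}
    domain_tok = {'user': user, 'domain': {'id': 'd1'}, 'issued_at': T0}
    v2_tok = {'user': user, 'project': {'domain_id': 'd1'}, 'issued_at': T0}
    events = [{'domain_id': 'd1', 'issued_before': T0 + timedelta(seconds=1)}]
    now = T0 + timedelta(seconds=5)  # V3 validation happens after the event
    return (is_revoked(domain_tok, events),
            is_revoked(v2_to_v3(v2_tok, now, False), events),  # escapes
            is_revoked(v2_to_v3(v2_tok, now, True), events))   # caught
```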
cURL examples depicting fetching accessible projects and domains upon
successfully retrieving a federated unscoped token should also include
the ``X-Auth-Token`` header.
This patch adds headers to the examples.
Change-Id: I463e34511b8f9b19012fce955f04a0269d5de9cd
Closes-Bug: #1348680

For the endpoint_filter extension we should remove all the endpoint
to project associations when we delete the associated endpoint
or project. Otherwise the list_endpoints_for_project and
list_projects_for_endpoint APIs will return a 404 response if the
associated endpoint or project has been deleted. Also, there will
be a lot of dirty data remaining in the database.
Change-Id: I48e9100a8fa92d10b7ffe5f89bfb8ba9cf78a0e7
Closes-Bug: #1305537

I think an endpoint is not an important resource that other projects would
pay close attention to. So I think an internal notification is enough.
Change-Id: Ie42f2c867ea70fd41583151da0be19b9db682dad
Closes-Bug: #1337763

Create and move all token persistence code to a new token.persistence
module. This allows the token_provider_api to utilize the token
persistence service without introducing circular dependencies. A proxy
class, that will log a deprecation message if instantiated, has been
created for both the token.core.Manager object and token.core.Driver
object. These proxy objects are slated for removal in the K cycle.
Change-Id: Iae1240c6de4382332b967926efe31f5355554f6e
bp: non-persistent-tokens

Disabling a domain revokes project-scoped tokens
as well as tokens that are under the same domain.
Change-Id: I43f7624ef40b18157611d4c15f5b3c65005bd8fb
Partial-Bug: #1294737

Using the ldappool library to establish connection pooling.
Connection pooling is disabled by default.
Pooling-specific configuration parameters are added in the ldap section.
Added a pool test using the existing FakeLdap as connector class.
Added a pool-specific ldap live test. These tests are executed similarly to
the existing ldap live test.
Addressed async search_s and result3 API issues mentioned in review.
Added a separate connection pool for end user auth binds done by the keystone
identity ldap driver logic to avoid saturation of the pool by these kinds of
binds and limiting pool effectiveness for other ldap operations.
Rebased with latest master and addressed doc comments.
Change-Id: If516a0d308a7f3be88df5583a30739a935076173
Closes-Bug: #1320997
bp: ldap-connection-pooling
DocImpact

- XML is parsed as bytes
- The XML returned from to_string is decoded from a byte string to a
text string for the comparison.
- Exception.message no longer exists in Python 3
bp python3
Change-Id: I3305433e52c0def422d9f04a4d9f04c6f017d10e

- The response body is a byte string in Python 3
- Exception.message no longer exists in Python 3
bp python3
Change-Id: I7aec5030feeebd304428174c77ce7793fa321c26

The evolution of the code as well as the Python 3 fixes has made some of
the module mocking unnecessary.
bp python3
Change-Id: I57e535012d89ee307acd43724dd678263704596f

Until we have a version of the python-ldap library (or a
replacement) these tests will not pass.
bp python3
Change-Id: Ie2f6e76de32a9ef74e57aab0f736b6b2f49c102b

This is the initial implementation of a jsonschema type
validator for the Keystone API. Something very similar to this is used
in Nova V3 for validation. By using jsonschema to validate API requests,
we can make the parameters that are passed in fit the criteria we allow and
what is specified in the Identity API spec. This will also allow us to
validate parameters by wrapping the method that needs validation.
bp: api-validation
Change-Id: I1e1dc8e5ac3ad766f05444b16d56a22c89602b9f

The check_v2_token and check_v3_token methods perform the same work as
the corresponding validate_vX_token methods on the provider
API. The validate methods are used in favor of the check methods.
This patchset marks the check methods as deprecated, slated for
removal in the K cycle.
Change-Id: I717dd93ce359439af238dcf1f3349e9477e6b82b
bp: non-persistent-tokens

get_group_project_roles is now implemented in each driver.
SQL and LDAP backends will see significant improvements in
performance (fewer queries made to resolve the groups).
The KVS backend now supports inheritance and runs the correct unit
tests.
Co-Authored-By: Pablo Fernando Cargnelutti <pablo.fernando.cargnelutti@intel.com>
Change-Id: I7a0190cd4a3b1eb26a09ef6436ca5450cf837135
Closes-Bug: #1205506