The configuration and man page docs are missing some commands
noting the available options to the keystone-manage command.
Change-Id: Iba5efcf94e70f70bac899b8db377960fd35567d4
This commit implements credential encryption through the following changes:
- additive schema change to store key hashes for credentials
- database migration to encrypt all pre-existing credentials
- contractive schema change to remove unencrypted credential column
- added code to the credential Manager to handle credential encryption
All credentials will be encrypted by default. There will not be a way to store
unencrypted credentials in keystone from this point forward.
Note that this implementation uses database triggers in the migration process.
If operators use the traditional offline migration method, it would be more
reliable if we didn't try to set up and tear down triggers, as they'll never be
used anyway. This makes it so that expand and contract migrations can skip
anything related to triggers.
Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com>
bp credential-encryption
Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba
Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe
Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
The 105 migration added a password created_at column that was left as
nullable. This patch sets a default value for password created_at and
makes this column not nullable.
Closes-Bug: #1596500
Change-Id: I394467d554c786ecd9bf55367435c856c6723042
Now that we're able to grant authorization to federated users using
concrete role assignments, we can drop the requirement for the mapping
engine to result in any authorization (via group membership) at all.
Closes-Bug: #1601929
Change-Id: Ie144e20deb4a0bb987182de5c9231a14f0aa2bc8
Keystone had a problem where there was a memcached socket
opened very early on startup which then got shared between
worker processes when running under uwsgi. Since we don't have
a test or a way to ensure that no sockets are opened too early
for uwsgi, let's recommend setting lazy-apps to avoid issues.
Change-Id: I8b46c5424094d3abe9a986da4ee1143f72a91a4d
Related-Bug: 1600394
Since tokens are most often used right after being created,
cache them to bypass redundant validation.
The patch uses dogpile.cache internal functionality, so some
calls may look strange.
Implements bp pre-cache-tokens
Change-Id: I2e720eed6b0066738181afd1cbf73c5ff4d876f5
Currently, the Keystone api-ref is not configured with the logABug feature.
When users click "Report bug" button, it leads to
"bugs.launchpad.net/openstack-manuals" which is default.
We should change it to "bugs.launchpad.net/keystone/"
Change-Id: I8d6fc4d2a6ab9d7f444a02cbc2f756fdaa3de264
The man page of keystone-manage needs mention of the command
credential_setup.
partially-implements bp credential-encryption
Change-Id: I8c3ee9f1d738d96a51fb5a71cd475b20106e1d61
The validate_v2_token method previously had a try/except that would catch any
ValidationErrors and raise a NotFound along with logging an error message. It
turns out that there were no opportunities for a ValidationError to be raised
from within the validate_v2_token method, making the try/except unnecessary and
untested.
This patch removes the try/except completely.
Change-Id: I0277ae89c0f8551c7e795ec1331af7da06134102
This introduces the various ways you can configure keystone to
authenticate users, and provides a little compare/contrast to help
people understand how each solution behaves at a high level before
diving deeper.
This patch covers:
- SQL
- LDAP (considering that all write operations are deprecated)
- External authentication (REMOTE_USER)
- OAuth 1.0a
- OpenID Connect
- SAMLv2
Change-Id: I86dfbd2c1f7fed199c612dd1456358e559da3fad
The v3_to_v2_token() method in keystone.token.providers.common
accepted token_id as an optional parameter. This is because it was
not always passed in on validation. This commit makes token_id
a required parameter of the method and fixes its usage to always
supply it.
Change-Id: I6cc9c7a0e306dbbad61c77caa07df00fb3fa7a97
dogpile.cache's region invalidation is not designed to work across
processes. This patch enables distributed invalidation of keys in a
region.
Instead of using a static cache key, we use the original cache key
and append a dynamic value to it. This value is looked up in
memcached using the region name as a key. So anytime the value of
the region key changes the cache keys in that region are
effectively invalidated.
Closes-Bug: #1590779
Change-Id: Ib80d41d43ef815b37282d72ad68e7aa8e1ff354e
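The key-versioning scheme the commit message above describes, as an added illustration that is not Keystone's or dogpile.cache's own code: each entry's real cache key is the original key plus a dynamic region value that is itself stored in the shared backend under the region name, so replacing that value from any process makes every existing key in the region unreachable. The `SharedBackend` and `Region` classes are assumptions, and the dict backend is a constructed stand-in for memcached.

```python
"""Distributed region invalidation via a dynamic per-region key suffix.

Added example (not Keystone or dogpile.cache code). A plain dict stands in
for the memcached instance shared by all worker processes.
"""
import uuid


class SharedBackend:
    """Stand-in for memcached shared across worker processes (constructed)."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        return self._store.get(key)

    def set(self, key, value):
        self._store[key] = value


class Region:
    """A cache region whose keys embed a version value stored under the region name."""

    def __init__(self, name, backend):
        self.name = name
        self.backend = backend

    def _region_version(self):
        # The dynamic value lives in the shared backend under the region name,
        # so every process sees the same one; it is created on first use.
        version = self.backend.get(self.name)
        if version is None:
            version = uuid.uuid4().hex
            self.backend.set(self.name, version)
        return version

    def key_for(self, original_key):
        # Original key plus the current region value: this is the key actually
        # read and written in the backend, never the static original key.
        return "%s:%s:%s" % (self.name, self._region_version(), original_key)

    def get(self, key):
        return self.backend.get(self.key_for(key))

    def set(self, key, value):
        self.backend.set(self.key_for(key), value)

    def invalidate(self):
        # Replace the region value. Old entries stay in the backend until they
        # expire, but no process will ever compute their keys again, so the
        # whole region is effectively invalidated everywhere at once.
        self.backend.set(self.name, uuid.uuid4().hex)


def demo():
    """Two Region objects over one backend model two worker processes."""
    backend = SharedBackend()
    worker_a = Region("token", backend)
    worker_b = Region("token", backend)

    worker_a.set("tok-1", "payload")
    seen_by_b_before = worker_b.get("tok-1")   # visible across "processes"

    key_before = worker_a.key_for("tok-1")
    worker_b.invalidate()                       # issued from the other process
    key_after = worker_a.key_for("tok-1")
    seen_by_a_after = worker_a.get("tok-1")     # the old entry is unreachable

    return seen_by_b_before, seen_by_a_after, key_before != key_after


if __name__ == "__main__":
    print(demo())  # ('payload', None, True)
```

Note that a local `invalidate()` on a dogpile region only updates state in the calling process; keeping the version value in the shared backend is what lets the other workers pick up the change on their next key computation.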