Change I2423030bd0849c051d22f63bf60b6a5f41f72574 migrated Federation
api-ref docs into keystone repository.
Moving Identity Provider API to its own file is one of the TODO
comments left there, which is being addressed in this change.
Change-Id: I5c5b26c2d4c9920d6b9642eaf0fc47ed5bffb3cb
When token caching is turned on, upgrading from stable/liberty to
stable/mitaka or master causes tokens to fail to be issued for the
time-to-live of the cache. This is because as part of the token
issuance the token's role is looked up, and the cached version of the
role immediately after upgrade does not have a domain_id field, even
though that column was successfully added to the role database. This
patch hacks around that by artificially adding a null domain_id value
to the role reference.
This must be done in the manager, as opposed to the driver, because it
is the manager that is caching the value and so modifying the value
returned by the driver has no effect.
Change-Id: I55c791486f2a26ae995f693370b016895176a16f
Closes-bug: #1592169
Although it is not needed, keystoneclient passed `id` in the payload.
For compatibility with it (and with other clients) we have to allow
passing other attributes.
Change-Id: I997d55de28825921ed33646a9ee5cf494b089aba
Closes-Bug: 1607751
All extensions are now migrated into the keystone core and the
migrations in the old contrib folders just raise an error. Since
these can only be called from the now deprecated --extensions
options in keystone-manage, we might as well get rid of them all
and just raise the error in keystone manage. We can also clean
up the migration helpers accordingly.
This clean up is useful ahead of layering on the rolling upgrade
support in keystone manage and the helpers.
Change-Id: I749dc7e13050e211df1f4fd144cb0479891e3e64
As a follow-on to commit I7bf0a914be13f88313c14bc196369de49cc7413f,
the documentation should also reflect that the domain config API
is now stable. Previous releases are still considered experimental.
Change-Id: I6fb993ac678d0aeaa43547c4b24b62d1a784a615
There were still a couple references remaining for using keystone
under eventlet. These are no longer applicable since keystone is
no longer supported under eventlet.
Change-Id: If6d2013cc2396d6d1df43f7f2091b5fa02115ca4
This allows the SecurityErrors to be deep copied without causing
annoying warnings in the logs.
Closes-Bug: #1607107
Change-Id: I24635dd5ab10f736b82e9fea4d0a36b1a45c27f1
This introduces a feature support matrix to illustrate which of our
various token providers supports which API operations and features. This
is intended to mirror Nova's feature support matrix documentation page,
found here:
http://docs.openstack.org/developer/nova/support-matrix.html
After running `tox -e docs`, the result is embedded in
`doc/build/html/configuration.html`.
Change-Id: I3dc896a2906e25827a9e01afc7de5a737831c336
Along with the enabling of schema validation for the V2 API, the property
validation has been handled at the controller level; property validation
based on clean.py at the manager level is no longer needed for creating a
project since schema validation is enabled for both V2 and V3.
The patch removes the call from `clean.py` and removes the relevant
testcases since we already have the testcases in either
`test_validation.py` or `test_v2_validation.py`.
Partially implements: bp schema-validation-extent
Change-Id: I9d2ea60d496d83372109ca227ee2091850de0213
- `bool`, `int`, whitespace are not valid names.
- The valid data type for `enabled` is `bool`; other types such as
`string`, `int` are invalid.
This change fixes the gap between testcases at the manager level and
testcases in `test_v2_validation.py` so that we can clean up the
testcases validated by clean.py in the follow up.
Partially implements: bp schema-validation-extent
Change-Id: Ifade298b9dafe7df3380c16de0a6fac4f941e9c3
A confusing log message is logged when translating SecurityErrors within
another translated string.
Related-bug: #1607107
Change-Id: I315e68462d7096a2cbc38c1717b549d59719b71b
Fixing a bytes-to-str conversion bug in the TOTP
passcode generation function that was only present in Python 3
and rendered TOTP auth non-functional in Python 3.
Also adding a test to check passcode generation returns the
correct format.
Closes-Bug: #1607119
Change-Id: Ie052d559c4eb2577d35caa9f6e240664cf4cf399
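As an added illustration of the bytes/str issue described in this commit message (example code written here, not keystone's own implementation), the following stdlib-only RFC 6238 generator mirrors a library that hands back the passcode as bytes, decodes it explicitly to str, and includes the kind of format check the commit mentions. The secret is the RFC 6238 test key, base32-encoded; the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 test key "12345678901234567890",
# base32-encoded as a client would store it (not a real deployment value).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _totp_bytes(secret_b32, timestamp, step=30, digits=6):
    """RFC 6238 (HMAC-SHA1) passcode returned as *bytes*, mirroring a
    library whose generate() yields bytes rather than text."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(timestamp) // step)  # 8-byte big-endian
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return ("%0*d" % (digits, code % (10 ** digits))).encode("ascii")


def generate_totp_passcode(secret_b32, timestamp=None):
    """Passcode as str. On Python 3 the bytes must be decoded explicitly;
    without this, comparing against the submitted (str) passcode never
    matches and TOTP auth silently fails for every user."""
    if timestamp is None:
        timestamp = time.time()
    return _totp_bytes(secret_b32, timestamp).decode("utf-8")


def is_valid_passcode_format(passcode):
    """Format check: text (not bytes), exactly six ASCII digits."""
    return (isinstance(passcode, str) and len(passcode) == 6
            and all(c in "0123456789" for c in passcode))


def verify_passcode(secret_b32, submitted, timestamp=None):
    """Constant-time comparison against the current window's passcode."""
    expected = generate_totp_passcode(secret_b32, timestamp)
    return is_valid_passcode_format(submitted) and hmac.compare_digest(
        expected, submitted)
```

The RFC 6238 vectors (timestamp 59 yields 287082, 1111111109 yields 081804 for six digits) make the expected values checkable without the `cryptography` package.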
There are several occurrences where the argument default of
tls_req_cert is set to 'demand'. This is an invalid option for the
function _common_ldap_initialization, which expects one of the values
of the dict LDAP_TLS_CERTS, not a key.
If tls_req_cert='demand' is given to _common_ldap_initialization,
you'll get:
"LDAP TLS: invalid TLS_REQUIRE_CERT Option=demand"
Change-Id: I2da2c041bac25ca7ebab8c32b464164279a6bd69
I was perusing through the token controller and saw a few places where we use
double-quotes mixed with single-quotes. We typically stick to one or the other.
Change-Id: Ia56117fea2aa719b3877a4827048b936103b3b81
This helps make our switch to fernet as the default token provider easier.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayoung@redhat.com>
Change-Id: I67121265cf06eb11586c90c37c6439bcdb28acf0
Partial-Bug: 1561054
We should make AuthWithTrust something that is tested against both the uuid
token provider and the fernet token provider. This helps us move towards making
fernet the default token provider.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayoung@redhat.com>
Change-Id: I0fd2187421fc677e7d422d4b449eec3056a134e9
Partial-Bug: 1561054
- add /v3/ to all routes;
- switch from 'localhost:port' and 'identity:port' endpoints to
'example.com/identity';
- fix typo.
Change-Id: If0d90ebab78e93fc9395b0e02436853a4ecbfa73
The 'enabled' key in the parameters list refers to a tenant, not a
user. The `/v2.0/users/{userId}/OS-KSADM/enabled` method is operating
on a user, so we should use the 'enabled_1' key. 'enabled_1' is not a
very descriptive name so let's call it 'enabled_user' instead.
Moreover, this parameter is required, so it does not make sense for it
to have a default when the user must supply a value, so this patch
modifies the 'enabled_1' (now called 'enabled_user') description to
reflect that.
Change-Id: I81a7c68d5000ca6acab74679b49eeb619a5b914e
This patch adds a new user response attribute, password_expires_at,
to the Identity API v3 documentation.
Password expires validation implementation:
https://review.openstack.org/333360
Depends-On: I07c10de627898d6ac79578dc24292ded4a2190f1
Partially-implements: blueprint pci-dss
Change-Id: I37136f79488d7469f0b8b24e3f5628899e40cac0