8863 Commits

Author SHA1 Message Date
Jenkins
4b12da44fe Merge "deprecate write support for identity LDAP" 2016-01-22 21:18:38 +00:00
Jenkins
fdf36f7aa8 Merge "Deprecate hash_algorithm config option" 2016-01-22 19:10:36 +00:00
Jenkins
76ecb5ea4b Merge "Mark memcache and memcache_pool token deprecated" 2016-01-22 19:10:20 +00:00
Jenkins
aa392b3863 Merge "List assignments with names" 2016-01-22 19:10:03 +00:00
Jenkins
6324ce1eba Merge "Remove additional references to ldap role attribs" 2016-01-22 19:03:22 +00:00
Jenkins
ea4abae947 Merge "Remove more ldap project references" 2016-01-22 18:56:18 +00:00
Jenkins
7766a4af6f Merge "Fix typo abstact in comments" 2016-01-22 10:40:32 +00:00
Jenkins
2bfe207536 Merge "Add checks for token data creep using jsonschema" 2016-01-22 05:49:46 +00:00
Jenkins
67e6c3e84e Merge "Doc FIX" 2016-01-22 03:58:52 +00:00
Eric Brown
0727114808 Remove additional references to ldap role attribs
This removes additional references to ldap role attributes found
in the documentation and tests.

Commit I1bd02d5834814959a93601fe53f115d0f9cc08a8 removed the ldap
role backend.

Change-Id: If8e74aca9b983c0f0e9779ea6e5e1260c1eb6dd7
2016-01-22 01:41:42 +00:00
Jenkins
5ba4dc7d7a Merge "Fix docstring" 2016-01-22 00:12:17 +00:00
Jenkins
1147107441 Merge "Add asserts for service providers" 2016-01-22 00:11:58 +00:00
Jenkins
e0be4bc993 Merge "Remove bandit tox environment" 2016-01-21 22:34:25 +00:00
Eric Brown
73a39e1b9e Remove more ldap project references
Commit I848bf41022224fec65cd9555a6e82790b296dcbe removed the
LDAP resource and assignment backends. As a result, some more
items can be removed, namely:

* ProjectLdapStructureMixin class is no longer used anywhere.
* references to project related ldap attributes in test conf files
* removal of references to ldap project attributes in configuration
  doc

Change-Id: I3efb32c39d3077f787e31533ef5407948a5d8cfd
2016-01-21 22:20:16 +00:00
Jenkins
8adb156939 Merge "Remove LDAP Role Backend" 2016-01-21 22:14:59 +00:00
Jenkins
a962238ced Merge "Remove LDAP Resource and LDAP Assignment backends" 2016-01-21 22:14:43 +00:00
Jenkins
63a40ee461 Merge "Removes KVS catalog backend" 2016-01-21 22:13:16 +00:00
Jenkins
b425b91894 Merge "Fix test_crud_user_project_role_grants" 9.0.0.0b2 2016-01-21 04:13:09 +00:00
Jenkins
2702645af1 Merge "Deprecating API v2.0" 2016-01-21 00:57:30 +00:00
lin-hua-cheng
fc3c7199dd Fix typo abstact in comments
Change-Id: I185ac0f62b1addd2787bc547bae13a972ecea39e
2016-01-20 16:43:55 -08:00
Steve Martinelli
99a427833b deprecate write support for identity LDAP
At the previous summit, we decided to deprecate write support for
identity LDAP. It'll be removed in 2 releases. Several config
options were affected, and those operations should now have
deprecation warnings.

implements bp: deprecated-as-of-mitaka

Change-Id: I1e989d6c5e85ba303609c7bb36116a8bdedce9e4
2016-01-19 21:47:59 -05:00
Steve Martinelli
9ebbcac6f8 Deprecate hash_algorithm config option
The PKI and PKIz drivers are now deprecated, but one of the
config options that only works for PKI has not been deprecated.

implements bp: deprecated-as-of-mitaka

Change-Id: I55d5fb2a2678dccd8638b0460921ba6f8e76da6a
2016-01-19 21:47:18 -05:00
Morgan Fainberg
146a45bfde Mark memcache and memcache_pool token deprecated
Mark the memcache and memcache_pool token persistence backends
deprecated in favor of using the fernet token (no-persistence
needed) backend.

This is only deprecating the token persistence backends and does
not affect the cache layer.

implements bp deprecated-as-of-mitaka

Change-Id: I552774f95bc246f7f013350f5b11ae4ae482bdc5
2016-01-19 21:45:48 -05:00
Tom Cocozzello
dc212cd4d2 List assignments with names
When a client calls list assignment API what is returned is the
role id, user id or group id, and project id or domain id. Most users
then call the api again for each of these entities to get their names,
creating many api calls between the client and server.  This can
be reduced by having the server do all the work instead.

This commit adds the functionality to include the user, role, group,
project, and domain names with the response if the parameter
'include_names' is set to True.

Change-Id: I0a1cc986b8a35aeafe567e5e7fee6eeb848ae113
Closes-Bug: #1479569
Implements: blueprint list-assignment-with-names
2016-01-19 21:30:47 -05:00
Morgan Fainberg
d78fcc361e Remove LDAP Role Backend
The LDAP Role Backend has been removed without the normal deprecation
notice in-code; however, the Role backend was explicitly called out when
the deprecation announcement occurred[1] and was explicitly included
as part of the deprecation of "assignment"-based LDAP. The LDAP Role
backend is not very useful without the other parts of the assignment
backend that were deprecated and removed.

[1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html

Change-Id: I1bd02d5834814959a93601fe53f115d0f9cc08a8
bp: removed-as-of-mitaka
2016-01-19 21:27:42 -05:00
Morgan Fainberg
e6efbe62b8 Remove LDAP Resource and LDAP Assignment backends
LDAP Resource and LDAP Assignment backends have been slated for removal
in the Mitaka release. This patchset removes support for the deprecated
LDAP backends.

Change-Id: I848bf41022224fec65cd9555a6e82790b296dcbe
bp: removed-as-of-mitaka
2016-01-19 21:26:30 -05:00
David Stanek
b1b4350017 Removes KVS catalog backend
The templated backend relied on the KVS backend to implement some
functionality. The functionality (CRUD for endpoint, services, etc.) is
arguably incorrect since it won't actually change the contents of the
catalog. The read only methods have been fixed to use the templated data
and the write methods raise NotImplemented.

bp: removed-as-of-mitaka
Partial-Bug: #1077282
Closes-Bug: #1367113
Closes-Bug: #1269789
Change-Id: Iaa68b18f0b6d7e9f5dc0cbf7d21a3d90dcdc1ea4
2016-01-19 21:26:30 -05:00
Jenkins
1053b63e8c Merge "Implied roles driver and manager" 2016-01-20 00:58:54 +00:00
Jenkins
fbf4eccb29 Merge "Add support for strict url safe option on new projects and domains" 2016-01-19 22:58:55 +00:00
Brant Knudson
ce37670e28 Fix docstring
The params in this docstring were missing the "param" part.

Change-Id: I64b406f061143c5b3af35d4d542d82d0621cec5f
2016-01-19 16:50:42 -06:00
Jenkins
cf03c0d1b1 Merge "Enable id, enabled attributes filtering for list IdP API" 2016-01-19 17:45:50 +00:00
Jenkins
f4e402f631 Merge "Fix indentation for oauth context" 2016-01-19 17:45:40 +00:00
Jenkins
b0cea2d7f1 Merge "Add release note for revert of c4723550aa95be403ff591dd132c9024549eff10" 2016-01-19 17:45:29 +00:00
Jenkins
51a5f6f16c Merge "Add linters environment, keep pep8 as alias" 2016-01-19 17:18:12 +00:00
Lance Bragstad
1ad62ef692 Add checks for token data creep using jsonschema
Previously, the assertValidUnscopedTokenResponse method only
ensured specific attributes were in the token response. These
checks didn't ensure that the token scope never grew.

This change makes it so that the assertion will fail if extra
attributes are added to the token response. This should help
us be more aware of changes that have token response data
creep by building the check into the tests.

This is implemented using the existing jsonschema work that
keystone has for validating API requests.

Change-Id: I15acd58a9efaac65ba066fbb7b81f15797b6573c
Partial-Bug: 1224273
2016-01-19 10:14:27 -06:00
Raildo Mascena
e63a8311fa Deprecating API v2.0
Keystone team decided to deprecate v2.0 on Mitaka.

DocImpact: The keystone team recommends using v3 of our Identity API, so we
decided to formally deprecate API v2.0 on Mitaka. Authentication
routes and EC2 routes will not be deprecated for now, they will be kept
around indefinitely.

Partially implements: bp deprecated-as-of-mitaka

Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: Ie3e484f08edd5acd3c89e76ba6a5c24d660a116d
2016-01-19 14:00:25 +00:00
Jenkins
337bca93c2 Merge "Imported Translations from Zanata" 2016-01-19 13:37:36 +00:00
Jenkins
198127f317 Merge "Escape DN in enabled query" 2016-01-19 13:36:09 +00:00
Jenkins
67715f1b56 Merge "Test enabled emulation with special user_tree_dn" 2016-01-19 13:35:58 +00:00
Jenkins
3173a73167 Merge "Make sure the assignment creation use the right arguments" 2016-01-19 12:09:04 +00:00
Jenkins
7049fde3a6 Merge "Merge pep8 and bandit test environments" 2016-01-19 10:59:54 +00:00
Jenkins
d2070cdd18 Merge "document the bootstrapping process" 2016-01-19 07:05:55 +00:00
Adam Young
e27991e61a Implied roles driver and manager
CRD for the rules that allow one role to infer another role.
When listing roles, implied roles are inferred from any explicitly
assigned roles.  A config option controls whether implied roles
are expanded in the auth data associated with tokens.

The list_assignment tests helper is also modified to
allow data driven tests for implied roles, and those new tests
are also included here.

Implied roles are not supported by the LDAP drivers; if you
try and CRD implied roles with an LDAP assignment driver a
NotImplemented is returned.

Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>

Partially implements: blueprint implied-roles
Change-Id: I6a9c23aea4b1f348c6c8c2b9274865806d856b82
2016-01-19 03:47:49 +00:00
Henry Nash
60b52c1248 Add support for strict url safe option on new projects and domains
Building on the earlier patch that provided the 'new' url name
restriction, this patch adds the 'strict' option that prevents
authenticating to projects and domains with unsafe names.

A release note and config documentation is also added that covers
both this and the earlier patch.

Partially Implements: blueprint url-safe-naming

Change-Id: Ie69025e7759bae1067e05d9190bede192a5e6830
2016-01-19 03:47:31 +00:00
Andreas Jaeger
625fdc154c Remove bandit tox environment
bandit is now part of linters environment, remove it from tox.ini.

Change-Id: Ia70f7026a2e6b96ea378cbff0c8b470a673a386b
Depends-On: Id7820a8fe188c4de3ba94916e07fd54b7bb4e6fd
2016-01-18 21:00:14 +01:00
Andreas Jaeger
d8bde4e487 Add linters environment, keep pep8 as alias
Rename the pep8 environment to linters.
Use linters to signify that this runs a variety of
lint like jobs (name is used by other repos already).
Add pep8 back in as alias, so that developers get the same experience
running either of the environments.
When users run pep8, information about linters is given.

Remove {posargs} from flake8, it's not used and breaks the alias.

Change-Id: Ic9efdcb13978d2f29312a4a1f0fdd859d55c8398
2016-01-18 20:51:42 +01:00
Dave Chen
cda3853c41 Make sure the assignment creation use the right arguments
`keystone-manage bootstrap` will fail to create the assignment if
project or role exists, this is because the assignment creation
is not using the right role id or project id.

This patch will fix this issue.

Change-Id: I7359cfe8f573ae56556654f1eafcc75079e69ccc
Closes-Bug: #1534140
bp: bootstrap
2016-01-18 18:32:03 +00:00
Lance Bragstad
6706a9e814 Fix indentation for oauth context
The indentation for setting up the authorization context for oauth1 was not
indented properly, meaning it would set oauth1 variables regardless of oauth1
being used as an authentication method.

This commit fixes the indentation and adds two comments to improve readability.

Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>

Change-Id: I29aeaf4f97f85bbfbf33a7114b328cebc52d6479
2016-01-18 14:28:30 +00:00
OpenStack Proposal Bot
8653ec81a6 Imported Translations from Zanata
For more information about this automatic import see:
https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: I581ed1bd2b3e313ffc8b014207113fd7aa577c4d
2016-01-18 06:05:37 +00:00
Steve Martinelli
ec62601339 document the bootstrapping process
create docs on how to configure keystone with the new
keystone-manage bootstrap option.

implements bp: bootstrap

Change-Id: I4c7520cc68aadd49179e40e77b2d5058125edf00
2016-01-18 05:59:24 +00:00