This removes additional references to ldap role attributes found
in the documentation and tests.
Commit I1bd02d5834814959a93601fe53f115d0f9cc08a8 removed the ldap
role backend.
Change-Id: If8e74aca9b983c0f0e9779ea6e5e1260c1eb6dd7

Commit I848bf41022224fec65cd9555a6e82790b296dcbe removed the
LDAP resource and assignment backends. As a result, some more
items can be removed, namely:
* ProjectLdapStructureMixin class is no longer used anywhere.
* references to project related ldap attributes in test conf files
* removal of references to ldap project attributes in configuration
doc
Change-Id: I3efb32c39d3077f787e31533ef5407948a5d8cfd

At the previous summit, we decided to deprecate write support for
identity LDAP. It'll be removed in 2 releases. Several config
options were affected, and those operations should now have
deprecation warnings.
implements bp: deprecated-as-of-mitaka
Change-Id: I1e989d6c5e85ba303609c7bb36116a8bdedce9e4

The PKI and PKIz drivers are now deprecated, but one of the
config options that only works for PKI has not been deprecated.
implements bp: deprecated-as-of-mitaka
Change-Id: I55d5fb2a2678dccd8638b0460921ba6f8e76da6a

Mark the memcache and memcache_pool token persistence backends
deprecated in favor of using the fernet token (no-persistence
needed) backend.
This is only deprecating the token persistence backends and does
not affect the cache layer.
implements bp deprecated-as-of-mitaka
Change-Id: I552774f95bc246f7f013350f5b11ae4ae482bdc5

When a client calls the list assignment API what is returned is the
role id, user id or group id, and project id or domain id. Most users
then call the api again for each of these entities to get their names,
creating many api calls between the client and server. This can
be reduced by having the server do all the work instead.
This commit adds the functionality to include the user, role, group,
project, and domain names with the response if the parameter
'include_names' is set to True.
Change-Id: I0a1cc986b8a35aeafe567e5e7fee6eeb848ae113
Closes-Bug: #1479569
Implements: blueprint list-assignment-with-names

The LDAP Role Backend has been removed without the normal deprecation
notice in-code; however, the Role backend was explicitly called out when
the deprecation announcement occurred[1] and was explicitly included
as part of the deprecation of "assignment"-based LDAP. The LDAP Role
backend is not very useful without the other parts of the assignment
backend that were deprecated and removed.
[1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html
Change-Id: I1bd02d5834814959a93601fe53f115d0f9cc08a8
bp: removed-as-of-mitaka

LDAP Resource and LDAP Assignment backends have been slated for removal
in the Mitaka release. This patchset removes support for the deprecated
LDAP backends.
Change-Id: I848bf41022224fec65cd9555a6e82790b296dcbe
bp: removed-as-of-mitaka

The templated backend relied on the KVS backend to implement some
functionality. The functionality (CRUD for endpoint, services, etc.) is
arguably incorrect since it won't actually change the contents of the
catalog. The read only methods have been fixed to use the templated data
and the write methods raise NotImplemented.
bp: removed-as-of-mitaka
Partial-Bug: #1077282
Closes-Bug: #1367113
Closes-Bug: #1269789
Change-Id: Iaa68b18f0b6d7e9f5dc0cbf7d21a3d90dcdc1ea4

Previously, the assertValidUnscopedTokenResponse method only
ensured specific attributes were in the token response. These
checks didn't ensure that the token scope never grew.
This change makes it so that the assertion will fail if extra
attributes are added to the token response. This should help
us be more aware of changes that have token response data
creep by building the check into the tests.
This is implemented using the existing jsonschema work that
keystone has for validating API requests.
Change-Id: I15acd58a9efaac65ba066fbb7b81f15797b6573c
Partial-Bug: 1224273
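Added example, not Keystone's code: a strict schema check of the kind the change above describes, where a response that carries any attribute the schema does not list fails. The schema keywords are handled by a small stdlib-only checker that stands in for the jsonschema library (an assumption made so the example runs without extra packages); the token attributes and sample responses are constructed.

```python
"""Strict token-response validation: unknown attributes fail the check.

Added example, not Keystone code. A small stdlib-only validator covering the
schema keywords the check needs (type, required, properties,
additionalProperties); assumed to stand in for the jsonschema library.
"""

# Constructed schema for an unscoped token response: the listed properties
# are the only ones allowed, so any newly added attribute is reported.
UNSCOPED_TOKEN_SCHEMA = {
    "type": "object",
    "properties": {
        "audit_ids": {"type": "array"},
        "expires_at": {"type": "string"},
        "issued_at": {"type": "string"},
        "methods": {"type": "array"},
        "user": {"type": "object"},
    },
    "required": ["audit_ids", "expires_at", "issued_at", "methods", "user"],
    "additionalProperties": False,
}

_TYPES = {"object": dict, "array": list, "string": str}


def validate(schema, data, path="$"):
    """Return a list of violation strings; an empty list means the data conforms."""
    errors = []
    expected = schema.get("type")
    if expected and not isinstance(data, _TYPES[expected]):
        return ["%s: expected %s" % (path, expected)]
    if expected != "object":
        return errors
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in data:
            errors.append("%s: missing required attribute %r" % (path, key))
    for key, value in data.items():
        if key in props:
            errors.extend(validate(props[key], value, path + "." + key))
        elif schema.get("additionalProperties", True) is False:
            # This branch is what catches response data creep: the old
            # presence-only check never looked at keys it did not expect.
            errors.append("%s: unexpected attribute %r" % (path, key))
    return errors


def assert_valid_unscoped_token_response(token):
    """Raise AssertionError listing every violation, the way a test helper would."""
    errors = validate(UNSCOPED_TOKEN_SCHEMA, token)
    if errors:
        raise AssertionError("; ".join(errors))
    return True


# Constructed sample responses.
GOOD_TOKEN = {
    "audit_ids": ["constructed-audit-id"],
    "expires_at": "2016-01-01T00:00:00.000000Z",
    "issued_at": "2015-12-31T23:00:00.000000Z",
    "methods": ["password"],
    "user": {"id": "constructed-user-id", "name": "alice"},
}

# Same token, but a project has crept into an unscoped token: an
# attribute-presence check would still pass this one.
CREEPING_TOKEN = dict(GOOD_TOKEN, project={"id": "constructed-project-id"})

if __name__ == "__main__":
    print(validate(UNSCOPED_TOKEN_SCHEMA, GOOD_TOKEN))
    print(validate(UNSCOPED_TOKEN_SCHEMA, CREEPING_TOKEN))
```

The important setting is `additionalProperties: False` on the top-level object; with the default (`True`) the check degrades back to "required attributes are present", which is exactly the weakness the change removes.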
Keystone team decided to deprecate v2.0 on Mitaka.
DocImpact: The keystone team recommends using v3 of our Identity API, so we
decided to formally deprecate API v2.0 on Mitaka. Authentication
routes and EC2 routes will not be deprecated for now, they will be kept
around indefinitely.
Partially implements: bp deprecated-as-of-mitaka
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: Ie3e484f08edd5acd3c89e76ba6a5c24d660a116d

CRD for the rules that allow one role to infer another role.
When listing roles, implied roles are inferred from any explicitly
assigned roles. A config option controls whether implied roles
are expanded in the auth data associated with tokens.
The list_assignment tests helper is also modified to
allow data driven tests for implied roles, and those new tests
are also included here.
Implied roles are not supported by the LDAP drivers; if you
try and CRD implied roles with an LDAP assignment driver a
NotImplemented is returned.
Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>
Partially implements: blueprint implied-roles
Change-Id: I6a9c23aea4b1f348c6c8c2b9274865806d856b82
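Added example, not Keystone's code: a minimal implied-role store with the create/delete/list operations the change describes, plus the listing step that expands explicit assignments through the rules. The expansion is transitive and guards against rule cycles, and a flag standing in for the config option decides whether expansion happens at all. Role names and the rule set are constructed.

```python
"""Implied-role expansion for listing effective roles.

Added example, not Keystone code. Rules map a prior role to the roles it
implies; listing expands explicit assignments through the rules (transitively,
with cycle protection) when expansion is enabled, and returns only the
explicit roles when it is not. Role names are constructed placeholders.
"""
from collections import deque


class ImpliedRoleStore(object):
    """CRD for implication rules: prior_role -> set of implied roles."""

    def __init__(self):
        self._rules = {}

    def create_implied_role(self, prior_role, implied_role):
        if prior_role == implied_role:
            raise ValueError("a role cannot imply itself")
        self._rules.setdefault(prior_role, set()).add(implied_role)

    def delete_implied_role(self, prior_role, implied_role):
        self._rules.get(prior_role, set()).discard(implied_role)

    def list_implied_roles(self, prior_role):
        return sorted(self._rules.get(prior_role, ()))

    def expand(self, explicit_roles):
        """Return explicit roles plus everything they imply, transitively.

        Breadth-first walk with a visited set, so a rule chain that loops
        (a -> b -> a) terminates instead of recursing forever.
        """
        effective = set(explicit_roles)
        queue = deque(explicit_roles)
        while queue:
            role = queue.popleft()
            for implied in self._rules.get(role, ()):
                if implied not in effective:
                    effective.add(implied)
                    queue.append(implied)
        return sorted(effective)


def list_roles_for_token(store, explicit_roles, infer_roles=True):
    """The config-option behaviour: expand implied roles only when enabled."""
    if infer_roles:
        return store.expand(explicit_roles)
    return sorted(set(explicit_roles))


def build_sample_store():
    """Constructed rule set: admin implies member, member implies reader,
    and a deliberate cycle reader -> member to show the walk terminates."""
    store = ImpliedRoleStore()
    store.create_implied_role("admin", "member")
    store.create_implied_role("member", "reader")
    store.create_implied_role("reader", "member")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(list_roles_for_token(s, ["admin"]))
    print(list_roles_for_token(s, ["admin"], infer_roles=False))
```

Deleting a rule takes effect on the next listing, which is the behaviour to verify in a data-driven test: the same explicit assignment must yield a smaller effective role set once the rule is gone.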
Building on the earlier patch that provided the 'new' url name
restriction, this patch adds the 'strict' option that prevents
authenticating to projects and domains with unsafe names.
A release note and config documentation are also added that cover
both this and the earlier patch.
Partially Implements: blueprint url-safe-naming
Change-Id: Ie69025e7759bae1067e05d9190bede192a5e6830

bandit is now part of linters environment, remove it from tox.ini.
Change-Id: Ia70f7026a2e6b96ea378cbff0c8b470a673a386b
Depends-On: Id7820a8fe188c4de3ba94916e07fd54b7bb4e6fd

Rename the pep8 environment to linters.
Use linters to signify that this runs a variety of
lint like jobs (name is used by other repos already).
Add pep8 back in as alias, so that developers get the same experience
running either of the environments.
When users run pep8, information about linters is given.
Remove {posargs} from flake8, it's not used and breaks the alias.
Change-Id: Ic9efdcb13978d2f29312a4a1f0fdd859d55c8398

`keystone-manage bootstrap` will fail to create the assignment if
project or role exists, this is because the assignment creation
is not using the right role id or project id.
This patch will fix this issue.
Change-Id: I7359cfe8f573ae56556654f1eafcc75079e69ccc
Closes-Bug: #1534140
bp: bootstrap

The indentation for setting up the authorization context for oauth1 was not
indented properly, meaning it would set oauth1 variables regardless of oauth1
being used as an authentication method.
This commit fixes the indentation and adds two comments to improve readability.
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: I29aeaf4f97f85bbfbf33a7114b328cebc52d6479
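Added example, not Keystone's code: the shape of the bug described above, reconstructed side by side with its fix. Both functions build an authorization-context dict from a constructed token payload; the field names (`OS-OAUTH1`, `consumer_id`, `access_token_id`, `is_delegated_auth`) and the presence-based check at the end are assumptions made for illustration.

```python
"""The oauth1 auth-context indentation bug, side by side with the fix.

Added example, not Keystone's code. Both builders take a constructed token
payload; field names are assumptions.
"""


def build_auth_context_buggy(token):
    """Before: the oauth1 keys are written for every token."""
    context = {"user_id": token["user_id"], "methods": token["methods"]}
    oauth1 = token.get("OS-OAUTH1", {})  # empty for non-oauth1 tokens
    if "oauth1" in token["methods"]:
        context["is_delegated_auth"] = True
    # Misindented: these two lines were meant to sit inside the `if` above,
    # so a password token ends up with consumer_id/access_token_id = None.
    context["consumer_id"] = oauth1.get("consumer_id")
    context["access_token_id"] = oauth1.get("access_token_id")
    return context


def build_auth_context_fixed(token):
    """After: only an oauth1-authenticated token gets delegation attributes."""
    context = {"user_id": token["user_id"], "methods": token["methods"]}
    if "oauth1" in token["methods"]:
        # Everything oauth1-specific lives under the method check.
        oauth1 = token["OS-OAUTH1"]
        context["is_delegated_auth"] = True
        context["consumer_id"] = oauth1["consumer_id"]
        context["access_token_id"] = oauth1["access_token_id"]
    return context


def has_oauth1_attributes(context):
    """A downstream check written the way many are: key presence, not value.

    With the buggy builder this is true for every token, so any logic that
    branches on "was this an oauth1 request?" takes the wrong path.
    """
    return "consumer_id" in context


# Constructed sample tokens.
PASSWORD_TOKEN = {"user_id": "constructed-user", "methods": ["password"]}
OAUTH1_TOKEN = {
    "user_id": "constructed-user",
    "methods": ["oauth1"],
    "OS-OAUTH1": {
        "consumer_id": "constructed-consumer",
        "access_token_id": "constructed-access-token",
    },
}

if __name__ == "__main__":
    print(build_auth_context_buggy(PASSWORD_TOKEN))
    print(build_auth_context_fixed(PASSWORD_TOKEN))
```

The regression test worth keeping is the one on the password token: its context must not contain any oauth1 key at all, since a `None` value still satisfies a presence check.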
create docs on how to configure keystone with the new
keystone-manage bootstrap option.
implements bp: bootstrap
Change-Id: I4c7520cc68aadd49179e40e77b2d5058125edf00