138 Commits

Author SHA1 Message Date
Zuul
ed45883380 Merge "Add JSON driver for access rules config" 2019-03-07 09:43:33 +00:00
Vishakha Agarwal
a022e27307 Drop py35 jobs
Python 3.5 was the target runtime for the Rocky release.
The current target py3 runtime for Stein is Python 3.6,
so there is no reason to keep testing against the older
version.

https://governance.openstack.org/tc/reference/runtimes/stein.html#python-runtime-for-stein

Change-Id: I618c0d263d4c0f497aef59f24215b60169948ea9
2019-03-05 10:56:57 +05:30
Colleen Murphy
f028ca4edd Add JSON driver for access rules config
The access rules config driver will read a JSON file that represents
rules for accessing service APIs. This is to support application
credential access rules, which will be checked against the configured
rules upon creation. The name for this new API is borrowed from Istio's
near identical concept[1].

[1] https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/#AccessRule

bp whitelist-extension-for-app-creds

Change-Id: If8b9c1e9df55874052dfd9b99fbcea6e06c1ca35
2019-03-03 18:33:11 +01:00
Lance Bragstad
96adccd0ec Implement JWS token provider
This commit introduces a class that implements the JWS token provider
functionality.

bp json-web-tokens

Change-Id: Ie16110894348a83e3a80cba4649e6cccdc3c84b1
2019-02-07 23:04:39 +00:00
Corey Bryant
eca0829c4c PY3: switch to using unicode text values
In Python 3, python-ldap no longer allows bytes for some fields (DNs,
RDNs, attribute names, queries). Instead, text values are represented
as str, the Unicode text type. Compatibility support is provided for
Python 2 by setting bytes_mode=False [1].

Update the keystone LDAP backend to adhere to this behavior by using
bytes_mode=False for Python 2 and dropping UTF-8 encoding and decoding
fields that are now represented as text in python-ldap.

[1] More details about byte/str usage in python-ldap can be found at:
http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode

Note that at a minimum python-ldappool 2.3.1 is required. For more
details see Depends-On's below.

Change-Id: Ifdd0644cd7042407a008c85c0b2c40a971c90bc3
Closes-Bug: #1798184
Depends-On: https://review.openstack.org/611401
Depends-On: https://review.openstack.org/613632
Depends-On: https://review.openstack.org/614052
2019-01-14 14:25:39 -05:00
ZhongShengping
6469f5c316 Change openstack-dev to openstack-discuss
Mailing lists have been updated. Openstack-discuss replaces openstack-dev.

Change-Id: I447cca1b13c8da7a1ff362274b3e3f75cd6b9e48
2018-12-04 10:00:29 +08:00
Adrian Turjak
d9e6c1d4dd Implement auth receipts spec
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.

Adds changes to the auth layer to handle the creation,
validation, and consumptions of receipts as part of
the auth process.

Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
2018-11-02 15:06:19 +01:00
Zuul
d04bb1e7e6 Merge "Remove paste-ini" 2018-10-24 08:29:22 +00:00
Zuul
41078e422e Merge "Internally defined middleware don't use stevedore" 2018-10-19 23:33:03 +00:00
Zuul
f8becfb448 Merge "Implement scaffolding for upgrade checks" 2018-10-19 17:20:55 +00:00
Lance Bragstad
6369796ebe Implement scaffolding for upgrade checks
One of the community goals for Stein is to implement a command-line
tool for operators that runs programmable checks that might impact
upgradability.

This commit lays down the basic structure for the upgrade checks and
ties it up to `keystone-status` command.

Story: 2003657
Task: 26135
Change-Id: I6586827104156ac549217967a1b9171f1a3b32e4
2018-10-17 16:54:53 -04:00
Morgan Fainberg
ea6755a825 Remove paste-ini
Remove the paste-ini for Stein release. It has not been used since
Rocky and was maintained for simplicity of deployment projects.

Change-Id: Iec0c204e8521694e4d48dbef03a72ecdb173e435
2018-10-15 17:57:59 +00:00
Morgan Fainberg
18d597f8e8 Internally defined middleware don't use stevedore
For internally defined middleware (URL Normalizer and AuthContext)
do not use stevedore to load; apply directly. This also cleans up
a lingering entry in the setup.cfg for token_auth.

Test Changes:

* entry points test no longer looks for url_normalize and
build_auth_context

Change-Id: I58d3c23ad4f70668ada4eae94a94d3f5fe750b3b
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Morgan Fainberg
ee9b035cf1 Replace JSON Body middleware with flask-native func
Replace the JSON Body middleware with flask-native before-request
function.

The body filtering and storing data in
request.environ['openstack.params'] was not used in the code base and
has been dropped.

Test Changes:

* JSON Body middleware has been removed, no testing of the removed code

* JSON Body Before Request Method has been implemented and associated
  testing (mirroring the JSON Body middleware code).

* Test entry points no longer looks for JSON Body middleware.

Change-Id: I84491865870b6bf2b8f094b524ee8b77510f0054
Partial-Bug: #1776504
2018-10-11 15:27:46 -07:00
Zuul
199e9b5238 Merge "Switch to python-ldap" 2018-07-18 17:44:25 +00:00
wangxiyuan
4b4835a01c Strict two level limit model
This patch introduced the hierarchical limit structure
into Keystone.

The strict two level enforcement model is added as well.

Change-Id: Ic80e435a14ad7d6d4eccd4cd6365fb2d99fd26c1
bp: strict-two-level-model
2018-07-17 11:59:58 +08:00
Dirk Mueller
0fa6f97891 Switch to python-ldap
pyldap is deprecated and merged with python-ldap, so we should depend
on it directly instead of the deprecated wrapper. For details see
https://pypi.org/project/pyldap/

Change-Id: I2c8ee2c792a476fe12c234a55af24144e6b511cd
Depends-On: https://review.openstack.org/#/c/582973/
2018-07-16 17:33:38 +02:00
Morgan Fainberg
bb3b15bbf0 Implement base for new RBAC Enforcer
Create the base implementation of the RBAC enforcer with compat code
for the legacy mechanism via @protected decorators.

Change-Id: I80662d9b23e706b720d56670cb849318e951a3b4
Partial-Bug: #1776504
2018-06-27 22:38:06 +00:00
Morgan Fainberg
8bf335bb01 Remove pastedeploy
This patchset removes the lingering code that supported paste.deploy
that is obsoleted by the loader wrapped around keystone's use of Flask.

 * The keystone-paste.ini file has been removed.

 * All options have been removed (without deprecation) as they are no
   longer referenced.

 * The TokenAuthMiddleware code (with deprecation warning) has been
   removed as it was only provided to ensure compatibility with paste.ini
   files that were not updated (ensuring not breaking a deployer that
   did not update paste.ini file to remove it from the pipeline).

 * Paste deploy entrypoints have been removed.

Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
2018-06-06 19:30:26 +00:00
Morgan Fainberg
a11d6ca0eb Flaskification cleanup
Cleaning up 2 minor changes that were missed in the initial
flaskification change.

Change-Id: I27e7a506a9fd03fd1fb9efd8666d187cba965769
2018-06-06 19:30:20 +00:00
Morgan Fainberg
4ec6bc5a44 Convert Keystone to use Flask
Basic conversion of Keystone's core application to flask framework.

This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.

Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
2018-06-04 20:14:41 -07:00
Nguyen Hai
a04a1dc782 Follow the new PTI for document build
- Follow new PTI for docs build
- Add sphinxcontrib.apidoc to replace pbr autodoc

REF:
https://governance.openstack.org/tc/reference/project-testing-interface.html
http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
http://lists.openstack.org/pipermail/openstack-dev/2018-March/128594.html

Depends-On: https://review.openstack.org/#/c/559334/
Change-Id: I1d5f01cf49f36567f5a891c69c7269d3e966b9c5
2018-04-09 01:13:58 +09:00
Zuul
3eeb4901b3 Merge "Remove domains *-log-* from compile_catalog" 2018-02-14 21:41:08 +00:00
Lance Bragstad
032dd49db2 Remove the sql token driver and uuid token provider
Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:

  - Remove test classes that were only meant for sql or uuid scenarios
  - Refactor the notification framework to not hint at token storage
  - Refactor the token provider API interfaces to be simpler and
    cleaner
  - Remove the needs_persistence property from the token provider API
    and document the ability to push that logic into individual
    providers that require it
  - Return 403 Forbidden for all requests to fetch a revocation list
  - Remove the signing directory configuration options

These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.

bp removed-as-of-rocky

Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
2018-02-12 17:32:47 +00:00
Colleen Murphy
29280b1f68 Add application credential auth plugin
Add an auth plugin for application credentials and update the common
auth utilities to understand an auth method of 'application_credential'
and validate and scope accordingly.

By default, application credentials should not be allowed to be used for
creating other application credentials or trusts. If a user creates an
application credential with flag `allow_application_credential_creation`
then that application should be allowed to be used for creating and
deleting other application credentials and trusts. Ensure a flag is set
in the token if this property is set to allow this behavior.

bp application-credentials

Change-Id: I15a03e79128a11314d06751b94343f22d533243a
2018-01-27 12:00:19 +01:00
wangxiyuan
0b241dcea5 Add limit provider
This patch adds the registered limit and project limit provider
Class.

Change-Id: I636cd9555ae6434b0e6dec958ae41ef852a48285
bp: unified-limits
2018-01-25 15:45:44 +08:00
Colleen Murphy
52a32aa583 Add application credentials driver
Add a sql model and driver for application credential CRUD operations
and authentication.

bp application-credentials

Change-Id: I192052434c0b0d49d1612824aec1034507dfd233
2018-01-17 20:56:53 +01:00
Lance Bragstad
85c957c503 Expose a get_enforcer method for oslo.policy scripts
Because we have policy in code, we should be able to use the
oslo.policy CLI scripts to produce sample policy files and render
complete policies based on overrides on disk. This was broken
because keystone wasn't removing unexpected commandline arguments
before passing them to oslo.config to parse. This prevented
people from generating complete policy files like they would for
horizon.

This commit exposes a get_enforcer() that substitutes an empty list
in place of arguments passed in through the system. This makes it
so that oslo.config doesn't choke when processing configuration
values.

Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951
2018-01-03 20:47:56 +00:00
wangqiangbj
4fc045f820 remove "admin_token_auth" related content
As "admin_token_auth" is removed from the paste file, some related content
is useless and should be removed also.

Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens
2017-12-18 17:02:34 +08:00
Jesse Pretorius
0502d749a6 Add default configuration files to data_files
In order to make it simpler to use the default
configuration files when deploying services
from source, the files are added to pbr's
data_files section so that the files are
included in the built wheels and therefore
deployed with the code. Packaging and deployment
tools can then more easily use the default files
if they wish to.

This pattern is already established with similar
files for neutron and the glance metadefs as has
been mentioned in the related bug report.

Change-Id: I505a2cdff3ec699dcb4a37106765ef889872d367
Closes-Bug: #1718356
2017-09-21 13:53:41 +01:00
Morgan Fainberg
3d46c8a5d9 Resource backend is SQL only now
This change has been implemented to avoid the need to backport
significantly impactful Foreign Key dropping backports.

Resource is highly relational data and it makes sense to allow the
use of FKs from other subsystems to project/domains.

Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
2017-08-14 19:01:02 +00:00
Samriddhi Jain
82785553dd Updated URLs in docs
With the docs migration and re-arrangement, some docs
have been shifted to new places, however the referenced
links are still old. Some of them give 404 error or
just point to the home page. This patch fixes those URLs.

Change-Id: Ie6b18ab3d4aa346dac8436dd426277fee4f07fcd
2017-08-09 23:46:33 +05:30
Colleen Murphy
e08e7ccad7 Fix man page builds
Since Sphinx 1.6 released, pbr's build_sphinx extension has been broken.
Specifically, pbr's [build_sphinx]/builders option is ignored. Luckily,
sphinx itself implemented the feature but called it just 'builder'[1].
This patch fixes the config setting name and then cleans up a Sphinx
extension inclusion that is now automatically included.

[1] http://lists.openstack.org/pipermail/openstack-dev/2017-July/119396.html

Change-Id: I5da6a996ed442524ddb108a890df2d024ee07c4d
2017-08-06 16:05:03 +02:00
Chandan Kumar
1f44f5f307 Remove keystone_tempest_plugin from setup.cfg
Since keystone_tempest_plugin was moved to a separate repo, but we
have not removed its entry from the packages section in setup.cfg,
installing keystone also installs keystone_tempest_plugin in the
python sitelib directly, which contains a README.rst file only, which
does not add value. So it is better to remove that entry.

Change-Id: I832600d841e9a84c3dfee7b5c3e8893ece1ae902
2017-06-28 23:55:30 +05:30
Colleen Murphy
6f4e37e9e6 Remove the local tempest plugin
The plugin has been split into its own repository[1] in accordance with
Queens Goal "Split Tempest Plugins into Separate Repos/Projects[2]".
This patch removes the local copy as well as the setuptools entry point.
We can also now remove the autodoc_tree_excludes pbr option since
there's no more plugin to exclude and it defaults to [setup.py].

[1] http://git.openstack.org/cgit/openstack/keystone-tempest-plugin
[2] https://governance.openstack.org/tc/goals/queens/split-tempest-plugins.html

Depends-On: I47f59505126509b6b52cf04b8f7501e8ef4041b7
Change-Id: I1805b196b42b6a76c56e129a316e170e767455c1
2017-06-06 11:48:37 +00:00
Stephen Finucane
c40d37c317 Explicitly set 'builders' option
An upcoming release of pbr will require explicitly stating which
builders are requested, rather than defaulting to html and man. Head off
any potential impact this may cause by explicitly setting this
configuration now.

Change-Id: I6983a5a988d8a595f2ab75580147da2e920ae030
2017-04-19 10:35:49 +01:00
Anthony Washington
9bb1556817 Add policy sample generation
This adds the entry point and config file necessary for using the
oslo.policy sample generation script. It also adds a tox target to
simplify the usage of it.

Change-Id: I7feb522b2ea5f56e48982169c7ebbb2ec2ef2cb3
Partially-Implements: bp policy-in-code
2017-03-29 15:48:57 +00:00
Jenkins
7048b6759b Merge "Remove pbr warnerrors in favor of sphinx check" 2017-03-09 01:21:36 +00:00
Gage Hugo
32da690e50 Remove pbr warnerrors in favor of sphinx check
This change removes the unused "warnerrors" setting that
was part of [pbr] which was replaced by "warning-is-error"
in sphinx 1.5 and above[0]. This also fixes any warnings
and errors that came up when running `tox -edocs` using
this new feature:

 - Invalid code example highlighting
 - Redundant loading of todo extension

[0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113085.html

Change-Id: I9a8789b448ffa199b4539f57e692bac251d75036
2017-03-03 14:04:10 -06:00
Alfredo Moralejo
3ed21ebc6c Remove domains *-log-* from compile_catalog
Translations have been removed in
https://review.openstack.org/#/c/437811/ and compile_catalog
fails with "no message catalogs found" error.

Change-Id: Id0578920faa201a8ab2adf1f123416cfb17a1dd1
2017-02-28 10:33:02 +01:00
Kristi Nikolla
d35f36916e Remove EndpointFilterCatalog
EndpointFilterCatalog was deprecated in Ocata in favor of
sql.Catalog.

Implements: bp removed-as-of-pike

Change-Id: I7f3eea85d4d8668e9e421b06a65086a736211106
2017-02-27 11:21:50 -05:00
Morgan Fainberg
b8b1e18930 Remove KVS code
KVS code (core) and items depending on it were deprecated in Newton and slated
for removal in Pike.

implements bp removed-as-of-pike
Closes-Bug: 1077282
Change-Id: I6ed4e3688f2a63b0fc439527957bc027db8d5d66
2017-02-03 02:25:19 +00:00
Eric Brown
30d9095d28 Use https for docs.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
2017-01-30 16:05:08 -08:00
Steve Martinelli
e9a6a849b0 update entry points related to paste middleware
These were very out of date; though they are not used, we should
try to keep them up to date. Hopefully we are able to use them
instead of paste.ini one day.

Change-Id: I5d78011ff472bd0a33911310712f0f60708b447e
2017-01-22 01:10:17 -05:00
Gage Hugo
0d2f249f59 Exclude 'keystone_tempest_plugin' in doc build
When building keystone docs, autodoc goes through all of
the project in order to auto-generate api docs. When going
through 'keystone_tempest_plugin', there are currently 6
warnings that are emitted due to issues with duplicate
option errors. These errors seem to be related to duplicate
named options between tempest and oslo.config, rather than
keystone.

Due to these warnings, there are already multiple issues with
the api page [1] not rendering everything.

This change adds 'keystone_tempest_plugin' to the exclusion list
for autodoc and as a result, removes the 6 warnings from doc building
since 'keystone_tempest_plugin' will no longer be auto-generated
with incomplete info.

[1] http://docs.openstack.org/developer/keystone/api/keystone_tempest_plugin.html

Change-Id: Icb5c518b2f1409e2e9580b14ba1ae0e44995a73c
Co-Authored-By: Tin Lam <tinlam@gmail.com>
Partial-Bug: #1602422
2017-01-13 14:26:27 -06:00
Eric Brown
a2a06d0531 Remove references to Python 3.4
Now that there exists only a gate job for Python 3.5 and not 3.4,
we should remove those references to 3.4, which is untested.

Change-Id: Ia017d1199f8ca31808680b91c708823711127659
2017-01-06 07:30:00 +00:00
Eric Brown
34b0cf2a1b Remove entry_points to non-existent drivers
The setup.cfg for stevedore still contains references to the
memcache token persistence drivers even though those drivers were
removed in commit I4b8b88409abe8eea8f0a075aebbe9c569367c454.

bp removed-as-of-ocata

Change-Id: Iaaa3c5bc6d88ee45bef956a437e0fd711313be6b
2016-11-16 23:38:25 -08:00
Steve Martinelli
8a66ef6354 Remove support for PKI and PKIz tokens
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is that support for the
revocation list must be maintained.

This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).

Future patches will:

- Remove the keystone-manage commands for generating certs

- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.

- Options to configure PKI will be marked as deprecated

- If PKI is configured a normal signed list will be returned (same
behavior as today)

- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.

Related-Bug: 1626778
Related-Bug: 1626779

Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574
2016-11-01 22:05:01 +00:00
Jenkins
b96b217751 Merge "remove deprecated items from contrib" 2016-10-07 21:13:04 +00:00
OpenStack Proposal Bot
cd23e776b7 Updated from global requirements
Change-Id: I368a2f0d998082c4e7750f097d9629eb92f2d3ca
2016-09-30 19:59:39 +00:00