The access rules config driver will read a JSON file that represents
rules for accessing service APIs. This is to support application
credential access rules, which will be checked against the configured
rules upon creation. The name for this new API is borrowed from Istio's
near identical concept[1].
[1] https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/#AccessRule
bp whitelist-extension-for-app-creds
Change-Id: If8b9c1e9df55874052dfd9b99fbcea6e06c1ca35
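As an added illustration of the check described above (this is example code, not keystone's driver), the following loads a constructed rule file and rejects any requested application-credential access rule that the configured rules do not cover. The JSON layout (service type mapping to a list of path/method entries) and the single-segment `*` wildcard are assumptions for this example.

```python
import json

# Constructed sample of the kind of JSON rule file the driver reads.
# Layout (service -> [{path, method}, ...]) and '*' wildcard are assumptions.
ACCESS_RULES_JSON = """
{
  "identity": [
    {"path": "/v3/users", "method": "GET"},
    {"path": "/v3/users/*", "method": "GET"}
  ],
  "compute": [
    {"path": "/v2.1/servers", "method": "POST"}
  ]
}
"""


def load_access_rules(text):
    """Parse the rule file and reject entries with unexpected keys."""
    rules = json.loads(text)
    for service, entries in rules.items():
        for entry in entries:
            if set(entry) != {"path", "method"}:
                raise ValueError("bad rule for %s: %r" % (service, entry))
    return rules


def _path_matches(pattern, path):
    """Segment-wise comparison; '*' matches exactly one path segment."""
    pat, seg = pattern.split("/"), path.split("/")
    if len(pat) != len(seg):
        return False
    return all(p == "*" or p == s for p, s in zip(pat, seg))


def rule_permitted(rules, service, path, method):
    """True if some configured rule for the service covers path+method."""
    for entry in rules.get(service, []):
        if entry["method"].upper() == method.upper() and \
                _path_matches(entry["path"], path):
            return True
    return False


def rejected_rules(rules, requested):
    """Return the requested app-cred rules that no configured rule covers."""
    return [r for r in requested
            if not rule_permitted(rules, r["service"], r["path"], r["method"])]
```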
This commit introduces a class that implements the JWS token provider
functionality.
bp json-web-tokens
Change-Id: Ie16110894348a83e3a80cba4649e6cccdc3c84b1
In Python 3, python-ldap no longer allows bytes for some fields (DNs,
RDNs, attribute names, queries). Instead, text values are represented
as str, the Unicode text type. Compatibility support is provided for
Python 2 by setting bytes_mode=False [1].
Update the keystone LDAP backend to adhere to this behavior by using
bytes_mode=False for Python 2 and dropping UTF-8 encoding and decoding
fields that are now represented as text in python-ldap.
[1] More details about byte/str usage in python-ldap can be found at:
http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode
Note that at a minimum python-ldappool 2.3.1 is required. For more
details see Depends-On's below.
Change-Id: Ifdd0644cd7042407a008c85c0b2c40a971c90bc3
Closes-Bug: #1798184
Depends-On: https://review.openstack.org/611401
Depends-On: https://review.openstack.org/613632
Depends-On: https://review.openstack.org/614052
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.
Adds changes to the auth layer to handle the creation,
validation, and consumptions of receipts as part of
the auth process.
Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
One of the community goals for Stein is to implement a command-line
tool for operators that runs programmable checks that might impact
upgradability.
This commit lays down the basic structure for the upgrade checks and
ties it up to `keystone-status` command.
Story: 2003657
Task: 26135
Change-Id: I6586827104156ac549217967a1b9171f1a3b32e4
Remove the paste-ini for Stein release. It has not been used since
Rocky and was maintained for simplicity of deployment projects.
Change-Id: Iec0c204e8521694e4d48dbef03a72ecdb173e435
For internally defined middleware (URL Normalizer and AuthContext),
do not use stevedore to load them; apply them directly. This also cleans up
a lingering entry in the setup.cfg for token_auth.
Test Changes:
* entry points test no longer looks for url_normalize and
build_auth_context
Change-Id: I58d3c23ad4f70668ada4eae94a94d3f5fe750b3b
Partial-Bug: #1776504
Replace the JSON Body middleware with flask-native before-request
function.
The body filtering and storing data in
request.environ['openstack.params'] was not used in the code base and
has been dropped.
Test Changes:
* JSON Body middleware has been removed, no testing of the removed code
* JSON Body Before Request Method has been implemented and associated
testing (mirroring the JSON Body middleware code).
* Test entry points no longer look for JSON Body middleware.
Change-Id: I84491865870b6bf2b8f094b524ee8b77510f0054
Partial-Bug: #1776504
This patch introduced the hierarchical limit structure
into Keystone.
The strict two level enforcement model is added as well.
Change-Id: Ic80e435a14ad7d6d4eccd4cd6365fb2d99fd26c1
bp: strict-two-level-model
Create the base implementation of the RBAC enforcer with compat code
for the legacy mechanism via @protected decorators.
Change-Id: I80662d9b23e706b720d56670cb849318e951a3b4
Partial-Bug: #1776504
This patchset removes the lingering code that supported paste.deploy
that is obsoleted by the loader wrapped around keystone's use of Flask.
* The keystone-paste.ini file has been removed.
* All options have been removed (without deprecation) as they are no
longer referenced.
* The TokenAuthMiddleware code (with deprecation warning) has been
removed as it was only provided to ensure compatibility with paste.ini
files that were not updated (ensuring not breaking a deployer that
did not update paste.ini file to remove it from the pipeline).
* Paste deploy entrypoints have been removed.
Change-Id: I35064a440ef718f50c7e644e8b2d56a99c3ec74f
Basic conversion of Keystone's core application to flask framework.
This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.
Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7
Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:
- Remove test classes that were only meant for sql or uuid scenarios
- Refactor the notification framework to not hint at token storage
- Refactor the token provider API interfaces to be simpler and
cleaner
- Remove the needs_persistence property from the token provider API
and document the ability to push that logic into individual
providers that require it
- Return 403 Forbidden for all requests to fetch a revocation list
- Remove the signing directory configuration options
These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.
bp removed-as-of-rocky
Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
Add an auth plugin for application credentials and update the common
auth utilities to understand an auth method of 'application_credential'
and validate and scope accordingly.
By default, application credentials should not be allowed to be used for
creating other application credentials or trusts. If a user creates an
application credential with flag `allow_application_credential_creation`
then that application should be allowed to be used for creating and
deleting other application credentials and trusts. Ensure a flag is set
in the token if this property is set to allow this behavior.
bp application-credentials
Change-Id: I15a03e79128a11314d06751b94343f22d533243a
Add a sql model and driver for application credential CRUD operations
and authentication.
bp application-credentials
Change-Id: I192052434c0b0d49d1612824aec1034507dfd233
Because we have policy in code, we should be able to use the
oslo.policy CLI scripts to produce sample policy files and render
complete policies based on overrides on disk. This was broken
because keystone wasn't removing unexpected commandline arguments
before passing them to oslo.config to parse. This prevented
people from generating complete policy files like they would for
horizon.
This commit exposes a get_enforcer() that substitutes an empty list
in place of arguments passed in through the system. This makes it
so that oslo.config doesn't choke when processing configuration
values.
Change-Id: I22583258eac5b3a64208355d18ccfa62dba1871d
Closes-Bug: 1740951
As "admin_token_auth" is removed from the paste file, some related contents
are useless and should be removed also.
Change-Id: Ia2263eda93559603a31d9a492e5501424613188e
bp: removed-as-of-queens
In order to make it simpler to use the default
configuration files when deploying services
from source, the files are added to pbr's
data_files section so that the files are
included in the built wheels and therefore
deployed with the code. Packaging and deployment
tools can then more easily use the default files
if they wish to.
This pattern is already established with similar
files for neutron and the glance metadefs as has
been mentioned in the related bug report.
Change-Id: I505a2cdff3ec699dcb4a37106765ef889872d367
Closes-Bug: #1718356
This change has been implemented to avoid the need to backport
significantly impactful Foreign Key dropping backports.
Resource is highly relational data and it makes sense to allow the
use of FKs from other subsystems to project/domains.
Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
With the docs migration and re-arrangement, some docs
have been shifted to new places, however the referenced
links are still old. Some of them give 404 error or
just point to the home page. This patch fixes those URLs.
Change-Id: Ie6b18ab3d4aa346dac8436dd426277fee4f07fcd
Since Sphinx 1.6 released, pbr's build_sphinx extension has been broken.
Specifically, pbr's [build_sphinx]/builders option is ignored. Luckily,
sphinx itself implemented the feature but called it just 'builder'[1].
This patch fixes the config setting name and then cleans up a Sphinx
extension inclusion that is now automatically included.
[1] http://lists.openstack.org/pipermail/openstack-dev/2017-July/119396.html
Change-Id: I5da6a996ed442524ddb108a890df2d024ee07c4d
keystone_tempest_plugin has moved to a separate repo, but we
have not removed its entry from the packages section in setup.cfg. On
installing keystone, it also installs keystone_tempest_plugin in the
python sitelib directly, which contains a README.rst file only and
does not add value. So it is better to remove that entry.
Change-Id: I832600d841e9a84c3dfee7b5c3e8893ece1ae902
The plugin has been split into its own repository[1] in accordance with
Queens Goal "Split Tempest Plugins into Separate Repos/Projects[2]".
This patch removes the local copy as well as the setuptools entry point.
We can also now remove the autodoc_tree_excludes pbr option since
there's no more plugin to exclude and it defaults to [setup.py].
[1] http://git.openstack.org/cgit/openstack/keystone-tempest-plugin
[2] https://governance.openstack.org/tc/goals/queens/split-tempest-plugins.html
Depends-On: I47f59505126509b6b52cf04b8f7501e8ef4041b7
Change-Id: I1805b196b42b6a76c56e129a316e170e767455c1
An upcoming release of pbr will require explicitly stating which
builders are requested, rather than defaulting to html and man. Head off
any potential impact this may cause by explicitly setting this
configuration now.
Change-Id: I6983a5a988d8a595f2ab75580147da2e920ae030
This adds the entry point and config file necessary for using the
oslo.policy sample generation script. It also adds a tox target to
simplify the usage of it.
Change-Id: I7feb522b2ea5f56e48982169c7ebbb2ec2ef2cb3
Partially-Implements: bp policy-in-code
This change removes the unused "warnerrors" setting that
was part of [pbr] which was replaced by "warning-is-error"
in sphinx 1.5 and above[0]. This also fixes any warnings
and errors that came up when running `tox -edocs` using
this new feature:
- Invalid code example highlighting
- Redundant loading of todo extension
[0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113085.html
Change-Id: I9a8789b448ffa199b4539f57e692bac251d75036
Translations have been removed in
https://review.openstack.org/#/c/437811/ and compile_catalog
fails with "no message catalogs found" error.
Change-Id: Id0578920faa201a8ab2adf1f123416cfb17a1dd1
EndpointFilterCatalog was deprecated in Ocata in favor of
sql.Catalog.
Implements: bp removed-as-of-pike
Change-Id: I7f3eea85d4d8668e9e421b06a65086a736211106
KVS code (core) and items depending on it were deprecated in Newton, slated
for removal in Pike.
implements bp removed-as-of-pike
Closes-Bug: 1077282
Change-Id: I6ed4e3688f2a63b0fc439527957bc027db8d5d66
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
These were very out of date; though they are not used, we should
try to keep them up to date. Hopefully we are able to use them
instead of paste.ini one day.
Change-Id: I5d78011ff472bd0a33911310712f0f60708b447e
When building keystone docs, autodoc goes through all of
the project in order to auto-generate api docs. When going
through 'keystone_tempest_plugin', there are currently 6
warnings that are emitted due to issues with duplicate
option errors. These errors seem to be related to duplicate
named options between tempest and oslo.config, rather than
keystone.
Due to these warnings, there are already multiple issues with
the api page [1] not rendering everything.
This change adds 'keystone_tempest_plugin' to the exclusion list
for autodoc and as a result, removes the 6 warnings from doc building
since 'keystone_tempest_plugin' will no longer be auto-generated
with incomplete info.
[1] http://docs.openstack.org/developer/keystone/api/keystone_tempest_plugin.html
Change-Id: Icb5c518b2f1409e2e9580b14ba1ae0e44995a73c
Co-Authored-By: Tin Lam <tinlam@gmail.com>
Partial-Bug: #1602422
Now that there exists only a gate job for Python 3.5 and not 3.4,
we should remove those references to the 3.4 that is untested.
Change-Id: Ia017d1199f8ca31808680b91c708823711127659
The setup.cfg for stevedore still contains references to the
memcache token persistence drivers even though those drivers were
removed in commit I4b8b88409abe8eea8f0a075aebbe9c569367c454.
bp removed-as-of-ocata
Change-Id: Iaaa3c5bc6d88ee45bef956a437e0fd711313be6b
This is the first step of several to remove PKI token support in
keystone. A large issue in removing PKI support is support for the
revocation list must be maintained.
This patch removes support for the token format, its surrounding tests
and examples that are generated. Additionally, some wording has been
changed around the CLI and config options to make the distinction
between keys and certs used for PKI tokens and those used for getting
the revocation list (a list of tokens that are revoked, which is signed).
Future patches will:
- Remove the keystone-manage commands for generating certs
- Modify the revocation list (at /auth/tokens/OS-PKI/revoked) to return
a 403 if pki is not configured (instead of raising a 500). We cannot
remove the API as that would break an API contract.
- Options to configure PKI will be marked as deprecated
- If PKI is configured a normal signed list will be returned (same
behavior as today)
- Follow up patch to keystonemiddleware will make sure auth_token does
not rely on the revocation api at all.
Related-Bug: 1626778
Related-Bug: 1626779
Co-Authored-By: Boris Bobrov <bbobrov@mirantis.com>
bp removed-as-of-ocata
Change-Id: Icf1ebced44a675c88fb66a6c0431208ff5181574