14566 Commits

Author SHA1 Message Date
Zuul
569061cf30 Merge "Spelling Fix" 2020-09-14 13:36:33 +00:00
Ghanshyam Mann
0ba9e3a12e Fix gate by running l-c job on Bionic
l-c job template moved the l-c jobs running on Focal
and currently fails on many constraints.

Let's keep running l-c job on bionic as it was before and we
can move it to Focal once issues are identified and fixed.

- Fixing the hacking tests which are behaving differently between
< 3.8.0 (until Ubuntu Bionic) and 3.8.2 (Ubuntu Focal).

Squashing below review also
- https://review.opendev.org/#/c/750786/

Co-Author: Lance Bragstad <lbragstad@gmail.com>

Change-Id: If733e9824d87d8c73797f753e4daf95489bed9c2
2020-09-10 20:25:27 -05:00
Zuul
0b9d98b37b Merge "Write a symptom for checking memcache connections" 2020-08-28 03:34:51 +00:00
Zuul
1be0a430f5 Merge "Fix user creation with GRANT in MySQL 8.0(Ubuntu Focal)" 2020-08-28 03:34:34 +00:00
Lance Bragstad
bb0393623c Write a symptom for checking memcache connections
This makes it easier for operators to troubleshoot connection issues to
Memcached.

Related-Bug: 1332058

Change-Id: I6e67363822480314b93608bb1eae3514f1480f6d
2020-08-26 10:28:39 -05:00
Zuul
45c263113a Merge "NIT: Spelling Fix" 2020-08-25 22:54:42 +00:00
Zuul
63a4d95ea2 Merge "Remove an assignment from domain and project" 2020-08-25 22:54:38 +00:00
Zuul
f7c0b6bcd5 Merge "Bump pysaml2 requeriment to avoid CVE-2020-5390" 2020-08-25 15:38:54 +00:00
Zuul
73b325c836 Merge "Properly handle octet (byte) strings when converting LDAP responses" 2020-08-24 19:29:09 +00:00
Raildo Mascena
c0d63cecd8 Bump pysaml2 requeriment to avoid CVE-2020-5390
Although Keystone doesn't use the pysaml2 signature on [0], it
would be nice to bump the pysaml2 version to at least 5.0.0 [1] in
order to have the CVE fix included [2].

[0]https://opendev.org/openstack/keystone/src/branch/master/keystone/federation/idp.py#L440-L521
[1] https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0
[2] https://github.com/advisories/GHSA-qf7v-8hj3-4xw7

Change-Id: I1d3776f7f1feb6485feecb140703f23027ca3a6f
2020-08-24 15:31:55 -03:00
Zuul
c36d015d41 Merge "Improve the update description for limits in api-ref" 2020-08-21 15:12:00 +00:00
Vishakha Agarwal
b54839f382 Fix user creation with GRANT in MySQL 8.0(Ubuntu Focal)
In Ubuntu Bionic (18.04) mysql 5.7 version used to create
the user implicitly when using the GRANT.

Ubuntu Focal (20.04) has mysql 8.0 and with mysql 8.0 there
is no implicit user creation with GRANT. We need to
create the user first before using GRANT command.

This patch updates tools/test-setup.sh so that keystone supports
ubuntu focal.

Story: #2007865
Task: #40190

Change-Id: I86d10729cfc7c02f12df611b56f6e263969dfe4b
Closes-Bug: #1885825
2020-08-17 13:37:48 +05:30
Vishakha Agarwal
1b75e56a08 Improve the update description for limits in api-ref
The update registered limit updates the specified registered
limit. It will be wrong to describe it as "Update registered
limits". It should be singular. Same for updating a project
limit. This patch fixes the same.

Change-Id: Ie28f0661bd4402ebb8f9de37fff4c36b925c3b04
2020-08-13 15:50:49 +05:30
Vishakha Agarwal
88197d2175 Follow-up for bug-1891244
This patch closes the review comments of [1].

[1]https://review.opendev.org/#/c/745752/

Change-Id: I06b02b2ebfed35d4e82c5fc35ce8eb0bb20b2fc5
2020-08-13 15:40:35 +05:30
melanie witt
7d6c71ba26 Support format for msgpack < 1.0 in token formatter
msgpack v1.0 changed its data format [1] and during a rolling upgrade, attempts
to unpack cached tokens with old data format with the new default raw=False
result in the following error:

  UnicodeDecodeError: 'utf-8' codec can't decode byte 0x87 in
  position 3: invalid start byte

This passes raw=True to support backward-compat with the old format
until we are guaranteed to have msgpack >= 1.0 in the N-1 release of
a rolling upgrade.

Closes-Bug: #1891244

[1]
https://github.com/msgpack/msgpack-python/blob/v1.0.0/README.md#major-breaking-changes-in-msgpack-10

Change-Id: I6c61df6c097fef698c659c79402c4381ec7f3586
2020-08-11 21:37:24 +00:00
Zuul
06ab946af5 Merge "Skip tests to update u-c for PyMySql to 0.10.0" 2020-08-11 16:38:29 +00:00
Vishakha Agarwal
56da348b49 Skip tests to update u-c for PyMySql to 0.10.0
In the new version of PyMySql the error > 1000, will be
operational error [1], which is failing keystone migration
test cases [2] for backend mysql because we raise dberror
[3] which does not handle operational error.

PyMySQL hasn't been raised to 0.10.0 in the upper-constraints
yet, so this patch isn't going to be able to install it.
We can't raise the u-c since the current keystone jobs are
failing with it.

This patch overrides the test cases for backend SQL and skips
the same. This is to make sure that failed test cases are
skipped, because once the upper-constraints are updated to
0.10.0 for PyMySql and merged, we will revert the skip and
handle 0.10.0.

[1]c3e5a63514
[2]https://da7bb9864083b9045f13-6176f3344d2541229da3be8329641f28.ssl.cf5.rackcdn.com/741837/2/check/cross-keystone-py36/d1a2e73/testr_results.html
[3]033e7aff87/keystone/tests/unit/test_sql_upgrade.py (L1867)

Related-Bug: #1890325
Change-Id: I207bb816affcb3e2725321de9a90a40c027a9f87
2020-08-10 14:09:30 +00:00
Vishakha Agarwal
f6df4e3243 Spelling Fix
This Patch fixes the 'middleware' spelling.

Change-Id: I6659ca49db86e5c20ecf80e4c4fff93328616eb6
2020-08-06 19:49:34 +05:30
Vishakha Agarwal
4ef7a2379a NIT: Spelling Fix
This patch fixes spelling "project" in test_sql_upgrade.py file.

Change-Id: I8b1a8dbea5fb17707e59fae8605cc615f1b51f2c
2020-08-06 16:13:38 +05:30
Lance Bragstad
8bf222ac5d Properly handle octet (byte) strings when converting LDAP responses
If LDAP returns a UUID as an octet string the LDAP driver will fail to
convert it to something meaningful. The error usually looks something
like:

  ID attribute objectGUID not found in LDAP object

Microsoft AD's `objectGUID` parameter is stored and transmitted as an
octet string [0]. If you attempt to use the `objectGUID` to generate
user or group IDs, you'll get an HTTP 404 because keystone can't decode
it properly. This is unfortunate because `objectGUID` are a fixed
length, UUID format, and ideal for generating IDs in keystone. As
opposed to using the object's CN, which is variable length, and can
generate hashes that are larger than keystone's database table limit for
user IDs.

[0] https://docs.microsoft.com/en-us/windows/win32/ad/reading-an-objectampaposs-objectguid-and-creating-a-string-representation-of-the-guid

Change-Id: Id80b17bdff015e10340e636102576b7435bd564f
Closes-Bug: 1889936
2020-08-05 14:25:18 -05:00
Zuul
952959fb87 Merge "Fix api-ref for list endpoints" 2020-08-05 19:22:16 +00:00
Zuul
bcc751b3a2 Merge "Stop to use the __future__ module." 2020-07-31 08:42:30 +00:00
Zuul
d80f8ebc10 Merge "Fix invalid assertTrue which should be assertEqual" 2020-07-31 08:05:43 +00:00
zhufl
9633926434 Fix invalid assertTrue which should be assertEqual
self.assertTrue(len(user['federated']), 1) should be
self.assertEqual(len(user['federated']), 1).

Change-Id: If6bdfb074cb68271e69f8436111149d3aa312e6d
2020-07-30 08:55:10 +08:00
Zuul
b187dfd05a Merge "requirements: Drop os-testr" 2020-07-29 14:18:21 +00:00
Zuul
3da5eb8501 Merge "Fix "allow expired" feature for JWT" 2020-07-29 12:01:25 +00:00
Zuul
06633e1472 Merge "Port the grenade multinode job to Zuul v3" 2020-07-29 11:21:03 +00:00
Vishakha Agarwal
311184c394 Fix api-ref for list endpoints
According to [1], the list endpoints filter also has a
``region_id`` parameter which is missing from api-ref.
This patch updates the same in api-ref.

[1]https://github.com/openstack/keystone/blob/master/keystone/api/endpoints.py#L78

Change-Id: I3982c98506f945b47c056ed1c9e5eee673a3662a
2020-07-28 17:40:54 +00:00
Vishakha Agarwal
3de085b1eb Fix lower-constraint for PyMySQL
keystone does not have any lower constraint for PyMySQL, so the
latest version 0.10.0 is picked by the job, which is failing [1].
In OpenStack, the PyMySQL upper constraint is .9.3, which means that
version is tested, not 0.10.0 [2]. Let's add a PyMySQL lower constraint
also so that we test the lower-constraint job with the correct lower version.

[1]https://zuul.opendev.org/t/openstack/build/3077d96f4fff4b7985cb763d0635d471/log/job-output.txt#621
[2]https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L384

Change-Id: I3834b3b34641c006c70614d5331d292c41f8a346
Closes-Bug: #1888886
2020-07-24 19:58:30 +05:30
Zuul
dc68ee4816 Merge "Support regexes in whitelists/blacklists" 2020-07-16 20:03:47 +00:00
Zuul
c74ef439ef Merge "Cap jsonschema 3.2.0 as the minimal version" 2020-07-16 02:08:50 +00:00
Zuul
dbd0c73531 Merge "Fix doc for package mod_wsgi on Centos8/RHEL8" 2020-07-15 22:35:04 +00:00
Zuul
5feffb0319 Merge "Add ignore_user_inactivity user option" 2020-07-15 16:15:53 +00:00
Vishakha Agarwal
6b37a0abbb Fix doc for package mod_wsgi on Centos8/RHEL8
In the keystone installation for rdo [1], installation of
package mod_wsgi is required. But in Centos8/RHEL8 the
package name is updated to python3-mod_wsgi [2].

This patch updates the keystone doc about the same.

[1]https://docs.openstack.org/keystone/queens/install/keystone-install-rdo.html#install-and-configure-components
[2]https://docs.openstack.org/trove/latest/install/apache-mod-wsgi.html

Change-Id: Ic7aac07ab52275cc3b47481d8278a404909fc39f
Closes-Bug: #1886036
2020-07-10 19:24:21 +05:30
Stephen Finucane
5b552d8785 requirements: Drop os-testr
We migrated to os-testr some time ago. There's no reason to keep this
around as a dependency.

Change-Id: Iedde135b9de03229c27ed57638d0c404169f43ab
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2020-07-09 11:15:04 +01:00
Vishakha Agarwal
2707498474 Fix "allow expired" feature for JWT
GET /v3/auth/tokens?allow_expired=1 works fine with fernet tokens
returning the expired token data, whereas it returns exception
TokenNotFound for JWT. This patch fixes the same.

Change-Id: I03f6c58dce7d140d62055a97063aeb480498e5e6
Closes-Bug: #1886017
2020-07-08 17:30:36 +05:30
Zuul
05e9ac007f Merge "Add an enhanced debug configuration technique to caching guide" 2020-07-07 19:16:38 +00:00
Zuul
8639b38133 Merge "Add "explicit_domain_id" to api-ref" 2020-07-07 19:16:35 +00:00
Pavlo Shchelokovskyy
c9c655a1e1 Add ignore_user_inactivity user option
This option allows overriding the
[security_compliance]disable_user_account_days_inactive setting from
config on a per-user basis.

Co-Authored-By: Vishakha Agarwal <agarwalvishakha18@gmail.com>

Change-Id: Ida360e215426184195687bee2a800877af33af04
Closes-Bug: #1827431
2020-07-07 20:40:52 +05:30
Zuul
557e3e44dc Merge "Adding note for create a project without domain info" 2020-07-06 20:50:33 +00:00
Raildo Mascena
12020a0b83 Adding note for create a project without domain info
When we create a project, using a project scoped token,
without adding the domain_id or domain information in the
project creation parameters, this project will be
automatically created on the default domain.

Change-Id: Ib7a2d47c2204b0639f029c3079f4fa86ee78e3a9
2020-07-03 11:36:06 -03:00
Zuul
3eb8cafb8d Merge "NIT: Fix Spelling in auth_context.py" 2020-07-02 08:23:53 +00:00
Zuul
194f09af36 Merge "Run federation jobs on Ubuntu Focal" 2020-07-01 19:20:48 +00:00
Vishakha Agarwal
ee9be2e92b Add "explicit_domain_id" to api-ref
In [1] a new parameter to domain API was added. This patch
updates the api-ref about the same.

[1] https://review.opendev.org/#/c/605235/

Change-Id: If288c3406e2fa840f698fec83d9643cfc0584f53
Closes-Bug: #1884062
2020-06-30 17:30:14 +00:00
Colleen Murphy
fb86048d0a Run federation jobs on Ubuntu Focal
The packaging issue that was never fixed for Bionic[1] doesn't seem to
be a problem on Focal, so let's switch back to Ubuntu.

[1] https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp2/+bug/1776489

Change-Id: I69b2c650d20e30e35c2388b824cb28fcef2bae77
Depends-on: https://review.opendev.org/726994
2020-06-30 10:17:54 -07:00
Zuul
0003168912 Merge "Bump hacking min version to 3.0.1" 2020-06-30 04:15:05 +00:00
Lance Bragstad
63e1181294 Add an enhanced debug configuration technique to caching guide
We often have operators ask why cache logging isn't included in their
logs despite setting `keystone.conf [DEFAULT] debug=True`. This is
because cache logging requires additional configuration that isn't
obvious unless you're familiar with oslo.cache and dogpile already.

This commit adds a section to the caching guide that shows people how to
update their configuration files when they need to debug caching issues.

Change-Id: I33d37366ea9caf320f3738db637dea7386ff6448
2020-06-29 09:50:42 -05:00
Zuul
e3bd1d747d Merge "New config option 'user_limit' in credentials" 2020-06-23 20:22:29 +00:00
Zuul
41b0388f4b Merge "ldap: fix config option docs for *_tree_dn" 2020-06-22 10:06:24 +00:00
Vishakha Agarwal
28faa24e68 Remove an assignment from domain and project
When you set up a user with a role assignment on a domain
and then a role assignment on a project "acting as a domain",
you can't actually remove them. The database throws you the
error "Multiple rows were found for one()" since it gets two
results for "actor_id" with the same "target_id".

This patch fixes this problem by filtering the database query
by "type" field to determine whether it is a user domain relation
or a user project and then removing the assignment.

Change-Id: Ife92a3c9e0982baafb4224882681c0855f573580
Closes-Bug: #1754677
2020-06-22 14:43:22 +05:30