801 Commits

Author SHA1 Message Date
Zuul
7048252d9b Merge "db: Remove legacy migrations" 2023-06-27 16:02:10 +00:00
OpenStack Proposal Bot
f64b741ddb Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I85f65708996160a6b87bc29435dab8e71a2a01d6
2023-05-17 02:17:17 +00:00
ba953a247e Update master for stable/2023.1
Add file to the reno documentation build to show release notes for
stable/2023.1.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.

Sem-Ver: feature
Change-Id: Ic6effa352660f0405d5f4bcd15f3be44b0cc423c
2023-03-07 11:54:19 +00:00
Zuul
c08d97672d Merge "OAuth 2.0 Mutual-TLS Support" 2023-03-03 17:14:58 +00:00
sunyonggen
f6a0cce440 OAuth 2.0 Mutual-TLS Support
The OAuth2.0 Access Token API is modified, support to get an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.

Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
2023-03-03 11:28:05 +09:00
Stephen Finucane
8c9462f6fa db: Remove legacy migrations
sqlalchemy-migrate does not (and will not) support sqlalchemy 2.0. We
need to drop these migrations to ensure we can upgrade our sqlalchemy
version.

Change-Id: I31ba9e4f129a7cc28744e814b5fd28eb284ae3de
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-02-28 17:26:39 +00:00
Dave Wilde (d34dh0r53)
3288af579d Force algo specific maximum length
The bcrypt algorithm that we use for password hashing silently
length limits the size of the password that is hashed giving the
user a false sense of security [0].  This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.

[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues

Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
2023-02-22 14:43:35 -06:00
Dave Wilde (d34dh0r53)
8f999d1c1f Limit token expiration to application credential expiration
If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greaten than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.

Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
2022-10-21 12:36:39 -05:00
Zuul
02db926396 Merge "Update master for stable/zed" 2022-09-27 15:06:59 +00:00
Zuul
8d591489a9 Merge "remove unicode prefix from code" 2022-09-16 17:15:00 +00:00
1ac8821651 Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I1f5579cf3b8e5055b3a26867c8cb1d39d2ea86fc
2022-09-14 07:41:45 +00:00
OpenStack Proposal Bot
1ea9f7557d Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I2d496fd5a76ca31a2ebbf275fdc348e8fc44394f
2022-09-08 03:35:35 +00:00
Zuul
051aca8e8a Merge "OAuth2.0 Client Credentials Grant Flow Support" 2022-08-26 17:09:42 +00:00
niuke
eae6adf00b remove unicode prefix from code
Change-Id: I0de3c786fa2617a44094c37827ebd93a8dfcf3b6
2022-08-15 10:53:41 +08:00
Zuul
f0f96d465d Merge "sql: Integrate alembic" 2022-07-29 17:54:06 +00:00
Zuul
9bb51da863 Merge "Only log warnings about token length when length exceeds max_token_size" 2022-07-25 23:37:34 +00:00
OpenStack Proposal Bot
c01e17f459 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I69d52a1d921e2c9376baef9ab54ba41aa9602b07
2022-07-02 03:08:54 +00:00
Stephen Finucane
f174b4fa7c sql: Integrate alembic
Switch to alembic for real by integrating it into the 'db sync' command
flow. From a user-facing perspective, things should remain pretty much
the same as before, with the key difference being that version
information (i.e. what's shown by 'keystone-manage db_sync --check' or
'keystone-manage db_version') will now take the form of a hash rather
than an integer. There are a few differences for contributors however.
The changes are described in the included release note and
documentation.

Note that there are a couple of important design decisions here that are
worth examining:

- We drop the idea of the 'data_migration' branch entirely and the
  'keystone-manage db_sync --migrate' command is now a no-op. Neutron
  doesn't do data migrations like we do and yet they manage just fine.
  Dropping this gets us closer to neutron's behavior, which is a good
  thing for users.

- We haven't re-added the ability to specify a version when doing
  'db_sync'. Neutron has this, but the logic needed to get this working
  is complex and of questionable value. We've managed without the
  ability to sync to a version since Newton and can continue to do so
  until someone asks for it (and does the work).

- sqlalchemy-migrate is not removed entirely. Instead, upon doing a
  'db_sync' we will apply all sqlalchemy-migrate migrations up to the
  final '079_expand_update_local_id_limit' migration and dummy apply the
  initial alembic migration, after which we will switch over to alembic.
  In a future release we can remove the sqlalchemy-migrate migrations
  and rely entirely on alembic. Until then, keeping this allows fast
  forward upgrades to continue as a thing.

- Related to the above, we always apply *all* sqlalchemy-migrate
  migrations when calling 'db_sync', even if this command is called with
  e.g. '--expand' (meaning only apply the expand branch). This is
  because there is at most one "real" migration to apply, the Xena-era
  '079_expand_update_local_id_limit' migration, which is an expand-only
  migration. There is no risk to applying the empty "data_migration" and
  "contract" parts of this migration, and applying everything in one go
  results in *much* simpler logic.

Future changes will update documentation and add developer tooling for
(auto-)generating new migrations, a la 'neutron-db-manage revision'.

Change-Id: Ia376cb87f5159a4e79e2cfbab8442b6bcead708f
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-06-20 13:29:58 +01:00
Yi Feng
b554576f62 OAuth2.0 Client Credentials Grant Flow Support
The OAuth2.0 Access Token API is added, support to get an OAuth2.0
access token from the keystone identity server with application
credentials.

Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
2022-06-14 09:09:33 +00:00
OpenStack Proposal Bot
7e6d20be56 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I64d941148743d2c7902f16f5e81888a647249c6f
2022-05-26 03:19:32 +00:00
Ghanshyam Mann
5a0fbe975d Update python testing as per zed cycle teting runtime
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Change-Id: I817a4d1506fb7f15e72d37015ae0ba9547e2aa52
2022-05-10 19:30:04 -05:00
433f541b97 Update master for stable/yoga
Add file to the reno documentation build to show release notes for
stable/yoga.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.

Sem-Ver: feature
Change-Id: I24bff76e6d727260446c6f8ff9709f409e2fae78
2022-03-11 11:29:44 +00:00
Zuul
8ef0bde1ce Merge "cmd: Remove deprecated '--extension' argument" 2022-02-08 15:58:09 +00:00
Zuul
ac3a779e10 Merge "sql: Remove legacy 'migrate_repo' migration repo" 2022-02-04 22:41:29 +00:00
Stephen Finucane
9f42c5ad6a cmd: Remove deprecated '--extension' argument
Remove option from 'db sync' and 'db version' commands of
'keystone-manage'. We also remove handling code for providing '--expand'
and '--migrate' in the same invocation, which isn't possible since
they're in a mutually exclusive group. Finally, we clean some formatting
things up in preparation for the alembic integration.

Change-Id: I198822d6f55353f1adeea9024db67abb24be54c7
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-01-21 13:39:30 +00:00
Grzegorz Grasza
f639c40534 Change the min value of pool_retry_max to 1
Value of 0 causes the pool to fail before it attempts to connect
to ldap, raising MaxConnectionReachedError.

Change-Id: Ia8450dc45dad5ceb4661807f51de66b5d70a6207
2022-01-18 11:41:59 +01:00
Stephen Finucane
503421d3d4 sql: Remove legacy 'migrate_repo' migration repo
This is now folded into the initial migration of the 'expand_repo'
repository. Previously, this was a dummy migration. We simply move
things across and remove any code that was trying to work with the older
repo since it's no longer necessary.

A release note is added, even though it's not really necessary since
nothing will change for users. It's more of a heads up that things are
afoot.

Change-Id: I59882d88fe593ec1ae37415b2157584f7f3c85f8
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2022-01-10 18:31:09 +00:00
Zuul
3cf93deac0 Merge "Deprecate ineffective [memcache] options" 2021-12-21 04:13:03 +00:00
Takashi Kajinami
9a8686aee0 Deprecate ineffective [memcache] options
These options were used by the memcache_pool backend for token
persistence, which was removed during Pike cycle.

Closes-Bug: #1941020
Change-Id: I2a0c2d46ebe81728f4ba0ff6d3072348e70f92dd
2021-12-12 22:55:43 +09:00
Zuul
fc9efc45b2 Merge "Accept STS and IAM services from Ceph Obj Gateway" 2021-12-10 17:02:22 +00:00
Stuart Grace
36d6fc7f8f Accept STS and IAM services from Ceph Obj Gateway
Ceph Object Gateway can use keystone for authenticating user requests
to its S3-compatible API, but recent versions also provide two other
AWS-compatible APIs for managing user access: Security Token Service
(STS) and Identity and Access Management (IAM). These attempt to
authenticate requests with Keystone but always receive 403 Access
Denied because _calculate_signature_v4() in api/s3tokens.py only
accepts "s3" as the service name. This patch accepts any of "s3" or
"sts" or "iam" as valid service names.

Change-Id: I69f16ed55dd9852859307b701a8391ba1e71c042
Closes-Bug: #1897280
2021-11-24 16:09:21 +00:00
3e63ce9428 Update master for stable/xena
Add file to the reno documentation build to show release notes for
stable/xena.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.

Sem-Ver: feature
Change-Id: Idbdb763bbdabf0be0016c2f1675c3dd60fee93e7
2021-09-17 15:54:38 +00:00
Zuul
f03ff806c1 Merge "Update local_id limit to 255 characters" 2021-08-27 12:19:35 +00:00
Grzegorz Grasza
ce6031ca12 Update local_id limit to 255 characters
This avoids the "String length exceeded." error, when using LDAP
domain specific backend in case the user uses a user id
attribute, which can exceed the previous constraint of 64 chars.

Change-Id: I923a2a2a5e79c8f265ff436e96258288dddb867b
Closes-Bug: #1929066
Resolves: rhbz#1959345
2021-08-09 20:40:52 +02:00
a24d36a87f Update master for stable/wallaby
Add file to the reno documentation build to show release notes for
stable/wallaby.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.

Sem-Ver: feature
Change-Id: Iab1e95d50f731e1573844e559d06b134cc279f08
2021-07-15 23:37:51 +00:00
Zuul
63ef8f81f3 Merge "Hide AccountLocked exception from end users" 2021-05-06 22:40:43 +00:00
Zuul
c777c4b859 Merge "Update master for stable/victoria" 2021-05-05 22:31:23 +00:00
Lance Bragstad
68bfb685d1 Only log warnings about token length when length exceeds max_token_size
Previously, the fernet token provider would log warnings when a fernet
token exceeded 255 characters, which is common for LDAP-backed
deployments. The warning is always issued, even when operators configure
keystone's max_token_size to a higher value, causing confusion because
it appears the configuration value is silently ignored.

This commit fixes that issue by using the max_token_size configuration
parameter consistently in the fernet token provider.

Closes-Bug: 1926483

Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7
2021-05-03 20:40:31 +00:00
Gage Hugo
ac2631ae33 Hide AccountLocked exception from end users
This change hides the AccountLocked exception from being returned
to the end user to hide sensitive information that a potential
malicious person could gain insight from.

The notification handler catches the AccountLocked exception as
before, but after sending the audit notification, it instead
bubbles up Unauthorized rather than AccountLocked.

Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>

Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
Related-Bug: #1688137
2021-04-23 13:43:42 -05:00
Zuul
10057702ac Merge "Retry update_user when sqlalchemy raises StaleDataErrors" 2021-03-31 08:31:53 +00:00
Lance Bragstad
ceae3566e8 Retry update_user when sqlalchemy raises StaleDataErrors
Keystone's update_user() method in the SQL driver processes a lot of
information about how to update users. This includes evaluating password
logic and authentication attempts for PSI-DSS. This logic is evaluated
after keystone pulls the user record from SQL and before it exits the
context manager, which performs the write.

When multiple clients are all updating the same user reference, it's
more likely they will see an HTTP 500 because of race conditions exiting
the context manager. The HTTP 500 is due to stale data when updating
password expiration for old passwords, which happens when setting a new
password for a user.

This commit attempts to handle that case more gracefully than throwing a
500 by detecting StaleDataErrors from sqlalchemy and retrying.  The
identity sql backend will retry the request for clients that have
stale data change from underneath them.

Change-Id: I75590c20e90170ed862f46f0de7d61c7810b5c90
Closes-Bug: 1885753
2021-03-29 16:21:47 +00:00
OpenStack Proposal Bot
47df4ab8c1 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I2389bd16d4494db98db9450fc6c821d7b3410285
2021-03-27 06:54:43 +00:00
Zuul
c531d90d4b Merge "[goal] Deprecate the JSON formatted policy file" 2021-02-05 01:58:21 +00:00
Zuul
573196662e Merge "Support bytes type in generate_public_ID()" 2021-02-02 20:49:36 +00:00
Ghanshyam Mann
256160b849 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file''
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also replace policy.json to policy.yaml ref from doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: Ic65d2fd6ce7215b4a47a6fb41b9cbf991f27773b
2021-02-01 17:36:29 +00:00
Keigo Noha
f7df9fba82 Support bytes type in generate_public_ID()
python-ldap3.0 or later running on python3 uses str or bytes
data type according to what fields are returned.
local_id may be a bytes data type.
To handle it properly, mapping[key] needs to be examined for
identifying its data type and what python version is used.

Closes-Bug: #1901654
Change-Id: Iac097235fd31e166028c169d14ec0937c663c21c
2021-01-11 07:52:58 -05:00
Zuul
1c3131c6dc Merge "Use app cred user ID in policy enforcement" 2021-01-11 00:11:23 +00:00
OpenStack Proposal Bot
9ef800f0bc Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ic8c9b155a20aea11f74794aeb45a4e92e632148a
2021-01-09 06:47:38 +00:00
Lance Bragstad
2d7bf10a5a Use app cred user ID in policy enforcement
The application credential policies use the `rule:owner` policy to allow
users to manage their own credentials. The policy engine pulled the
user_id attribute from the request path instead of the actual
application credential. This allowed for users to exploit the
enforcement and view or delete application credentials they don't own.

This commit attempts to resolve the issue by updating the flask
parameters before they're translated to policy arguments and target
data, prior to policy enforcement.

Change-Id: I903d20fa41270499ca1c39d296120dd97cef5405
Closes-Bug: 1901207
2020-11-11 11:01:20 -06:00
Zuul
b0b93c0398 Merge "Generalize release note for bug 1878938" 2020-10-30 23:10:35 +00:00