The endpoint policy extension will need to ensure stale
associations are removed on deletion of these entities. Delete
events are already generated for endpoints. For completeness,
create and update notifications for these entities have also
been implemented.
Partially implements: bp endpoint-policy
Change-Id: I5de15459f5b577955056ecc166b450963e85bbc9
These routes are purely based on your current authentication and bridge
the gap between what is available in the standard identity-api for
fetching scope targets based on user_id and what is required for the
federation APIs.
Implement /auth/projects /auth/domains and move /catalog to
/auth/catalog
Change-Id: I464c0ca5cc9f250d593340e9563de45b077dd4cd
Implements: blueprint auth-specific-data
A credentials entity has a user_id attribute. Currently the lack of a
filter of user_id means that we cannot use the keystone policy file to
enable users to have access to (only) their credentials. This fix solves
it by adding such a filter:
List credentials: `GET /credentials`
Optional query parameters:
- `user_id` (string)
Implements: blueprint filter-credentials-by-user
Closes-Bug: #1267096
Change-Id: Iff016fac37b50d55d77ec7511aae4e57af34f08f
To correctly issue a CADF audit event for a change in role
assignments, we need to expose the context at the manager level.
Note that the driver signatures are *not* changing, just the
manager needs to know the context.
Implements: bp role-assignment-notifications
Change-Id: I116b185f5d1fc3f9cbb03ffcf3ce64c56a73d969
Renamed a few methods in test_notifications to follow the python
convention, using underscores instead of camelCase.
Change-Id: I48003566b8f5967185e5067ff3cfbf4324b81d43
test_user_mixed_case_attribute passes when not using a live LDAP backend.
The test fails when using a live LDAP backend because the standard LDAP
email attribute is 'mail', but the test is expecting the LDAP backend to
use 'email' as the attribute name. The fix is to use 'mail' as the
attribute returned by the LDAP backend, and 'email' as the corresponding
property in the User object.
To test, run the test_ldap_livetest test e.g.
python -m testtools.run keystone.tests.test_ldap_livetest
Closes-Bug: #1321822
Change-Id: I2100b5706852fdc7dfea2d4473ef6685c8a2f874
The matcher implementation would fail to match two documents that are
semantically equivalent, but sibling elements appear in different
document order.
Change-Id: I99dc6401e73be4c61bb265c3258b6245f2e7bb34
Closes-Bug: #1347891
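As an added illustration of the kind of matcher the message above describes (example code written for this page, not Keystone's test matcher; canonical and xml_equivalent are hypothetical names and the catalog documents are constructed), the following compares two XML documents structurally while ignoring the order of sibling elements:

```python
import xml.etree.ElementTree as ET


def canonical(elem):
    """Order-insensitive, hashable form of an element subtree.

    Attributes are sorted by name, text is whitespace-trimmed and the
    canonical forms of the children are sorted, so two documents whose
    siblings merely appear in a different order canonicalise identically.
    """
    attrs = tuple(sorted(elem.attrib.items()))
    text = (elem.text or "").strip()
    children = tuple(sorted(canonical(child) for child in elem))
    return (elem.tag, attrs, text, children)


def xml_equivalent(doc_a, doc_b):
    """True if the two XML strings are equal ignoring sibling order."""
    return canonical(ET.fromstring(doc_a)) == canonical(ET.fromstring(doc_b))


# Constructed sample documents (not taken from Keystone).
DOC_A = (
    '<catalog>'
    '<service type="identity">'
    '<endpoint interface="public" url="http://id.example/v3"/>'
    '<endpoint interface="admin" url="http://id.example:35357/v3"/>'
    '</service>'
    '<service type="compute"/>'
    '</catalog>'
)
# Same content as DOC_A with sibling order changed at both levels.
DOC_B = (
    '<catalog>'
    '<service type="compute"/>'
    '<service type="identity">'
    '<endpoint interface="admin" url="http://id.example:35357/v3"/>'
    '<endpoint interface="public" url="http://id.example/v3"/>'
    '</service>'
    '</catalog>'
)
# A genuine difference: one endpoint URL changed.
DOC_C = DOC_A.replace('http://id.example:35357/v3', 'http://other.example/v3')

if __name__ == "__main__":
    print(xml_equivalent(DOC_A, DOC_B), xml_equivalent(DOC_A, DOC_C))
```

This is a structural comparison for tests only; it is not XML canonicalisation (C14N) and must not be used where byte-exact equivalence matters, such as verifying signed documents.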
Removes the condition that an authentication plugin knows the "method"
name that is going to be used to call it. This condition prevents
different mechanisms like "kerberos" and "saml" from using the same
backend plugin.
The client should not know how the server is enforcing the Kerberos
authentication, mod_auth_kerb or embedded Kerberos, but the
mod_auth_kerb implementation needs to use the same implementation as an
X509 implementation.
Closes-Bug: #1343709
Change-Id: I6c7d44d3809e5e88cc50c50b6df6f3a154df7ab2
Various files had unnecessary references to the keystone config
file. Remove those lines and the import statement.
Change-Id: Ie0f910cf3c647410e3a9b773fc4043622163b9e4
A bogus, non-visible character may be appended to the token.
If it is, the hash will not match the original, and the token
will be incorrectly reported as invalid.
Change-Id: I7b2c831b85818a8c07616f44c1d501701c9d72f8
Closes-Bug: #1354765
This fix implements the hints mechanism, considering filters as hints,
so the particular backend implementation has an option to process or
ignore it. Since the EC2 credentials code calls list_credentials() with
user_id as a param, a separate method list_credentials_for_user has been
introduced to provide the compatibility while supporting the standard hints
mechanism in list_credentials().
This fix doesn't plug hints into the controller, it prepares the way for
implementation of the bp filter-credentials-by-user to support filtering
credentials by user in a follow on patch.
Closes-Bug: #1353511
Change-Id: Ibcf59aa45a8fc7e5cc66fd4edb91ae8fdc641d93
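The hints pattern described in the message above, and the user_id filter the earlier filter-credentials-by-user message relies on, can be sketched as follows. This is an added example written for this page, not Keystone's manager or driver code: Hints, PushdownDriver, NaiveDriver, list_credentials_for_user and may_list are hypothetical names, and the credential store is constructed.

```python
class Hints(object):
    """Stand-in for a driver hints object: a list of exact-match filters that
    a driver may consume; anything left behind is applied by the manager."""

    def __init__(self):
        self.filters = []

    def add_filter(self, name, value):
        self.filters.append({'name': name, 'value': value})

    def get_exact_filter_by_name(self, name):
        for f in self.filters:
            if f['name'] == name:
                return f
        return None


# Constructed sample credential store (not real data).
CREDENTIALS = [
    {'id': 'c1', 'user_id': 'alice', 'type': 'ec2'},
    {'id': 'c2', 'user_id': 'bob', 'type': 'ec2'},
    {'id': 'c3', 'user_id': 'alice', 'type': 'cert'},
]


class PushdownDriver(object):
    """A driver that applies the user_id filter itself (as a SQL driver would
    with a WHERE clause) and marks it consumed so it is not applied twice."""

    def list_credentials(self, hints):
        rows = list(CREDENTIALS)
        f = hints.get_exact_filter_by_name('user_id')
        if f is not None:
            rows = [r for r in rows if r['user_id'] == f['value']]
            hints.filters.remove(f)
        return rows


class NaiveDriver(object):
    """A driver that ignores hints; the manager must filter the result."""

    def list_credentials(self, hints):
        return list(CREDENTIALS)


def apply_remaining_filters(hints, rows):
    """Apply every filter the driver did not consume."""
    for f in hints.filters:
        rows = [r for r in rows if r.get(f['name']) == f['value']]
    return rows


def list_credentials(driver, user_id=None):
    """Manager-level listing: build hints, let the driver consume what it can,
    then enforce whatever is left so the result is filtered either way."""
    hints = Hints()
    if user_id is not None:
        hints.add_filter('user_id', user_id)
    return apply_remaining_filters(hints, driver.list_credentials(hints))


def list_credentials_for_user(driver, user_id):
    """Compatibility wrapper for callers that pass user_id positionally
    rather than through the hints mechanism."""
    return list_credentials(driver, user_id=user_id)


def may_list(token_user_id, requested_user_id, is_admin=False):
    """The policy check the user_id filter makes possible: a non-admin may
    only list credentials when the filter names their own user id."""
    if is_admin:
        return True
    return requested_user_id is not None and requested_user_id == token_user_id
```

The important property is that both drivers yield the same filtered result, so a policy rule that ties the request's user_id to the token's user id cannot be bypassed by a backend that happens not to understand the hint.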
This patch resolves the following errors:
1. AttributeError: 'Server' object has no attribute 'reset'.
2. error: [Errno 9] Bad file descriptor
3. Can't dup an SSL object
When the SIGHUP signal is received by the service launcher in the
common service framework, it calls the server's reset method.
As the reset method is not present in the Server class of the
keystone.common.environment.eventlet_server module, it raises
AttributeError: 'Server' object has no attribute 'reset'.
After adding the reset method, when the SIGHUP signal is sent to the
service parent process, it stops the service and then calls the service
start method again. When it stops the service, it kills the eventlet
thread, which internally closes the wsgi server socket object.
This server socket object is now not usable again and it throws the
following error while restarting the service:
error: [Errno 9] Bad file descriptor
To resolve the 'Bad file descriptor' error, a duplicate socket object
is created every time the service starts.
As an SSL object cannot be duplicated, the duplicate socket object is
created before converting the regular socket into an SSL socket.
Closes-Bug: #1337850
Change-Id: I52caacc01a94428e4986ef68d032ad317e09b276
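The dup-before-wrap approach described above, as an added example written for this page rather than Keystone's eventlet_server code (make_listener, run_with_restarts and reuse_after_close_fails are hypothetical names; the TLS step is shown only as a comment, where ssl.SSLContext.wrap_socket would be applied to the duplicate). It simulates several restarts on a plain TCP listener: each start dups the long-lived socket, the worker serves on the dup, and the stop closes only the dup.

```python
import socket
import threading


def make_listener():
    """Constructed stand-in for the long-lived wsgi listening socket."""
    base = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    base.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    base.bind(('127.0.0.1', 0))
    base.listen(5)
    return base


def serve_one(listener):
    """Accept one connection on *listener* and echo one message back."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(conn.recv(1024))


def client_roundtrip(port, payload):
    with socket.create_connection(('127.0.0.1', port)) as client:
        client.sendall(payload)
        return client.recv(1024)


def run_with_restarts(rounds=2):
    """Simulate *rounds* SIGHUP restarts and return the echoed replies."""
    base = make_listener()
    port = base.getsockname()[1]
    replies = []
    for i in range(rounds):
        # Each start works on a duplicate; `base` is never handed to the worker.
        working = base.dup()
        # For TLS, ssl.SSLContext.wrap_socket() would be applied to `working`
        # here, never to `base`, because an SSL socket cannot be dup'ed.
        worker = threading.Thread(target=serve_one, args=(working,))
        worker.start()
        replies.append(client_roundtrip(port, b'hello %d' % i))
        worker.join()
        working.close()  # the "stop": only the per-start duplicate is closed
    base.close()
    return replies


def reuse_after_close_fails():
    """The failure mode the commit describes: once the original socket
    object has been closed it cannot be reused for the next start."""
    base = make_listener()
    base.close()
    try:
        base.accept()
    except OSError:  # [Errno 9] Bad file descriptor
        return True
    return False


if __name__ == '__main__':
    print(run_with_restarts(2), reuse_after_close_fails())
```

Because dup() only copies the descriptor, the listening port stays bound across restarts, which is also why the SSL wrapping has to be redone on every start rather than carried over.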
Since Keystone is changed to use strutils and timeutils from
oslo.utils, it doesn't directly use these modules from
oslo-incubator anymore, as such, they're removed from
openstack-common.conf.
Since these modules are still used internally by oslo-incubator
modules, they aren't removed from keystone in a sync.
Change-Id: Ia31e455c6441cfbfbe33271ccdef1030a8c3d5cc
Keystone was using functions in oslo-incubator that have been
graduated into oslo.utils. This changes the function calls to use
the functions in oslo.utils.
Change-Id: I39365042de913e1b3edaf849e3f5578cef0b7b02