5713 Commits

Author SHA1 Message Date
Henry Nash
8612a54f91 Add notifications for policy, region, service and endpoint.
The endpoint policy extension will need to ensure stale
associations are removed on deletion of these entities. Delete
events are already generated for endpoints. For completeness,
create and update notifications for these entities have also
been implemented.

Partially implements: bp endpoint-policy
Change-Id: I5de15459f5b577955056ecc166b450963e85bbc9
2014-08-21 14:53:52 +01:00
Jenkins
d486e7663a Merge "Create authentication specific routes" 2014-08-21 05:43:43 +00:00
Jenkins
61255d0711 Merge "Allow LDAP lock attributes to be used as enable attributes" 2014-08-21 05:43:29 +00:00
David Lyle
652ebe4081 Fixing simple type in comment
Change-Id: Ia213bf0b842484360633a3d851d74cff5bfb3a8e
2014-08-19 17:06:16 -06:00
Jenkins
498a0032db Merge "Enable filtering of credentials by user ID" 2014-08-19 22:05:27 +00:00
Jenkins
d239f8c927 Merge "Use python convention for function names in test_notifications" 2014-08-19 20:30:47 +00:00
Jamie Lennox
eb25fc6424 Create authentication specific routes
These routes are purely based on your current authentication and bridge
the gap between what is available in the standard identity-api for
fetching scope targets based on user_id and what is required for the
federation APIs.

Implement /auth/projects /auth/domains and move /catalog to
/auth/catalog

Change-Id: I464c0ca5cc9f250d593340e9563de45b077dd4cd
Implements: blueprint auth-specific-data
2014-08-20 05:01:35 +10:00
Jenkins
a8b844251b Merge "Fixes an issue with the XMLEquals matcher" 2014-08-19 17:18:32 +00:00
Alexey Miroshkin
00597be4cc Enable filtering of credentials by user ID
A credentials entity has a user_id attribute. Currently the lack of a
filter of user_id means that we cannot use the keystone policy file to
enable users to have access to (only) their credentials. This fix solves
it by adding such a filter:

List credentials: `GET /credentials`
Optional query parameters:
- `user_id` (string)

Implements: blueprint filter-credentials-by-user

Closes-Bug: #1267096

Change-Id: Iff016fac37b50d55d77ec7511aae4e57af34f08f
2014-08-19 18:23:38 +04:00
Steve Martinelli
9ffdedb758 Expose context to create grant and delete grant
To correctly issue a CADF audit event for a change in role
assignments, we need to expose the context at the manager level.
Note that the driver signatures are *not* changing, just the
manager needs to know the context.

implements bp role-assignment-notifications

Change-Id: I116b185f5d1fc3f9cbb03ffcf3ce64c56a73d969
2014-08-18 12:51:32 -04:00
Jenkins
2e4977076c Merge "Use mail for the default LDAP email attribute name" 2014-08-18 03:08:10 +00:00
Steve Martinelli
ebf9c24ef3 Use python convention for function names in test_notifications
Renamed a few methods in test_notifications to follow the python
convention, using underscores instead of camelCase.

Change-Id: I48003566b8f5967185e5067ff3cfbf4324b81d43
2014-08-17 02:31:35 -04:00
Jenkins
45728c58aa Merge "Issue multiple SQL statements in separate engine.execute() calls" 2014-08-15 16:56:22 +00:00
Jenkins
9c9246be86 Merge "Support the hints mechanism in list_credentials()" 2014-08-15 16:38:38 +00:00
Rich Megginson
ab429148c3 Use mail for the default LDAP email attribute name
test_user_mixed_case_attribute passes when not using a live LDAP backend.
The test fails when using a live LDAP backend because the standard LDAP
email attribute is 'mail', but the test is expecting the LDAP backend to
use 'email' as the attribute name.  The fix is to use 'mail' as the
attribute returned by the LDAP backend, and 'email' as the corresponding
property in the User object.
To test, run the test_ldap_livetest test e.g.

  python -m testtools.run keystone.tests.test_ldap_livetest

Closes-Bug: #1321822

Change-Id: I2100b5706852fdc7dfea2d4473ef6685c8a2f874
2014-08-15 09:36:58 -06:00
David Stanek
0fdc042313 Bump hacking to 0.9.x series
Change-Id: I6c67a2c448f9d3d00867fe45233f7119fe627e93
Partial-Bug: #1328469
2014-08-14 20:42:48 -07:00
Jenkins
73a5892717 Merge "Rename bash8 requirement" 2014-08-15 02:45:48 +00:00
Jenkins
60761beb7a Merge "Keystone service throws error on receiving SIGHUP" 2014-08-15 01:21:01 +00:00
Jenkins
a1da397aa8 Merge "Do not require method attribute on plugins" 2014-08-14 06:56:21 +00:00
David Stanek
c4ec6eb424 Fixes an issue with the XMLEquals matcher
The matcher implementation would fail to match two documents that are
semantically equivalent, but sibling elements appear in different
document order.

Change-Id: I99dc6401e73be4c61bb265c3258b6245f2e7bb34
Closes-bug: #1347891
2014-08-14 02:28:28 +00:00
Adam Young
1a610dcc25 Do not require method attribute on plugins
Removes the condition that an authentication plugin knows the "method"
name that is going to be used to call it. This condition prevents
different mechanisms like "kerberos" and "saml" from using the same
backend plugin.

The client should not know how the server is enforcing the Kerberos
authentication, mod_auth_kerb or embedded Kerberos, but the
mod_auth_kerb implementation needs to use the same implementation as an
X509 implementation.

Closes-Bug: #1343709

Change-Id: I6c7d44d3809e5e88cc50c50b6df6f3a154df7ab2
2014-08-13 21:49:53 -04:00
Jenkins
409c94d616 Merge "Remove unnecessary declaration of CONF" 2014-08-13 23:15:47 +00:00
Jenkins
7ae6e54393 Merge "Remove _BaseFederationExtension" 2014-08-13 21:40:26 +00:00
Jenkins
ba7e95f6f1 Merge "Add a URL field to region table" 2014-08-13 21:03:04 +00:00
Jenkins
d7237bf1b4 Merge "Filter List Regions by 'parent_region_id'" 2014-08-13 21:03:00 +00:00
Marek Denis
0341cc116a Remove _BaseFederationExtension
This class is not needed at the moment as there is only one class that
inherits from it.

Change-Id: I3bb8eb2e1ae62753acadd34a539a6ece571e8913
2014-08-13 13:31:11 -05:00
Steve Martinelli
327f733d49 Add a URL field to region table
Allow a URL to be associated with a certain region.

implements bp keystone-to-keystone-federation

Change-Id: Ib61f9c4c9727eb5e81b7c71102133ef000be395d
2014-08-13 13:10:25 -04:00
Steve Martinelli
0ce4199975 Remove unnecessary declaration of CONF
Various files had unnecessary references to the keystone config
file. Remove those lines and the import statement.

Change-Id: Ie0f910cf3c647410e3a9b773fc4043622163b9e4
2014-08-13 11:21:08 -04:00
Andreas Jaeger
3a09c1f5a3 Rename bash8 requirement
The package bash8 has been renamed to bashate.

Change-Id: I0863e909997be630c7c17106c87ab383293b191d
2014-08-13 12:16:56 +02:00
Jenkins
2ea3006dc0 Merge "Updates the sample config" 2014-08-13 01:36:28 +00:00
Jenkins
af916ab701 Merge "Change V3 extensions to use resources" 2014-08-12 23:43:51 +00:00
Jenkins
aa172b831d Merge "Enhance V3 extension class to use resources" 2014-08-12 23:43:43 +00:00
Jenkins
719010aac2 Merge "remove unused import" 2014-08-12 21:20:44 +00:00
Jenkins
6abc002235 Merge "V3 Extension class" 2014-08-12 17:47:26 +00:00
Jenkins
8218d8cecf Merge "Change V3 router classes to use resources" 2014-08-12 17:39:52 +00:00
David Stanek
8c1a28b6c0 Updates the sample config
Change-Id: Ic138fde8934a09937751f36c67b1bba5e80ceb79
2014-08-12 16:38:03 +00:00
Jenkins
abe78467f3 Merge "Clean whitespace off token." 2014-08-12 05:42:12 +00:00
Jenkins
1aa0169880 Merge "add i18n to lxml error" 2014-08-12 03:13:46 +00:00
Jenkins
3e80e0b005 Merge "Remove assignment controller dependency on token_api" 2014-08-12 03:13:42 +00:00
Jenkins
0d8658f258 Merge "Enhance V3 router class for resources" 2014-08-12 03:13:33 +00:00
Steve Martinelli
1e1698ed0b remove unused import
Change-Id: I1e6e8bf558990db8025326b679bf72aa957bd446
2014-08-11 17:39:47 -04:00
Jenkins
89854d3acd Merge "Remove ec2 contrib dependency on token_api" 2014-08-11 21:28:10 +00:00
Jenkins
3e5c177708 Merge "Expose token revocation list via token_provider_api" 2014-08-11 21:26:33 +00:00
Adam Young
a9736aa8ac Clean whitespace off token.
A bogus, non-visible character may be appended to the token.
If it is, the hash will not match the original, and the token
will be incorrectly reported as invalid.

Change-Id: I7b2c831b85818a8c07616f44c1d501701c9d72f8
Closes-Bug: 1354765
2014-08-11 19:06:18 +00:00
Alexey Miroshkin
8aa322236a Support the hints mechanism in list_credentials()
This fix implements the hints mechanism, considering filters as hints,
so the particular backend implementation has an option to process or
ignore it. Since the EC2 credentials code calls list_credentials() with
user_id as a param, a separate method list_credentials_for_user has been
introduced to provide the compatibility while supporting the standard hints
mechanism in list_credentials().

This fix doesn't plug hints into the controller, it prepares the way for
implementation of the bp filter-credentials-by-user to support filtering
credentials by user in a follow-on patch.

Closes-Bug: #1353511

Change-Id: Ibcf59aa45a8fc7e5cc66fd4edb91ae8fdc641d93
2014-08-11 15:35:44 +04:00
abhishekkekane
825f3e7820 Keystone service throws error on receiving SIGHUP
This patch resolves the following errors:
1. AttributeError: 'Server' object has no attribute 'reset'.
2. error: [Errno 9] Bad file descriptor
3. Can't dup an SSL object

When the SIGHUP signal is received by the service launcher in
common service framework, it calls the server's reset method.
As reset method is not present in Server class of
keystone.common.environment.eventlet_server module, it raises
AttributeError: 'Server' object has no attribute 'reset'.

After adding reset method when SIGHUP signal is sent to service
parent process, it stops the service and then calls service start
method again. When it stops the service, it kills the eventlet
thread, which internally closes the wsgi server socket object.
This server socket object is now not usable again and it throws
following error, while restarting the service:

error: [Errno 9] Bad file descriptor

To resolve 'Bad file descriptor' error, creating duplicate
socket object, every time service starts.

As SSL object can not be duplicated, creating duplicate
socket object before converting a regular socket into an
SSL socket.

Closes-Bug: #1337850
Change-Id: I52caacc01a94428e4986ef68d032ad317e09b276
2014-08-10 23:36:05 -07:00
Jenkins
7ad7451c3e Merge "Remove fixture from openstack-common.conf" 2014-08-10 02:31:18 +00:00
Brant Knudson
1ed54951a3 Remove strutils and timeutils from openstack-common.conf
Since Keystone is changed to use strutils and timeutils from
oslo.utils, it doesn't directly use these modules from
oslo-incubator anymore, as such, they're removed from
openstack-common.conf.

Since these modules are still used internally by oslo-incubator
modules, they aren't removed from keystone in a sync.

Change-Id: Ia31e455c6441cfbfbe33271ccdef1030a8c3d5cc
2014-08-09 12:36:09 +00:00
Brant Knudson
b763d613b4 Use functions in oslo.utils
Keystone was using functions in oslo-incubator that have been
graduated into oslo.utils. This changes the function calls to use
the functions in oslo.utils.

Change-Id: I39365042de913e1b3edaf849e3f5578cef0b7b02
2014-08-09 12:36:09 +00:00
Jenkins
41ae15795e Merge "Class for V3 router packages" 2014-08-09 09:04:38 +00:00