Some LDAP servers support disabling accounts via a boolean "lock"
attribute. For these servers, a value in LDAP of "True" means that
the account is locked, while a value of "False" means the account
is active. When the "user_enabled_mask" and "user_enabled_emulation"
options are not in use, Keystone currently expects a boolean
"enabled" attribute where "True" means the account is enabled and
"False" means the account is disabled.
To support LDAP account lock attributes, we need a way to tell
Keystone that the boolean values from LDAP are inverted. This
adds a new "user_enabled_invert" setting that allows the enabled
boolean logic to be inverted in the resource (LDAP), while leaving
the logic as-is in the model (Keystone user object). The existing
default behavior remains as-is.
DocImpact
Change-Id: I2a89d4b98c854e68e1bb10f53b8b29d92f945f60
Closes-bug: #1337029
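As an added example (not Keystone's own code), the mapping described above, modelled in plain Python: the inversion is applied only at the resource (LDAP) boundary, so the model's `enabled` flag keeps its usual meaning. The helper names and the sample LDAP entry are assumptions for illustration.

```python
# Added example: enabled-flag mapping between an LDAP "lock"-style
# boolean attribute and the Keystone user model. Helper names and the
# sample entry are assumptions, not Keystone identifiers.

def ldap_bool_to_model(ldap_value, user_enabled_invert=False):
    """Map an LDAP boolean string ("TRUE"/"FALSE") to the model's `enabled`.

    With user_enabled_invert=True the attribute is a lock flag, so LDAP
    "TRUE" means the account is disabled in the model.
    """
    text = ldap_value.strip().upper()
    if text not in ("TRUE", "FALSE"):
        # Non-boolean values are rejected rather than guessed at.
        raise ValueError("non-boolean LDAP value: %r" % (ldap_value,))
    enabled = text == "TRUE"
    return (not enabled) if user_enabled_invert else enabled


def model_bool_to_ldap(enabled, user_enabled_invert=False):
    """Inverse mapping, used when writing the model flag back to LDAP."""
    value = (not enabled) if user_enabled_invert else enabled
    return "TRUE" if value else "FALSE"


def user_from_ldap_entry(entry, enabled_attr, user_enabled_invert=False):
    """Build a minimal model dict from a python-ldap style entry
    (attribute name -> list of values); missing attribute -> enabled."""
    user = {"name": entry["uid"][0]}
    values = entry.get(enabled_attr)
    if not values:
        user["enabled"] = True
    else:
        user["enabled"] = ldap_bool_to_model(values[0], user_enabled_invert)
    return user


if __name__ == "__main__":
    # Constructed sample: a directory whose lock attribute is "TRUE"
    # when the account is locked (hypothetical attribute name).
    locked = {"uid": ["alice"], "accountLock": ["TRUE"]}
    active = {"uid": ["bob"], "accountLock": ["FALSE"]}
    print(user_from_ldap_entry(locked, "accountLock", user_enabled_invert=True))
    print(user_from_ldap_entry(active, "accountLock", user_enabled_invert=True))
```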
Using the ldappool library to establish connection pooling.
Connection pooling is disabled by default.
Pooling specific configuration parameters are added in ldap section.
Added pool test using existing FakeLdap as connector class.
Added pool specific ldap live test. These tests are executed similarly to
the existing ldap live test.
Addressed async search_s and result3 API issues mentioned in review.
Added separate connection pool for end user auth bind done by keystone
identity ldap driver logic to avoid saturation of the pool by these kinds of
binds and limiting pool effectiveness for other ldap operations.
Rebased with latest master and addressed doc comments.
Change-Id: If516a0d308a7f3be88df5583a30739a935076173
Closes-Bug: #1320997
bp: ldap-connection-pooling
DocImpact
The current code has a number of problems and limitations in its
support for having domain-specific backends (e.g. a different LDAP
server per domain). Not least of the problems is that you cannot
always infer the domain if an API call is just handed a user_id or
group_id. These issues are so severe that this feature is currently
marked as experimental.
This patch fixes these issues by using a mapping layer to store
the domain and local ID for the public facing user and group IDs.
No API changes are required for this new support. An important
consequence of this change is that non-UUID IDs for backends
like LDAP do not escape from keystone.
To ensure backward compatibility with existing single backend
installations, the mapping is not used for the default driver.
An exception to this is that if a cloud provider wants to enable
mapping for the default LDAP driver then they can set a config
option to achieve this.
keystone-manage has been extended to provide options to purge
the mapping table.
Blueprint: multi-backend-uuids
Change-Id: I60f8965bb74b248e6a6c8f141289affa431ee3cf
Keystone's configuration should have no bearing on the catalog
for nova's port. Nova's port is "static" data from the templated
catalog perspective.
The 'compute_port' option has been marked as deprecated and
slated for removal in the L release. The default/sample
templated catalog files do not rely on this option any
longer.
Change-Id: I51b0ec951449360f002c2e7c900ded0f40e16044
Closes-Bug: #1335278
Due to needing to pass the PKI token (complete id) to the backend,
the cache layer needs to ensure that the cache-key is always
shortened down to a reasonable length. Disabling the key_mangler
should only have ever been done in limited debug configurations.
Real deployments would be unable to reliably run without the
key mangler (due to cache-key length on most systems being
exceeded by the Token calls).
This change of ID being passed around is for supporting
non-persistent tokens.
DocImpact: configuration.rst updated to reflect the change in
configuration options for keystone cache layer.
bp: non-persistent-tokens
Change-Id: Ia4eb3df7ccffa58ee867120f698e24d926f0ec9e
This deprecates all config options using the term 'tenant' in favor of
new options using the term 'project'.
Change-Id: I7eb6819de33f4d94a8bae75286bb02436152c64b
Closes-Bug: 1283841
The trunc_password function attempts to correct and truncate the
password. It is not recommended to 'fix' invalid input and
continue on processing and logging it. Instead, a strict check
is introduced to validate the password. If a password exceeds the
maximum length, an HTTP 403 Forbidden error is thrown.
In order to keep compatibility, an option 'strict_password_check'
is also introduced to let the operator decide which method to use.
DocImpact
Change-Id: I560daa843b94a05412af59a059de5a98bad2925e
Closes-Bug: #1175904
import and apply Oslo systemd module
drop old keystone.common.systemd
drop onready configuration parameter
- systemd notification is no-op when not running inside systemd
Oslo commit 53e1214c092f09e3851b1a1b55289a93a72b09ec
Change-Id: I80f325c9be9c171c2dc8d5526570bf64f0f87c78
This syncs Keystone with oslo-incubator commit hash
2fd457bf2ccbeb2b84ffb204778b6417cd5405ba .
In keystone:
$ rm -r keystone/openstack/common
In oslo-incubator:
$ python update.py ../keystone
The newer lockutils requires posix_ipc. It's already in
global-requirements.
Keystone uses gettextutils and versionutils from oslo-incubator
so those should be in openstack-common.conf. They were pulled in
as dependencies of other oslo-incubator modules but Keystone
shouldn't rely on that.
Keystone doesn't use log_handler directly so that module was
removed from openstack-common.conf. log_handler is available in
the oslo.messaging library.
Change-Id: I6082f4e0995ca35372f9b061d8f76890aa93250c
The LDAP OPT_DEBUG_LEVEL is very useful for debugging LDAP
problems with Keystone. This change makes it easier to set
and find. The default will be to have it disabled.
DocImpact
Change-Id: I342fe2eea752bd8632074600386f0173e7328132
Tokens were always hashed with MD5. This change allows tokens to
be hashed with SHA256 (or any other algorithm supported by the
keystoneclient token hash function). This is for security
hardening.
There's a new configuration option 'hash_algorithm' in the [token]
section. This is the algorithm to use for hashing PKI tokens, so is
used
a) when storing the token in the db
b) as the hash in the revocation list
hash_algorithm defaults to 'md5' for backwards compatibility.
SecurityImpact
DocImpact
Closes-Bug: #1174499
Change-Id: Iafe3c975d59818c8f362647f7ea5149a03deee47
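As an added example (not Keystone's or keystoneclient's own code), the configurable token hashing described above in plain Python with hashlib: the same `hash_algorithm` must be used both when storing a token hash and when checking it against the revocation list, so the second helper makes that dependency explicit. Function names are assumptions.

```python
# Added example: token hashing under a configurable [token] hash_algorithm.
# Helper names are assumptions; the default mirrors the commit message.
import hashlib

DEFAULT_HASH_ALGORITHM = "md5"   # backwards-compatible default per the change


def hash_token(token_id, hash_algorithm=DEFAULT_HASH_ALGORITHM):
    """Return the hex digest of a (possibly very long PKI) token id.

    Unknown algorithm names raise instead of silently falling back to MD5,
    so a typo in configuration cannot quietly weaken the hardening.
    """
    if hash_algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported hash_algorithm: %r" % (hash_algorithm,))
    return hashlib.new(hash_algorithm, token_id.encode("utf-8")).hexdigest()


def is_revoked(token_id, revocation_hashes, hash_algorithm=DEFAULT_HASH_ALGORITHM):
    """Check a token against a revocation list of hashes.

    The list entries must have been produced with the same algorithm;
    an md5 entry never matches a sha256 lookup of the same token.
    """
    return hash_token(token_id, hash_algorithm) in set(revocation_hashes)


if __name__ == "__main__":
    # Constructed sample token id (not a real PKI token).
    token = "MIIB-constructed-sample-token"
    for alg in ("md5", "sha256"):
        print(alg, hash_token(token, alg))
    revoked = [hash_token(token, "sha256")]
    print("revoked under sha256:", is_revoked(token, revoked, "sha256"))
    print("revoked under md5:   ", is_revoked(token, revoked, "md5"))
```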
The default discovery URLs for when the admin_endpoint and
public_endpoint configuration values are unset is to point to the
localhost. This is wrong in all but the most trivial cases.
It also has the problem of not being able to distinguish for the public
service whether it was accessed via the 'public' or 'private' endpoint,
meaning that all clients that correctly do discovery will end up routing
to the public URL.
The most sensible default is to simply use the requested URL as the
basis for pointing to the versioned endpoints as it at least assumes
that the endpoint is accessible relative to the location used to arrive
on the page.
As mentioned in comments this is not a perfect solution. HOST_URL is the
URL not including path (i.e. http://server:port) so we do not have access
to the prefix automatically. Unfortunately the way keystone uses these
endpoints I don't see a way of improving that without a more substantial
redesign.
This patch is ugly because our layers are so intertwined. It should be
nicer with pecan.
DocImpact: Changes the default values of admin_endpoint and
public_endpoint and how they are used. In most situations now these
values should be ignored in configuration.
Change-Id: Ia6d9fbeb60ada661dc2052c9bd51db7a1dc8cd4b
Closes-Bug: #1288009
Add ``assertion_prefix`` option that filters environment parameters
that will be passed to the RuleProcessor object. Parameters' names
must start with ``assertion_prefix`` value.
If not configured, ``assertion_prefix`` defaults to an empty string,
and all environment parameters are passed to the RuleProcessor.
Change-Id: I2696bbadcfff9745d8edca6c896c13fda49d636e
Closes-Bug: #1293436
When getting an ldap connection, check a config property to see if
referral chasing should be turned off.
Co-Authored-By: Dolph Mathews <dolph.mathews@gmail.com>
Change-Id: I3bb5cc11b3c5c9108cfa656d5f5de1eaeb103fe5
Closes-Bug: 1233365
We already allow the domain_id in User, Group and Project entities
to be made immutable by use of a config option. By default, however,
the domain_id is mutable.
This patch switches this so that the domain_id is immutable by default.
Although this changes existing functionality, it is felt that since
nearly all non-trivial production implementations that use domains
are going to want to restrict domain admin personas with a suitable
policy file, leaving the domain_id mutable by default represents a
potential vulnerability that could be exploited.
Closes-Bug: 1294293
Change-Id: I0cb9fd4dc520d0a15bf54f4d138a3794d0ccd1d9
Currently, a user, group or project entity can be moved between
domains by updating their domain_id. There are situations where
this is not desirable (and in fact could create a potential security
hole) - for example when creating a domain admin persona, using an
appropriate policy file (such as policy.v3cloudsample).
For backward compatibility, the option to make the domain_id immutable
is controlled by a config option, with the default being no change
to existing functionality.
Change-Id: Idd847f471beae7387d6cc59af0a960a923da799f
Closes-Bug: 1291393
httplib.HTTPSConnection is known to not verify SSL certificates in Python 2.x.
Implementation got adapted to make use of the requests module instead.
SSL Verification is from now on enabled by default.
Can be disabled via an additional introduced configuration option:
`keystone_ec2_insecure=True`
SecurityImpact
DocImpact
Partial-Bug: 1188189
Change-Id: Ie6a6620685995add56f38dc34c9a0a733558146a
Cuts any direct imports of revoke.model as that
triggers the dependency registration.
In order to fix a dependency resolution issue, changes the synchronization to
using the same sort of caching mechanism as the other drivers.
Adds the ability to Lazy activate providers for future or optional dependency
resolution.
Closes-Bug: 1291099
Related-Bug: 1292283
Change-Id: I0db36b295c2040ec1fb248cf75dc55c44c059211
This change syncs oslo-incubator's db module from commit hash
0a3436fbcd69b7e0cd1a768be15cbf794c803e3b
$ python update.py --nodeps --base keystone \
--dest-dir ../keystone \
--modules db,db.sqlalchemy
This includes a fix where the keystone server would log a warning
that starts with
This application has not enabled MySQL traditional mode ...
This change includes the following commits from oslo-incubator:
a1a8280 Fix excessive logging from db.sqlalchemy.session
dc2d829 Add lockutils fixture to OpportunisticTestCase
d10f871 Adapt DB provisioning code for CI requirements
5920bed Make db utils importable without migrate
9933bdd Get mysql_sql_mode parameter from config
96a2217 Prevent incorrect usage of _wrap_db_error()
20a7510 Add from_config() method to EngineFacade
fea119e Drop special case for MySQL traditional mode, update unit tests
a584166 Make TRADITIONAL the default SQL mode
5b9e9f4 Fix doc build errors in db.sqlalchemy
The above list was generated by doing the following in oslo-incubator:
$ git log --oneline --no-merges \
6ba44fd..0a3436fbcd69b7e0cd1a768be15cbf794c803e3b \
openstack/common/db/ openstack/common/db/sqlalchemy
The keystone log shows that the last sync was 6ba44fd:
$ git log -n1 --oneline --no-merges \
keystone/openstack/common/db \
keystone/openstack/common/db/sqlalchemy
8f7b87b Sync db, db.sqlalchemy, gettextutils from oslo-incubator 6ba44fd
Closes-Bug: #1271706
Change-Id: If537ff5166b8e9a6fc18c570cdd2e44943faac9c