191 Commits

Author SHA1 Message Date
Jenkins
61255d0711 Merge "Allow LDAP lock attributes to be used as enable attributes" 2014-08-21 05:43:29 +00:00
David Stanek
8c1a28b6c0 Updates the sample config
Change-Id: Ic138fde8934a09937751f36c67b1bba5e80ceb79
2014-08-12 16:38:03 +00:00
Steve Martinelli
87bf6822b5 Update control_exchange value in keystone.conf
The control_exchange comes from oslo and is set to 'openstack' by
default. This should be overridden by the projects that use
oslo.messaging, since projects should be placing notifications
on project specific exchanges.

Nova performs the override in the same manner:
https://github.com/openstack/nova/blob/master/nova/config.py#L33
https://github.com/openstack/nova/blob/master/nova/rpc.py#L77

Change-Id: Ifcc43dcccaa9d56e03922ce8cf0bf7fb8e93bdcc
2014-08-08 11:47:21 -04:00
Nathan Kinder
25ec22d281 Allow LDAP lock attributes to be used as enable attributes
Some LDAP servers support disabling accounts via a boolean "lock"
attribute. For these servers, a value in LDAP of "True" means that
the account is locked, while a value of "False" means the account
is active. When the "user_enabled_mask" and "user_enabled_emulation"
options are not in use, Keystone currently expects a boolean
"enabled" attribute where "True" means the account is enabled and
"False" means the account is disabled.

To support LDAP account lock attributes, we need a way to tell
Keystone that the boolean values from LDAP are inverted. This
adds a new "user_enabled_invert" setting that allows the enabled
boolean logic to be inverted in the resource (LDAP), while leaving
the logic as-is in the model (Keystone user object).  The existing
default behavior remains as-is.

DocImpact
Change-Id: I2a89d4b98c854e68e1bb10f53b8b29d92f945f60
Closes-bug: #1337029
2014-08-04 14:05:53 -07:00
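The mapping the commit describes, as an added example (not Keystone's own driver code): the `[ldap]` options are read from a keystone.conf fragment and applied in both directions, resource (LDAP) to model (Keystone user object) and back. The attribute names, the `user_enabled_default` values and the precedence between mask mode and invert mode are assumptions for the example, not taken from the commit.

```python
import configparser

# Constructed keystone.conf fragments (example values, not from the commit).
# The attribute names are placeholders for whatever your directory exposes.
LOCK_ATTRIBUTE_CONF = """
[ldap]
user_enabled_attribute = accountLocked
user_enabled_invert = True
user_enabled_mask = 0
user_enabled_default = False
"""

MASK_ATTRIBUTE_CONF = """
[ldap]
user_enabled_attribute = userAccountControl
user_enabled_invert = False
user_enabled_mask = 2
user_enabled_default = 512
"""


def load_ldap_enabled_opts(conf_text):
    """Read the [ldap] user_enabled_* options from a keystone.conf fragment."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    section = parser["ldap"]
    return {
        "attribute": section.get("user_enabled_attribute", "enabled"),
        "invert": section.getboolean("user_enabled_invert", fallback=False),
        "mask": section.getint("user_enabled_mask", fallback=0),
        # The default is expressed in the resource's own terms (lock state or mask bits).
        "default": section.get("user_enabled_default", "True"),
    }


def _ldap_bool(value):
    """LDAP booleans arrive as the strings TRUE/FALSE; accept Python bools too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def ldap_to_model_enabled(ldap_entry, opts):
    """Map the resource (LDAP) value onto the model's 'enabled' flag.

    Precedence assumed here: mask mode wins, then invert, then plain boolean.
    """
    raw = ldap_entry.get(opts["attribute"], opts["default"])
    if opts["mask"]:
        # Mask mode: enabled when none of the masked bits is set.
        return (int(raw) & opts["mask"]) == 0
    enabled = _ldap_bool(raw)
    # Invert mode: the attribute means "locked", so TRUE in LDAP is disabled in Keystone.
    return (not enabled) if opts["invert"] else enabled


def model_to_ldap_enabled(enabled, opts, current_raw=None):
    """Reverse mapping used when Keystone writes the flag back to the directory."""
    if opts["mask"]:
        base = int(current_raw if current_raw is not None else opts["default"])
        return str(base & ~opts["mask"]) if enabled else str(base | opts["mask"])
    resource_value = (not enabled) if opts["invert"] else enabled
    return "TRUE" if resource_value else "FALSE"
```

Note that the default is stated in the resource's terms: with `user_enabled_invert = True`, a missing lock attribute should default to `False` (not locked) if you want such users to be enabled.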
Steve Martinelli
16d319f190 Update the config file
Noticed that some of the ec2 options no longer appear, so I ran
tox to update the config file.

Change-Id: I886d76f9d1201bdbb066b76928de7fe6244dfb58
2014-08-01 11:16:18 -04:00
Morgan Fainberg
e8af0c2efe Sample config update
Update the sample config post token persistence relocation.

Change-Id: Ia9dc3c6be9e7c619651cd6fa1d9bb8bd71806d9b
bp: non-persistent-tokens
2014-07-25 09:56:23 -07:00
Jenkins
d4aa780465 Merge "cache the catalog" 2014-07-24 20:20:36 +00:00
ajayaa
ee58a8cc97 cache the catalog
bp expand-keystone-caching

Change-Id: I448a7dc66210abbfa8568567fe5acd88a3b2771a
2014-07-24 17:57:14 +00:00
Arun Kant
ea689ff78f Adding support for ldap connection pooling.
Using ldappool library to establish connection pooling.
Connection pooling is disabled by default.
Pooling specific configuration parameters are added in ldap section.
Added pool test using existing FakeLdap as connector class.
Added pool specific ldap live test. These tests are executed similar to
existing ldap live test.
Addressed async search_s and result3 API issues mentioned in review.
Added separate connection pool for end user auth bind done by keystone
identity ldap driver logic to avoid saturation of pool by these kind of
binds and limiting pool effectiveness for other ldap operations.
Rebased with latest master and addressed doc comments.

Change-Id: If516a0d308a7f3be88df5583a30739a935076173
Closes-Bug: #1320997
bp: ldap-connection-pooling
DocImpact
2014-07-23 12:11:48 -07:00
David Stanek
d517134ad9 Regenerate sample config file
The sample config file was regenerated using:
  tox -r -e sample_config

Change-Id: Idc5341b343c4fa5150be47c9c01cd67e216b1142
2014-07-21 13:34:35 +00:00
Jenkins
bbfd58a6c1 Merge "Do not use keystone's config for nova's port" 2014-07-11 23:36:17 +00:00
Henry Nash
1a50986e7c multi-backend support for identity
The current code has a number of problems and limitations in its
support for having domain-specific backends (e.g. a different LDAP
server per domain).  Not least of the problems is that you cannot
always infer the domain if an API call is just handed a user_id or
group_id. These issues are so severe that this feature is currently
marked as experimental.

This patch fixes these issues by using a mapping layer to store
the domain and local ID for the public facing user and group IDs.
No API changes are required for this new support. An important
consequence of this change is that non-UUID IDs for backends
like LDAP do not escape from keystone.

To ensure backward compatibility with existing single backend
installations, the mapping is not used for the default driver.
An exception to this is that if a cloud provider wants to enable
mapping for the default LDAP driver then they can set a config
option to achieve this.

keystone-manage has been extended to provide options to purge
the mapping table.

Blueprint: multi-backend-uuids

Change-Id: I60f8965bb74b248e6a6c8f141289affa431ee3cf
2014-07-11 20:22:10 +01:00
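An added illustration of the mapping layer the commit describes (example code, not Keystone's identity mapping implementation): public user and group IDs are derived from the domain and the backend's local ID, so the same LDAP entry in two different domains gets two different public IDs, and the raw DN never appears in an API response. The SHA-256 construction with length prefixes, the in-memory table and the `purge` helper are assumptions for the example.

```python
import hashlib


class IDMapping:
    """In-memory stand-in for the mapping table between public IDs and backend IDs.

    A public ID is derived from (domain_id, local_id, entity_type), so the same
    backend identity always maps to the same public ID and the raw backend ID,
    which for LDAP may be a DN or a non-UUID attribute value, never leaves Keystone.
    """

    def __init__(self):
        self._by_public = {}
        self._by_local = {}

    @staticmethod
    def public_id(domain_id, local_id, entity_type):
        # Assumed construction: SHA-256 over the three parts with length prefixes,
        # so ("ab", "c") and ("a", "bc") cannot collide.
        h = hashlib.sha256()
        for part in (domain_id, local_id, entity_type):
            data = part.encode("utf-8")
            h.update(len(data).to_bytes(4, "big"))
            h.update(data)
        return h.hexdigest()

    def register(self, domain_id, local_id, entity_type):
        """Return the public ID for a backend identity, creating the row if needed."""
        key = (domain_id, local_id, entity_type)
        if key not in self._by_local:
            pub = self.public_id(*key)
            self._by_local[key] = pub
            self._by_public[pub] = key
        return self._by_local[key]

    def resolve(self, public_id):
        """Public ID -> (domain_id, local_id, entity_type), or None if unmapped."""
        return self._by_public.get(public_id)

    def purge(self, domain_id=None, entity_type=None):
        """Drop matching rows, the way the commit's keystone-manage purge option would."""
        victims = [
            key for key in self._by_local
            if (domain_id is None or key[0] == domain_id)
            and (entity_type is None or key[2] == entity_type)
        ]
        for key in victims:
            del self._by_public[self._by_local.pop(key)]
        return len(victims)


def list_users_public(mapping, domain_id, ldap_entries):
    """Emulate a per-domain LDAP driver: callers only ever see mapped public IDs."""
    return [
        {"id": mapping.register(domain_id, entry["dn"], "user"), "name": entry["uid"]}
        for entry in ldap_entries
    ]
```

Because the public ID is a pure function of the backend identity, a driver can re-derive it without a lookup, while the reverse direction (public ID back to domain and local ID) is what the table is for.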
Morgan Fainberg
f18911ea14 Do not use keystone's config for nova's port
Keystone's configuration should have no bearing on the catalog
for nova's port. Nova's port is "static" data from the templated
catalog perspective.

The 'compute_port' option has been marked as deprecated and
slated for removal in the L release. The default/sample
templated catalog files do not rely on this option any
longer.

Change-Id: I51b0ec951449360f002c2e7c900ded0f40e16044
Closes-Bug: #1335278
2014-07-01 11:03:59 -07:00
Morgan Fainberg
19e1db785d Do not support toggling key_manglers in cache layer
Due to needing to pass the PKI token (complete id) to the backend,
the cache layer needs to ensure that the cache-key is always
shortened down to a reasonable length. Disabling the key_mangler
should only have ever been done in limited debug configurations.
Real deployments would be unable to reliably run without the
key mangler (due to cache-key length on most systems being
exceeded by the Token calls).

This change of ID being passed around is for supporting
non-persistent tokens.

DocImpact: configuration.rst updated to reflect the change in
           configuration options for keystone cache layer.
bp: non-persistent-tokens

Change-Id: Ia4eb3df7ccffa58ee867120f698e24d926f0ec9e
2014-06-28 21:31:40 -07:00
Brant Knudson
ac4fa13ca1 Regenerate sample config file
The sample config file was regenerated using

 tox -r -e sample_config

Change-Id: I2e0b12369742b9fbe2ec97725e8771af64f2b2a5
2014-06-24 15:58:04 -05:00
Dolph Mathews
58fb797815 deprecate LDAP config options for 'tenants'
This deprecates all config options using the term 'tenant' in favor of
new options using the term 'project'.

Change-Id: I7eb6819de33f4d94a8bae75286bb02436152c64b
Closes-Bug: 1283841
2014-06-24 10:51:42 -05:00
Ilya Pekelny
8db9ba7906 oslo.db implementation
Use oslo.db library instead of common.db code.

Change-Id: I3019e35bf961b50cbd3d9737ba7c08b3f20536a0
2014-06-20 11:08:21 +03:00
Brant Knudson
e03c7af51c Document pkiz as provider in config
The pkiz provider wasn't documented as an option in the sample
config file.

Change-Id: I2657f46cb02d5bf044c6b9974257b41a0e839995
2014-06-19 12:22:43 -05:00
Jenkins
684701539b Merge "Fix the typo and reformat the comments for the added option" 2014-06-19 05:06:14 +00:00
Li Ma
b3f4e299e8 Fix the typo and reformat the comments for the added option
Change-Id: I01c471976f2c6d80bfe629b61ab75b81d6cabb1a
Related-Bug: #1175904
2014-06-18 19:24:23 -07:00
Steve Martinelli
30f06bb0c2 Update sample keystone.conf file
The sample file I generate seems to be different from the one
in the master branch.

Change-Id: I6ecfb41474798e9e980f05c2f7b09299c4758789
2014-06-18 14:23:18 +00:00
Jenkins
be2ee317c9 Merge "Password truncation makes password insecure" 2014-06-16 18:38:51 +00:00
Li Ma
94a2053cd0 Password truncation makes password insecure
The trunc_password function attempts to correct and truncate
password. It is not recommended to 'fix' invalid input and
continue on processing and logging it. Instead, strict check
is introduced to validate password. If a password exceeds the
maximum length, an HTTP 403 Forbidden error is thrown.

In order to keep compatibility, an option 'strict_password_check'
is also introduced to let operator decide which method to use.

DocImpact
Change-Id: I560daa843b94a05412af59a059de5a98bad2925e
Closes-Bug: #1175904
2014-06-13 21:24:59 -07:00
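An added example (not Keystone's own `trunc_password`) of why silent truncation is insecure and what the strict path changes: with truncation, anything past the maximum length is ignored, so a password that is wrong past that point still verifies. The 4096 limit, the stand-in SHA-256 hasher and the small `max_length` used in the demonstration are assumptions for the example; the 403 status is what the commit states.

```python
import hashlib
import hmac

# keystone's [identity] max_password_length is not quoted in the commit;
# 4096 is assumed here.
MAX_PASSWORD_LENGTH = 4096


class PasswordVerificationError(Exception):
    """Raised by the strict path; the commit says this surfaces as HTTP 403 Forbidden."""
    http_status = 403


def trunc_password(password, max_length=MAX_PASSWORD_LENGTH):
    """Pre-fix behaviour: silently cut the password to max_length and carry on."""
    return password[:max_length]


def strict_password(password, max_length=MAX_PASSWORD_LENGTH):
    """Post-fix behaviour with strict_password_check=True: reject, never repair."""
    if not isinstance(password, str):
        raise TypeError("password must be a string")
    if len(password) > max_length:
        raise PasswordVerificationError(
            "password exceeds maximum length %d" % max_length)
    return password


def validate_password(password, strict_password_check=False,
                      max_length=MAX_PASSWORD_LENGTH):
    """Dispatch on the compatibility option the commit introduces."""
    if strict_password_check:
        return strict_password(password, max_length)
    return trunc_password(password, max_length)


def hash_password(password):
    # Stand-in for the real password hasher so the example runs offline.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_login(stored_hash, candidate, strict_password_check=False,
                max_length=MAX_PASSWORD_LENGTH):
    """True if candidate matches; under truncation any suffix past max_length is ignored."""
    candidate = validate_password(candidate, strict_password_check, max_length)
    return hmac.compare_digest(stored_hash, hash_password(candidate))
```

The demonstration uses `max_length=8` so the effect is visible: a user whose password was silently truncated at creation time can later log in with the 8-character prefix followed by any garbage.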
Dolph Mathews
6ed054951e document pki_setup and ssl_setup in keystone.conf.sample
Change-Id: I9630bfa623dbdb470b89978ebb4a8ec026c5e793
Closes-Bug: 1275823
2014-05-29 10:53:47 -05:00
Jenkins
8bef2b2cad Merge "Regenerate sample config" 2014-05-23 21:23:26 +00:00
Jenkins
3ca5ce4377 Merge "Make the LDAP debug option a configurable setting" 2014-05-14 20:52:55 +00:00
Brant Knudson
a001a4bc9c Regenerate sample config
The sample config file was out of date, so regenerated it with

 tox -e sample_config

Change-Id: Ib17ebcbc1b4c929da8ce3f1a31df33a3b798522d
2014-05-07 19:01:14 -05:00
Alan Pevec
c045ea108d Refactor service readiness notification
import and apply Oslo systemd module
drop old keystone.common.systemd
drop onready configuration parameter
 - systemd notification is no-op when not running inside systemd

Oslo commit 53e1214c092f09e3851b1a1b55289a93a72b09ec

Change-Id: I80f325c9be9c171c2dc8d5526570bf64f0f87c78
2014-04-24 22:49:11 +02:00
Jenkins
e954942d44 Merge "Fix typo on cache backend module" 2014-04-24 01:59:19 +00:00
Jenkins
0287d448cc Merge "Configurable token hash algorithm" 2014-04-23 05:42:47 +00:00
Alvaro Lopez Garcia
b8bbab7902 Fix typo on cache backend module
The correct module is 'dogpile.cache.memcached' and not
'dogpile.cache.memcache'.

Change-Id: Ie452c95dab4fcd04f65f6378c735490ee8cf4c70
2014-04-22 10:41:57 +02:00
Brant Knudson
ea7018fe5f Sync with oslo-incubator 2fd457b
This syncs Keystone with oslo-incubator commit hash
2fd457bf2ccbeb2b84ffb204778b6417cd5405ba .

In keystone:

 $ rm -r keystone/openstack/common

In oslo-incubator:

 $ python update.py ../keystone

The newer lockutils requires posix_ipc. It's already in
global-requirements.

Keystone uses gettextutils and versionutils from oslo-incubator
so those should be in openstack-common.conf. They were pulled in
as dependencies of other oslo-incubator modules but Keystone
shouldn't rely on that.

Keystone doesn't use log_handler directly so that module was
removed from openstack-common.conf. log_handler is available in
the oslo.messaging library.

Change-Id: I6082f4e0995ca35372f9b061d8f76890aa93250c
2014-04-15 15:14:25 -05:00
Matt Fischer
ae199d0050 Make the LDAP debug option a configurable setting
The LDAP OPT_DEBUG_LEVEL is very useful for debugging LDAP
problems with Keystone. This change makes it easier to set
and find. The default will be to have it disabled.

DocImpact

Change-Id: I342fe2eea752bd8632074600386f0173e7328132
2014-04-14 20:57:07 -06:00
Brant Knudson
bf4ff96472 Configurable token hash algorithm
Tokens were always hashed with MD5. This change allows tokens to
be hashed with SHA256 (or any other algorithm supported by the
keystoneclient token hash function). This is for security
hardening.

There's a new configuration option 'hash_algorithm' in the [token]
section. This is the algorithm to use for hashing PKI tokens, so is used

a) when storing the token in the db
b) as the hash in the revocation list

hash_algorithm defaults to 'md5' for backwards compatibility.

SecurityImpact
DocImpact
Closes-Bug: #1174499

Change-Id: Iafe3c975d59818c8f362647f7ea5149a03deee47
2014-04-09 19:27:39 -05:00
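One added example serving both this commit and the earlier key_mangler commit ("Do not support toggling key_manglers in cache layer"): it hashes a multi-kilobyte PKI-style token ID with a configurable algorithm for storage and for the revocation list, and it mangles cache keys unconditionally so the cache backend never sees the raw ID. This is illustration code, not Keystone's token driver or its dogpile configuration; the `TokenStore` class, the constructed token, and the 250-byte memcached key limit used as the bound are assumptions.

```python
import hashlib

# Constructed PKI-style token ID: a CMS blob is several kilobytes of base64.
SAMPLE_PKI_TOKEN = "MII" + "A" * 6000

# memcached rejects keys longer than 250 bytes; that is the kind of limit the
# key_mangler commit says real deployments exceed with raw token IDs.
MAX_CACHE_KEY = 250


def hash_token(token_id, algorithm="md5"):
    """Hash a token ID with the configured [token] hash_algorithm (default md5)."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported hash_algorithm: %s" % algorithm)
    return hashlib.new(algorithm, token_id.encode("utf-8")).hexdigest()


class TokenStore:
    """Persist and revoke tokens by their hash, as the commit describes for PKI tokens."""

    def __init__(self, hash_algorithm="md5"):
        self.hash_algorithm = hash_algorithm
        self._rows = {}
        self._revoked = set()

    def store(self, token_id, data):
        self._rows[hash_token(token_id, self.hash_algorithm)] = data

    def get(self, token_id):
        return self._rows.get(hash_token(token_id, self.hash_algorithm))

    def revoke(self, token_id):
        self._revoked.add(hash_token(token_id, self.hash_algorithm))

    def revocation_list(self):
        """What a client fetches: hashes only, never full token IDs."""
        return sorted(self._revoked)

    def is_revoked(self, token_id):
        return hash_token(token_id, self.hash_algorithm) in self._revoked


def mangle_cache_key(key):
    """Always-on cache key mangler: fixed-length SHA-1 hex, never the raw key."""
    mangled = hashlib.sha1(key.encode("utf-8")).hexdigest()
    assert len(mangled) <= MAX_CACHE_KEY
    return mangled
```

Both sides have to agree on the algorithm: a client that hashes with md5 will not find a sha256 entry in the revocation list, which is why the commit keeps md5 as the default for backwards compatibility.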
Brant Knudson
b5c5354f43 Clean up config help text
These are suggestions to clean up the help text.

Change-Id: If22c6491b530da92ee1ce6411b57f0585817de38
2014-03-28 11:43:22 -05:00
Jamie Lennox
7a760caa5d Change the default version discovery URLs
The default discovery URLs for when the admin_endpoint and
public_endpoint configuration values are unset is to point to the
localhost. This is wrong in all but the most trivial cases.

It also has the problem of not being able to distinguish for the public
service whether it was accessed via the 'public' or 'private' endpoint,
meaning that all clients that correctly do discovery will end up routing
to the public URL.

The most sensible default is to simply use the requested URL as the
basis for pointing to the versioned endpoints as it at least assumes
that the endpoint is accessible relative to the location used to arrive
on the page.

As mentioned in comments this is not a perfect solution. HOST_URL is the
URL not including path (ie http://server:port) so we do not have access
to the prefix automatically. Unfortunately the way keystone uses these
endpoints I don't see a way of improving that without a more substantial
redesign.

This patch is ugly because our layers are so intertwined. It should be
nicer with pecan.

DocImpact: Changes the default values of admin_endpoint and
public_endpoint and how they are used. In most situations now these
values should be ignored in configuration.

Change-Id: Ia6d9fbeb60ada661dc2052c9bd51db7a1dc8cd4b
Closes-Bug: #1288009
2014-03-25 10:15:15 +10:00
Jenkins
0fb0dfdf41 Merge "Filter SAML2 assertion parameters with certain prefix." 2014-03-23 15:45:52 +00:00
Marek Denis
b304238c07 Filter SAML2 assertion parameters with certain prefix.
Add ``assertion_prefix`` option that filters environment parameters
that will be passed to the RuleProcessor object. Parameters' names
must start with ``assertion_prefix`` value.
If not configured, ``assertion_prefix`` defaults to an empty string,
and all environment parameters are passed to the RuleProcessor.

Change-Id: I2696bbadcfff9745d8edca6c896c13fda49d636e
Closes-Bug: #1293436
2014-03-23 02:05:58 +01:00
Dolph Mathews
1632e0f5c1 update sample conf
Change-Id: Ic80e79ff412a0156a94b2992efb9ec9487b41a2c
Partial-Bug: 1293781
Related-Bug: 1233365
2014-03-21 08:26:00 -05:00
Jenkins
2e720b5723 Merge "Make domain_id immutable by default" 2014-03-21 08:22:32 +00:00
Craig Jellick
9c15b73f83 Ability to turn off ldap referral chasing
When getting an ldap connection, check a config property to see if
referral chasing should be turned off.

Co-Authored-By: Dolph Mathews <dolph.mathews@gmail.com>
Change-Id: I3bb5cc11b3c5c9108cfa656d5f5de1eaeb103fe5
Closes-Bug: 1233365
2014-03-19 14:49:56 -05:00
Henry Nash
31c2634488 Make domain_id immutable by default
We already allow the domain_id in User, Group and Project entities
to be made immutable by use of a config option.  By default, however,
the domain_id is mutable.

This patch switches this so that the domain_id is immutable by default.
Although this changes existing functionality, it is felt that since
nearly all non-trivial production implementations that use domains
are going to want to restrict domain admin personas with a suitable
policy file, leaving the domain_id mutable by default represents a
potential vulnerability that could be exploited.

Closes-Bug: 1294293

Change-Id: I0cb9fd4dc520d0a15bf54f4d138a3794d0ccd1d9
2014-03-19 11:21:36 +00:00
Jenkins
d906f57748 Merge "Provide option to make domain_id immutable" 2014-03-18 07:10:11 +00:00
Jenkins
f3642bca8c Merge "Sync db, db.sqlalchemy from oslo-incubator 0a3436f" 2014-03-18 00:39:42 +00:00
Jenkins
d6f995be48 Merge "Replace httplib.HTTPSConnection in ec2_token" 2014-03-17 22:01:19 +00:00
Henry Nash
a2fa6a6f01 Provide option to make domain_id immutable
Currently, a user, group or project entity can be moved between
domains by updating their domain_id. There are situations where
this is not desirable (and in fact could create a potential security
hole) - for example when creating a domain admin persona, using an
appropriate policy file (such as policy.v3cloudsample).

For backward compatibility, the option to make the domain_id immutable
is controlled by a config option, with the default being no change
to existing functionality.

Change-Id: Idd847f471beae7387d6cc59af0a960a923da799f
Closes-Bug: 1291393
2014-03-17 18:16:44 +00:00
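An added example covering both this commit and the follow-up that makes `domain_id` immutable by default (illustration code, not Keystone's controller or policy engine): a policy rule in the style of policy.v3cloudsample lets a domain admin update only entities in their own domain, which is exactly the check a mutable `domain_id` defeats, since the admin can move an entity into a domain they do not administer. The exception classes, their status codes and the simplified policy rule are assumptions for the example.

```python
DOMAIN_ID_IMMUTABLE = True   # the default the later commit switches to


class ValidationError(Exception):
    http_status = 400        # assumed status for a rejected domain move


class Forbidden(Exception):
    http_status = 403


def domain_admin_allowed(token, target):
    """policy.v3cloudsample-style rule: a domain admin may touch only their own domain."""
    return token["role"] == "admin" and token["domain_id"] == target["domain_id"]


def update_entity(token, entity, changes, domain_id_immutable=DOMAIN_ID_IMMUTABLE):
    """Update a user, group or project; refuse a domain move unless the option allows it."""
    # Policy is evaluated against the entity as it is *before* the update.
    if not domain_admin_allowed(token, entity):
        raise Forbidden("not an admin of domain %s" % entity["domain_id"])
    if "domain_id" in changes and changes["domain_id"] != entity["domain_id"]:
        if domain_id_immutable:
            raise ValidationError("Cannot change domain_id")
    updated = dict(entity)
    updated.update(changes)
    return updated
```

With the option off, the domain A admin passes the policy check (the project is still in A when the check runs) and moves it into B, after which neither the A admin's policy nor B's consent ever applied to that move; with the option on the move is rejected outright, while ordinary updates are unaffected.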
Daniel Gollub
5bd4c2984d Replace httplib.HTTPSConnection in ec2_token
httplib.HTTPSConnection is known to not verify SSL certificates in Python 2.x.
Implementation got adapted to make use of the requests module instead.

SSL Verification is from now on enabled by default.

Can be disabled via an additional introduced configuration option:

`keystone_ec2_insecure=True`

SecurityImpact
DocImpact
Partial-Bug: 1188189

Change-Id: Ie6a6620685995add56f38dc34c9a0a733558146a
2014-03-17 10:55:17 -05:00
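An added example of the verify-by-default behaviour the commit introduces, written against the standard library rather than the requests module the commit uses, so it runs offline (illustration code, not Keystone's ec2_token middleware). Verification is on unless the `insecure` flag, standing in for the commit's `keystone_ec2_insecure` option, is set; the `cafile` parameter, the request body shape and the function names are assumptions for the example.

```python
import json
import ssl
import urllib.request


def build_ec2_tls_context(insecure=False, cafile=None):
    """TLS settings for the outbound HTTPS call ec2_token makes to the token endpoint.

    insecure mirrors the commit's keystone_ec2_insecure option (default False).
    cafile is an assumed extra knob for deployments with a private CA.
    """
    if insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Verifies the chain against the system (or given) CA bundle and checks the hostname.
    return ssl.create_default_context(cafile=cafile)


def tls_policy(ctx):
    """Report what a context will actually enforce on the connection."""
    return {"verify_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
            "verify_hostname": ctx.check_hostname}


def post_ec2_credentials(url, creds, insecure=False, cafile=None, timeout=10):
    """POST the EC2 credential blob; fails closed on an untrusted certificate unless insecure."""
    body = json.dumps({"ec2Credentials": creds}).encode("utf-8")   # assumed body shape
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST")
    ctx = build_ec2_tls_context(insecure, cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

The ordering in the insecure branch matters: `check_hostname` has to be cleared before `verify_mode` can be set to `CERT_NONE`, which is a useful reminder that hostname checking and chain verification are separate controls and the default context enables both.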
Adam Young
7c9746c49b Don't automatically enable revocation events.
Cuts any direct imports of revoke.model as that
triggers the dependency registration.

In order to fix a dependency resolution issue, changes the synchronization to
using the same sort of caching mechanism as the other drivers.

Adds the ability to Lazy activate providers for future or optional dependency
resolution.

Closes-Bug: 1291099
Related-Bug: 1292283
Change-Id: I0db36b295c2040ec1fb248cf75dc55c44c059211
2014-03-15 15:46:46 -07:00
Brant Knudson
d75c707886 Sync db, db.sqlalchemy from oslo-incubator 0a3436f
This change sync's oslo-incubator's db module from commit hash
0a3436fbcd69b7e0cd1a768be15cbf794c803e3b

$ python update.py --nodeps --base keystone \
    --dest-dir ../keystone \
    --modules db,db.sqlalchemy

This includes a fix where the keystone server would log a warning
that starts with

  This application has not enabled MySQL traditional mode ...

This change includes the following commits from oslo-incubator:

a1a8280 Fix excessive logging from db.sqlalchemy.session
dc2d829 Add lockutils fixture to OpportunisticTestCase
d10f871 Adapt DB provisioning code for CI requirements
5920bed Make db utils importable without migrate
9933bdd Get mysql_sql_mode parameter from config
96a2217 Prevent incorrect usage of _wrap_db_error()
20a7510 Add from_config() method to EngineFacade
fea119e Drop special case for MySQL traditional mode, update unit tests
a584166 Make TRADITIONAL the default SQL mode
5b9e9f4 Fix doc build errors in db.sqlalchemy

The above list was generated by doing the following in oslo-incubator:

 $ git log --oneline --no-merges \
     6ba44fd..0a3436fbcd69b7e0cd1a768be15cbf794c803e3b \
     openstack/common/db/ openstack/common/db/sqlalchemy

The keystone log shows that the last sync was 6ba44fd:

 $ git log -n1 --oneline --no-merges \
     keystone/openstack/common/db \
     keystone/openstack/common/db/sqlalchemy
 8f7b87b Sync db, db.sqlalchemy, gettextutils from oslo-incubator 6ba44fd

Closes-Bug: #1271706
Change-Id: If537ff5166b8e9a6fc18c570cdd2e44943faac9c
2014-03-14 15:54:34 -05:00
Brant Knudson
8dcb3f713e Update sample config
The sample config file was out of date, generated with

 $ tox -r -e sample_config

Change-Id: I51e0b35f21fc27edb8376310214d79afcb40cd77
2014-03-12 14:00:02 -05:00