72 Commits

Author SHA1 Message Date
Jenkins
9834d776b6 Merge "residual grants after delete action (bug1125637)" 2013-04-12 05:54:36 +00:00
Dolph Mathews
cd3f58a8d0 Validate domains unconditionally (bug 1130236)
Ensure that we validate the domain status of user/project for
a user authenticating via the v2 API.

This patch builds on the initial functional change done by Dolph,
and fixes up the tests that broke due to domain being required in
any tests that set up data directly in the backends.

Fixes Bug #1130236

Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
2013-03-19 19:19:59 +00:00
Allan Feid
a066b69fbe Fix live ldap tests
Clean up clear_live_database so that all fixture data is removed. Make sure we
use the configured trees for each ldap object in tests. Ensure all live tests
pass or are skipped where appropriate.

Fixes: bug #1154277

Change-Id: I2eb4efe78e2c9d2a18bce339765b3ab5d20ac8f5
2013-03-19 14:40:53 -04:00
Adam Young
eb4dd4afbf extracting user and trust ids into normalized fields
These fields are used for queries, and may need to be indexed.
Also moves the delete token for... functions into the base class
for controllers.

Removed the token API revoke token call as that needed access to other
APIs.  Logic was moved into the controller.

Bug 1152801

Change-Id: I59c360fe5aef905dfa30cb55ee54ff1fbe64dc58
2013-03-15 15:21:36 -04:00
Jenkins
9ca6cd8704 Merge "Make getting user-domain roles backend independent" 2013-03-11 14:02:31 +00:00
Gordon Chung
0297f6fd56 add missing attributes for group/project tables (bug1126021)
add and assign default values for optional attributes to all backends

Change-Id: I54fe234b919162c3056c14f1f06c4de876080fb9
2013-03-07 15:42:38 -05:00
Adam Young
601eeb50b6 Trusts
Blueprint trusts

creates a trust.  Using a trust, one user (the trustee) can then
create tokens with a subset of another user's (the trustor) roles and
projects.
If the impersonate flag in the trust is set, the token user_id is set
to the trustor's user ID.
If the impersonate flag is not set, the token's user_id is set to the
trustee's user ID.

check that both trustor and trustee are enabled prior to creating
the trust token.

sql and kvs backends
sql upgrade scripts
unit tests for backends, auth and v3 api
modifications to the trust controller for creating tokens
Authenticates that only user can be trustor in create
Deleting a trust invalidates all tokens created from that trust
Adds the trust id and the id of the trustee to the header of the token
policy rules for trust

This version has a workaround for testing against the KVS version
of the Service catalog

Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
2013-03-05 19:35:38 +00:00
Gordon Chung
e16742bdf2 residual grants after delete action (bug1125637)
remove all applicable grants when role is deleted
(sql/kvs solution only)

Fixes: bug #1125637
Change-Id: I3a958c6d56739e37a95f6c713fab154827e9ceca
2013-03-04 19:32:22 -05:00
Henry Nash
1e64378f42 Make getting user-domain roles backend independent
There is nothing backend specific in getting the list of roles
for a user-domain, so we should move this function into backends
core.  This also has the effect of now ensuring that the kvs and ldap
support will work, provided the specific backend supports roles on
users and domains.  This is true today for kvs, but support in ldap
for domains is gated by other bugs.

Fixes bug #1131769

Change-Id: Id99accb33fd7cd8d6c37e64e140552c5bfe68349
2013-03-04 19:52:48 +00:00
Guang Yee
9f812939d4 v3 token API
Also implemented the following:

blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)

What's missing?

* domain scoping (will be implemented by Henry?)

Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
2013-02-20 13:18:38 -08:00
Henry Nash
ec326b39fa Implement name space for domains
Creates a separate name space for each domain for the name attribute of
users, groups and projects - meaning that the names of these entities
only have to be unique within that domain.

Implementation of this within the SQL backends is handled by simply
changing the uniqueness constraints on the relevant attributes.  KVS
and LDAP backends do not yet support domain separation (blocked by
existing restrictions, already raised as bugs).

An issue exists for the downward migration with this change in that
if the database has been used and populated with the name space in place
then the downward migration may fail due to clashing names when you
try and revert to a global name space (raised as a separate bug).

This patch also improves the group support in the KVS backend and
cleans up string quoting in the 016 migration functions, and fixes an
issue where the SQL update_project was not updating a change in domain_id.

Change-Id: I8f0df0e1bf84bfd26b8ef5505fe5fafd930dc78b
2013-02-19 07:06:22 +00:00
Adam Young
b20302aa3e project membership to role conversion
Changes the relationship between users and projects.
There is no more direct membership in projects.  Instead,
all membership is now done via roles.
A default role has been created called _member_ with a uuid (both
configurable) that will be added in place of the group membership
for database upgrades.

DocImpact:  https://bugs.launchpad.net/openstack-manuals/+bug/1087483

Change-Id: I2482f9ef7b838e5dade5096d6d00e81db71604d1
2013-02-18 15:11:43 -05:00
Gordon Chung
0fb017a095 add missing kvs functionality (bug1119770)
add list_projects
mod list_groups, list_domains, get_project_users to match sql response
not adding list_user_projects

fix list_projects to return refs
drop get_projects and get_all_projects

Change-Id: Ifa1433918b8770cd7d59f36f71f2e6b935625ae5
2013-02-14 15:33:46 -05:00
Gordon Chung
a6abeb7d9d adding additional backend tests (bug1101244)
Change-Id: I36597184818b0c34fd614252b5af239e02fc411f
2013-02-13 15:20:18 -05:00
Henry Nash
8a89464d62 Keystone backend preparation for domain-scoping
These changes lay the ground work for the implementation of
domain-scoping, but are benign in that they don't change the token.
They include making domain_id a first-class attribute in the user
and project entity (i.e. move it out of the 'extra' attribute),
filling in domain grant and project support for the kvs backend and
fixing a series of issues in the migration to make it work for
MySQL, PostgreSQL and SQLite.

A further, separate, commit will actually provide the code to
update the actual tokens once the v3 token support has been added.

blueprint domain-scoping
blueprint default-domain

Change-Id: I55ab7947a6a1efbab003bd234856bd3805bb4a63
2013-02-12 16:09:15 +00:00
Adam Young
74c3e879f4 Delete Roles for User and Project LDAP
Code was not including the attribute id for the member list

Bug 1115519

unit tests show that delete of user with roles assigned is broken for LDAP

Change-Id: Icfa7a4a970cb9db544c3c77af9531aae5c1f56b4
2013-02-04 15:58:52 -05:00
Adam Young
4b2b3af2e3 tenant to project in the apis
Change-Id: I1f6fdf304ca3ff0b6e0e05a71fd944189105c5b6
2013-01-28 16:48:53 -05:00
Adam Young
31660b119e Tenant to Project in Back ends
A continuation of the process to convert the term tenant
to project.  These changes should only be visible in the
error messages produced, but should otherwise be
undetectable by calling programs.

Removes the TenantNotFound exception which propagates changes through
the code that calls the backends as well

Change-Id: I998a44bfd6aa85f67d58904bd7af25a56c73d48a
2013-01-28 16:37:00 -05:00
Yuriy Taraday
a7c6427b50 Fix role delete method in LDAP backend.
It used to delete all roles in all tenants.

Change-Id: I9283a28422559a33b92ee9c975fc7a8e299b8f21
2013-01-22 03:47:50 +04:00
Jenkins
e1abe0fca3 Merge "add database string field length check" 2013-01-15 02:33:15 +00:00
Tony NIU
9c2c4ece64 add database string field length check
Added a database string field length check, so that when inserting into a table, if the length of a string field exceeds the column limit, it will return a 400 error instead of truncating the string.

Change-Id: I7216fe736ea6e5a23b5647b107fcb2699f1fa99d
Fixes: bug #1090247
2013-01-15 08:43:28 +08:00
Zhongyue Luo
9af1d7bebd Fixes import order nits
Change-Id: I5a527e0f5010171a202de5894d124d213d22a073
2013-01-11 09:05:11 +08:00
Henry Nash
4fae928c59 Keystone server support for user groups
This implements the server side of groups of users.  This
set of code provides all the crud functionality for groups as
well as the corresponding support for role assignments.

blueprint user-groups

The following deficiencies exist with the current version and
will be corrected ahead of the final Grizzly release:

1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)

This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend.  In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)

DocImpact

Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
2013-01-08 01:32:46 +00:00
Dolph Mathews
2f851340ee Split endpoint records in SQL by interface
This migrates the SQL backend such that v2 endpoints containing up to 3
URLs (public, internal and admin) stored in 'extra' are split into
unique endpoints.

Because legacy "endpoints" (each having publicUrl, internalUrl and
adminUrl) are no longer conceptually identical to v3's "endpoints" (each
having an interface and a url), new IDs are assigned to each entity and
each API continues to operate using independent sets of endpoint
IDs.

Endpoints created on the v3 API are not exposed on the v2 API.

Change-Id: I2ba59d55907313ae65e908585fc49be0c4ce899a
2012-12-18 12:11:26 -05:00
Adam Young
1012bd42df normalize identity
modify tables by adding columns, and modify entities
by adding attributes for password, description and enabled

update tests to deal with change from 'False' and 'True' to the
python values False and True

Added a Text type from SQL Alchemy

Bug 1070351
Bug 1023544

Change-Id: I066c788b5d08a8f42a9b5412ea9e29e4fe9ba205
2012-11-27 11:06:11 -05:00
Dolph Mathews
ff669f0da9 v3 Catalog
- v3 catalog tests (bug 1023933)
- v3 catalog implementation (bug 1023938)

Change-Id: Ie118819d25afbff62327ffc8be5b5fda2ef7f4ed
2012-11-20 11:05:17 -06:00
Dolph Mathews
827fc4c731 v3 Policies
- v3 policy (bp rbac-keystone-api)
- v3 policy tests (bug 1023935)
- v3 policy implementation (bug 1023939)

Change-Id: I163fbb67726c295fe9ed09b68cd18d2273345d29
2012-11-19 14:50:26 -06:00
Dolph Mathews
36c880eb28 Reduce total number of fixtures
Fixtures are created before every test, so each fixture adds a
considerable amount of overhead to the overall test suite.

This patch attempts to eliminate fixtures utilized by only a few tests
in favor of re-cycling as many fixtures as possible. As a result, a few
tests are refactored to depend on different fixtures.

Change-Id: Idd4dcef5e38e304d19110c61886887fb64b4d658
2012-11-13 16:17:04 -06:00
Jose Castro Leon
001f708e7d Provide config file fields for enable users in LDAP backend (bug1067516)
DocImpact

Change-Id: I1ee9a1e2505cdd8c9ee8acba5c0e89a4f25c7262
2012-11-13 10:37:17 -06:00
Ionuț Arțăriși
fdcb856b13 don't modify the passed in dict to from_dict
Fixes bug 1066851

Change-Id: Ic1f44ba1e319b9cd7e3f1da535f9d29ae7dc4030
2012-11-01 12:04:11 +01:00
Jose Castro Leon
d05d112849 Delete role does not delete role assignments in tenants (bug 1057436)
Change-Id: I2474c2a74135470162030a243491ced59533c024
2012-10-12 08:49:50 +02:00
Jenkins
b0eb94dbc0 Merge "Unable to delete tenant if contains roles in LDAP backend (bug 1057407)" 2012-10-09 18:51:39 +00:00
Stef T
a225624a67 Unparseable endpoint URLs should raise friendly error
fixes bug #1058494

Change-Id: Id89c530e2f4e7dcf0db03515afb8b2a85fbf8077
2012-10-06 16:41:36 -04:00
Jose Castro Leon
ee48c24184 Unable to delete tenant if contains roles in LDAP backend (bug 1057407)
Change-Id: I5e2746827bd66c6c4aebc28da1b24933fdc261f7
2012-10-05 14:16:37 +02:00
Ralf Haferkamp
c9a4141ab7 Return a meaningful Error when token_id is missing
To make keystone return HTTP 401 Unauthorized instead of 500 Internal Server
Error when processing requests that are missing the X-Auth-Token header.

Fixes Bug 1053474

Change-Id: Ib830fce7bb3b29fa1bc385f64c7c0ecdf5cd1644
2012-09-20 17:29:12 +02:00
Jenkins
84f41c2e43 Merge "Limit token revocation to tenant (bug 1050025)" 2012-09-13 21:20:06 +00:00
Dolph Mathews
4e1a0867f9 Limit token revocation to tenant (bug 1050025)
Change-Id: I7ebe0192b4900ad9475119a6d582233b37b31fb4
2012-09-13 12:01:45 -05:00
Dolph Mathews
af8b031e7a Fixed trivially true tests (bug 983304)
Change-Id: I3c66092ce54cab6d972f78857b4c386b69dcabe3
2012-09-13 11:23:00 -05:00
Derek Yarnell
235c4ce3d7 Implementation of tenant,user,role list functions for ldap
Bug 983304

Defines functions for the retrieval and return of the tenant, user and
role objects in ldap.  They will return in whatever order LDAP provides
them.

Additional fix for pep8 whitespace violation.

Additional change to add some minimal unit tests for the new functions.
Tests have successfully run against a live LDAP server.

Change-Id: I368ae4097bb9bcdaab7bca0ccc2f9204d58f69d8
2012-09-10 14:39:11 -04:00
Adam Young
150413cc4b List tokens for memcached backend
Creates and updates an index of tokens in a memcache entry keyed
by the user id

Bug 1046905

Change-Id: If11d6b87b0a8ae5f8349f1ebb31790e943c70fbf
2012-09-06 16:33:17 -04:00
Jenkins
15635261a4 Merge "Removed/fixed unused variable references" 2012-09-04 21:43:58 +00:00
Dolph Mathews
ac95f832d4 Removed/fixed unused variable references
Change-Id: Ifed4fc2158e9eb003561620504d2d35e07cdd3bd
2012-08-30 03:26:30 -05:00
Dolph Mathews
7ad8497063 PEP8 fix
Change-Id: Ic35afaa8f26ed8d6de28106513b4c22252c6e3fa
2012-08-29 15:43:07 -05:00
Andrew Bogott
af52ef1479 Demonstrate that authenticate() returns roles.
This is related to lp 1035428; that bug is fixed in folsom,
but this test is also about to appear in stable/essex.

Change-Id: Iadd4091339aab2c3a8d474b44dcd11f8bfd1d510
2012-08-21 18:00:35 -05:00
Maru Newby
7b70818954 PKI Token revocation
Co-authored-by: Adam Young <ayoung@redhat.com>

Token revocations are captured in the backends.

During upgrade, all previous tickets are defaulted to valid.

Revocation list returned as a signed document and can be fetched in an admin context via HTTP

Change config values for enabling/disabling PKI.

In the auth_token middleware,  the revocation list is fetched prior
to validating tokens. Any tokens that are on the revocation list
will be treated as invalid.

Added in PKI token tests that check the same logic as the UUID tests.
Sample data for the tests is read out of the signing directory.

dropped number on sql scripts to pass tests.

Also fixes 1031373

Bug 1037683

Change-Id: Icef2f173e50fe3cce4273c161f69d41259bf5d23
2012-08-16 15:07:31 -04:00
Dolph Mathews
f82c7c22a8 Enabling SQL Catalog tests (bug 958950)
Change-Id: I9d33d95ffa357b88f099a5a37aa4a139d93fd82f
2012-08-01 15:47:41 -05:00
Adam Young
bcc0f6d6fc Cryptographically Signed tokens
Uses CMS to create tokens that can be verified without network calls.

Tokens encapsulate authorization information.
This includes user name and roles in JSON.
The JSON document info is cryptographically signed with a private key
from Keystone, in accordance with the Cryptographic Message Syntax (CMS)
in DER format and then Base64 encoded.  The header, footer, and line breaks
are stripped to minimize the size,  and slashes which are  invalid in Base64
are converted to hyphens.

Since signed tokens are not validated against the Keystone server,  they
continue to be valid until the expiration time.  This means that even if a user
has their roles revoked or their account disabled, those changes will not take
effect until their token times out.  The prototype for this is Kerberos, which
has the same limitation, and has functioned successfully with it for decades.  It
is possible to set the token time out for much shorter than the default of 8
hours, but that may mean that users' tokens will time out prior to completion
of long running tasks.

This should be a drop-in replacement for the current token production code.
Although  the signed token is longer than the older format, the token is still
a unique stream of alphanumeric characters.

The auth token middleware is capable of handling both uuid and signed tokens.

To start with, the PKI functionality is disabled.  This will keep from breaking
the existing deployments.  However,  it can be enabled with the config value:

[signing]
disable_pki = False

The 'id_hash' column is added to the SQL schema because SQL alchemy insists on
each table having a primary key.  However primary keys are limited to roughly
250 Characters (768 Bytes,  but there is more than 1 varchar per byte) so the
ID field cannot be used as the primary key anymore.  id_hash is a hash of the
id column, and should be used for lookups as it is indexed.

middleware/auth_token.py needs to stand alone in the other services, and uses
keystone.common.cms in order to verify tokens.
Token needs to have all of the data from the original authenticate code
contained in the signed document, as the authenticate RPC will no longer
be called in many cases.

The datetime of expiry is signed in the token.

The certificates are accessible via web APIs.  On the remote service side,
certificates needed to authenticate tokens are stored in /tmp/keystone-signing
by default.  Remote systems use Paste API to read configuration values.
Certificates are retrieved only if they are not on the local system.

When authenticating in Keystone systems, it still does the Database checks for
token presence.  This allows Keystone to continue to enforce Timeout and
disabled users.

The service catalog has been added to the  signed token.  Although this greatly
increases the size of the token,  it makes it consistent with what is fetched
during the token authenticate checks.

This change also fixes time variations in expiry test.  Although unrelated to
the above changes, it was making testing very frustrating.

For the database Upgrade scripts, we now only  bring 'token' up to V1 in 001
script.  This makes it possible to use the same 002 script for both upgrade
and initializing a new database.

Upon upgrade, the current UUID tokens are retained in the id_hash and id fields.
The mechanisms to verify uuid tokens work the same as before.  On downgrade,
token_ids are dropped.

Takes into account changes for "Raise unauthorized if tenant disabled"

Bug 1003962

Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
2012-07-26 13:17:44 -04:00
Unmesh Gurjar
28061817ed Added user name validation. Fixes bug 966251.
1. Verified name length while creating/updating user.
2. Disallowed blank user name in create/update.
3. Added unit test coverage.

Change-Id: I55cd5daf34f4f57d4163be403a7a75c5d22baa62
2012-07-19 13:16:12 +05:30
Jenkins
ec9c038ba2 Merge "Fixing pep8 errors in tests/*py" 2012-07-09 19:35:16 +00:00
Derek Higgins
7cdae1bc02 Fixing pep8 errors in tests/*py
Fixes bug 1022575

Making change to tests/*py to pass pep8 tests.
pep8 tests started failing following
39b20acc933cb0fdf73075ddb9a9d82665b84b23 update pep8 to 1.3.3
04df79b64e5f2296df03579700535774e158f623 include tests dir in pep8 tests

Change-Id: I2d7dec0a87f1ae9b5f828d7f321b65bf8c06a421
2012-07-09 16:11:30 +01:00