All users and groups are required to have a name. With this fix,
Keystone will ignore users and groups that have only white
spaces as the value for the LDAP attribute which Keystone has been
configured to use for that entity's name.
Change-Id: Id539e1b7e1cea8b05cd9bb753707e1fc98244d29
Closes-Bug: #1727726
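The filtering behaviour described in the commit message above, sketched as an added example (not Keystone's own code). The function name and sample entries are hypothetical; the result shape follows python-ldap's `search_s()`, and treating a missing or empty name attribute like a whitespace-only one is an assumption that goes beyond what the message states.

```python
# Added illustration, not Keystone's code. Result shape follows python-ldap's
# search_s(): a list of (dn, {attr: [bytes, ...]}) tuples.

def split_named_entries(results, name_attr):
    """Return (kept, skipped_dns): entries with and without a usable name."""
    wanted = name_attr.lower()  # LDAP attribute names are case-insensitive
    kept, skipped = [], []
    for dn, attrs in results:
        if dn is None or not isinstance(attrs, dict):
            continue  # search referral/continuation, not a directory entry
        values = next((v for k, v in attrs.items() if k.lower() == wanted), [])
        first = values[0] if values else b""
        if isinstance(first, bytes):
            first = first.decode("utf-8", errors="replace")
        if first.strip():
            kept.append((dn, attrs))
        else:
            skipped.append(dn)  # missing, empty, or whitespace-only name
    return kept, skipped


# Constructed sample data (not from a real directory).
SAMPLE = [
    ("cn=alice,ou=Users,dc=example,dc=org", {"cn": [b"alice"]}),
    ("uid=blank,ou=Users,dc=example,dc=org", {"cn": [b"   "]}),
    ("uid=tab,ou=Users,dc=example,dc=org", {"CN": [b"\t\n"]}),
    ("uid=none,ou=Users,dc=example,dc=org", {"mail": [b"x@example.org"]}),
    (None, ["ldap://other.example.org/dc=example,dc=org"]),
    ("cn=bob,ou=Users,dc=example,dc=org", {"CN": [b" bob "]}),
]

if __name__ == "__main__":
    kept, skipped = split_named_entries(SAMPLE, "cn")
    print("kept:", [dn for dn, _ in kept])
    print("skipped:", skipped)
```

Returning the skipped DNs lets the caller log which directory entries were dropped instead of hiding them silently.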
The policies API should never be used. This marks it deprecated in
the API reference so that operators do not waste time looking at it.
It also logs a deprecation warning if the API is called.
Change-Id: I816997826e931a253777145e2c5f894e39182a8f
With the removal of the V2.0 API in Queens, this functionality
was only used with the v2 resource controller and can now be
removed. Also removed the associated tests.
Change-Id: Id0503bc0610cff5fb635cd021088658bc06aef26
This just adds a test to make sure we always return the tags
attribute when listing projects. This was brought up in a tempest
review:
https://review.openstack.org/#/c/485344/7
This commit just adds the test coverage.
Change-Id: I4cc8a150d4b0823755804937e50220dfcfb2a750
Since ec2 is the only use-case left for using the V2Controller,
we can consolidate what is left into two v3_to_v2 functions.
These can be removed once ec2 functionality is removed.
Change-Id: I3a4731738efe934238e38567a3c2cf514a3d7f23
Since the v2.0 APIs have been removed, this functionality was only used
with v2 tokens and is no longer needed.
Change-Id: I450245120adf3184808386ba2c669080f2b23d1b
This patch implements a replacement of the legacy rolling
upgrade test previously implemented. The job and pipeline
are defined in-repo to ensure that the keystone team has
complete control over the voting status, pipelines it is
in, etc.
The test uses the 'upgrade' tox environment in the
openstack/openstack-ansible-os_keystone repository which
executes a build of two keystone containers using
the head of the stable branch of keystone, then upgrades
to the proposed review. The upgrade is a complete rolling
upgrade using MariaDB as a database.
Depends-On: If39e4bec8db0be04b13dfc005ee404b73c0b65d3
Depends-On: Ia5ab6aa43f912b3cb4adf98154cd3da12688c2e0
Change-Id: I78bb5e18c1ce0ddf18494f7cd0ef1ab6953be771
When things go badly and we turn on debug logs, we start seeing this
message about a missing auth token for every auth request. To the
untrained eye, it looks like the culprit when you are debugging auth
problems. In reality, it usually just means the initial POST
/auth/tokens request was sent, which does not include the X-Auth-Token
header. This log adds more confusion than clarity, so this patch removes
it in favor of a code comment.
Change-Id: I4657523a170607d664b73ac1f1ab44d7f1460b33
Closes-bug: #1726736
Federation protocols in keystone are very confusing due to the way they
have evolved since the original service provider implementation where
the auth plugin was defined in saml2.py. We renamed saml2.py to
mapped.py[1] and now we can effectively support any federation protocol
as long as there is some kind of Apache module that can understand it
and pass certain IdP and user attributes through to keystone. So we
started recommending not using the 'saml2' auth plugin and instead using
the 'mapped' plugin, eventually removing the notice when we removed
the plugin[2]. Since the name of the federation protocol resource
created in keystone must match one of the [auth]/methods, we also
changed the documentation to start creating the 'mapped' protocol and
use 'mapped' in the Apache settings[3]. This was really the wrong
course. 'mapped' is not a protocol. Using only 'mapped' prevents us from
defining multiple remote_id_attributes for different protocols.
This patch changes references to the 'mapped' protocol and 'mapped'
plugin back to 'saml2' (we never changed the openid ones). While the
saml2 plugin does not itself exist, it is defined as an entrypoint to
the mapped plugin, so it all works out. This doesn't solve the problem
for if we want to define different remote_id_attributes for different
SAML2.0 implementations, but there is a workaround for that[4]. Using
'saml2' as the protocol name is just much more intuitive than 'mapped'.
[1] https://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/juno/generic-mapping-federation.rst
[2] https://review.openstack.org/#/c/397456/
[3] https://review.openstack.org/#/c/371210/
[4] https://bugs.launchpad.net/keystone/+bug/1724645/comments/1
Change-Id: I23fc3f1f651c12c4e3c1987dc71008e6e97b4ed8
Related-bug: #1724645
LDAP servers have sizelimit configuration to limit the number of
user/group objects that can be returned for an LDAP query. This
change catches the size limit exceeded exception when the users/groups
returned from an LDAP search query exceed the configured limit and
responds with an appropriate error message instead of the default
500 error message.
Change-Id: I9949bb7d458b4b037616c701e0e4d362bfa36473
Closes-Bug: #1712415
With the removal of the v2.0 APIs in Queens, we can
remove the test here for authenticating with an expired
password for a v2 user.
Change-Id: Id7e6cc032fc2ffa2f19132de8d1ccb98ce6be93b
With the removal of the v2.0 APIs in Queens, we can remove
the testing for v2 tokens as well as the test fixtures for them.
Change-Id: I2e8388ba783a2f394d781800c6d7cd64243d3a28
With the removal of the v2.0 APIs in Queens, we can remove the
test for v2 get_catalog_endpoint_disabled as well as the test that
skips it for templated backend. This also updates the test fixture
endpoints to specify the v3 url.
Change-Id: Ic9521276cc8ac91c2a9b7553c34bea5690f03fa7
V2Controller and V3Controller inherit from Application. Both depend on
the "policy_api", but neither needs "assignment_api" or
"token_provider_api".
This commit removes "assignment_api" and "token_provider_api" as
required dependencies and moves the required annotation of "policy_api"
to the V2Controller and V3Controller class declarations.
Change-Id: I5f7d61a0003797ed1bf0c342fef170260d0503fd
Since the v2.0 identity API has been removed[1], these tests are
no longer needed.
[1] https://review.openstack.org/#/c/499783/
Change-Id: Iba1bd2e16fd5d0e816cf495ed10d5d82d8fe8038
This change corrects the "project_tag_query" to be
"project_tag_path" in order to follow the convention for
documentation.
Change-Id: I9968162f51b9fbdfc3d02fb54bc918d595aee9bd