Although it is not needed, keystoneclient passed `id` in the payload.
For compatibility with it (and with other clients) we have to allow
passing other attributes.
Change-Id: I997d55de28825921ed33646a9ee5cf494b089aba
Closes-Bug: 1607751
All extensions are now migrated into the keystone core and the
migrations in the old contrib folders just raise an error. Since
these can only be called from the now deprecated --extensions
options in keystone-manage, we might as well get rid of them all
and just raise the error in keystone manage. We can also clean
up the migration helpers accordingly.
This clean up is useful ahead of layering on the rolling upgrade
support in keystone manage and the helpers.
Change-Id: I749dc7e13050e211df1f4fd144cb0479891e3e64
As a follow-on to commit I7bf0a914be13f88313c14bc196369de49cc7413f,
the documentation should also reflect that the domain config API
is now stable. Previous releases are still considered experimental.
Change-Id: I6fb993ac678d0aeaa43547c4b24b62d1a784a615
There were still a couple references remaining for using keystone
under eventlet. These are no longer applicable since keystone is
no longer supported under eventlet.
Change-Id: If6d2013cc2396d6d1df43f7f2091b5fa02115ca4
This allows the SecurityErrors to be deep copied without causing
annoying warnings in the logs.
Closes-Bug: #1607107
Change-Id: I24635dd5ab10f736b82e9fea4d0a36b1a45c27f1
This introduces a feature support matrix to illustrate which of our
various token providers supports which API operations and features. This
is intended to mirror Nova's feature support matrix documentation page,
found here:
http://docs.openstack.org/developer/nova/support-matrix.html
After running `tox -e docs`, the result is embedded in
`doc/build/html/configuration.html`.
Change-Id: I3dc896a2906e25827a9e01afc7de5a737831c336
Along with the enabling of schema validation for the V2 API, property
validation has been handled at the controller level; property validation
based on clean.py at the manager level is no longer needed for creating a
project since schema validation is enabled for both V2 and V3.
The patch removes the call from `clean.py` and removes the relevant
testcases since we already have the testcases in either
`test_validation.py` or `test_v2_validation.py`.
Partially implements: bp schema-validation-extent
Change-Id: I9d2ea60d496d83372109ca227ee2091850de0213
- `bool`, `int`, whitespace are not valid names.
- The valid data type for `enabled` is `bool`; other types such as
`string` and `int` are invalid.
This change fixes the gap between testcases at the manager level and
testcases in `test_v2_validation.py` so that we can clean up the
testcases validated by clean.py in the follow up.
Partially implements: bp schema-validation-extent
Change-Id: Ifade298b9dafe7df3380c16de0a6fac4f941e9c3
A confusing log message is logged when translating SecurityErrors within
another translated string.
Related-bug: #1607107
Change-Id: I315e68462d7096a2cbc38c1717b549d59719b71b
Fixing a byte>str conversion bug present in the TOTP
passcode generation function that was only present in python3
which rendered TOTP auth non-functional in python3.
Also adding a test to check passcode generation returns the
correct format.
Closes-Bug: #1607119
Change-Id: Ie052d559c4eb2577d35caa9f6e240664cf4cf399
There are several occurrences where the argument default of
tls_req_cert is set to 'demand'. This is an invalid option for the
function _common_ldap_initialization, which expects one of the values
of the dict LDAP_TLS_CERTS, not a key.
If tls_req_cert='demand' is given to _common_ldap_initialization,
you'll get:
"LDAP TLS: invalid TLS_REQUIRE_CERT Option=demand"
Change-Id: I2da2c041bac25ca7ebab8c32b464164279a6bd69
I was perusing through the token controller and saw a few places where we use
double-quotes mixed with single-quotes. We typically stick to one or the other.
Change-Id: Ia56117fea2aa719b3877a4827048b936103b3b81
This helps make our switch to fernet as the default token provider easier.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayoung@redhat.com>
Change-Id: I67121265cf06eb11586c90c37c6439bcdb28acf0
Partial-Bug: 1561054
We should make AuthWithTrust something that is tested against both the uuid
token provider and the fernet token provider. This helps us move towards making
fernet the default token provider.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayoung@redhat.com>
Change-Id: I0fd2187421fc677e7d422d4b449eec3056a134e9
Partial-Bug: 1561054
- add /v3/ to all routes;
- switch from 'localhost:port' and 'identity:port' endpoints to
'example.com/identity';
- fix typo.
Change-Id: If0d90ebab78e93fc9395b0e02436853a4ecbfa73
The 'enabled' key in the parameters list refers to a tenant, not a
user. The `/v2.0/users/{userId}/OS-KSADM/enabled` method is operating
on a user, so we should use the 'enabled_1' key. 'enabled_1' is not a
very descriptive name so let's call it 'enabled_user' instead.
Moreover, this parameter is required, so it does not make sense for it
to have a default when the user must supply a value, so this patch
modifies the 'enabled_1' (now called 'enabled_user') description to
reflect that.
Change-Id: I81a7c68d5000ca6acab74679b49eeb619a5b914e
This patch adds a new user response attribute, password_expires_at,
to the Identity API v3 documentation.
Password expires validation implementation:
https://review.openstack.org/333360
Depends-On: I07c10de627898d6ac79578dc24292ded4a2190f1
Partially-implements: blueprint pci-dss
Change-Id: I37136f79488d7469f0b8b24e3f5628899e40cac0
This makes it so that when we validate a fernet federated token against v2.0,
we raise an Unauthorized exception.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I321e9e72bb31617b4ecf8ba1e0171dfc099b88c7
Partial-Bug: 1561054
This makes it so that we properly advance the clock after revocation events.
It also makes it easier to switch to Fernet as the default token provider.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I83509e81e4da26cad48ed3cb3f9733ddb7ae965e
Partial-Bug: 1561054
It only makes sense to run these tests against the UUID token provider. We
don't need to run this against the Fernet provider since keystone doesn't store
Fernet tokens.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I72aaf2967723c695cc445c2a1074adf5760dc46b
Partial-Bug: 1561054