This makes it easier for us to switch fernet to be the default token provider
because we can increment the clock in order to get the list of revocation
events.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: Ia47a78509d033596b0101b28e9cd38abafdb199a
Partial-Bug: 1561054
The TestFetchRevocationList should be inherited and tested by the uuid token
provider. The other token providers don't support Revocation Lists, so don't
test them with it.
This is an effort to break https://review.openstack.org/#/c/258650 into
smaller, more reviewable pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I6be1c5c583d336cc83cf3670c10d4364ddc16bbd
Partial-Bug: 1561054
Bind authentication is only supported by uuid, pki, and pkiz token providers.
This makes it easier to switch Fernet to be the default.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I195ae1def4e2e7e27125f09cf058718b73eb839e
Partial-Bug: 1561054
This helps us move towards fernet because we don't support bind authentication
with the Fernet provider, so when we set Fernet to be the default we won't run
these tests. We will only run Kerberos tests against token providers that
support it.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: Ie80f74e47046c5d8d3c2f31e5b84e4210e775f7f
Partial-Bug: 1561054
This commit makes it so that the AuthWithRemoteUser class no longer inherits
from other test cases. Instead it inherits from `object` and I've added
several other classes that set up each token provider to test the cases in
AuthWithRemoteUser.
This helps us move towards making Fernet the default token provider.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I3ae63c8ff50a897ef0ae6e8129abc02e5b93747c
Partial-Bug: 1561054
This makes AuthWithToken inherit directly from `object` and introduces other
test classes with specific test setup for each format to inherit AuthWithToken.
This will make the switch to Fernet as default provider easier.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I87a12160e31b2467af01dc8e7b01cc59d5907675
Partial-Bug: 1561054
Since the TokenCacheInvalidation tests are specific to token formats that
require persistent storage, it doesn't make sense to run them with Fernet
configured. This commit updated the classes that inherit TokenCacheInvalidation
to test all token formats except the Fernet format.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: Iaaf0f29fa1d55b0028729b69704167957a6c5f8c
Partial-Bug: 1561054
Previously, TestAuthExternalDomain was inheriting from test_v3.RestfulTestCase,
which allowed it to run as part of the keystone test suite. This commit breaks
it into a class that only inherits from `object` and introduces 3 other classes
that inherit the old TestAuthExternalDomain and run the tests according to the
setup needed.
Since the Fernet provider doesn't support bind authentication, there is no test
class to set up Fernet and run the TestAuthExternalDomain behaviors. This change
will make defaulting to Fernet easier.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I28e575ddada8492bd4fc17b78cb00651d9d4af07
Partial-Bug: 1561054
This commit prepares the tests in keystone/tests/unit/test_v3_assignment.py for
the switch to make Fernet the default token provider. Since Fernet doesn't
support sub-second precision it is possible to get the wrong response when
using the token API within the same second as a revocation event. We can either
introduce a sleep (which slows down our tests) or mock the system clock.
We can use freezegun to mock the system clock. This commit uses freezegun to
increment the clock by one second in cases that fail with the Fernet provider.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I2604376f63cd84c2a3d1a640dfcfbc29e5682c73
Partial-Bug: 1561054
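A simplified model of the timing problem described in the commit message above, added here as an example (not keystone code and not part of the commit). The matching rule `issued_at <= issued_before`, the `FakeClock` class, the function names and the timestamps are all assumptions, and the hand-rolled clock stands in for freezegun.

```python
import datetime


class FakeClock:
    """Hand-rolled controllable clock; stands in for freezegun here."""

    def __init__(self, start):
        self.now = start

    def tick(self, seconds):
        self.now += datetime.timedelta(seconds=seconds)


def issue_token(clock, user_id, subsecond):
    """Issue a token; formats without sub-second precision drop microseconds."""
    issued_at = clock.now if subsecond else clock.now.replace(microsecond=0)
    return {"user_id": user_id, "issued_at": issued_at}


def revoke_user(clock, user_id):
    """Record an event revoking every token the user holds at this instant."""
    return {"user_id": user_id, "issued_before": clock.now}


def is_revoked(token, events):
    # Assumed matching rule: a token is revoked when it was issued at or
    # before the event's issued_before timestamp.
    return any(e["user_id"] == token["user_id"]
               and token["issued_at"] <= e["issued_before"] for e in events)


def scenario(subsecond, advance_clock):
    """Old token, revocation, then a fresh token; return both verdicts."""
    clock = FakeClock(datetime.datetime(2016, 7, 1, 12, 0, 0, 200000))  # constructed
    old = issue_token(clock, "alice", subsecond)
    clock.tick(0.3)                      # 12:00:00.5, same wall-clock second
    events = [revoke_user(clock, "alice")]
    if advance_clock:
        clock.tick(1)                    # the one-second step the tests take
    clock.tick(0.3)
    new = issue_token(clock, "alice", subsecond)
    return is_revoked(old, events), is_revoked(new, events)


if __name__ == "__main__":
    print(scenario(subsecond=True, advance_clock=False))   # sub-second format
    print(scenario(subsecond=False, advance_clock=False))  # second precision
    print(scenario(subsecond=False, advance_clock=True))   # clock moved on 1s
```

In this model the second-precision token issued after the revocation is rejected only when it lands in the same second as the event; the old token is rejected in every case.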
A number of the examples are also updated, since not all of
them were valid combinations of domain_id, parent_id and
is_domain.
Change-Id: Id642762cd6acfdf6142b24caf3de1d16db599065
This small change makes it clear that the API can also disable a
user and the request body with the `enabled` attribute is always needed.
Change-Id: I4e242d36e9830fd162634c5a864f6a787a4de9d7
Related-Bug: #1603905
user_id was listed twice under the update user request parameters.
This fix removes the duplicated parameter.
Change-Id: I9c70aff00f151c4907101335174adf3624d4f686
When using an identity driver without providing uuid, and using default
sql id mapping driver, if there are lots of users, then it may take
minutes to list users. Adding cache to the id mapping manager can
improve the performance.
After adding the cache, when listing 12000 users through the keystone
API, the time is reduced from about 75 seconds to 20 seconds.
Closes-Bug: #1582585
Change-Id: I72eeb88926d8babb09a61e99f6f594371987f393
Since the Python 3.5 gate job builds cleanly now, we should claim
support for Python 3.5 in the metadata's classifier.
Change-Id: I215313560d6bb3501093c95870c12cde1f11b5a5
In 3.5, the ast module returns the correct value for the col_offset
of a function definition whereas earlier versions did not. The value
is off by one column.
Closes-Bug: #1603236
Change-Id: I7835d7ed8d652a6bd585e8e0372fab402424038d
These options should have been deprecated in Mitaka (when LDAP
write support was deprecated), but were missed. Mark them as
deprecated now.
bp deprecated-as-of-newton
Change-Id: I683c1cb27ff28d7600e743fe9a17ceab112a5ad3
This introduces a new keystone-manage command called 'doctor' which
attempts to diagnose and report on various ill-advised configurations
and deployment states.
The number of checks we could perform is basically endless, so this is
just a random sampling of checks to get the ball rolling. The idea is
that as new features are introduced, as default configurations change,
as we have new recommendations to make to deployers, etc, we can
implement new checks in keystone-manage doctor and communicate our
concerns directly to those operating affected deployments.
Change-Id: Ib6660c1a885c439ca03357870628b2ea52e39e9d
Implements: bp keystone-manage-doctor
Previously, AuthTokenTests inherited the test structure and ran the tests with
the default keystone configuration. This commit breaks AuthTokenTests to
inherit from `object` and sets up FernetAuthTokenTests and UUIDAuthTokenTests
to set up configuration appropriately and run the tests.
This fix was originally a part of https://review.openstack.org/#/c/258650 but
this is an attempt to break 258650 into smaller, more reviewable, pieces.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Adam Young <ayound@redhat.com>
Change-Id: I9acacfe7db4997add5505a9ee1972139af11979e
Partial-Bug: 1561054