Previously, the revocation matching engine was basically a black box
that seemed to mysteriously match some tokens and not others, and it was
difficult to understand why an event would match a given token at a
glance. Fixed.
Change-Id: I751d891dc1cec2bb22ad6a3948aafaa34fc835d1
This makes the code more verbose (and more redundant) in favor of making
it easier to read.
There was a pretty consistent pattern to what it was actually doing, but
each block of code was basically written differently. This makes them
all the same.
Change-Id: I0804f490e28cedfaea2016e796a773ba50cc821a
There was no log message showing what the cached value was when
the server fails to recreate a cached RevokeEvent, making it
difficult to debug the problem.
Change-Id: If142f2abd3cc497b11fb7529935d14af037c69f0
Partial-Bug: 1609566
Keystone has the code to prevent a `None` value from being returned in the
revoke event, but there is a wrong check condition that leads to
the `access_token_id` with None being returned to the end user.
Closes-Bug: #1603861
Change-Id: Ifc2908ffb6b8353d24a6416338d8fadb0e0b2a21
The field will help to figure out when the event is recorded, and thus
give a clue on when the revocation was done.
Change-Id: If5ba3bb9b68fff5f35be2b57af15584d69c6df8d
Closes-Bug: #1598040
In the process of caching service providers, a circular dependency was
uncovered between keystone's caching module and the revoke_model. This change
isolates the refactor to fix the circular dependency into its own patch. A
separate follow on patch will add caching to service providers on token
creation and validation.
Change-Id: Iaa3c30d51270089b2d5999383d60ed0b2f7f56c8
The RevokeTree was built out of an attempt to optimize the search for
a match between a candidate token and the list of revocation events.
The performance proved to be poor, mostly due to the cost of creating
and checking hash values.
The RevokeTree code is also so complex that most of the team could not
understand it or troubleshoot it. There are some subtle bugs due to
race conditions with revocation events, and it is impossible to track
them down due to the code complexity.
This change replaces the tree based search with a linear search through
the list of revocation events. A failure-to-match will pass through
the entire list. A revoked token should match on O(n/2) comparisons.
With the past year of Fernet tokens in deployment, the feedback is that
the number of revocation events is small, and they only are kept for
the lifetime of the tokens (usually 1-8 hours) so the linear search is
not expected to slow down token validations in live deployments.
Future work will also reduce the number of revocation events.
Change-Id: Ib6a686494e897840b09d134ecf1ca50ce712f281
Currently tox ignores D401.
D400: First line should end with a period.
This change removes it and makes keystone docstrings compliant with it.
Change-Id: I9a9520e69701718ff471eebbcc52199dacdd9c68
Currently tox ignores D401 (401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.
Change-Id: I136cf810f47c4c19f29216907a63f226930b5082
Partial-Bug: 1570049
Moves all domain operations to project table, mapping domains
to projects that have the is_domain attribute set to True. Removes all
manager references to domain driver calls.
The V8 legacy wrapper ensures that manager calls for projects
acting as a domain end up calling the underlying driver domain
methods, so that older drivers are still supported.
The domain driver methods and the domain table will be removed in
follow-up patches.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Co-Authored-By: Rodrigo Duarte <rodrigods@lsd.ufcg.edu.br>
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Co-Authored-By: Adam Young <ayoung@redhat.com>
Co-Authored-By: Henry Nash <henryn@linux.vnet.ibm.com>
Change-Id: Ib22a0f3007cb7ef6b4df6f48da5f4d018e905f55
Implements: bp reseller
Use a request local cache, where possible, to offload requests
to the backend.
Change-Id: I8b744f75f21e9dd669a735a7717fd0d044d6d8ed
Depends-On: I6d1d28f5b974e79d44d1e86ea53c666e3f5771df
`dict.get()` returns `None` by default, if a key wasn't found.
Removing `None` as second argument to avoid redundancy.
Change-Id: I810854f50257b9dc805248ff1017521cc82d5d73
Remove revoke as an extension and move it to a core resource.
For now we leave the database migrations in the extension directory
until we have a general policy for merging these into core.
DocImpact: update keystone-paste and remove revoke from pipeline
Change-Id: I2d6f425a508b7acb4b4d079e4387f25bf7555683
Implements: bp move-extensions
In the event that the revocation event is created at the exact same
timestamp as the token's creation timestamp, the event's issued_before
will equal the token's issued_at and will thus not be revoked (according
to the current code).
This is much more likely to occur when a token's issued_at timestamp is
rounded to whole seconds (rather than carrying microsecond level
precision), as they are with Fernet and MySQL.
Change-Id: If1f5e546463f189a0b487140a620def545006c25
Closes-Bug: 1484237
Related-Bug: 1488208
Rewritten RevokeTree.is_revoked method to be more readable
and use less dynamic objects.
Recursion is used.
Implements bp revoke-tree-refactoring
Change-Id: I77fea330ee64f42c80ac7010a0c4dc4b8cbdfb07
oslo_utils.timeutils.isotime() is deprecated as of 1.6 so we need
to stop using it.
The deprecation message says to use datetime.datetime.isoformat()
instead, but the format of the string generated by isoformat isn't
the same as the format of the string generated by isotime. The string
is used in tokens and other public APIs and we can't change it
without potentially breaking clients.
So the workaround is to copy the current implementation from
oslo_utils.timeutils.isotime() to keystone.common.utils.isotime().
Closes-Bug: 1461251
Change-Id: Icf821be8cd4ee7f52c1a3d89bfed302488c080f2
Some of the builtins (like map) have changed in Python3 in a way that
can lead to broken Python2 code.
bp python3
Change-Id: I632d857bd29a23db61538755f09da68f0cf7b723
PEP-0274 introduced dict comprehensions [1], these are benefits:
The dictionary constructor approach has two distinct disadvantages
from the proposed syntax though. First, it isn't as legible as a
dict comprehension. Second, it forces the programmer to create an
in-core list object first, which could be expensive.
Keystone dropped python 2.6 support in Kilo, we can leverage this now.
There is deep dive about PEP-0274[2] and basic tests about
performance[3].
Note: This commit doesn't handle dict constructor with kwargs.
This commit also adds a hacking rule.
[1]http://legacy.python.org/dev/peps/pep-0274/
[2]http://doughellmann.com/2012/11/12/the-performance-impact-of-using-dict-instead-of-in-cpython-2-7-2.html
[3]http://paste.openstack.org/show/154798
Change-Id: Ie74719d0c969fa7819c243d5b162df6656c1e136
The oslo libraries are moving away from namespace packages.
A hacking check is added to enforce use of the new location.
bp drop-namespace-packages
Change-Id: I4ece3ad26c1888388a4a8839f7acf260228a9c71
AuthContextMiddleware and the fall-through in the controller base
_build_policy_check_credentials now utilizes the KeystoneToken
model and uses token_provider_api instead of token_api.
In support of this change, the token auth plugin, the auth_context
builder, token bind check, and token controller have all been updated
to utilize the KeystoneToken model. Support for the federation data
has been added to the KeystoneToken model so that it can be used
in the auth context and associated code.
Associated tests that passed a raw token_ref to methods that now
expect the KeystoneToken model have been updated. This includes an
update to the revocation model to guard against users without domain
data (the federated user case).
Change-Id: I81da15137a0ab3778d835c8de1ec8ed9e5b301f6
bp: non-persistent-tokens
Instead of using the expiry of the token which can collide (is non-unique
in some/many cases) use the new Audit ID for the tokens when
revoking a single token via the token revocation events.
Support for revoking by the audit_chain_id has been added to the
token provider, however, the REST API has not been updated to
accept an argument to revoke the chain. Support for revoking
the entire chain is in place to allow Keystone to internally
revoke an entire chain in certain circumstances. Exposing the
ability to revoke the entire chain via the REST API may occur
based upon further design discussions.
Change-Id: I840355ccd9bcfcd88aa139184731c056808c2c8f
bp: non-persistent-tokens
Closes-Bug: 1292283
Keystone was using functions in oslo-incubator that have been
graduated into oslo.utils. This changes the function calls to use
the functions in oslo.utils.
Change-Id: I39365042de913e1b3edaf849e3f5578cef0b7b02
When MySQL is used to store revocation events, events are returned
from the database with the timestamps truncated to the second. This
causes a revocation event for a token (which has the issued_at
timestamp to the microsecond) to not match the revocation event and
therefore the token is not considered to be revoked.
The fix is to have the revocation events and token timestamps both
always be truncated to the second. This will cause all tokens for a
user that are issued within a second to be revoked when any of those
tokens are revoked, which shouldn't be a problem.
Change-Id: Ibd82b4ce910206dfd504c396614ae2ebed025e9b
Closes-Bug: #1347961
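The three behaviours described in the messages above (the linear search through the revocation-event list that replaced the RevokeTree, the inclusive issued_before comparison for events created in the same second as the token, and the truncation of both timestamps to whole seconds so MySQL-stored events still match microsecond-precision tokens) can be shown in a small matcher. The code below is an added illustration, not keystone's own implementation: the Token and RevokeEvent fields, the attribute names and the sample timestamps are all assumed for the example.

```python
"""Illustrative revocation-event matcher (not keystone code).

Assumptions made for this example:
  * a token carries issued_at, user_id, audit_id and an optional scope
    (project_id or domain_id);
  * a revocation event carries issued_before plus any subset of the same
    attributes, where None means "do not constrain on this field".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RevokeEvent:
    issued_before: datetime
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    domain_id: Optional[str] = None
    audit_id: Optional[str] = None


@dataclass(frozen=True)
class Token:
    issued_at: datetime
    user_id: str
    audit_id: str
    project_id: Optional[str] = None
    domain_id: Optional[str] = None


MATCH_ATTRS = ("user_id", "project_id", "domain_id", "audit_id")


def to_whole_second(ts: datetime) -> datetime:
    """Drop sub-second precision, mirroring what MySQL does to stored events."""
    return ts.replace(microsecond=0)


def event_matches(event: RevokeEvent, token: Token,
                  truncate: bool = True, inclusive: bool = True) -> bool:
    """Return True if `event` revokes `token`.

    truncate=True compares both timestamps at whole-second precision so a
    microsecond token can still match a second-precision event.
    inclusive=True treats issued_before == issued_at as revoked, covering an
    event recorded in the same second the token was issued.
    """
    token_ts = to_whole_second(token.issued_at) if truncate else token.issued_at
    cutoff = to_whole_second(event.issued_before) if truncate else event.issued_before
    in_window = token_ts <= cutoff if inclusive else token_ts < cutoff
    if not in_window:
        return False
    # Every attribute the event constrains must equal the token's value;
    # an unset (None) attribute on the event matches any token value.
    for attr in MATCH_ATTRS:
        wanted = getattr(event, attr)
        if wanted is not None and wanted != getattr(token, attr):
            return False
    return True


def is_revoked(token: Token, events: List[RevokeEvent],
               truncate: bool = True, inclusive: bool = True) -> bool:
    """Linear search: a non-match walks the whole list, a match stops early."""
    return any(event_matches(e, token, truncate, inclusive) for e in events)


def demo() -> dict:
    """Constructed sample data exercising the edge cases discussed above."""
    base = datetime(2016, 1, 1, 12, 0, 0)
    # Token issued with microsecond precision, scoped to project p1.
    token = Token(issued_at=base + timedelta(microseconds=654321),
                  user_id="u1", audit_id="a1", project_id="p1")
    # Event as it comes back from MySQL: same second, microseconds gone.
    mysql_event = RevokeEvent(issued_before=base, user_id="u1")
    other_scope = RevokeEvent(issued_before=base, user_id="u1", project_id="p2")
    by_audit = RevokeEvent(issued_before=base, audit_id="a1")
    return {
        # Naive comparison misses the event because .654321 > .000000
        "naive_mysql": is_revoked(token, [mysql_event], truncate=False),
        # Truncating both sides to the second restores the match
        "truncated_mysql": is_revoked(token, [mysql_event]),
        # A strict '<' would still miss a same-second event
        "exclusive_cutoff": is_revoked(token, [mysql_event], inclusive=False),
        # An event for a different project scope must not revoke this token
        "other_scope": is_revoked(token, [other_scope]),
        # Revoking by audit id matches regardless of expiry collisions
        "by_audit_id": is_revoked(token, [other_scope, by_audit]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `truncate` and `inclusive` flags exist only so the example can show the "before" and "after" behaviour side by side; a real matcher would hard-wire the whole-second, inclusive comparison.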
When a scoped token that was created from an unscoped token was
revoked, the original token wound up being revoked. This is because
the scope wasn't included in the revocation event. By including the
scope in the revocation event only the scoped token is revoked.
Change-Id: I5652663ab7e1176d3b1efc5d218a8a020498067e
Closes-Bug: #1347318
A token scoped to a domain wouldn't be revoked for a domain-wide
revocation event. This is because the code to convert a token to a
dict for revocation event processing didn't handle domain-scoped
tokens.
Partial-Bug: #1349597
Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
An indentation error coupled with an early return led to cases
where a subtree containing a pertinent revocation event was not
searched, and a revoked token would report as unrevoked.
Closes-bug: #1294292
Change-Id: If56ae64d8a30b461563ee8be002544117fb14215
Base API for reporting revocation events.
The KVS Backend uses the Dogpile backed KVS stores.
Modifies the places that were directly deleting tokens to also generate
revocation events.
Where possible the revocations are triggered by listening to the notifications.
Some places, the callers have been modified instead. This is usually due to
the need to iterate through a collection, such as users in a group.
Adds a config file option to disable the existing mechanisms that support
revoking a token by that token's id: revoke_by_id. This flag is necessary
to test that the revocation mechanism is working as defined, but will also
be part of the phased removal of the older mechanisms. TokenRevoke tests
have been extended to test both with and without revoke-by-id enabled.
Note: The links aren't populated in the list_events response.
SQL Backend for Revocation Events
Initializes the SQL Database for the revocation backend.
This patch refactors the sql migration call from the CLI
so that the test framework can use it as well. The sql
backend for revocations is exercised by test_notifications
and must be properly initialized.
Revoke By Search Tree
Co-Authored-By: Yuriy Taraday (Yoriksar)
Create a set of nested maps for the events. Look up revocation by
traversing down the tree.
Blueprint: revocation-events
Change-Id: If76c8cd5d01a5b991c58a4d1a9d534b2a3da875a