10807 Commits

Author SHA1 Message Date
Lance Bragstad
d7b836e53e Default the resource backend to SQL
Previously, keystone had logic to default the resource backend,
without providing a default through configuration. This behavior was
removed and we should provide a sensible default for the resource
backend.

This commit defaults the resource backend to `sql` since that is
the only backend keystone currently supports. We also leave a warning
saying there isn't any reason to change the default unless a deployer
is writing a proprietary or custom resource backend.

Change-Id: Ic193eab397a0f10cdf86dec1816aec9da86f1ab8
Partial-Bug: 1630435
2016-10-05 14:19:54 +00:00
Jenkins
856bd73826 Merge "Make returning is_domain conditional" 2016-10-05 08:08:01 +00:00
Lance Bragstad
4fd55f230b Make returning is_domain conditional
During an upgrade, a node running this code may need to handle a
persisted token (UUID, PKI, or PKIZ) created without this attribute.

Closes-Bug: 1630259
Change-Id: I0c5959b6491bb13a02eb1b9b7e7e37d2f2d73f85
2016-10-04 23:22:00 -05:00
Lance Bragstad
29fbffaf37 Add tests for validating expired tokens
Change-Id: I421b9166849f3e5b29ac755130c04b6464f978b2
2016-10-04 20:56:44 +00:00
melissaml
5046ba01d8 Fix a typo in _init_.py
Removed redundant 'is'

Change-Id: I5cce9e333078c1b90b3e5f60f36436deac160e4c
2016-10-04 16:33:55 +08:00
Jenkins
2b53c547cb Merge "Remove the unused sdx doc files" 2016-10-03 20:26:37 +00:00
Jenkins
ebf24189d9 Merge "Update man page for Ocata release version and date" 2016-10-03 19:59:40 +00:00
OpenStack Proposal Bot
cd23e776b7 Updated from global requirements
Change-Id: I368a2f0d998082c4e7750f097d9629eb92f2d3ca
2016-09-30 19:59:39 +00:00
Jenkins
106bc4559b Merge "Remove the no use arg (auth=None)" 2016-09-30 16:54:58 +00:00
Eric Brown
38f9a82616 Remove the unused sdx doc files
The docs tree has a sdx file which appears to be unused. Tox runs
fine without it.

Change-Id: Ie4bca0060792d74a0451b3b8effa6284c8864ee9
2016-09-30 08:51:29 -07:00
OpenStack Proposal Bot
635d4a4c31 Updated from global requirements
Change-Id: I765656deac29b3bfd8f4a82d00bffbb2c6478fb1
2016-09-30 10:17:52 +00:00
George Tian
ec7cec0eda Remove the no use arg (auth=None)
Change-Id: I5b76687fc96882936c25e189a2f79bca62a2194c
2016-09-30 11:50:06 +08:00
Jenkins
83b5da9132 Merge "Fix typo in docstring" 2016-09-29 20:33:02 +00:00
Nam Nguyen Hoai
bb1e6d03ae Fix typo in docstring
Change-Id: If907bd4e1d29c555565d12d4f33604e514090d99
2016-09-30 14:18:34 +07:00
Jenkins
93c19263b0 Merge "Validate password history for self-service password changes" 2016-09-29 14:20:53 +00:00
Jenkins
9534e6ffd9 Merge "Make test_v3_auth exercise the whole API" 2016-09-29 13:21:04 +00:00
Jenkins
14eb2cc7a6 Merge "Add Apache 2.0 license to source file" 2016-09-29 13:20:00 +00:00
OpenStack Proposal Bot
86483a7d1b Updated from global requirements
Change-Id: I9e25740523cf77b901e5c5e95fd54fc5695f4c3b
2016-09-29 05:07:13 +00:00
Cao Xuan Hoang
28e6144209 Add Apache 2.0 license to source file
As per OpenStack licensing guidelines [1]:
[H102 H103] Newly contributed Source Code should be licensed under
the Apache 2.0 license.
[H104] Files with no code shouldn't contain any license header nor
comments, and must be left completely empty.

[1] http://docs.openstack.org/developer/hacking/#openstack-licensing

Change-Id: I51a413acf6e63fb47418d8746aed5c7aac05f2d6
2016-09-29 10:59:04 +07:00
gengchc2
e828d591e7 Fix a typo in core.py and bp-domain-config-default-82e42d946ee7cb43.yaml
TrivialFix

Change-Id: I589825617f2b191a91bcf16915678e779d905749
2016-09-29 09:25:59 +08:00
Ronald De Rose
4be9164e53 Validate password history for self-service password changes
This patch adds password history validation to the change_password
(self-service) backend method.

backport: newton
Closes-Bug: #1628692
Change-Id: I6a21eb355a60b96da0615e64f57fa64289c0221e
2016-09-28 23:03:54 +00:00
Lance Bragstad
7f3296d4c5 Make test_v3_auth exercise the whole API
Throughout much of the v3 authentication tests, you'd see calls
directly into the token_provider_api. While this was convenient
because the backends were loaded automatically, it makes changing
the implementation of the backend harder because we're relying on
it in the tests by coding to it directly, instead of just testing
the behavior through the API.

This commit makes it so that all calls to validate a token actually
use the token API instead of passing tokens directly to the
token_provider_api, exercising a request from the controller to the
backend... no cheat days here!

Change-Id: I5e792831dc808270f91f2c343e93e44a653b8676
2016-09-28 20:23:33 +00:00
OpenStack Proposal Bot
a0ee0bbaf2 Updated from global requirements
Change-Id: Id638c4c2baba3f3a1d8e3526b07418067d045a89
2016-09-28 16:53:51 +00:00
Jenkins
fb6ff30009 Merge "Reorder APIs in api-ref doc for v3 users" 2016-09-28 11:32:27 +00:00
tengqm
abab343921 Reorder APIs in api-ref doc for v3 users
This patch reorders the APIs listed in the api-ref doc for v3 users so
that we have APIs documented in the following order:

- list users
- create user
- show user
- update user
- delete user
- list user groups
- list user projects
- change passwd

The rationale behind the change is that we want the order of API docs
for all resources to be consistent and easy to navigate. This patch
reorders the users APIs so that:

- Plural form of resources always comes before singular form because
  it has a unique URI;
- APIs about a specific resource (usually with an ID) are documented
  in the order of CRUD (create, retrieve, update and delete);
- All other helper APIs are documented at the end and they are grouped
  based on resource URIs when appropriate.

Change-Id: Ie594a45a51064a5f9089e2663bd970f10707ffaa
2016-09-27 21:35:38 -04:00
OpenStack Proposal Bot
a615a85f36 Updated from global requirements
Change-Id: I4119653386091e32572573adf02b37a83d158654
2016-09-27 10:00:38 +00:00
Jenkins
a0f986a14c Merge "Remove useless method override" 2016-09-27 09:00:30 +00:00
Jenkins
d76761de02 Merge "Remove unused path in the v2 token controller" 2016-09-27 08:09:18 +00:00
Eric Brown
d3ece04856 Update man page for Ocata release version and date
Sets the man page date and version to the release date of Ocata.

Change-Id: I3c2bc547130f5c61abbd009268b97520170cc535
2016-09-26 13:04:00 -07:00
Jenkins
d6dd1ed7e2 Merge "Using assertIsNone() instead of assertIs(None)" 2016-09-26 18:17:34 +00:00
Jenkins
63a1754045 Merge "Remove default=None when set value in config" 2016-09-26 13:49:36 +00:00
Jenkins
8a6d08b106 Merge "Add domain check in domain-specific role implication" 2016-09-26 13:13:20 +00:00
Cao Xuan Hoang
09131e1362 Using assertIsNone() instead of assertIs(None)
Following OpenStack Style Guidelines[1]:
[H203] Unit test assertions tend to give better messages for more
specific assertions. As a result, assertIsNone(...) is preferred over
assertEqual(None, ...) and assertIs(..,None)

[1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises

Change-Id: I9b0cedae367798ce282b0229c135b3f4a72f353a
2016-09-26 15:33:18 +07:00
Hieu LE
7b667447b5 Remove default=None when set value in config
By default oslo.cfg sets the default values as None.
Thus, there is no need to explicitly do this.

Trivial-Fix

Change-Id: I5b822021a1fe83be3755791278df6b4f498e6fef
2016-09-26 13:14:20 +07:00
Jenkins
cb2b548f6b Merge "Fix the belongsTo query parameter" 2016-09-24 05:19:00 +00:00
Lance Bragstad
a0fb2169a2 Remove unused path in the v2 token controller
The _get_token_ref() method in keystone.token.controller did some
unnecessary checks and duplicated logic for checking the belongsTo
query parameter. The belongsTo query parameter wasn't possible since
the query parameter was never passed to _get_token_ref().

This commit cleans up the method and consolidates the logic.

Change-Id: I097b0547b4395b016f80f03d97460ceda49fc8c6
2016-09-23 21:06:02 +00:00
Lance Bragstad
7f3f596351 Fix the belongsTo query parameter
The belongsTo query parameter is only supported by the v2.0
token validation API. It would check the ID of the project passed
to the belongsTo parameter against the project a token was scoped to.

This commit corrects the implementation, tests, and adds
documentation. It also moves the check to keystone.token.controller
since belongsTo is a v2-ism and doesn't belong in the
keystone.token.provider.

Closes-Bug: 1627085
Closes-Bug: 1626794
Change-Id: I4a06a498112b81093d7e5ef3142bb1e2d0f78138
2016-09-23 21:05:16 +00:00
Ronald De Rose
ba984dbd4b Fix 'API Specification for Endpoint Filtering' broken link
This patch fixes a broken link in the configuration documentation.

Change-Id: Ibea0d1f964330f531e68321571c1be39d7235468
2016-09-23 18:08:08 +00:00
Sean Perry
e88097f4c0 Add domain check in domain-specific role implication
Forbids implication between domain-specific roles from different domains

Change-Id: I9d3b9747df04b425f8c708bb3436569f2baf47c8
Co-Authored-By: Steve Martinelli <s.martinelli@gmail.com>
Co-Authored-By: Mikhail Nikolaenko <mnikolaenko@mirantis.com>
Closes-Bug: #1590583
2016-09-23 10:58:03 -07:00
Lance Bragstad
f0172f8a8f Override credential key repository for null key tests
The null key for credential encryption tests certain encryption
behavior when a key repository doesn't exist locally. If you were
to run these tests locally with a key repository created in the
default location (`/etc/keystone/credential-keys`) the tests would
fail.

This commit makes the null key tests override the key_repository location in
config, but doesn't actually create the repository - so the null key is in fact
tested.

Change-Id: I9c970cd846da2f9d52547ecb7271a20791fb3301
2016-09-23 14:44:03 +00:00
Brant Knudson
36be7e5d14 Remove useless method override
The default behavior when a method is called on an object is to call
the implementation in the superclass. So no need to override a
method just to call the superclass implementation.

This makes the code less confusing because readers will wonder what
the code is doing here when it doesn't do anything.

Change-Id: If2a5e694114a97d989f88c16691062dbd7215427
2016-09-23 09:31:38 -05:00
Jenkins
dc9a1d5f70 Merge "remove memcache token persistence backends" 2016-09-22 19:57:44 +00:00
Jenkins
51cc8bca7f Merge "remove cache backends" 2016-09-22 19:56:55 +00:00
Jenkins
c024505b55 Merge "remove httpd/keystone.py" 2016-09-22 17:18:28 +00:00
Jenkins
c08114e618 Merge "remove saml2 auth plugin" 2016-09-22 16:42:46 +00:00
Jenkins
0da99e272c Merge "Tweak status code in api-ref doc for v3 users" 2016-09-22 06:49:10 +00:00
Steve Martinelli
564c4956f4 remove memcache token persistence backends
bp removed-as-of-ocata

Change-Id: I4b8b88409abe8eea8f0a075aebbe9c569367c454
2016-09-21 22:56:18 -04:00
Steve Martinelli
d1ed08d053 remove saml2 auth plugin
bp removed-as-of-ocata

Change-Id: I4d089db0121075ed143097cab243b6509bd4085b
2016-09-21 22:44:33 -04:00
Steve Martinelli
2388cef976 remove httpd/keystone.py
bp removed-as-of-ocata

Change-Id: I08cde7331816eeaafaec72fa792b2454458ca296
2016-09-21 22:35:52 -04:00
Steve Martinelli
1371fb4f45 remove cache backends
these were deprecated in mitaka in favor of oslo.cache
provided backends

bp removed-as-of-ocata

Change-Id: I788dd92d52de738acaa4d196727560391987f1c1
2016-09-21 22:30:53 -04:00