While multiple passwords are stored for a user, only the latest one is
used for authentication. When `created_at` in tests gets changed, the
order of passwords might change too.
Keep the order of passwords by giving earlier passwords an earlier date
of creation.
Change-Id: I68861bc5c379dcf1cf060081f7802917d6f0c4b9
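The selection rule and the fixture fix described in this commit, as an added example (not Keystone's test code). It assumes password rows are plain dicts with a `created_at` datetime and that the fixture keeps the oldest row first; `backdate_passwords` and `example_fixture` are helpers invented for the illustration.

```python
import datetime


def latest_password(passwords):
    """Return the password row with the newest created_at, or None.

    Only the most recently created password authenticates.  Ties on
    created_at are broken by list position (later row wins) so the choice
    is at least deterministic; the fixture helper below avoids ties
    altogether.
    """
    if not passwords:
        return None
    best = max(enumerate(passwords),
               key=lambda item: (item[1]["created_at"], item[0]))
    return best[1]


def backdate_passwords(passwords, now, step=datetime.timedelta(seconds=1)):
    """Rewrite created_at so that list order is creation order.

    The last row keeps `now`; each earlier row is strictly `step` older.
    Moving `now` in a test shifts every row together, so the newest
    password stays the newest.  (Helper invented for this example; it is
    not Keystone's fixture code.)
    """
    backdated = []
    for age, row in enumerate(reversed(passwords)):
        copy = dict(row)
        copy["created_at"] = now - step * age
        backdated.append(copy)
    backdated.reverse()
    return backdated


def example_fixture(now=None):
    """Constructed sample: three password rows for one user, oldest first."""
    now = now or datetime.datetime(2016, 9, 1, 12, 0, 0)
    rows = [{"password_hash": "h-old"},
            {"password_hash": "h-middle"},
            {"password_hash": "h-current"}]
    return backdate_passwords(rows, now)


if __name__ == "__main__":
    fixture = example_fixture()
    for row in fixture:
        print(row["created_at"].isoformat(), row["password_hash"])
    print("authenticates with:", latest_password(fixture)["password_hash"])
```

The point of the strictly decreasing offsets is that two rows never share a timestamp, so the "latest" password no longer depends on whatever order the database happens to return rows in.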
The base manager had an issue where if a property was accessed through the
__getattr__ it would be cached.
Closes-Bug: 1620722
Change-Id: Iad7ca87a30fd5fa9f8bc88a0c7f74acca2ae1a56
This patch corrects some parameters' types, such as 'type: list'
to 'type: array' or 'type: array of...' to 'type: array', because we
don't have 'type: list' in 'JSON Schema primitive types' [1].
[1] http://json-schema.org/latest/json-schema-core.html#anchor8
Change-Id: Ic638ef48fcf0f60c55cec975ee20a71d1830b319
This patch fixes the following problems found in the api doc:
- The 'service_id' field should not appear in a service create request;
- The 'enabled', 'description' fields should be optional when doing a
service update.
Change-Id: Iac91a9f2d29a458f1e3eb93e64fea6a508b9980c
NotImplementedError is the name of the exception
(https://docs.python.org/2/library/exceptions.html).
NotImplemented is the name of a constant
(https://docs.python.org/2/library/constants.html).
>>> raise NotImplemented()
Traceback (most recent call last):
  File "<pyshell#31>", line 1, in <module>
    raise NotImplemented()
TypeError: 'NotImplementedType' object is not callable
>>> raise NotImplementedError()
Traceback (most recent call last):
  File "<pyshell#32>", line 1, in <module>
    raise NotImplementedError()
NotImplementedError
This patch fixes it.
Change-Id: I36292e5ee18bd792205a8ff527f4ae9705c61b61
Closes-Bug: #1339855
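The distinction the commit draws, shown in working code as an added example (not from Keystone): `NotImplementedError` is what an abstract driver method raises, while `NotImplemented` is a sentinel that rich-comparison methods *return* so Python can try the reflected operation. The `Backend` and `Version` classes are invented for the illustration.

```python
class Backend(object):
    """Abstract driver: subclasses must override authenticate()."""

    def authenticate(self, user_id, password):
        # Raise the exception *class*.  The NotImplemented constant is not
        # callable, so `raise NotImplemented()` fails with TypeError before
        # anything is raised (that is the traceback in the commit message).
        raise NotImplementedError(
            "%s.authenticate is not implemented" % self.__class__.__name__)


class Version(object):
    """A comparable value; the one legitimate home of NotImplemented."""

    def __init__(self, major, minor):
        self.major, self.minor = major, minor

    def __eq__(self, other):
        if not isinstance(other, Version):
            # Return (never raise) NotImplemented: Python then tries
            # other.__eq__(self) and finally falls back to identity, so
            # Version(1, 2) == "1.2" is simply False instead of an error.
            return NotImplemented
        return (self.major, self.minor) == (other.major, other.minor)

    def __hash__(self):
        return hash((self.major, self.minor))


def call_abstract():
    """Return the exception type the unimplemented backend raises."""
    try:
        Backend().authenticate("user", "secret")
    except NotImplementedError as exc:
        return type(exc)
    return None


def bad_raise():
    """Reproduce the bug: 'raising' the constant is a TypeError, not a raise."""
    try:
        raise NotImplemented()
    except TypeError as exc:
        return "TypeError: %s" % exc
    return "no error"


if __name__ == "__main__":
    print(call_abstract().__name__)      # NotImplementedError
    print(bad_raise())                   # TypeError: ... not callable
    print(Version(1, 2) == Version(1, 2), Version(1, 2) == "1.2")
```

A linter catches `raise NotImplemented` in new code, but the failure mode is what matters for review: a driver that "raises" the constant reports a confusing `TypeError` instead of the `NotImplementedError` callers may be catching.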
Oslo config supports a deprecated_since parameter to add further
detail on when an option was deprecated. In that way, it's also
easier to know when n+2 releases have passed and the option is
ready for removal.
Change-Id: I26285897ff7c8c38192b7e1a34bb66b2b2e7e13f
Similar to the doctor checks for fernet tokens, this patch adds
checks for credential fernet keys.
Change-Id: I62d77c9491adc4dcfc3e232b9dc1618b72ba04f5
The configuration and man page docs are missing some commands
noting the available options to the keystone-manage command.
Change-Id: Iba5efcf94e70f70bac899b8db377960fd35567d4
A previous refactor improved some of the logging we had when loading Fernet
keys. The log message makes sense from a token perspective since
`max_active_keys` is configured for the fernet token provider. For the
credential provider, it doesn't necessarily make sense because we don't expose
a `max_active_keys` option through configuration.
This commit makes it so that we only emit the log message when it is referencing
a fernet token key repository.
Change-Id: Iad04bd1340a9a59c465337dedcfcd1ea0bed4bde
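What a doctor-style check over a Fernet key repository looks like, covering both the credential-key checks commit above and the `max_active_keys` distinction in this one. This is an added example, not Keystone's `keystone-manage doctor` code. Assumptions: keys are files named `0`, `1`, `2`, ... in one directory, `0` being the staged key; the directory and key files should not be group- or world-accessible; `max_active_keys` applies only to the token repository, so the count check is skipped when it is `None`; `make_demo_repository` builds throw-away dummy files (constructed data, not real Fernet keys).

```python
import os
import stat
import tempfile

GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def check_key_repository(path, max_active_keys=None):
    """Return a list of problems found; an empty list means the repository is fine.

    Pass max_active_keys only for the token key repository.  The credential
    provider exposes no such option, so that check is skipped when it is None.
    """
    problems = []
    if not os.path.isdir(path):
        return ["key repository %s does not exist" % path]

    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & GROUP_OR_WORLD:
        problems.append("directory %s is group/world accessible (mode %o)"
                        % (path, dir_mode))

    names = os.listdir(path)
    stray = sorted(n for n in names if not n.isdigit())
    if stray:
        problems.append("non-key files in repository: %s" % ", ".join(stray))

    keys = sorted(int(n) for n in names if n.isdigit())
    if not keys:
        problems.append("no keys in %s; run the setup command first" % path)
        return problems

    for number in keys:
        key_path = os.path.join(path, str(number))
        key_mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if key_mode & GROUP_OR_WORLD:
            problems.append("key %d is group/world accessible (mode %o)"
                            % (number, key_mode))
        if os.path.getsize(key_path) == 0:
            problems.append("key %d is empty" % number)

    if 0 not in keys:
        # Assumption of this example: file 0 is the staged key that the next
        # rotation promotes, so its absence breaks rotation.
        problems.append("no staged key (file named 0) in %s" % path)

    if max_active_keys is not None and len(keys) > max_active_keys:
        # Only meaningful for the token repository; the credential
        # repository has no max_active_keys setting at all.
        problems.append("%d keys present but max_active_keys is %d"
                        % (len(keys), max_active_keys))
    return problems


def make_demo_repository(num_keys, dir_mode=0o700, key_mode=0o600):
    """Create a throw-away repository of dummy key files (constructed data)."""
    path = tempfile.mkdtemp(prefix="fernet-keys-")
    os.chmod(path, dir_mode)
    for number in range(num_keys):
        key_path = os.path.join(path, str(number))
        with open(key_path, "w") as handle:
            handle.write("dummy-key-%d\n" % number)   # not a real Fernet key
        os.chmod(key_path, key_mode)
    return path


if __name__ == "__main__":
    for label, repo, limit in [("token", make_demo_repository(3), 2),
                               ("credential", make_demo_repository(3), None),
                               ("loose", make_demo_repository(2, key_mode=0o644), None)]:
        print(label, check_key_repository(repo, max_active_keys=limit) or "OK")
```

Running the credential repository through the same function with `max_active_keys=None` is exactly the behaviour the log-message change asks for: permission and layout problems are still reported, but no warning about a key count is emitted for a provider that has no such option.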
This commit implements credential encryption through the following changes:
- additive schema change to store key hashes for credentials
- database migration to encrypt all pre-existing credentials
- contractive schema change to remove unencrypted credential column
- added code to the credential Manager to handle credential encryption
All credentials will be encrypted by default. There will not be a way to store
unencrypted credentials in keystone from this point forward.
Note that this implementation uses database triggers in the migration process.
If operators use the traditional offline migration method, it would be more
reliable if we didn't try to set up and tear down triggers, as they'll never be
used anyway. This makes it so that expand and contract migrations can skip
anything related to triggers.
Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com>
bp credential-encryption
Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba
Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe
Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
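The shape of the credential encryption this commit describes (encrypt every blob, store a hash of the key used, migrate pre-existing plaintext rows, then drop the plaintext column), as an added example that is not Keystone's credential provider. It uses the `cryptography` package's `Fernet`/`MultiFernet`. Assumptions: the key list is ordered with the primary key first; the stored `key_hash` is SHA-256 of the primary key (the hash Keystone actually uses is not specified here); the in-memory `CredentialStore` stands in for the database tables, and the migration is driven from Python rather than from triggers.

```python
import hashlib
import json

from cryptography.fernet import Fernet, MultiFernet


def new_key():
    """Generate a fresh Fernet key (base64 text, as Fernet expects)."""
    return Fernet.generate_key()


def key_hash(key):
    """Fingerprint stored next to each ciphertext (SHA-256 here; an assumption)."""
    return hashlib.sha256(key).hexdigest()


class CredentialStore(object):
    """In-memory stand-in for the credential table before and after migration."""

    def __init__(self, keys):
        self.keys = list(keys)   # keys[0] is the primary; older keys follow
        self.rows = {}           # id -> {"encrypted_blob": bytes, "key_hash": str}
        self.legacy_blobs = {}   # id -> plaintext blob: the column being removed

    def _decryptor(self):
        # MultiFernet tries the primary first, then each older key, so a
        # credential encrypted before a rotation still decrypts.
        return MultiFernet([Fernet(k) for k in self.keys])

    def create(self, cred_id, blob):
        """Store a credential.  There is no unencrypted path."""
        data = json.dumps(blob, sort_keys=True).encode("utf-8")
        self.rows[cred_id] = {
            "encrypted_blob": Fernet(self.keys[0]).encrypt(data),
            "key_hash": key_hash(self.keys[0]),
        }

    def get(self, cred_id):
        token = self.rows[cred_id]["encrypted_blob"]
        return json.loads(self._decryptor().decrypt(token).decode("utf-8"))

    def migrate_legacy(self):
        """Encrypt every pre-existing plaintext blob, then drop the old column."""
        for cred_id, blob in list(self.legacy_blobs.items()):
            self.create(cred_id, blob)
        migrated = len(self.legacy_blobs)
        self.legacy_blobs.clear()   # the contract step: plaintext is gone
        return migrated

    def rotate(self, key):
        """Promote a new primary key; old keys stay until nothing references them."""
        self.keys.insert(0, key)

    def stale(self):
        """IDs of credentials not encrypted with the current primary key."""
        current = key_hash(self.keys[0])
        return sorted(i for i, r in self.rows.items() if r["key_hash"] != current)

    def reencrypt(self, cred_id):
        self.create(cred_id, self.get(cred_id))

    def retire_old_keys(self):
        """Drop non-primary keys; refuse while any row still depends on one."""
        if self.stale():
            raise RuntimeError("re-encrypt stale credentials first: %s" % self.stale())
        del self.keys[1:]


if __name__ == "__main__":
    store = CredentialStore([new_key()])
    store.legacy_blobs["ec2-1"] = {"access": "AKIAEXAMPLE", "secret": "constructed"}
    print("migrated", store.migrate_legacy(), "credential(s)")
    store.rotate(new_key())
    print("stale after rotation:", store.stale())
    store.reencrypt("ec2-1")
    store.retire_old_keys()
    print("decrypts with primary only:", store.get("ec2-1")["access"])
```

The stored `key_hash` is what makes key retirement safe: an operator can list rows whose hash is not the primary's, re-encrypt them, and only then drop the old key, instead of discovering undecryptable credentials after the fact.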
The 105 migration added a password created_at column that was left as
nullable. This patch sets a default value for password created_at and
makes this column not nullable.
Closes-Bug: #1596500
Change-Id: I394467d554c786ecd9bf55367435c856c6723042
Now that we're able to grant authorization to federated users using
concrete role assignments, we can drop the requirement for the mapping
engine to result in any authorization (via group membership) at all.
Closes-Bug: #1601929
Change-Id: Ie144e20deb4a0bb987182de5c9231a14f0aa2bc8
Keystone had a problem where there was a memcached socket
opened very early on startup which then got shared between
worker processes when running under uwsgi. Since we don't have
a test or a way to ensure that no sockets are opened too early
for uwsgi, let's recommend setting lazy-apps to avoid issues.
Change-Id: I8b46c5424094d3abe9a986da4ee1143f72a91a4d
Related-Bug: 1600394
Since tokens are most often used right after being created,
cache them to bypass redundant validation.
The patch uses dogpile.cache internal functionality, so some
calls may look strange.
Implements bp pre-cache-tokens
Change-Id: I2e720eed6b0066738181afd1cbf73c5ff4d876f5
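The pre-caching idea in this commit, reduced to a self-contained example that is not Keystone's dogpile.cache wiring: the token issuer writes the validated form into the validation cache at issue time, so the first validation (which nearly always follows immediately) is a hit. Assumptions: tokens are opaque random IDs looked up in a dict that stands in for the backend; the cache entry's lifetime equals the token's; `FakeClock` is a test aid for exercising expiry without sleeping.

```python
import binascii
import os
import time


class FakeClock(object):
    """Controllable clock so expiry can be exercised without sleeping (test aid)."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenProvider(object):
    """Issue and validate opaque tokens, with a validation cache primed on issue."""

    def __init__(self, lifetime=3600, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock
        self._tokens = {}     # token_id -> (user_id, expires_at): the backing store
        self._cache = {}      # cache_key -> (payload, expires_at)
        self.validations = 0  # expensive (uncached) validations performed

    @staticmethod
    def _cache_key(token_id):
        # issue() and validate() must derive exactly the same key, or the
        # pre-cached entry is never found and the optimisation is silently lost.
        return "validate:" + token_id

    def issue(self, user_id):
        token_id = binascii.hexlify(os.urandom(16)).decode("ascii")
        expires_at = self.clock() + self.lifetime
        self._tokens[token_id] = (user_id, expires_at)
        payload = {"user_id": user_id, "expires_at": expires_at}
        # Pre-cache: the first validation happens right after issuance, so
        # store the validated form now instead of recomputing it then.  The
        # cache entry is bounded by the token's own expiry.
        self._cache[self._cache_key(token_id)] = (payload, expires_at)
        return token_id

    def _validate_uncached(self, token_id):
        self.validations += 1
        try:
            user_id, expires_at = self._tokens[token_id]
        except KeyError:
            raise ValueError("unknown token")
        if self.clock() >= expires_at:
            raise ValueError("token expired")
        return {"user_id": user_id, "expires_at": expires_at}

    def validate(self, token_id):
        key = self._cache_key(token_id)
        entry = self._cache.get(key)
        if entry is not None and self.clock() < entry[1]:
            return entry[0]
        self._cache.pop(key, None)
        payload = self._validate_uncached(token_id)
        self._cache[key] = (payload, payload["expires_at"])
        return payload

    def is_valid(self, token_id):
        try:
            self.validate(token_id)
            return True
        except ValueError:
            return False

    def revoke(self, token_id):
        # Priming the cache on issue makes this mandatory: without it a
        # revoked token keeps validating until the cached entry expires.
        self._tokens.pop(token_id, None)
        self._cache.pop(self._cache_key(token_id), None)


if __name__ == "__main__":
    provider = TokenProvider(lifetime=10, clock=FakeClock())
    token = provider.issue("alice")
    print(provider.validate(token)["user_id"], "validations:", provider.validations)
    provider.revoke(token)
    print("valid after revoke:", provider.is_valid(token))
```

The caveat a reviewer should check in any pre-caching change is the last method: once tokens enter the cache without passing through validation, every revocation path must also evict the cache entry, otherwise the cache extends the life of a revoked token.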
Currently, the Keystone api-ref is not configured with the logABug feature.
When users click the "Report bug" button, it leads to
"bugs.launchpad.net/openstack-manuals", which is the default.
We should change it to "bugs.launchpad.net/keystone/".
Change-Id: I8d6fc4d2a6ab9d7f444a02cbc2f756fdaa3de264