We are going to start building OpenAPI using codegenerator directly in
Keystone and move all the schemas into the codebase. It is going to
be very helpful to immediately see whether generation is possible and
the OpenAPI spec is valid. Thus adding it as non-voting for now (and it
makes no sense to have a non-voting job in gate).
Change-Id: Iaf418d69cbb55fbe9dde3f2ec4213e64345057c2
After reformatting there are some cases where strings previously split
across lines were simply placed on a single line ("foo " "bar baz").
Join such cases properly.
Change-Id: Ie56d5ca35d3e0983a73554916f5399837a3b35b4
Ensure committing locally will raise bandit check errors before we push
the change by putting it into the pre-commit. Since pre-commit is
already invoked in the pep8 env we can drop bandit from there.
Change-Id: I4d9d5aa283fb6cb91d610e23c6a44e98d8df46aa
pyupgrade is a tool (and pre-commit hook) to automatically upgrade
syntax for newer versions of the language. It helps in getting rid of
syntax required for older Python versions that are not supported anymore
and prepares us for easier support of newer Python versions. The tool is
already used in some other OpenStack projects, so it is time to start
using it also for Keystone.
The change is generated by uncommenting the pre-commit hook and
executing `pre-commit run -a` to convert the data. The same could be
also achieved by simply trying to commit and adding converted files in
a few iterations.
Change-Id: Ia1f64709e57ebb4e44db128bfea4c5957b2071df
With this, black performs a linter check even before the commit is
created, allowing devs to spot issues before sending a change to the CI.
With this we also switch from flake8 to pre-commit to ensure we run the
same tests locally and in the CI, thus preventing accidental drift.
Change-Id: I121f55a2f00817dc4b6061933752b81e01d62cb4
NotFound exceptions happen regularly during normal operations,
e.g. when doing "openstack role show member", so don't make a fuss
about them.
Change-Id: I59ad6fe4ff167a431eae943dd261d4a69c21e980
Improve code maintainability by enabling us to use an automatic code
formatter. We use black as a relatively fast code formatter (ruff is an
alternative, but it will immediately require also changing all quotes
chaos). In the next change black is going to be added into the
pre-commit, allowing contributors to spot formatting issues before
sending code to the CI and spending precious run hours. The same steps
have been performed in the openstacksdk/cli and partially nova.
Steps performed:
- `black -l 79 -S keystone`
- add exceptions to the tox.ini for the lines which black decided not to
  split
The following files are polished manually due to noqa headers and similar
being reformatted to wrong strings:
- keystone/auth/plugins/totp.py
- keystone/common/password_hashing.py
- keystone/tests/unit/ksfixtures/__init__.py
Change-Id: I832ec4c152fa58fb0088d9f880add86a20ec95fc
When a user requests new application credentials without specifying
roles explicitly, all current roles from the token are being used for
that (including implied roles).
When new application credentials are requested specifying a role that
implies another role (i.e. member), only that role is added into the
list. This is not what is expected, so change it by looping through
every requested role and adding every implied role into the list if it
is not already there.
Related-Bug: https://bugs.launchpad.net/keystone/+bug/2030061
Change-Id: I452313ac7e1e6960748bcd1e667fb7c0076eb7a2
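The role expansion described in the message above, as an added example that is not Keystone's code. The rule set, the role chain and all function names are constructed for illustration, and the example goes beyond the message by following implications transitively and tolerating cyclic rules.

```python
from collections import deque

# Constructed inference rules (prior role -> roles it implies),
# an assumption for this example, not read from a Keystone deployment.
IMPLIED = {
    "admin": ["manager"],
    "manager": ["member"],
    "member": ["reader"],
}


def roles_without_expansion(requested):
    """Behaviour the message calls unexpected: only the named roles."""
    return list(requested)


def roles_with_expansion(requested, implied=IMPLIED):
    """Add every directly or transitively implied role exactly once.

    Requested roles keep their order; implied roles are appended in
    breadth-first order. The seen set stops duplicates and also stops
    infinite loops when the rule set contains a cycle.
    """
    result = []
    seen = set()
    queue = deque(requested)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        result.append(role)
        queue.extend(implied.get(role, []))
    return result


def passes_role_check(credential_roles, required_role):
    """Stand-in for a policy rule that requires one specific role."""
    return required_role in credential_roles


if __name__ == "__main__":
    for roles in (roles_without_expansion(["member"]),
                  roles_with_expansion(["member"])):
        print(roles, "reader check:", passes_role_check(roles, "reader"))
```
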
python-all-dev is not available on the newer ubuntu images
(ubuntu-noble). Replace it with `python3-dev` as used by the majority of
other OpenStack repositories. This change does not fix the tests, it
just ensures tests are being executed.
Change-Id: I860ca5e6259459716e606a4c76002164d6a18668
As a starting point for the code renovation it makes sense to add
pre-commit with the same configuration as we spread across the other
services. For now comment out hooks that fail and address them one by
one.
At the end of the series we would have pre-commit executing all the
necessary checks (linting, flake, black, mypy, etc) and it will be
invoked directly in the `tox -e pep8` to unify all the processing. We
are going to re-format source code with `black`, adding revisions to
git blame ignore to reduce the amount of noise. This will help us to have
reasonable formatting of the code with the possibility to just
auto-format the code.
Change-Id: Ia00f4209cde8f64828dc2d827d49bfc4bd6c1efa
This has been deprecated for removal [1]. Use the stdlib variant
instead.
[1] https://github.com/testing-cabal/testtools/commit/59b890db3c
Change-Id: I7701872d2de44bb7c8296501015c24d0741adc93
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
pytz will be removed from RHEL/CentOS 10 because of the built-in
zoneinfo[1].
Because the current usage of pytz can be very easily replaced, this
removes the dependency on pytz.
[1] https://issues.redhat.com/browse/RHEL-219
Change-Id: Ib90acd5ebb9a0c2cffd643bda0ecdafa97552008
The official recommendation for operators is to develop out-of-tree
drivers for the missing functionality. While this is easily possible
there are hurdles for configuring such drivers. Configuring them using
FS requires a restart of Keystone when i.e. adding new domains to be
processed with the custom driver. Using the database is a much better
and more dynamic approach, but it currently does not allow drivers to
have specific configuration. This change improves these flaws and
consists of 3 individual parts that are submitted together to make
testing easier.
- Allowing the driver to register supported configuration options before
  loading the driver (invoke DriverManager without calling the driver
  and search for a specific method present).
- Allow changing driver specific configuration through the API (add 2
  more configuration options enabling listed options in the API)
- Documentation changes.
Change-Id: I99fa798ef60cdb7a488fe55de76cd931c6db3e89
The str(url) function in SQLAlchemy hides the password.
For a URL string that is to be re-used, use
render_as_string(hide_password=False).
Change-Id: I2ab28da5cc2b9ed3a1588259b2e94320662816bb
Credentials are associated with users so there is no reason we prevent
domain users from accessing the resources. In some services like heat
the domain admin is used to generate keystone credentials and loosening
the scope check is required to continue supporting such a use case.
Closes-Bug: #2062045
Change-Id: I140b302d879ce1cc1f8d8de9e666cc74278a977f
Domain admins are allowed to assign roles. So it should be allowed to
view roles.
Note that protection job is made non-voting until the domain admin role
test cases are updated.
Closes-Bug: #2059780
Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
This patch modifies a few policies to allow users with the "admin" role
to access /v3/auth/tokens and /v3/credentials. These policies were
missed when we implemented Phase 1 of Secure RBAC.
Change-Id: Id789c09121f1405f7ba5e4926498dab4ad98e057
This patch updates the devstack plugin so that tempest.conf is not
configured to use system-admin. Currently tempest uses an all-in
approach to configuring admin clients, and forcing system scope in
tempest when SRBAC is turned on results in test failures for services
that don't understand system scope.
With this patch, keystone tests will be run with a project-scoped admin,
which should be fine since policies have been previously updated to
accept project-admin tokens as legacy admin for Phase 1. [1]
[1] f2f1a5c388
Change-Id: I39d50b8e6e55b0835670d753c3783f32b19b6c47
Add file to the reno documentation build to show release notes for
stable/2024.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.
Sem-Ver: feature
Change-Id: I269449185216e98155807b046b7bab48610911b3
The s3tokens and ec2tokens endpoints are a public API
that does not require authentication to be called but
that is what the testing does today.
This duplicates the "good request" tests by also
testing with noauth set so that we don't send a
token in the request. This can prevent bugs where
we would unintentionally require auth for these
endpoints.
Change-Id: Ibbde313ac8bcf3187c139bbd0840702f229534d0