Added a new OAuth2mTlsClientCredential plugin, accessible via the
'v3oauth2mtlsclientcredential' entry point, making possible to
authenticate using an OAuth 2.0 Mutual-TLS client credentials.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I0e02ef18da5d60cdd1bcde07b07c2071b74b73d6
Implements: blueprint support-oauth2-mtls
Added a new OAuth2ClientCredential plugin, accessible via the
'v3oauth2clientcredential' entry point, making possible to authenticate
using an application credentials as an OAuth2.0 client credentials.
Change-Id: I77d6faef4cbc75abb8e7d86f386fb6d16e40cabf
A new basic auth plugin is added which enables HTTP Basic
authentication for standalone services. Like the noauth plugin, the
endpoint needs to be specified explicitly, along with the
username and password.
An example of a standalone server implementing HTTP Basic can be seen
in Ironic change https://review.opendev.org/#/c/727467/
Change-Id: Ib3f0a9c518d031a67f9605cf64a8a9cc81131ed3
Story: 2007656
Task: 39741
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Remove hacking and friends from lower-constraints, those are not
needed for co-installing.
Change-Id: I59f0854c089a6ed4f0c4dad7755f946dc95ada3a
- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
takes method names as strings.
Change-Id: Ie6601a50011118e3a07be9752f747c2298ff5230
Closes-Bug: #1839748
Clients like ironicclient and swiftclient use fixed delay for their
build-in retry functionality. To replace it without changing behavior
we need a similar feature.
Change-Id: I1f9de98dae5719842f03d45e5a9d724199d5718b
Subclasses of keystoneauth1.adapter.Adapter, such as openstacksdk's
openstack.proxy.Proxy [1], would like to be able to obtain configuration
from oslo_config conf options.
This commit splits the conf processing logic out of
keystoneauth1.loading.adapter.Adapter.load_from_conf_options (aka
keystoneauth1.loading.load_adapter_from_conf_options) into a helper
method, keystoneauth1.loading.adapter.process_conf_options.
This is a straight refactor, so no test changes are necessary.
[1] 16f2dbe3b0/openstack/proxy.py (L113)
Change-Id: I250c431ccf3883901f7dce151bc5011ac305f829
For people setting creating Sessions via load_from_conf_options, such as
the OpenStack services, turning on split-loggers needs to be done in a
config file. In order to do that, we need to expose it in the conf
options list.
Don't add it to the argparse options for now - it would just add another
command line option that is less likely to see use.
Change-Id: I106c6acbe306e581d293612630ec810c11d9d61c
python-openstackclient does this in a wrapper class around Session,
and openstacksdk does something similar that could be removed if support
were directly in keystoneauth.
Add this so that we can remove the custom wrapper/manipulation in
openstackclient and openstacksdk.
Change-Id: Icf00c66f57d20d2cef724c233160d3b1e0d52102
This commit introduces the necessary bits in order to get system
scoped tokens from a keystone server.
bp system-scope
Change-Id: I538f2a6cd2b4113910dfdac250c14f17f80051f6
Update the help string for Adapter's endpoint-override conf option to
recommend specifying the unversioned endpoint. This is so that ksa can
do the appropriate endpoint discovery itself.
Change-Id: I6178a7c0b80e22cc48f049efc24d1c74f26d4b2d
If deprecated options aren't registered, interface will not exist,
resulting in NoSuchOptError.
Add safeguards around accessing the interface opt, and appropriate test
cases.
Co-Authored-By: Eric Fried <efried@us.ibm.com>
Closes-Bug: #1707273
Change-Id: Ic3df9817f0038f8f610db70d7e34fe9d458606b6
Support a deprecated_opts dict kwarg to
keystoneauth1.loading.adapter.Adapter.get_conf_options that behaves just
like the one for keystoneauth1.loading.session.Session.get_conf_options
Ditto register_conf_options.
Change-Id: I40b568c1b8570b349def0a966526ed4515d08105
Closes-Bug: #1708673
The positional decorator results in poorly maintainable code in
a misguided effort to emulate python3's key-word-arg only notation
and functionality. This patch removes keysteonauth's dependance
on the positional decorator.
Change-Id: I20106345747860365cd0203ba1b33a2900e045b9
Add the ability to exclude deprecated conf options from
Adapter.get_conf_options via a new kwarg, include_deprecated, which (for
backward compatibility) defaults to True.
Closes-Bug: #1706775
Change-Id: I9245d2b983482154959ba05d7d8496a947f1c701
Version number for keystoneauth is still being debated. Remove this
as it's not strictly necessary anyway. The deprecation explanation is
also very clunky. Fix it.
Change-Id: I2cd39c5c01995b3e6cf22616c5343d8e1c4ce43b
interface can take a list of values now, so needs to be exposed as such
for config file consumption.
Since this is a new option we can be stricter. Add checking to make sure
only public, internal and admin can be passed as values.
Change-Id: I17043cd93072bbfd1389d44935bcf9a653e1d6a0
They should be here as an Adapter is essentially a codified
endpoint_filter.
Add them to the conf options for Adapter, since that is how Adapters get
defined in services which is one of the reasons for doing all of this
work.
Change-Id: I8c6613bac09f28169e903b303c7330b1e90fe72d
Although the getter and the load_from_argparse_arguments methods accept
kwargs, those were not passed from the load method to the inner
plugin.load_from_options_getter call.
Change-Id: I1af353bf3eab88ebc148b606f683c114819e8330
Closes-Bug: 1697479
It does not accept any arguments and sets the token to 'notused'.
It does not have any endpoint/url associated,
and thus must be used together with adapter.Adapter.endpoint_override to
instantiate a session for client to a service that is deployed in
noauth/standalone mode.
Unfortunately the 'noauth' name is already taken by
cinderclient.contrib.noauth.
Change-Id: I2f7175ea095aac774e7c5889880fcff15586559c
In the spirit of keystoneauth1.loading.session,
keystoneauth1.loading.adapter.Adapter is a BaseLoader subclass providing
oslo_config* options suitable for inclusion by config groups wishing to
support keystoneauth1.adapter.Adapter operations such as endpoint
discovery.
*Future work should be done to move the argparse options from
keystoneauth1.adapter.Adapter into the new loading.adapter.Adapter class
for consistency.
Change-Id: Icb8c295799cc5ef4ca16f44c238838668fb7ab93
Partial-Implements: bp use-service-catalog-for-endpoints
This change removes the soon-to-be unused "warnerrors" setting,
which will be replaced by "warning-is-error" in sphinx
releases >= 1.5.[0] This also pre-emptively fixes most warnings
that came up when testing with sphinx >= 1.5:
- Multiple cases of Opts
- Redundant loading of todo extension
Added a comment to not to enable the new sphinx setting until
the issues with Changlog building are fixed.
Added setup.py to the list of files to ignore when building
docs.
[0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113085.html
Change-Id: Ia0079c6b551dd3896bc3d922a477f927757bd61b
A commonly requested document is what auth plugins are available and
what parameters do they accept. Create an extension that can iterate
through the stevedore namespace and render all its available options.
Change-Id: Id0d0983c9803ce4e0ce201310a1603bc0ff30ca0
In Python 3 __ne__ by default delegates to __eq__ and inverts the
result, but in Python 2 they urge you to define __ne__ when you define
__eq__ for it to work properly [1]. There are no implied relationships
among the comparison operators. The truth of x==y does not imply that
x!=y is false. Accordingly, when defining __eq__(), one should also
define __ne__() so that the operators will behave as expected.
[1]https://docs.python.org/2/reference/datamodel.html#object.__ne__
Change-Id: I6ad4b07911f6c8236dfcd048aceebd44cd760fe2
to better the user experience, mark a few of the open id connect
options as required, users should get back more meaningful
error messages.
as part of the change, there was also a discrepancy between what
the loader used for the authorization code, and what the plugin
was using. deprecate the old loader option (authorization-code)
in favor of the one used by the plugin (code).
Change-Id: I18318ef44f99e4f973176dd99b61770b1151f7a0
Partial-Bug: 1593192
The OpenID Connect specifies that all providers must return a JSON
discovery document [1] in a well-known location. We can let the user
pass this document instead of the individual endpoints (i.e. token and
authorization endpoint). Moreover, we can also check if the requested
grant_type (implicit to the used plugin, and one of client_credentials,
password, authorization_code) is supported by the provider before
starting the auth flow.
[1] https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
Fixes-bug: #1583682
Change-Id: I24b7960b25ddcff45552c0ab5541d92122d1d560
The prompt parameter is supposed to provide both an indication to
loaders that it is ok to prompt the user for input for an option and
also an appropriate message that can be used.
It would be up to the loader whether it wanted to use that message or
something it generated.
This will allow os-client-config and openstackclient better control over
the loading of sensitive authentication options.
Related-Bug: #1519202
Change-Id: I7c39f25b78404950af6f6eaf21739be1c1ef9c6a
An auth plugin that allows service clients to be authenticated
with the X.509 tokenless authentication. Please find typical configured
options in authentication-plugins.rst
implements bp keystone-tokenless-authz-with-x509-ssl-client-cert
Change-Id: Ie0298f0ef7f3891cfc81072ab9ef9e501773fe5f
The OpenID scope is something common to all the OpenID grant types,
therefore we move the OIDC scope parameter 'scope' from the OidcPassword
class into the base _OidcBase class, moving the option as well into the
corresponding loader.
Moreover, OpenID scopes are not handled properly, as the loaders have
the option defined as "openid-scope" whereas the class constructor
argument is named "openid".
Lastly, OpenID states that the OpenID scope MUST contain "openid" at
least, so we should include this in our defaults argument.
Closes-Bug: #1594272
Closes-Bug: #1597334
Change-Id: I9a242ae93a61737d032c19830c5d89ef6237f875
Add a create_plugin function to loaders. This can be used to create a
plugin based on options with more control than simply specifying a
plugin_class as a property.
The plugin_class property is no longer an abstractproperty however an
implementer must still provide either the plugin_class property or
implement the create_plugin function to succeed.
Change-Id: Iea2ff93cfc3c814c78f6d9cd7e0069bab7e0180b
Closes-Bug: #1595400
There is a missmatch between the option being defined in the
OpenIDConnectPassword loader and the OidcPassword class. The loader
defines it as "openid-scope" but the OidcPassword constructor only
accepts "scope".
Closes-Bug: 1594272
Change-Id: I7dbaaa4eb52c900bcd19da4c274bd35dc8b98c6f
Zuul