Commit Graph

1600 Commits (6a69e4dfbdc2762445b0f16a9e2c66e06f3b2bab)

Author SHA1 Message Date
Adrian Turjak 6a69e4dfbd add support for auth_receipts and multi-method auth
- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
  takes method names as strings.

Change-Id: Ie6601a50011118e3a07be9752f747c2298ff5230
Closes-Bug: #1839748
4 years ago
Dmitry Tantsur bca9ee7d3c Allow requesting fixed retry delay instead of exponential
Clients like ironicclient and swiftclient use fixed delay for their
build-in retry functionality. To replace it without changing behavior
we need a similar feature.

Change-Id: I1f9de98dae5719842f03d45e5a9d724199d5718b
4 years ago
Eric Fried 3fd9ce7007 reno: per-request global_request_id
Adds a release note for the per-request global_request_id kwarg that was
added via [1].

[1] Ied73320fcd813ae796e40cbdb30717900486b92c

Change-Id: I2c347e928b20c9533dc2758adc75bc8fdd78c006
4 years ago
Eric Fried df57e0ec3b Add a per-request global_request_id
Adapter.__init__ takes a global_request_id which causes the
X-Openstack-Request-Id header to be set on each request. This is fine if
the Adapter is used for only one "request" (in the sense of e.g. "a
server create" -- see [1]), but is too broad if the Adapter is reused
for multiple requests. For example, Nova's SchedulerReportClient (used
to communicate with Placement) creates a single instance of Adapter for
the life of the process [2][3][4]. Openstack SDK's Proxy objects [5]
endure for the life of a Connection.

So what is needed is a way to manage the X-Openstack-Request-Id header
on a per-request basis.

This commit adds a global_request_id kwarg to
keystoneauth1.session.Session.request, which is the funnel point for all
requests coming through Adapter as well as Session itself. (All the
methods feeding into that one already accept and pass through arbitrary
**kwargs.) If present, the value in the X-Openstack-Request-Id header is
set accordingly. Note that this will *override*
Adapter.global_request_id, which is exactly what we want, as described

[2] bea9058f02/nova/scheduler/client/ (L200)
[3] bea9058f02/nova/scheduler/client/ (L243)
[4] bea9058f02/nova/ (L1219-L1221)
[5] bf6651f149/openstack/ (L114)

Change-Id: Ied73320fcd813ae796e40cbdb30717900486b92c
4 years ago
Corey Bryant 92ec14c66b Add Python 3 Train unit tests
This is a mechanically generated patch to ensure unit testing is in place
for all of the Tested Runtimes for Train.

See the Train python3-updates goal document for details:

Change-Id: I0e4ec9d2b2e283beae6332923f44806ad7add9f8
Story: #2005924
Task: #34215
4 years ago
Zuul aee0d8a130 Merge "Limit interval between retries to 1 minute" 4 years ago
Zuul 996c8c66d4 Merge "Allow setting retry counts for Adapter via configuration options" 4 years ago
Colleen Murphy b56a2a82d5 Cap bandit
Pin bandit to <1.6.0 because subsequent releases don't work for us.

Change-Id: I5a6d0b7b1e5c9fda4e16b107b026fac2b44a051f
4 years ago
Dmitry Tantsur 34c005ae5f Limit interval between retries to 1 minute
Currently it grows exponentially, exceeding 1 hour after 15 retries.
While we don't expect people to have so many retries, we should not
let them shoot their legs.

Change-Id: I01dfaa1c379340a0d41fcfdb07298fdef6110941
4 years ago
Dmitry Tantsur 92921c6016 Allow setting retry counts for Adapter via configuration options
Change-Id: I67ba69bfff69676ceb28b8a7515f10f5eff21c4c
4 years ago
Michael McCune 96559d6009 add a handler for unknown HTTP errors
This change adds logic to handle a situation where an error response has
been received by HTTP but its body schema is an unknown format.

This issue came up during a review of related changes:

Change-Id: I21a33052e951f515988fdfd8ab1f42440ca9d4f8
4 years ago
Michael McCune 01d2da9e47 add handling for multiple error returns
This change adds logic to the `exceptions.from_response` to handle
errors formatted in accordance with the API-SIG guidelines. When there
are multiple errors returned, only the first error will be included in
the exception with a note informing that there were more errors.

API SIG guideline:

email thread for content:

related neutron bug:

Change-Id: I1f06c2cd5c4e93e04582d4ffbb434db92010d712
4 years ago
Zuul 1c4334c73d Merge "Replace URLs with URLs" 4 years ago
Zuul af28ae516f Merge "Resolves a typo in a link to use Application Credentials" 4 years ago
caoyuan 0682135749 Replace URLs with URLs
Change-Id: Ifd65f93e3ddde4ac06a4f37a41238b81d7e03165
Closes-Bug: #1827008
4 years ago
Vishakha Agarwal 70720ff336 Blacklist bandit 1.6.0 & cap sphinx for 2.7
The latest version of bandit has broken directory
exclusion, so multiple test files are getting
flagged. This change blocks version 1.6.0 while
this issue is fixed for 1.6.1.

This change also caps sphinx at <2.0.0 for python version 2.7.

Change-Id: Id4db764200be068df0dbe96306c2d53f79b49af7
4 years ago
Chinmay Naik 2bb7f120c3 Resolves a typo in a link to use Application Credentials
Change-Id: I6a4ab4076e0a0722fdc1ee3b1685cc242b3dac4c
Closes-Bug: #1801101
4 years ago
OpenDev Sysadmins 9f1b9606e4 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at with any
questions you may have.
4 years ago
Zuul 6162d3dcf2 Merge "Update master for stable/stein" 4 years ago
Zuul 7731e7949c Merge "Update auth plugin name list in document" 4 years ago
ricolin b856b367b8 Update auth plugin name list in document
Change-Id: I6fbd3cac12f0e540a97b5a5a0d038a5931442fd8
4 years ago
Vishakha Agarwal e70d34184f Update the min version of tox
In Train, we will use python3.6 and 3.7 for which
the minimum tox version required is 2.5[1]


Change-Id: Ibe07f6fca6760b5897bc6a00f2dd40550f33d713
4 years ago
Eric Fried f83f3fb750 Factor Adapter conf-processing logic into a helper
Subclasses of keystoneauth1.adapter.Adapter, such as openstacksdk's
openstack.proxy.Proxy [1], would like to be able to obtain configuration
from oslo_config conf options.

This commit splits the conf processing logic out of
keystoneauth1.loading.adapter.Adapter.load_from_conf_options (aka
keystoneauth1.loading.load_adapter_from_conf_options) into a helper
method, keystoneauth1.loading.adapter.process_conf_options.

This is a straight refactor, so no test changes are necessary.

[1] 16f2dbe3b0/openstack/ (L113)

Change-Id: I250c431ccf3883901f7dce151bc5011ac305f829
4 years ago
OpenStack Release Bot 6910374a83 Update master for stable/stein
Add file to the reno documentation build to show release notes for

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on

Change-Id: I7f3066154f30f3449e4bc54704ca01780ba10d6d
Sem-Ver: feature
4 years ago
Zuul bde07bc95b Merge "Fix rate semaphore for keystoneclient" 4 years ago
Colleen Murphy 7b74cc9adb Fix rate semaphore for keystoneclient
When using keystoneclient sessions, the new parameter is not available
and breaks the keystoneclient unit tests[1]. Only use the semaphore
kwarg when using keystoneauth sessions.


Change-Id: I0cc7f2514e143ec532d8fb895618f7cf1fea9cc3
4 years ago
Zuul 23afb2d631 Merge "add python 3.7 unit test job" 4 years ago
Zuul d66a63b4e5 Merge "Drop py35 jobs" 4 years ago
Vishakha Agarwal 33a804a288 Drop py35 jobs
Python 3.5 was the target runtime for the Rocky release.
The current target py3 runtime for Stein is Python 3.6,
so there is no reason to keep testing against the older version. Also
correct setup.cfg and tox.ini to reflect the current supported Python

Change-Id: I9d1b57b981269fea3afe39cf524350f3c4a7d944
4 years ago
Zuul 0828f7048e Merge "Add support for client-side rate limiting" 4 years ago
Monty Taylor 09934718f7 Add support for client-side rate limiting
shade/openstacksdk has implemented client-side rate limiting on top of
keystoneauth for ages and uses it extensively in nodepool. As part of an
effort to refactor that code a new approach was devised which was much
simpler and therfore suitable for inclusion in keystoneauth directly.

The underlying goal is two-fold, but fundamentally is about allowing a
user to add some settings so that they can avoid slamming their cloud.
First, allow a user to express that they never want to exceed a given
rate. Second, allow a user to limit the number of concurrent requests
allowed to be in flight.

The settings and logic are added to Adapter and not Session so that the
settings can easily be per-service. There is no need to block requests
to nova on a neutron rate limit, after all.

Co-Authored-By: Ian Wienand <>
Change-Id: Ic831e03a37d804f45b7ee58c87f92fa0f4411ad8
4 years ago
Zuul 7f9ff9585d Merge "Expose app creds and new attrs in fixtures" 4 years ago
Colleen Murphy 8ea9bee56c Expose app creds and new attrs in fixtures
To help enable testing authenticating with application credentials in
keystonemiddleware we need the keystoneauth token fixtures to support
application credentials. This change adds application credentials to the
fixtures along with mocking of the new access rules attribute. Additionally,
add support for the new attribute in the AccessInfoV3 object so that
it will fully represent the new structure.

bp whitelist-extension-for-app-creds

Change-Id: Ia6fece77390942ac012be1c80691ba86dc1e49b4
4 years ago
Zuul e155bed14e Merge "Expose application credentials in AccessInfoV3" 4 years ago
Monty Taylor 26b41b2e82 Remove shade jobs
We're co-gating with openstacksdk, also doing so with shade is a
bit excessive.

Change-Id: I0c192b96f01844d4ebce49dc1efc76c193afa6d2
4 years ago
Corey Bryant a96cf6ed75 add python 3.7 unit test job
This is a mechanically generated patch to add a unit test job running
under Python 3.7.

See ML discussion here [1] for context.


Change-Id: Idb2fb5bf8633c5980132e701157715690f22546f
Story: #2004073
Task: #27422
4 years ago
Colleen Murphy 759a9a5f59 Expose application credentials in AccessInfoV3
Since application credentials are used in some tokens it is important
to expose those attributes in the AccessInfoV3 object in the same way we
expose other token data.

Change-Id: I36a0b8dd275df8fcee556ed305c34c16a90384e8
4 years ago
Andreas Jaeger 299bebc14d Use template for lower-constraints
Small cleanups:

* Use openstack-lower-constraints-jobs template, remove individual
* Sort list of templates

Change-Id: Ib3faad6ed1a286376d5b60ce33f8cb757a9eda6b
5 years ago
Vieri f2ad956f82 Change openstack-dev to openstack-discuss
Mailinglists have been updated. Openstack-discuss replaces openstack-dev.

Change-Id: Ifd1ee825acd098a6525b5c5f3932ce200cfe730e
5 years ago
Monty Taylor 4960c48aec
Fix version discovery for clouds with int project_ids
On a cloud that has inaccessible version discovery documents AND uses
integer project ids, the discovery fallback logic can fail because the
project id parses as a (very large) version.

Check to see that the url segment in the fallback code begins with a v,
so that we're only attempting to parse versions from actual candidate

Closes-Bug: #1806109
Change-Id: Id90b3b9e4852494a4678b0a9bb67362babdc971c
5 years ago
Zuul d8cee933fe Merge "Replacing the HTTP protocal with HTTPS in using-sessions.rst." 5 years ago
zhouxinyong 7939dc7ab9 Replacing the HTTP protocal with HTTPS in using-sessions.rst.
Change-Id: Ib4712414c48ed922ea62460730a4cd5749a3d481
5 years ago
Zuul 618908919b Merge "Add py36 tox environment" 5 years ago
Colleen Murphy 0db112c4a6 Add py36 tox environment
We already run python3.6 unit tests in CI. Add the py36 environment to
the tox file so that developers with python3.6 available locally can opt
into running that version too.

Change-Id: I499db960450b9628636d503a4d7f1cc163d38e3a
5 years ago
wangqiangbj b134b696f3 fix wrong spelling of "unnecessary"
Change-Id: I1db36cab2a3dce4c1ae1c1de0d17c945e779bd9d
5 years ago
Monty Taylor c6e87c8209
Add missing release note for ironic discovery fix
Change-Id: I3f0a6047ecb0569553d17eb7a066ac7023817c66
5 years ago
Dmitry Tantsur 72288d3b18 Make new-style single endpoint version discovery actually work for ironic
For (unclear) historical reasons the root single version endpoint also
contains "id" and "links" fields. This makes the current workaround
for old-style endpoints take priority over the correct algorithm.
This change reorders the code, so that if "version" is present, it
always take priority over the workaround.

The unit tests are updated to be closer to real output from ironic.

Change-Id: I743b954c6c5b2f986c213acb6ec6af7e08c9f5f8
5 years ago
Sean McGinnis 87ca0d72fa Update sphinx extension logging
Sphinx 1.6 deprecated using the application object to perform logging
and it will be removed in the upcoming 2.0 release. This updates our
extensions to use the recommended sphinx.util.logging instead.

Change-Id: I3abce4e3c147befd0235820cb8850fe18f6dee42
Signed-off-by: Sean McGinnis <>
5 years ago
Monty Taylor e878df1a16
Reformat Adapter docstring
Typing docstrings for the next patch was annoying. Reformat the
docstrings to wrap at the front rather than in visual blocks.

Change-Id: I08fc1e45e032197f3bb0b8311c032b471494ef80
5 years ago
Monty Taylor 106d91fb41
Cache root urls with and without trailing slashes
The trailng slash on a pathless url is not meaningful, but we were
treating the url given to the discovery cache as if it were. In some
circumstances, such as an endpoint_override that didn't match the
found discovery document perfectly, a double-request could be made.
Normalize root urls in the caching code so that and would be the same.

Change-Id: I70a5911cf0f213a7816fe8d58c6cca4702ff71bb
5 years ago