- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
takes method names as strings.
Change-Id: Ie6601a50011118e3a07be9752f747c2298ff5230
Closes-Bug: #1839748
Clients like ironicclient and swiftclient use fixed delay for their
built-in retry functionality. To replace it without changing behavior
we need a similar feature.
Change-Id: I1f9de98dae5719842f03d45e5a9d724199d5718b
Adds a release note for the per-request global_request_id kwarg that was
added via [1].
[1] Ied73320fcd813ae796e40cbdb30717900486b92c
Change-Id: I2c347e928b20c9533dc2758adc75bc8fdd78c006
Adapter.__init__ takes a global_request_id which causes the
X-Openstack-Request-Id header to be set on each request. This is fine if
the Adapter is used for only one "request" (in the sense of e.g. "a
server create" -- see [1]), but is too broad if the Adapter is reused
for multiple requests. For example, Nova's SchedulerReportClient (used
to communicate with Placement) creates a single instance of Adapter for
the life of the process [2][3][4]. Openstack SDK's Proxy objects [5]
endure for the life of a Connection.
So what is needed is a way to manage the X-Openstack-Request-Id header
on a per-request basis.
This commit adds a global_request_id kwarg to
keystoneauth1.session.Session.request, which is the funnel point for all
requests coming through Adapter as well as Session itself. (All the
methods feeding into that one already accept and pass through arbitrary
**kwargs.) If present, the value in the X-Openstack-Request-Id header is
set accordingly. Note that this will *override*
Adapter.global_request_id, which is exactly what we want, as described
above.
[1] http://specs.openstack.org/openstack/oslo-specs/specs/pike/global-req-id.html
[2] bea9058f02/nova/scheduler/client/report.py (L200)
[3] bea9058f02/nova/scheduler/client/report.py (L243)
[4] bea9058f02/nova/utils.py (L1219-L1221)
[5] bf6651f149/openstack/proxy.py (L114)
Change-Id: Ied73320fcd813ae796e40cbdb30717900486b92c
Currently it grows exponentially, exceeding 1 hour after 15 retries.
While we don't expect people to have so many retries, we should not
let them shoot their legs.
Change-Id: I01dfaa1c379340a0d41fcfdb07298fdef6110941
The latest version of bandit has broken directory
exclusion, so multiple test files are getting
flagged. This change blocks version 1.6.0 while
this issue is fixed for 1.6.1.
This change also caps sphinx at <2.0.0 for python version 2.7.
Change-Id: Id4db764200be068df0dbe96306c2d53f79b49af7
Subclasses of keystoneauth1.adapter.Adapter, such as openstacksdk's
openstack.proxy.Proxy [1], would like to be able to obtain configuration
from oslo_config conf options.
This commit splits the conf processing logic out of
keystoneauth1.loading.adapter.Adapter.load_from_conf_options (aka
keystoneauth1.loading.load_adapter_from_conf_options) into a helper
method, keystoneauth1.loading.adapter.process_conf_options.
This is a straight refactor, so no test changes are necessary.
[1] 16f2dbe3b0/openstack/proxy.py (L113)
Change-Id: I250c431ccf3883901f7dce151bc5011ac305f829
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: I7f3066154f30f3449e4bc54704ca01780ba10d6d
Sem-Ver: feature
When using keystoneclient sessions, the new parameter is not available
and breaks the keystoneclient unit tests[1]. Only use the semaphore
kwarg when using keystoneauth sessions.
[1] https://review.openstack.org/640953
Change-Id: I0cc7f2514e143ec532d8fb895618f7cf1fea9cc3
Python 3.5 was the target runtime for the Rocky release.
The current target py3 runtime for Stein is Python 3.6,
so there is no reason to keep testing against the older version. Also
correct setup.cfg and tox.ini to reflect the current supported Python
versions.
https://governance.openstack.org/tc/reference/runtimes/stein.html#python-runtime-for-stein
Change-Id: I9d1b57b981269fea3afe39cf524350f3c4a7d944
shade/openstacksdk has implemented client-side rate limiting on top of
keystoneauth for ages and uses it extensively in nodepool. As part of an
effort to refactor that code a new approach was devised which was much
simpler and therefore suitable for inclusion in keystoneauth directly.
The underlying goal is two-fold, but fundamentally is about allowing a
user to add some settings so that they can avoid slamming their cloud.
First, allow a user to express that they never want to exceed a given
rate. Second, allow a user to limit the number of concurrent requests
allowed to be in flight.
The settings and logic are added to Adapter and not Session so that the
settings can easily be per-service. There is no need to block requests
to nova on a neutron rate limit, after all.
Co-Authored-By: Ian Wienand <iwienand@redhat.com>
Needed-By: https://review.openstack.org/604926
Change-Id: Ic831e03a37d804f45b7ee58c87f92fa0f4411ad8
To help enable testing authenticating with application credentials in
keystonemiddleware we need the keystoneauth token fixtures to support
application credentials. This change adds application credentials to the
fixtures along with mocking of the new access rules attribute. Additionally,
add support for the new attribute in the AccessInfoV3 object so that
it will fully represent the new structure.
bp whitelist-extension-for-app-creds
Change-Id: Ia6fece77390942ac012be1c80691ba86dc1e49b4
Since application credentials are used in some tokens it is important
to expose those attributes in the AccessInfoV3 object in the same way we
expose other token data.
Change-Id: I36a0b8dd275df8fcee556ed305c34c16a90384e8
Small cleanups:
* Use openstack-lower-constraints-jobs template, remove individual
jobs.
* Sort list of templates
Change-Id: Ib3faad6ed1a286376d5b60ce33f8cb757a9eda6b
Needed-By: https://review.openstack.org/623229
On a cloud that has inaccessible version discovery documents AND uses
integer project ids, the discovery fallback logic can fail because the
project id parses as a (very large) version.
Check to see that the url segment in the fallback code begins with a v,
so that we're only attempting to parse versions from actual candidate
segments.
Closes-Bug: #1806109
Change-Id: Id90b3b9e4852494a4678b0a9bb67362babdc971c
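
Added example, not part of the commit above and not keystoneauth's own code: a simplified right-to-left scan of URL path segments for a version, showing how an integer project id is read as a version unless candidate segments must begin with "v". The function names and sample URLs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample endpoints (not taken from any real cloud).
INT_PROJECT_URL = "https://compute.example.com/v2.1/1234567890"
HEX_PROJECT_URL = "https://compute.example.com/v2.1/5f1e0c9a7b2d4e6f"


def parse_version(segment):
    """Parse 'v2.1', '2.1' or '3' into a tuple of ints; None if not numeric."""
    text = segment[1:] if segment[:1] in ("v", "V") else segment
    parts = text.split(".")
    if not text or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def version_from_url(url, require_v_prefix=True):
    """Return the version in the last matching path segment, or None.

    Stands in for a fallback used when the discovery document
    cannot be fetched and the version must be guessed from the URL.
    """
    segments = [s for s in urlsplit(url).path.split("/") if s]
    for segment in reversed(segments):
        if require_v_prefix and not segment.lower().startswith("v"):
            continue  # integer project ids and other path parts are skipped
        version = parse_version(segment)
        if version is not None:
            return version
    return None


if __name__ == "__main__":
    # Without the check, the project id is taken as a (very large) version.
    print(version_from_url(INT_PROJECT_URL, require_v_prefix=False))
    # With the check, only the 'v2.1' segment is a candidate.
    print(version_from_url(INT_PROJECT_URL, require_v_prefix=True))
    # A non-integer project id never parsed as a version in the first place.
    print(version_from_url(HEX_PROJECT_URL, require_v_prefix=False))
```
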
We already run python3.6 unit tests in CI. Add the py36 environment to
the tox file so that developers with python3.6 available locally can opt
into running that version too.
Change-Id: I499db960450b9628636d503a4d7f1cc163d38e3a
For (unclear) historical reasons the root single version endpoint also
contains "id" and "links" fields. This makes the current workaround
for old-style endpoints take priority over the correct algorithm.
This change reorders the code, so that if "version" is present, it
always takes priority over the workaround.
The unit tests are updated to be closer to real output from ironic.
Change-Id: I743b954c6c5b2f986c213acb6ec6af7e08c9f5f8
Sphinx 1.6 deprecated using the application object to perform logging
and it will be removed in the upcoming 2.0 release. This updates our
extensions to use the recommended sphinx.util.logging instead.
Change-Id: I3abce4e3c147befd0235820cb8850fe18f6dee42
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Typing docstrings for the next patch was annoying. Reformat the
docstrings to wrap at the front rather than in visual blocks.
Change-Id: I08fc1e45e032197f3bb0b8311c032b471494ef80
The trailing slash on a pathless url is not meaningful, but we were
treating the url given to the discovery cache as if it were. In some
circumstances, such as an endpoint_override that didn't match the
found discovery document perfectly, a double-request could be made.
Normalize root urls in the caching code so that https://example.com and
https://example.com/ would be the same.
Change-Id: I70a5911cf0f213a7816fe8d58c6cca4702ff71bb
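
Added example, not part of the commit above and not keystoneauth's own code: a toy discovery cache keyed by URL, showing the double request caused by treating https://example.com and https://example.com/ as different keys, and the effect of normalizing root URLs. The class and function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_root_url(url):
    """Drop the trailing slash only when the URL has no real path."""
    parts = urlsplit(url)
    if parts.path in ("", "/"):
        parts = parts._replace(path="")
    return urlunsplit(parts)


class DiscoveryCache:
    """Toy cache: one fetch per distinct cache key."""

    def __init__(self, fetch, normalize=True):
        self._fetch = fetch          # callable standing in for the HTTP GET
        self._normalize = normalize
        self._docs = {}

    def get(self, url):
        key = normalize_root_url(url) if self._normalize else url
        if key not in self._docs:
            self._docs[key] = self._fetch(key)
        return self._docs[key]


def count_fetches(urls, normalize):
    """Return how many backend requests a sequence of lookups causes."""
    calls = []
    cache = DiscoveryCache(lambda u: calls.append(u) or {"url": u}, normalize)
    for url in urls:
        cache.get(url)
    return len(calls)


if __name__ == "__main__":
    lookups = ["https://example.com", "https://example.com/"]  # constructed
    print(count_fetches(lookups, normalize=False))  # two requests
    print(count_fetches(lookups, normalize=True))   # one request
```
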