Commit Graph

118 Commits (6ee21bd722b3e1dbec3e5a211e32f10fb2a20603)

Author SHA1 Message Date
Pavlo Shchelokovskyy ae646f8d37 Enforce scope mutual exclusion for system
We already fail when multiple scope identifiers are provided, however
not when system scope is involved. As a result of the undocumented
priority of checks, when system scope is specified together with any
other scope, that other scope will silently be used.

Change-Id: I120ed63f6c1262d067eeb6168feab35278cacf6a
2022-12-02 18:03:47 +00:00
Hervé Beraud 11faa0e67d Fix linters and bindep on jammy
Bump linter requirements - follow the changes
made in keystone in commits
6dfde5b48b388e32e34a385c3a9ef48da7c7c49b and
5c71ebd7a92d25df83e2e7cc5fad9990e9eebbf5 in
order to fix compatibility with Python 3.10.

Remove python-dev from bindep - it's no longer
supported by jammy and leads us to the following
errors with the announce-release job:

No package matching 'python-dev' is available

Co-Authored-By: Herve Beraud <>
Change-Id: If687a2678733ce018bd31c602140f073ab1a1a65
2022-12-01 12:14:33 +00:00
Yi Feng aa9c5d230f OAuth2.0 Client Credentials Grant Flow Support
Added a new OAuth2ClientCredential plugin, accessible via the
'v3oauth2clientcredential' entry point, making possible to authenticate
using an application credential as an OAuth2.0 client credential.

Change-Id: I77d6faef4cbc75abb8e7d86f386fb6d16e40cabf
2022-08-30 06:29:20 +00:00
Lance Bragstad ad46262148 Inject /v3 in token path for v3 plugins
Without this, it's possible to get HTTP 404 errors from keystone if
OS_AUTH_URL isn't versioned (e.g., instead
of, even if OS_IDENTITY_API is set to

This commit works around this issue by checking the AUTH_URL before
building the token_url and appending '/v3' to the URL before sending the

Closes-Bug: 1876317

Change-Id: Ic75f0c9b36022b884105b87bfe05f4f8292d53b2
2020-05-22 09:38:27 -05:00
Andreas Jaeger c096099416 Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Fix problems found.

Update local hacking checks for new flake8.

Remove hacking and friends from lower-constraints, those are not
needed for co-installing.

Change-Id: I59f0854c089a6ed4f0c4dad7755f946dc95ada3a
2020-03-31 20:11:31 +02:00
Guang Yee 81f9e07879 Fix bandit complaints
Since 'access_token' literal is not an actual token, we can safely
mark it as false positive so bandit can stop chirping.

Change-Id: Ib035b67fe8ec9185507929bf982cf18636411c08
2020-01-07 13:52:49 -08:00
Adrian Turjak 6a69e4dfbd add support for auth_receipts and multi-method auth
- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
  takes method names as strings.

Change-Id: Ie6601a50011118e3a07be9752f747c2298ff5230
Closes-Bug: #1839748
2019-08-14 11:51:28 +12:00
Monty Taylor 83be7453fa Add ability to filter version data by service-type
The get_all_version_data method is useful for getting a full listing of
what's going on with version discovery on a cloud. Sometimes though
people just want to see the versions for a specific service. Add a
filter to allow skipping making the version discovery call in the first
place, instead of needing to do that as a post-filtering step.

Change-Id: Ia3ca4be2976d1a5e7914fa8f2adbf7297e8cb1e1
2018-07-23 18:41:18 -05:00
Zuul 775550d256 Merge "Return the endpoint_override from EndpointData" 2018-05-16 21:52:28 +00:00
Eric Fried 8a963de05a Return the endpoint_override from EndpointData
Setting up an Adapter with an endpoint_override, calling
get_endpoint_data() on that adapter, and accessing the `url` @property
of the resulting EndpointData now regurgitates the endpoint_override
initially set on the Adapter.

Change-Id: I1033c97a7b0e19a75fa0d3c5682cf18b75918514
Closes-Bug: #1707993
2018-05-16 10:30:48 -05:00
Monty Taylor 5c79260971 Infer version from old versioned service type aliases
The last piece of service type alias support is to handle volumev2,
volumev3, workflowv2, workflowv3 and friends.

Although it's an annoying scenario, luckily legacy code that uses them
has a clear meaning. volumev2, version='3' is just legit not a thing.

Change-Id: Iec09bcb16d8e9b09e09bf12d03c2a55e679ad70c
2018-05-03 15:28:54 -05:00
Monty Taylor 57f9736329 Make VersionData class
We're repeating ourselves a bunch with a plain dict that contains the
version data. Make a class to encapsulate it. Make the class a subclass
of dict so that json translation works.

Change-Id: Ic7d122487174a5b0378a8dfaa39514c5cb2a604b
2018-05-03 15:28:54 -05:00
Monty Taylor d6670ee5c9 Add methods to get all of the version data
We've got great discovery support, but if someone is wanting to find out
what is available and doesn't otherwise know what they're looking for,
they're out of luck.

Add a method to EndpointData which will return all of the version data
for a given service, and then add a method to the base auth plugin that
will use that method to collect all of the version discovery documents
for every service in the cloud.

This commit adds os-service-types so that the resulting datastructure
can return only official service type keys. A followup patch will also
use os-service-types to allow catalog lookups by service-type alias.

There is a change to the test_identity_common.V2.get_auth_data method
to remove the public and internal urls for keystone from the catalog.
The V3 catalog only has keystone on admin, so this makes them have
equivalent data.

Change-Id: I07243edb939865a5df8b283e7c626874ffd830db
2018-05-03 15:28:54 -05:00
Monty Taylor 0c6094631a Fix W503 line-break-before-binary-operator
This just started happening. It's only two places though, so just fix

Change-Id: I00ae56543a2a9f24e35744bb35e7984edc2712d2
2018-04-13 10:47:35 -05:00
Jens Harbott 26cb0f6fcb Be more helpful when version discovery fails
Modify the error message for failed discovery in an attempt to better
help the user fixing the issue.

Include a reference to the actual exception that occurred in the
error message. Add SSLError to the list of caught exceptions so that
we can log this case, too.

Add some unit tests to verify the handling of possible exceptions during
version discovery.

Change-Id: I9c26ab35d5515a937e016421e26e844212cb0bb3
Closes-Bug: 1749144
2018-03-21 09:17:01 +00:00
Zuul 80bfea8b3b Merge "Override support message in AuthorizationFailure class" 2018-02-24 02:50:33 +00:00
Colleen Murphy 8bd6312ebc Add pep8 import order validation
Add the flake8-import-order library to our test requirements so that we
can avoid these PEP8 violations and maintain consistent import ordering.
Also fix our violations.

This library is in requirements but is blacklisted from being
automatically updated since it is never shipped. For now, don't bother
to pin it.

Change-Id: I4e788292b98b7f2f835cc80081763b2d249fe43e
2018-02-15 20:07:04 +01:00
deepak_mourya 6c309e2bc2 Override support message in AuthorizationFailure class
AuthorizationFailure exception class should support
message override

class AuthorizationFailure(base.ClientException):
    message = "Cannot authorize API client."

Users will only be able to see the above message
"Cannot authorize API client." which is less useful to debug.

Change-Id: I27ac6ebfb68ba3edad08a5c97b91f4abab9b395f
Closes-Bug: #1745930
2018-02-12 12:14:38 +05:30
Zuul 33ae93d8c4 Merge "Add support for application credentials" 2018-01-19 22:45:45 +00:00
Colleen Murphy c2ae9e298e Add support for application credentials
Add new auth classes and loading options for application credentials.

Change-Id: If267c17eecc2c4acaf62e27276afc185c1ae3616
2018-01-18 13:16:54 +01:00
Lance Bragstad f9ab615eb1 Implement system scope
This commit introduces the necessary bits in order to get system
scoped tokens from a keystone server.

bp system-scope

Change-Id: I538f2a6cd2b4113910dfdac250c14f17f80051f6
2018-01-17 15:50:11 +00:00
Jenkins 89333b6fa0 Merge "Add version discovery support to BaseAuthPlugin" 2017-10-06 17:11:08 +00:00
Gage Hugo 65dffd87fa Correct docs usage of keystoneauth1 session
keystoneclient.session has been long deprecated in favor of
keystoneauth1.session. This change corrects entries in the
documentation to use the correct library's session.

Change-Id: I08f8989e335e442787fa4c75497ee4be3a1ec35a
2017-09-22 10:06:34 -05:00
Monty Taylor 46286b1cf9 Add version discovery support to BaseAuthPlugin
The new 'none' auth plugin and the old 'admin_token' plugin
are subclasses of BaseAuthPlugin, not BaseIdentityPlugin.
That means if someone does:

  s = session.Session(noauth.NoAuth())
  a = adapter.Adapter(s, endpoint_override='')

to get an Adapter on an endpoint using the none plugin, then does




it will fail because the none plugin doesn't have those methods.

There is, however, nothing about those methods that necessarily needs
authentication. That is, they can work just fine in contexts without
a keystone token or without authentication of any sort.

Ironic/Bifrost is specifically a usecase here, as standalone Ironic
wants to use the 'none' plugin, but consuming the API still needs to
get microversion info from the given endpoint.

Add methods to BaseAuthPlugin that take fewer arguments since the ones
about finding services in catalogs make zero sense in none/admin_token

Change-Id: Id9bd19cca68206fc64d23b0eaa95aa3e5b01b676
2017-09-06 15:43:30 -05:00
Jenkins 0f3ab677a0 Merge "Fix docstring typo" 2017-08-24 19:32:05 +00:00
Jenkins 31c24c4bd9 Merge "Add method to get the api major version" 2017-08-24 19:31:52 +00:00
Jenkins ae66931463 Merge "Don't use mutable defaults in allow arguments" 2017-08-24 18:49:16 +00:00
Monty Taylor 322557ac92 Fix docstring typo
Change-Id: Ic73865c748009dafb09c5201dd01d5579bc75f35
2017-08-24 10:08:49 -04:00
Monty Taylor 0fa07d01c5 Add method to get the api major version
Similar to get_endpoint, which knows it doesn't need full endpoint_data,
if a user just wants to know what major version the discovery process
wound up with, there are cases in which we do not need to fetch
discovery documents. Provide an API call that a user can use when this
is the information they need to avoid them having to play games with
discover_versions settings.

Change-Id: I204a45d1d139a90176bcc2ef8d46decd09b2cd5b
2017-08-24 09:13:16 -04:00
Monty Taylor 2ef98f637e Don't use mutable defaults in allow arguments
Not sure how these got here, but they shouldn't stay.

Change-Id: Ib584b9e7201fd8afeb5779c64f8368f2df96bcbf
2017-08-24 08:37:44 -04:00
Morgan Fainberg 335a8cdf03 Remove use of positional decorator
The positional decorator results in poorly maintainable code in
a misguided effort to emulate python3's key-word-arg only notation
and functionality. This patch removes keystoneauth's dependence
on the positional decorator.

Change-Id: I20106345747860365cd0203ba1b33a2900e045b9
2017-08-07 16:37:07 -07:00
Eric Fried 699fac136f Discourage 'version' and accept 'M.latest'
We're discouraging the use of the ambiguous and difficult-to-understand
'version' parameter in new discovery methods, instead encouraging the
use of min_version and max_version.

In order to make it possible to get the same functionality, though, we
need a way to say the same thing as version="M.m", which actually means,
"min version is M.m, and max version is the latest within major version

Introducing 'latest' syntax, which can be used in various ways,

min_version='2.3', max_version='2.latest'

...which is equivalent to the old school version='2.3'

Change-Id: Ife842333e25c33e54bbae4c1adb101014cb8e8db
2017-07-19 12:38:14 -05:00
Eric Fried 498320a5fb Nix EndpointData.get_versioned_data(authenticated)
Remove unused `authenticated` kwarg from as-yet-unreleased public API
EndpointData.get_versioned_data, and private method

Change-Id: I03a9969df4586c79b6b63d44fcb5474dd94e6ba2
Closes-Bug: #1703446
2017-07-10 14:44:47 -05:00
Monty Taylor 429b19c88c Ensure we discover only when we should
There are two interrelated pieces in this patch which are around
fixing up places where discovery was being re-run inappropriately.
They fall out from adding tests for the functionality and couldn't
be sanely shifted back further in the stack without a big dance.

Switch the default for "discover_versions" on all of the calls that
return an EndpointData to "True". It's a new feature and is a thing that
doesn't make a ton of sense to call if you don't want discovery run.
However, get_endpoint uses it, so needs to be able to pass in
discover_version=False, so the option is still useful. Make sure that
get_endpoint and other places where ksa calls get_endpoint_data on
behalf of the user work as before without unneeded discovery.

Add tests to show that we actually use the discovery cache properly when
we've previously done discovery that can satisfy the new request. This
works from the microversion optimization patch, but we had to clean up
a couple of things to show it fully in a test.

Change-Id: I54053336edf1b3c2bd35a77dbd78f56388b8e806
2017-06-29 08:03:35 -05:00
Monty Taylor 2b949de8e9 Support a list of interface values
Sometimes, especially in places like service-to-service defaults, it's
very helpful to express a list of values. For instance, when thinking
about nova connecting to ironic, nova would like to have the default
value of "interface" be ['internal', 'public'] - which is to say, use
internal if it's there, but otherwise use public. This use case is covered
in the API-WG specs on discoverability.

Change-Id: I9102155c2d4ef1ef8bbb1d0fa26a5b5838108a4c
2017-06-29 08:03:34 -05:00
Monty Taylor 46054f42d4 Optimize matching version no microversion needed
In the case where we're just asking for an endpoint, and the endpoint in
the catalog matches the requested version, there is no need to fetch the
version discovery document.

Change-Id: I2c14337a3fcb1369652d43ca68e6a572fef6d425
2017-06-29 08:03:34 -05:00
Monty Taylor d2ef0287a3 Plumb endpoint_override through get_endpoint_data
If a user has provided an endpoint_override, they may still be
interested in version discovery data for the endpoint. Doing that is
always an opt-in behavior, so we set the strictness flag to prevent any
URL manipulations. We'll either return data or None.

Change-Id: I673beafd1e55fd096bb221b2ca6794bb124653b8
2017-06-29 08:03:34 -05:00
Monty Taylor d658f84a0f Add support for version ranges
Just wanting "latest" isn't the full picture. A client could support,
say, v1 and v2 of an API but not v3 and would like to find an
appropriate matching endpoint.

Add two new arguments, min_version and max_version, rather than
repurpose the version argument.

This changes the behavior of versioned_data_for and versioned_url_for in
the case where version=None. Before that would return None, now it
returns the information about the endpoint that was in the catalog.

The booleans in this are a bit hard to read, as are the fun times with
latest and things being or not being defined. It's time to make the
versions into objects, but we'll do that as a followup.

Change-Id: I8ba948a712002775098b0a86c70f05e0c68250f5
2017-06-29 08:03:25 -05:00
Monty Taylor cdc10d8741 Add flags to turn discovery on and off
If a user does not specify a version, that means they want whatever is
in the catalog. However, they may still want discovery to be run for
things like microversion information. The new parameter
"discover_versions", if set to True, will run discovery even with no
version parameter. The inverse of this is "skip_discovery" which will
tell keystoneauth to not run discovery even if a version has been given.

Note: This adds some parameters to some methods that get removed by
change I54053336edf1b3c2bd35a77dbd78f56388b8e806 so we should not
actually land this one until we're ready to land the stack up to and
including that one.

Note: This adds two new methods that will have behavior changes in
patch I8ba948a712002775098b0a86c70f05e0c68250f5.

Change-Id: I897c39743089c5994b51336a4ad44eebed33ec35
2017-06-29 07:39:18 -05:00
Monty Taylor a4066a86b5 Add url manipulation and microversion collection
From the API-WG spec, there are two common patterns for service URLs
that can be interpreted. Trailing project_id and a string that starts
with v. If the project_id is in the URL, it needs to be removed before
discovery can happen, but it needs to be put back on to the url found
via discovery. If the endpoint in the catalog has a version, and it
matches the version we're asking for, then we don't need to go hunting
for the unversioned doc.

Also, in the EndpointData we're collecting, we want to grab microversion
info, since we're already there in the discovery doc.

There is one behavior change that can be seen in the tests. If the
attempt at an unversioned discovery endpoint fails, we fall back to the
url from the catalog ... but we attempt to get a discovery document from
it because we need the metadata for microversions. The catalog URL should be
returned as the endpoint even if the second discovery call attempt
succeeds, so the user-facing interface is the same - there will just be,
in some cases, an additional URL fetch behind the scenes.

Change-Id: I2a036d65e4f7dba6f50daf6a0ce4589ee59ae95f
2017-06-26 06:00:34 -05:00
Monty Taylor e89e354335 Move version discovery logic to
As part of implementing the API-WG spec on version discovery, there are
more version manipulations and logic that need to happen between
fetching from the catalog and doing discovery.

Move the logic for doing that into the discovery file and attach it to
the EndpointData object.

This changes 2 interfaces, but neither of those interfaces have been in
a release.

The method "discover_versions" is renamed to "get_versioned_data" - since
the work it does is actually to get a versioned EndpointData object.

It also now returns a new EndpointData object instead of mutating the
existing one. Especially with the name change, mutation seemed really

Change-Id: Ifeeac7af1ebd9d2d59a30d4503c8bcc0137e9370
2017-06-26 06:00:31 -05:00
Monty Taylor 68e0fe5179 Rework discovery cache
Allow the user to pass in a cache dict that will be used
in addition to the session and auth level caches. Make Session
always have a discovery_cache attribute and allow the user to
provide the cache at Session creation time. Finally, rename
the private variable to _discovery_cache from _endpoint_cache
since it's caching discovery objects, not endpoints.

Co-Authored-By: Samuel de Medeiros Queiroz <>
Change-Id: I0a0f489fd3bbecc4596e99acafcde1bff4e181f7
2017-06-25 16:31:27 -05:00
Monty Taylor 337e5af637 Add returning EndpointData objects from discovery
The existing version discovery process is awesome, but in the normal flows it
ultimately returns urls, not the full endpoint data, so it's not
possible to know what version was discovered.

Make an EndpointData object that gets created and plumb that through the
stack so that it's possible to request EndpointData instead of just
endpoints. The existing discovery logic is unchanged, and the existing
methods continue to return the data they returned before.

Change-Id: Id48861e7d6d20be16f61cb375a21bca4a43a2500
2017-06-09 09:01:54 -05:00
Samriddhi d0cdc355a4 Updated inconsistent value of scope parameter
For explicit unscoped authentication, the keystone server
specifies the scope parameter value as 'unscoped'. However
keystoneauth1 initialises it to {'unscoped': {}}. This
patch removes this inconsistency.

Updated the corresponding test for unscoped request which
checks the scope parameter in auth to match the 'unscoped'

Partial-Bug #1637682

Change-Id: I1c9d89fd86773f4acecbefcdad4dca6cff16b58d
2017-04-04 19:51:18 +05:30
Jamie Lennox 3ce5cb4bf6 Add an allow_version_hack flag to session and identity plugins.
Whilst historically we always wanted keystoneauth to do the most
permissive thing and allow a versioned or unversioned entry in a service
catalog there are now cases where we would prefer to fail when the
catalog is misconfigured. This will allow a client to opt out of
versioned catalog endpoints to insist that the deployment is correctly

Closes-Bug: #1668484
Change-Id: Ided0e0c7409994f703175fe61bd4043b840bcf1e
2017-02-28 19:21:55 +11:00
Jamie Lennox 3364703d3b Include the auth_url in the discovery failure message
The failed to discover message pops up a lot because it means that we
didn't get a sensible response to the version list request a plugin
makes. Debugging this can be a pain, but it's easier if we at least know
the URL that failed to be called.

Change-Id: Ibaa89b43b23ebacb72f441fde01dfd79b927f977
2017-02-24 10:30:41 -05:00
Gage Hugo fe5ded5e80 Fixed multiple target Auth warning in docstring
When building keystoneauth docs, the following warning would be

docstring of
WARNING: more than one target found for cross-reference u'Auth':

for the following files:

keystoneauth/keystoneauth1/identity/v3/ of

This change specifies the correct Auth object in get_auth_data's
docstring and the two warnings no longer appear

Change-Id: I2b204c9dfac1b6578620048ebbdf2c2b00ab5248
2017-02-08 15:25:35 -06:00
gengchc2 a00b8d844d Replace six.iteritems() with .items()
1. As mentioned in [1], we should avoid using six.iteritems to achieve
   iterators. We can use dict.items instead, as it will return iterators
   in PY3 as well. And dict.items/keys will be more readable.
2. In py2, the performance about list should be negligible, see the link [2].

Change-Id: I9f8f2c35f0d45d866076507a3a167aaafb8382e5
2016-12-09 10:59:00 +08:00
Juan Antonio Osorio Robles 08539ec4d6 Add reauthenticate to generic plugins
Currently, the plugins supported in the generic plugins all have a
reauthenticate option, however, this is not passed anywhere in the
generic plugin interface. This adds it to the base class in order to
support this, and provide a more interchangeable interface between
the version-specific plugins and the generic one.

Change-Id: I35f1c9dcd20017b9c442b04c142e46cad4d15eb4
Closes-Bug: #1643782
2016-11-22 09:59:14 +02:00
melissaml f2242de6fe Fix a typo in

Change-Id: I6e7ea9bafd59a0915d3f88df595a0653af2a0f1e
2016-11-17 23:10:23 +08:00