we already fail when mutliple scope identifiers are provided, however
not when system scope is involved. As a result of the undocumented
priority of checks, when system scope is specified together with any
other scope, that other scope will silently be used.
Change-Id: I120ed63f6c1262d067eeb6168feab35278cacf6a
Bump linter requirements - follow the changes
made in keystone in commits
6dfde5b48b388e32e34a385c3a9ef48da7c7c49b and
5c71ebd7a92d25df83e2e7cc5fad9990e9eebbf5 in
order to fix compatibility with Python 3.10.
Remove python-dev from bindep - it's no longer
supported by jammy and lead us to the following
errors with the announce-release job:
```
No package matching 'python-dev' is available
```
Co-Authored-By: Herve Beraud <hberaud@redhat.com>
Change-Id: If687a2678733ce018bd31c602140f073ab1a1a65
Added a new OAuth2ClientCredential plugin, accessible via the
'v3oauth2clientcredential' entry point, making possible to authenticate
using an application credentials as an OAuth2.0 client credentials.
Change-Id: I77d6faef4cbc75abb8e7d86f386fb6d16e40cabf
Without this, it's possible to get HTTP 404 errors from keystone if
OS_AUTH_URL isn't versioned (e.g., https://keystone.example.com/ instead
of https://keystone.example.com/v3), even if OS_IDENTITY_API is set to
3.
This commit works around this issue by checking the AUTH_URL before
building the token_url and appending '/v3' to the URL before sending the
request.
Closes-Bug: 1876317
Change-Id: Ic75f0c9b36022b884105b87bfe05f4f8292d53b2
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Remove hacking and friends from lower-constraints, those are not
needed for co-installing.
Change-Id: I59f0854c089a6ed4f0c4dad7755f946dc95ada3a
Since 'access_token' literal is not an actual token, we can safely
mark it as false positive so bandit can stop chirping.
Change-Id: Ib035b67fe8ec9185507929bf982cf18636411c08
- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
takes method names as strings.
Change-Id: Ie6601a50011118e3a07be9752f747c2298ff5230
Closes-Bug: #1839748
The get_all_version_data method is useful for getting a full listing of
what's going on with version discovery on a cloud. Sometimes though
people just want to see the versions for a specific service. Add a
filter to allow skipping making the version discovery call in the first
place, instead of needing to do that as a post-filtering step.
Change-Id: Ia3ca4be2976d1a5e7914fa8f2adbf7297e8cb1e1
Setting up an Adapter with an endpoint_override, calling
get_endpoint_data() on that adapter, and accessing the `url` @property
of the resulting EndpointData now regurgitates the endpoint_override
initially set on the Adapter.
Change-Id: I1033c97a7b0e19a75fa0d3c5682cf18b75918514
Closes-Bug: #1707993
The last piece of service type alias support is to handle volumev2,
volumev3, workflowv2, workflowv3 and friends.
Although it's an annoying scenario, luckily legacy code that uses them
has a clear meaning. volumev2, version='3' is just legit not a thing.
Needed-By: https://review.openstack.org/564494
Change-Id: Iec09bcb16d8e9b09e09bf12d03c2a55e679ad70c
We're repeating ourselves a bunch with a plain dict that contains the
version data. Make a class to encapsulate it. Make the class a subclass
of dict so that json translation works.
Change-Id: Ic7d122487174a5b0378a8dfaa39514c5cb2a604b
We've got great discovery support, but if someone is wanting to find out
what is available and doesn't otherwise know what they're looking for,
they're out of luck.
Add a method to EndpointData which will return all of the version data
for a given service, and then add a method to the base auth plugin that
will use that method to collect all of the version discovery documents
for every service in the cloud.
This commit adds os-service-types so that the resulting datastructure
can return only official service type keys. A followup patch will also
use os-service-types to allow catalog lookups by service-type alias.
There is a change to the test_identity_common.V2.get_auth_data method
to remove the public and internal urls for keystone from the catalog.
The V3 catalog only has keystone on admin, so this makes them have
equivilent data.
Change-Id: I07243edb939865a5df8b283e7c626874ffd830db
Modify the error message for failed discovery in an attempt to better
help the user fixing the issue.
Include a reference to the actual exception that occured in the
error message. Add SSLError to the list of caught exceptions so that
we can log this case, too.
Add some unit tests to verify the handling of possible exceptions during
version discovery.
Change-Id: I9c26ab35d5515a937e016421e26e844212cb0bb3
Closes-Bug: 1749144
Add the flake8-import-order library to our test requirements so that we
can avoid these PEP8 violations and maintain consistent import ordering.
Also fix our violations.
This library is in requirements but is blacklisted from being
automatically updated since it is never shipped. For now, don't bother
to pin it.
Change-Id: I4e788292b98b7f2f835cc80081763b2d249fe43e
AuthorizationFailure exception class should support
message override
class AuthorizationFailure(base.ClientException):
message = "Cannot authorize API client."
Users will only be able to see the above message
"Cannot authorize API client." which is less useful to debug.
Change-Id: I27ac6ebfb68ba3edad08a5c97b91f4abab9b395f
Closes-Bug: #1745930
This commit introduces the necessary bits in order to get system
scoped tokens from a keystone server.
bp system-scope
Change-Id: I538f2a6cd2b4113910dfdac250c14f17f80051f6
keystoneclient.session has been long deprecated in favor of
keystoneauth1.session. This change corrects entries in the
documentation to use the correct library's session.
Change-Id: I08f8989e335e442787fa4c75497ee4be3a1ec35a
The new 'none' auth plugin and the old 'admin_token' plugin
are subclasses of BaseAuthPluign, not BaseIdentityPlugin.
That means if someone does:
s = session.Session(noauth.NoAuth())
a = adapter.Adapter(s, endpoint_override='https://example.com')
to get an Adapter on an endpoint using the none plugin, then does
either:
a.get_api_major_version()
or:
a.get_endpoint_data()
it will fail because the none plugin doesn't have those methods.
There is, however, nothing about those methods that necessarily needs
authentication. That is, they can work just fine in contexts without
a keystone token or without authentication of any sort.
Ironic/Bifrost is specifically a usecase here, as standalone Ironic
wants to use the 'none' plugin, but consuming the API still needs to
get microversion info from the given endpoint.
Add methods to BaseAuthPlugin that take less arguments since the ones
about finding services in catalogs make zero sense in none/admin_token
context.
Change-Id: Id9bd19cca68206fc64d23b0eaa95aa3e5b01b676
Similar to get_endpoint, which knows it doesn't need full endpoint_data,
if a user just wants to know what major version the discovery process
wound up with, there are cases in which we do not need to fetch
discovery documents. Provide an API call that a user can use when this
is the information they need to avoid them having to play games with
discover_versions settings.
Change-Id: I204a45d1d139a90176bcc2ef8d46decd09b2cd5b
The positional decorator results in poorly maintainable code in
a misguided effort to emulate python3's key-word-arg only notation
and functionality. This patch removes keysteonauth's dependance
on the positional decorator.
Change-Id: I20106345747860365cd0203ba1b33a2900e045b9
We're discouraging the use of the ambiguous and difficult-to-understand
'version' parameter in new discovery methods, instead encouraging the
use of min_version and max_version.
In order to make it possible to get the same functionality, though, we
need a way to say the same thing as version="M.m", which actually means,
"min version is M.m, and max version is the latest within major version
M".
Introducing 'latest' syntax, which can be used in various ways,
including:
min_version='2.3', max_version='2.latest'
...which is equivalent to the old school version='2.3'
Change-Id: Ife842333e25c33e54bbae4c1adb101014cb8e8db
Remove unused `authenticated` kwarg from as-yet-unreleased public API
EndpointData.get_versioned_data, and private method
EndpointData._set_version_info.
Change-Id: I03a9969df4586c79b6b63d44fcb5474dd94e6ba2
Closes-Bug: #1703446
There are a two interrelated pieces in this patch which are around
fixing up places where discovery was being re-run inappropriately.
They fall out from adding tests for the functionality and couldn't
be sanely shifted back further in the stack without a big dance.
Switch the default for "discover_versions" on all of the calls that
return an EndpointData to "True". It's a new feature and is a thing that
doesn't make a ton of sense to call if you don't want discovery run.
However, get_endpoint uses it, so needs to be able to pass in
discover_version=False, so the option is still useful. Make sure that
get_endpoint and other places where ksa calls get_endpoint_data on
behalf of the user work as before without unneeded discovery.
Add tests to show that we use actually use the discovery cache properly when
we've previously done discovery that can satisfy the new request. This
works from the microversion optimization patch, but we had to clean up
a couple of things to show it fully in a test.
Change-Id: I54053336edf1b3c2bd35a77dbd78f56388b8e806
Sometimes, especially in places like service-to-service defaults, it's
very helpful to express a list of values. For instance, when thinking
about nova connecting to ironic, nova would like to have the default
value of "interface" be ['internal', 'public'] - which is to say, use
internal if it's there, but otherwise use public. This use case is covered
in the API-WG specs on discoverability.
Change-Id: I9102155c2d4ef1ef8bbb1d0fa26a5b5838108a4c
In the case where we're just asking for an endpoint, and the endpoint in
the catalog matches the requested version, there is no need to fetch the
version discovery document.
Change-Id: I2c14337a3fcb1369652d43ca68e6a572fef6d425
If a user has provided an endpoint_override, they may still be
interested in version discovery data for the endpoint. Doing that is
always an opt-in behavior, so we set the strictness flag to prevent any
URL manipulations. We'll either return data or None.
Change-Id: I673beafd1e55fd096bb221b2ca6794bb124653b8
Just wanting "latest" isn't the full picture. A client could support,
say, v1 and v2 of an API but not v3 and would like to find an
appropriate matching endpoint.
Add two new arguments, min_version and max_version, rather than
repurpose the version argument.
This changes the behavior of versioned_data_for and versioned_url_for in
the case where version=None. Before that would return None, now it
returns the information about the endpoint that was in the catalog.
The booleans in this are a bit hard to read, as are the fun times with
latest and things being or not being defined. It's time to make the
versions into objects, but we'll do that as a followup.
Change-Id: I8ba948a712002775098b0a86c70f05e0c68250f5
If a user does not specify a version, that means they want whatever is
in the catalog. However, they may still want discovery to be run for
things like microversion information. The new parameter
"discover_versions", if set to True, will run discovery even with no
version parameter. The inverse of this is "skip_discovery" which will
tell keystoneauth to not run discovery even if a version has been given.
Note: This adds some parameters to some methods that get removed by
change I54053336edf1b3c2bd35a77dbd78f56388b8e806 so we should not
actually land this one until we're ready to land the stack up to and
including that one.
Note: This adds two new methods that will have behavior changes in
patch I8ba948a712002775098b0a86c70f05e0c68250f5.
Change-Id: I897c39743089c5994b51336a4ad44eebed33ec35
From the API-WG spec, there are two common patterns for service URLs
that can be interpreted. Trailing project_id and a string that starts
with v. If the project_id is in the URL, it needs to be removed before
discovery can happen, but it needs to be put back on to the url found
via discovery. If the endpointin the catalog has a version, and it
matches the version we're asking for, then we don't need to go hunting
for the unversioned doc.
Also, in the EndpointData we're collecting, we want to grab microversion
info, since we're already there in the discovery doc.
There is one behavior change that can be seen in the tests. If the
attempt at an unversioned discovery endpoint fails, we fall back to the
url from the catalog ... but we attempt to get a discovery document from
it because we need the metadata for microversions. The catalog URL should be
returned as the endpoint even if the second discovery call attempt
succeeds, so the user-facing interface is the same - there will just be,
in some cases, an additional URL fetch behind the scenes.
Change-Id: I2a036d65e4f7dba6f50daf6a0ce4589ee59ae95f
As part of implementing the API-WG spec on version discovery, there are
more version manipulations and logic that need to happen between
fetching from the catalog and doing discovery.
Move the logic for doing that into the discovery file and attach it to
the EndpointData object.
This changes 2 interfaces, but neither of those interfaces have been in
a release.
The method "discover_versions" is renamed to "get_versioned_data" - since
the work it does is actually to get a versioned EndpointData object.
It also now returns a new EndpointData object instead of mutating the
existing one. Especially with the name change, mutation seemed really
off.
Change-Id: Ifeeac7af1ebd9d2d59a30d4503c8bcc0137e9370
Allow the user to pass in a cache dict that will be used
in addition to the session and auth level caches. Make Session
always have a discovery_cache attribute and allow the user to
provide the cache at Session creation time. Finally, rename
the private variable to _discovery_cache from _endpoint_cache
since it's caching discovery objects, not endpoints.
Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Change-Id: I0a0f489fd3bbecc4596e99acafcde1bff4e181f7
The existing version discovery process is awesome, but in the normal flows it
ultimately returns urls, not the full endpoint data, so it's not
possible to know what version was discovered.
Make an EndpointData object that gets created and plumb that through the
stack so that it's possible to request EndpointData instead of just
endpoints. The existing discovery logic is unchanged, and the existing
methods continue to return the data they returned before.
Change-Id: Id48861e7d6d20be16f61cb375a21bca4a43a2500
For explicit unscoped authentication, the keystome server
specifies the scope parameter value as 'unscoped'. However
keystoneauth1 initialises it to {'unscoped': {}}. This
patch removes this inconsistency.
Updated the corresponding test for unscoped request which
checks the scope parameter in auth to match the 'unscoped'
string.
Partial-Bug #1637682
Change-Id: I1c9d89fd86773f4acecbefcdad4dca6cff16b58d
Whilst historically we always wanted keystoneauth to do the most
permissive thing and allow a versioned or unversioned entry in a service
catalog there are now cases where we would prefer to fail when the
catalog is misconfigured. This will allow a client to opt out of
versioned catalog endpoints to insist that the deployment is correctly
configured.
Closes-Bug: #1668484
Change-Id: Ided0e0c7409994f703175fe61bd4043b840bcf1e
The failed to discover message pops up a lot because it means that we
didn't get a sensible response to the version list request a plugin
makes. Debugging this can be a pain, but it's easier if we at least know
the URL that failed to be called.
Change-Id: Ibaa89b43b23ebacb72f441fde01dfd79b927f977
When building keystoneauth docs, the following warning would be
emitted:
docstring of
keystoneauth1.identity.v3.base.AuthMethod.get_auth_data:None:
WARNING: more than one target found for cross-reference u'Auth':
keystoneauth1.identity.v2.Auth,
keystoneauth1.identity.v3.base.Auth,
keystoneauth1.identity.v3.Auth
for the following files:
keystoneauth/keystoneauth1/identity/v3/base.py:docstring of
keystoneauth/keystoneauth1/identity/v3/__init__.py
This change specifies the correct Auth object in get_auth_data's
docstring and the two warnings no longer appear
Change-Id: I2b204c9dfac1b6578620048ebbdf2c2b00ab5248
1.As mentioned in [1], we should avoid using
six.iteritems to achieve iterators. We can
use dict.items instead, as it will return
iterators in PY3 as well. And dict.items/keys
will more readable. 2.In py2, the performance
about list should be negligible, see the link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Change-Id: I9f8f2c35f0d45d866076507a3a167aaafb8382e5
Currently, the plugins supported in the generic plugins all have a
reathenticate option, however, this is not passed anywhere in the
generic plugin interface. This adds it to the base class in order to
support this, and provide a more interchangeable interface between
the version-specific plugins and the generic one.
Change-Id: I35f1c9dcd20017b9c442b04c142e46cad4d15eb4
Closes-Bug: #1643782
Pavlo Shchelokovskyy