Commit Graph

109 Commits (6ee21bd722b3e1dbec3e5a211e32f10fb2a20603)

Author SHA1 Message Date
Yi Feng aa9c5d230f OAuth2.0 Client Credentials Grant Flow Support
Added a new OAuth2ClientCredential plugin, accessible via the
'v3oauth2clientcredential' entry point, making it possible to authenticate
using application credentials as OAuth2.0 client credentials.

Change-Id: I77d6faef4cbc75abb8e7d86f386fb6d16e40cabf
2022-08-30 06:29:20 +00:00
Cyril Roelandt bb7c630504 Improve help messages for a few options
Closes-Bug: #1962037
Change-Id: If082a7f4cc09ffc42c68081dd43c2808b6c5f8a9
2022-02-23 20:59:08 +01:00
Steve Baker ff68663217 Implement HTTP Basic client support in keystoneauth1
A new basic auth plugin is added which enables HTTP Basic
authentication for standalone services. Like the noauth plugin, the
endpoint needs to be specified explicitly, along with the
username and password.

An example of a standalone server implementing HTTP Basic can be seen
in Ironic change https://review.opendev.org/#/c/727467/

Change-Id: Ib3f0a9c518d031a67f9605cf64a8a9cc81131ed3
Story: 2007656
Task: 39741
2020-06-15 10:26:35 +12:00
Andreas Jaeger c096099416 Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Fix problems found.

Update local hacking checks for new flake8.

Remove hacking and friends from lower-constraints, those are not
needed for co-installing.

Change-Id: I59f0854c089a6ed4f0c4dad7755f946dc95ada3a
2020-03-31 20:11:31 +02:00
Adrian Turjak 6a69e4dfbd add support for auth_receipts and multi-method auth
- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
  takes method names as strings.

Change-Id: Ie6601a50011118e3a07be9752f747c2298ff5230
Closes-Bug: #1839748
2019-08-14 11:51:28 +12:00
Dmitry Tantsur bca9ee7d3c Allow requesting fixed retry delay instead of exponential
Clients like ironicclient and swiftclient use fixed delay for their
built-in retry functionality. To replace it without changing behavior
we need a similar feature.

Change-Id: I1f9de98dae5719842f03d45e5a9d724199d5718b
2019-07-29 13:07:38 +02:00
Dmitry Tantsur 92921c6016 Allow setting retry counts for Adapter via configuration options
Change-Id: I67ba69bfff69676ceb28b8a7515f10f5eff21c4c
2019-06-19 15:24:11 +02:00
Eric Fried f83f3fb750 Factor Adapter conf-processing logic into a helper
Subclasses of keystoneauth1.adapter.Adapter, such as openstacksdk's
openstack.proxy.Proxy [1], would like to be able to obtain configuration
from oslo_config conf options.

This commit splits the conf processing logic out of
keystoneauth1.loading.adapter.Adapter.load_from_conf_options (aka
keystoneauth1.loading.load_adapter_from_conf_options) into a helper
method, keystoneauth1.loading.adapter.process_conf_options.

This is a straight refactor, so no test changes are necessary.

[1] 16f2dbe3b0/openstack/proxy.py (L113)

Change-Id: I250c431ccf3883901f7dce151bc5011ac305f829
2019-03-18 10:45:51 -05:00
Monty Taylor 80323289c7 Add oslo.config option for split-loggers
For people creating Sessions via load_from_conf_options, such as
the OpenStack services, turning on split-loggers needs to be done in a
config file. In order to do that, we need to expose it in the conf
options list.

Don't add it to the argparse options for now - it would just add another
command line option that is less likely to see use.

Change-Id: I106c6acbe306e581d293612630ec810c11d9d61c
2018-05-16 15:42:03 -05:00
Monty Taylor 244780fba8 Collect timing information for API calls
python-openstackclient does this in a wrapper class around Session,
and openstacksdk does something similar that could be removed if support
were directly in keystoneauth.

Add this so that we can remove the custom wrapper/manipulation in
openstackclient and openstacksdk.

Change-Id: Icf00c66f57d20d2cef724c233160d3b1e0d52102
2018-05-16 15:41:59 -05:00
Zuul 33ae93d8c4 Merge "Add support for application credentials" 2018-01-19 22:45:45 +00:00
Colleen Murphy c2ae9e298e Add support for application credentials
Add new auth classes and loading options for application credentials.

Change-Id: If267c17eecc2c4acaf62e27276afc185c1ae3616
2018-01-18 13:16:54 +01:00
Lance Bragstad f9ab615eb1 Implement system scope
This commit introduces the necessary bits in order to get system
scoped tokens from a keystone server.

bp system-scope

Change-Id: I538f2a6cd2b4113910dfdac250c14f17f80051f6
2018-01-17 15:50:11 +00:00
Vladyslav Drok 8e7cfabc27 Make none auth usable in CLI
Closes-Bug: #1724283
Change-Id: I3e477895ba0c989ffd0c91c45791e9f74173a3d6
2017-10-27 18:46:14 +03:00
Eric Fried e495c33d79 Recommend unversioned for endpoint-override
Update the help string for Adapter's endpoint-override conf option to
recommend specifying the unversioned endpoint.  This is so that ksa can
do the appropriate endpoint discovery itself.

Change-Id: I6178a7c0b80e22cc48f049efc24d1c74f26d4b2d
2017-09-05 10:34:31 -05:00
Monty Taylor 81ec69116a Protect against missing interface attribute
If deprecated options aren't registered, interface will not exist,
resulting in NoSuchOptError.

Add safeguards around accessing the interface opt, and appropriate test
cases.

Co-Authored-By: Eric Fried <efried@us.ibm.com>
Closes-Bug: #1707273
Change-Id: Ic3df9817f0038f8f610db70d7e34fe9d458606b6
2017-08-17 20:50:38 +00:00
Jenkins 2c5df20f80 Merge "Adapter.get_conf_options(deprecated_opts)" 2017-08-17 20:17:28 +00:00
Eric Fried aeb38d5d08 Adapter.get_conf_options(deprecated_opts)
Support a deprecated_opts dict kwarg to
keystoneauth1.loading.adapter.Adapter.get_conf_options that behaves just
like the one for keystoneauth1.loading.session.Session.get_conf_options

Ditto register_conf_options.

Change-Id: I40b568c1b8570b349def0a966526ed4515d08105
Closes-Bug: #1708673
2017-08-15 16:33:49 -05:00
Morgan Fainberg 335a8cdf03 Remove use of positional decorator
The positional decorator results in poorly maintainable code in
a misguided effort to emulate python3's key-word-arg only notation
and functionality. This patch removes keystoneauth's dependence
on the positional decorator.

Change-Id: I20106345747860365cd0203ba1b33a2900e045b9
2017-08-07 16:37:07 -07:00
Pavlo Shchelokovskyy 2195845fd1 Fix exception message in adapter loading
string formatting variable was missing

Change-Id: I74b614048a1a1fe00ca14fb0313a760909a068ce
2017-08-04 11:38:02 +03:00
Eric Fried 81363eca79 get_conf_options can exclude deprecated opts
Add the ability to exclude deprecated conf options from
Adapter.get_conf_options via a new kwarg, include_deprecated, which (for
backward compatibility) defaults to True.

Closes-Bug: #1706775
Change-Id: I9245d2b983482154959ba05d7d8496a947f1c701
2017-07-26 16:16:01 -05:00
Jenkins d40959cbd6 Merge "Remove deprecated_since for interface and fix text" 2017-07-18 11:04:31 +00:00
Jenkins 3071cf64cf Merge "Expose valid_interfaces as a ListOpt for config files" 2017-07-18 11:04:21 +00:00
Monty Taylor 4dc2a40f0b Remove deprecated_since for interface and fix text
Version number for keystoneauth is still being debated. Remove this
as it's not strictly necessary anyway. The deprecation explanation is
also very clunky. Fix it.

Change-Id: I2cd39c5c01995b3e6cf22616c5343d8e1c4ce43b
2017-07-17 18:27:55 -05:00
Jenkins accecea89b Merge "Add min_version and max_version to adapter constructors" 2017-07-15 15:40:34 +00:00
Monty Taylor 98b7292aad Expose valid_interfaces as a ListOpt for config files
interface can take a list of values now, so needs to be exposed as such
for config file consumption.

Since this is a new option we can be stricter. Add checking to make sure
only public, internal and admin can be passed as values.

Change-Id: I17043cd93072bbfd1389d44935bcf9a653e1d6a0
2017-07-15 09:17:53 -05:00
Jenkins 0847a6d990 Merge "Add 'none' identity plugin" 2017-07-14 22:41:18 +00:00
Monty Taylor 8161ed81d6 Add min_version and max_version to adapter constructors
They should be here as an Adapter is essentially a codified
endpoint_filter.

Add them to the conf options for Adapter, since that is how Adapters get
defined in services which is one of the reasons for doing all of this
work.

Change-Id: I8c6613bac09f28169e903b303c7330b1e90fe72d
2017-07-14 17:18:24 -05:00
Alvaro Lopez Garcia 62c83a073a Pass kwargs to the plugin getter
Although the getter and the load_from_argparse_arguments methods accept
kwargs, those were not passed from the load method to the inner
plugin.load_from_options_getter call.

Change-Id: I1af353bf3eab88ebc148b606f683c114819e8330
Closes-Bug: 1697479
2017-06-12 17:04:42 +02:00
Pavlo Shchelokovskyy 070f8fd891 Add 'none' identity plugin
It does not accept any arguments and sets the token to 'notused'.
It does not have any endpoint/url associated,
and thus must be used together with adapter.Adapter.endpoint_override to
instantiate a session for client to a service that is deployed in
noauth/standalone mode.

Unfortunately the 'noauth' name is already taken by
cinderclient.contrib.noauth.

Change-Id: I2f7175ea095aac774e7c5889880fcff15586559c
2017-06-08 14:42:03 +00:00
Eric Fried 1fd43be5ce Introduce keystoneauth1.loading.adapter
In the spirit of keystoneauth1.loading.session,
keystoneauth1.loading.adapter.Adapter is a BaseLoader subclass providing
oslo_config* options suitable for inclusion by config groups wishing to
support keystoneauth1.adapter.Adapter operations such as endpoint
discovery.

*Future work should be done to move the argparse options from
keystoneauth1.adapter.Adapter into the new loading.adapter.Adapter class
for consistency.

Change-Id: Icb8c295799cc5ef4ca16f44c238838668fb7ab93
Partial-Implements: bp use-service-catalog-for-endpoints
2017-05-01 17:20:54 -05:00
Gage Hugo 7bf7619104 Remove pbr warnerrors in favor of sphinx check
This change removes the soon-to-be unused "warnerrors" setting,
which will be replaced by "warning-is-error" in sphinx
releases >= 1.5. [0] This also pre-emptively fixes most warnings
that came up when testing with sphinx >= 1.5:

- Multiple cases of Opts
- Redundant loading of todo extension

Added a comment not to enable the new sphinx setting until
the issues with Changelog building are fixed.

Added setup.py to the list of files to ignore when building
docs.

[0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113085.html

Change-Id: Ia0079c6b551dd3896bc3d922a477f927757bd61b
2017-03-07 20:51:19 -06:00
Jamie Lennox c21ef89a88 Add a full listing of all auth plugins and their options
A commonly requested document is what auth plugins are available and
what parameters do they accept. Create an extension that can iterate
through the stevedore namespace and render all its available options.

Change-Id: Id0d0983c9803ce4e0ce201310a1603bc0ff30ca0
2017-01-10 14:40:28 +00:00
howardlee 7666acbb1e Add __ne__ built-in function
In Python 3 __ne__ by default delegates to __eq__ and inverts the
result, but in Python 2 they urge you to define __ne__ when you define
__eq__ for it to work properly [1]. There are no implied relationships
among the comparison operators. The truth of x==y does not imply that
x!=y is false. Accordingly, when defining __eq__(), one should also
define __ne__() so that the operators will behave as expected.

[1] https://docs.python.org/2/reference/datamodel.html#object.__ne__

Change-Id: I6ad4b07911f6c8236dfcd048aceebd44cd760fe2
2017-01-06 14:32:41 +00:00
Steve Martinelli 827895281b mark a few oidc parameters as required
to better the user experience, mark a few of the open id connect
options as required, users should get back more meaningful
error messages.

as part of the change, there was also a discrepancy between what
the loader used for the authorization code, and what the plugin
was using. deprecate the old loader option (authorization-code)
in favor of the one used by the plugin (code).

Change-Id: I18318ef44f99e4f973176dd99b61770b1151f7a0
Partial-Bug: 1593192
2016-11-01 11:12:12 -04:00
melissaml 729e4cd846 Fix a typo in opts.py
Removed redundant 'the'

Change-Id: I4e72aeb4580ef197a9fd214b26879408e5a63a9e
2016-10-13 10:28:00 +08:00
Ji-Wei 2d3e376a2c Raise NotImplementedError instead of NotImplemented
NotImplementedError is the name of the exception
(https://docs.python.org/2/library/exceptions.html).
NotImplemented is the name of a constant
(https://docs.python.org/2/library/constants.html).

This patch fixes it.

Change-Id: Icfbc0603d03e2001d1494027c492059687e15fa7
Closes-Bug: #1339855
2016-09-09 02:56:31 +00:00
Jenkins 4cc3dd0b17 Merge "Add prompt parameter to Opt" 2016-07-22 22:24:30 +00:00
Alvaro Lopez Garcia e5fd66ca35 oidc: implement client_credentials grant type
Change-Id: If1538726cb7e4cb87fad82c5daf50c67b161b52d
2016-07-20 09:59:05 +02:00
Alvaro Lopez Garcia 00746ea636 oidc: add discovery document support
The OpenID Connect specifies that all providers must return a JSON
discovery document [1] in a well-known location. We can let the user
pass this document instead of the individual endpoints (i.e. token and
authorization endpoint). Moreover, we can also check if the requested
grant_type (implicit to the used plugin, and one of client_credentials,
password, authorization_code) is supported by the provider before
starting the auth flow.

[1] https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Fixes-bug: #1583682
Change-Id: I24b7960b25ddcff45552c0ab5541d92122d1d560
2016-07-14 10:19:10 +02:00
Jenkins 702f32a34b Merge "Add create_plugin to loader" 2016-07-08 22:19:33 +00:00
Jamie Lennox 71d2e1ad77 Add prompt parameter to Opt
The prompt parameter is supposed to provide both an indication to
loaders that it is ok to prompt the user for input for an option and
also an appropriate message that can be used.

It would be up to the loader whether it wanted to use that message or
something it generated.

This will allow os-client-config and openstackclient better control over
the loading of sensitive authentication options.

Related-Bug: #1519202
Change-Id: I7c39f25b78404950af6f6eaf21739be1c1ef9c6a
2016-07-07 10:20:21 +10:00
Jenkins 01d040b2be Merge "Auth plugin for X.509 tokenless authentication" 2016-07-06 03:53:26 +00:00
chioleong e203d61092 Auth plugin for X.509 tokenless authentication
An auth plugin that allows service clients to be authenticated
with the X.509 tokenless authentication. Please find typical configured
options in authentication-plugins.rst

implements bp keystone-tokenless-authz-with-x509-ssl-client-cert

Change-Id: Ie0298f0ef7f3891cfc81072ab9ef9e501773fe5f
2016-07-05 17:11:36 -07:00
Alvaro Lopez Garcia 68a7962488 oidc: fix OpenID scope management
The OpenID scope is something common to all the OpenID grant types,
therefore we move the OIDC scope parameter 'scope' from the OidcPassword
class into the base _OidcBase class, moving the option as well into the
corresponding loader.

Moreover, OpenID scopes are not handled properly, as the loaders have
the option defined as "openid-scope" whereas the class constructor
argument is named "openid".

Lastly, OpenID states that the OpenID scope MUST contain "openid" at
least, so we should include this in our defaults argument.

Closes-Bug: #1594272
Closes-Bug: #1597334
Change-Id: I9a242ae93a61737d032c19830c5d89ef6237f875
2016-07-04 11:08:55 +02:00
Jamie Lennox 784ac090ee Add create_plugin to loader
Add a create_plugin function to loaders. This can be used to create a
plugin based on options with more control than simply specifying a
plugin_class as a property.

The plugin_class property is no longer an abstractproperty however an
implementer must still provide either the plugin_class property or
implement the create_plugin function to succeed.

Change-Id: Iea2ff93cfc3c814c78f6d9cd7e0069bab7e0180b
Closes-Bug: #1595400
2016-07-01 09:32:05 +10:00
Alvaro Lopez Garcia bd18bc3d0d oidc: fix OpenID Connect scope option
There is a mismatch between the option being defined in the
OpenIDConnectPassword loader and the OidcPassword class. The loader
defines it as "openid-scope" but the OidcPassword constructor only
accepts "scope".

Closes-Bug: 1594272
Change-Id: I7dbaaa4eb52c900bcd19da4c274bd35dc8b98c6f
2016-06-24 13:07:00 +02:00
guang-yee 9e29e6e9c5 Support TOTP auth plugin
Add support for time-based one-time password (TOTP) authentication.

Change-Id: I004677ac7f0e2fb8c059ad14868e661e8ee4c1f9
2016-06-13 11:40:43 -07:00
Jamie Lennox bc614288b7 Add available flag to plugin loaders
Currently when iterating through plugins all plugins are loaded and
returned to the user. This is confusing for things like the kerberos
plugin where the required dependencies may not be available.

Add an available property on plugin loaders. Plugins that do not wish to
be shown to users can set available to false.

The lack of tests on this patch is unfortunate however any testing
involves a lot of mocking at levels lower than keystoneauth interacts with
(I've tried). We would need to mock the pkg_resources layer that
stevedore uses and are essentially testing that EnabledExtensionManager
is doing the right thing.

I encourage people to verify this manually.

Closes-Bug: #1589740
Change-Id: I446441467ef32f7bc916221991388ac528df48f4
2016-06-07 13:30:10 +10:00
Alvaro Lopez Garcia 5623c01918 oidc: fix typo on class name
The class name was wrong, therefore it was not possible to load it from
the defined entry point. This change fixes it.

Fixes-Bug: 584636
Change-Id: I9b32899a6c9f06da3f406d01c8181e6277a34896
2016-05-23 12:14:49 +02:00