Added a new OAuth2ClientCredential plugin, accessible via the
'v3oauth2clientcredential' entry point, making it possible to authenticate
using application credentials as OAuth2.0 client credentials.
A new basic auth plugin is added which enables HTTP Basic
authentication for standalone services. Like the noauth plugin, the
endpoint needs to be specified explicitly, along with the
username and password.
An example of a standalone server implementing HTTP Basic can be seen
in Ironic change https://review.opendev.org/#/c/727467/
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Remove hacking and friends from lower-constraints, those are not
needed for co-installing.
- new exception when an auth receipt is returned.
- a new method for auth receipt.
- support to existing v3 Auth plugins to add additional methods.
- Added a new MultiFactor plugin with loading support which
takes method names as strings.
Clients like ironicclient and swiftclient use a fixed delay for their
built-in retry functionality. To replace it without changing behavior
we need a similar feature.
Subclasses of keystoneauth1.adapter.Adapter, such as openstacksdk's
openstack.proxy.Proxy, would like to be able to obtain configuration
from oslo_config conf options.
This commit splits the conf processing logic out of
keystoneauth1.loading.load_adapter_from_conf_options into a helper
This is a straight refactor, so no test changes are necessary.
 16f2dbe3b0/openstack/proxy.py (L113)
For people creating Sessions via load_from_conf_options, such as
the OpenStack services, turning on split-loggers needs to be done in a
config file. In order to do that, we need to expose it in the conf
Don't add it to the argparse options for now - it would just add another
command line option that is less likely to see use.
python-openstackclient does this in a wrapper class around Session,
and openstacksdk does something similar that could be removed if support
were directly in keystoneauth.
Add this so that we can remove the custom wrapper/manipulation in
openstackclient and openstacksdk.
Update the help string for Adapter's endpoint-override conf option to
recommend specifying the unversioned endpoint. This is so that ksa can
do the appropriate endpoint discovery itself.
If deprecated options aren't registered, interface will not exist,
resulting in NoSuchOptError.
Add safeguards around accessing the interface opt, and appropriate test
Co-Authored-By: Eric Fried <email@example.com>
Support a deprecated_opts dict kwarg to
keystoneauth1.loading.adapter.Adapter.get_conf_options that behaves just
like the one for keystoneauth1.loading.session.Session.get_conf_options
The positional decorator results in poorly maintainable code in
a misguided effort to emulate python3's key-word-arg only notation
and functionality. This patch removes keystoneauth's dependence
on the positional decorator.
Add the ability to exclude deprecated conf options from
Adapter.get_conf_options via a new kwarg, include_deprecated, which (for
backward compatibility) defaults to True.
Version number for keystoneauth is still being debated. Remove this
as it's not strictly necessary anyway. The deprecation explanation is
also very clunky. Fix it.
interface can take a list of values now, so needs to be exposed as such
for config file consumption.
Since this is a new option we can be stricter. Add checking to make sure
only public, internal and admin can be passed as values.
They should be here as an Adapter is essentially a codified
Add them to the conf options for Adapter, since that is how Adapters get
defined in services which is one of the reasons for doing all of this
Although the getter and the load_from_argparse_arguments methods accept
kwargs, those were not passed from the load method to the inner
It does not accept any arguments and sets the token to 'notused'.
It does not have any endpoint/url associated,
and thus must be used together with adapter.Adapter.endpoint_override to
instantiate a session for client to a service that is deployed in
Unfortunately the 'noauth' name is already taken by
In the spirit of keystoneauth1.loading.session,
keystoneauth1.loading.adapter.Adapter is a BaseLoader subclass providing
oslo_config* options suitable for inclusion by config groups wishing to
support keystoneauth1.adapter.Adapter operations such as endpoint
*Future work should be done to move the argparse options from
keystoneauth1.adapter.Adapter into the new loading.adapter.Adapter class
Partial-Implements: bp use-service-catalog-for-endpoints
This change removes the soon-to-be unused "warnerrors" setting,
which will be replaced by "warning-is-error" in sphinx
releases >= 1.5. This also pre-emptively fixes most warnings
that came up when testing with sphinx >= 1.5:
- Multiple cases of Opts
- Redundant loading of todo extension
Added a comment not to enable the new sphinx setting until
the issues with Changelog building are fixed.
Added setup.py to the list of files to ignore when building
A commonly requested document is what auth plugins are available and
what parameters they accept. Create an extension that can iterate
through the stevedore namespace and render all its available options.
In Python 3 __ne__ by default delegates to __eq__ and inverts the
result, but in Python 2 they urge you to define __ne__ when you define
__eq__ for it to work properly. There are no implied relationships
among the comparison operators. The truth of x==y does not imply that
x!=y is false. Accordingly, when defining __eq__(), one should also
define __ne__() so that the operators will behave as expected.
To better the user experience, mark a few of the open id connect
options as required; users should get back more meaningful
As part of the change, there was also a discrepancy between what
the loader used for the authorization code, and what the plugin
was using. Deprecate the old loader option (authorization-code)
in favor of the one used by the plugin (code).
The OpenID Connect specifies that all providers must return a JSON
discovery document in a well-known location. We can let the user
pass this document instead of the individual endpoints (i.e. token and
authorization endpoint). Moreover, we can also check if the requested
grant_type (implicit to the used plugin, and one of client_credentials,
password, authorization_code) is supported by the provider before
starting the auth flow.
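
The pre-flight check described in the commit message above, as an added example that is not keystoneauth's own code: the function and exception names are hypothetical, the discovery document is constructed, and letting explicitly passed endpoints override discovered ones is an assumption. The fallback list applied when `grant_types_supported` is absent is the default defined by OpenID Connect Discovery 1.0.

```python
from urllib.parse import urlsplit

# Default per OpenID Connect Discovery 1.0 when the provider omits
# "grant_types_supported" from its discovery document.
DEFAULT_GRANT_TYPES = ("authorization_code", "implicit")

# Constructed sample of a provider's discovery document.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "token_endpoint": "https://idp.example.org/token",
    "grant_types_supported": ["authorization_code", "password"],
}


class UnsupportedGrantType(Exception):
    """The provider's discovery document does not list the grant type."""


def resolve_endpoints(discovery, grant_type, token_endpoint=None,
                      authorization_endpoint=None):
    """Pick the endpoints for grant_type, failing before any credentials
    are sent if the provider does not advertise that grant type."""
    supported = discovery.get("grant_types_supported", DEFAULT_GRANT_TYPES)
    if grant_type not in supported:
        raise UnsupportedGrantType(
            "%s not offered by provider (supported: %s)"
            % (grant_type, ", ".join(supported)))

    # Every flow needs the token endpoint; only the authorization code
    # flow also needs the authorization endpoint.
    wanted = {"token_endpoint": token_endpoint}
    if grant_type == "authorization_code":
        wanted["authorization_endpoint"] = authorization_endpoint

    resolved = {}
    for name, explicit in wanted.items():
        # Assumption: an explicitly passed endpoint wins over discovery.
        url = explicit or discovery.get(name)
        if not url:
            raise ValueError("no %s given or discovered" % name)
        # Passwords and client secrets are posted to these URLs.
        if urlsplit(url).scheme != "https":
            raise ValueError("%s must use https: %s" % (name, url))
        resolved[name] = url
    return resolved
```
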
The prompt parameter is supposed to provide both an indication to
loaders that it is ok to prompt the user for input for an option and
also an appropriate message that can be used.
It would be up to the loader whether it wanted to use that message or
something it generated.
This will allow os-client-config and openstackclient better control over
the loading of sensitive authentication options.
An auth plugin that allows service clients to be authenticated
with the X.509 tokenless authentication. Please find typical configured
options in authentication-plugins.rst
implements bp keystone-tokenless-authz-with-x509-ssl-client-cert
The OpenID scope is something common to all the OpenID grant types,
therefore we move the OIDC scope parameter 'scope' from the OidcPassword
class into the base _OidcBase class, moving the option as well into the
Moreover, OpenID scopes are not handled properly, as the loaders have
the option defined as "openid-scope" whereas the class constructor
argument is named "openid".
Lastly, OpenID states that the OpenID scope MUST contain "openid" at
least, so we should include this in our defaults argument.
Add a create_plugin function to loaders. This can be used to create a
plugin based on options with more control than simply specifying a
plugin_class as a property.
The plugin_class property is no longer an abstractproperty; however, an
implementer must still provide either the plugin_class property or
implement the create_plugin function to succeed.
There is a mismatch between the option being defined in the
OpenIDConnectPassword loader and the OidcPassword class. The loader
defines it as "openid-scope" but the OidcPassword constructor only
Currently when iterating through plugins all plugins are loaded and
returned to the user. This is confusing for things like the kerberos
plugin where the required dependencies may not be available.
Add an available property on plugin loaders. Plugins that do not wish to
be shown to users can set available to false.
The lack of tests on this patch is unfortunate; however, any testing
involves a lot of mocking at levels lower than keystoneauth interacts with
(I've tried). We would need to mock the pkg_resources layer that
stevedore uses and are essentially testing that EnabledExtensionManager
is doing the right thing.
I encourage people to verify this manually.