MIN_TOKEN_LIFE_SECONDS is the number of seconds that the token provided
must be valid for to be used when making authentication requests. 1
second has always been a dumb number and was not based on any existing
Because a user token may be reused by a service to make requests on
behalf of a user if the token is valid when sent it may not be valid for
the life of the request.
2 minutes is also an arbitrary value, but it should allow plenty of time
for service requests to complete before being rejected.
The keystone server understands that specifying unscoped in the scope
section of an auth request means that it should ignore the
default_project_id of a user and return an unscoped token.
This is the client side change to allow requesting these tokens via an
Implements: bp explicit-unscoped
The audit_id is now a standard part of the v2 and v3 tokens. Expose it
via AccessInfo so that it is usable for services and middleware.
assertRaisesRegexp is raising a warning message that indicated the
function is going to be deprecated, use assertRaisesRegex instead.
If the trust_id is unset it raises a KeyError. This is unusual from a
python perspective (if nothing else it should be AttributeError) and
different to all the other attributes of the fixture.
Return None if no trust_id is set on the fixture.
It has been mentioned a number of times that the self.requests naming
for the requests_mock object is confusing between whether you are
actually sending a request or are mocking a request.
Rename all entries of the requests object to requests_mock.
This cleans up a couple of entries where the older register_uri format
was being used in favour of using the HTTP method as the requests_mock
For keystonemiddleware, shade and other projects that do more
complicated option loading than simply CLI or CONF file provide a means
to load an auth plugin where options are discovered by a provided
This plugin is designed to work with the options as provided by
get_options rather than either the argparse or CONF registration
Use these as the default loading mechanism for the existing argparse and
CONF functions as it standardizes the mechanism between the two sources.
The basic Auth plugin for v3 tokens makes the assumption that you need
to pass in some AuthMethod objects. This works well for most auth types
where you want the plugin to construct the auth request for you.
In the case of federation though we want to be able to have a rescoping
plugin that will return an auth_ref and not take any auth_methods as
Extract the most basic part of the Auth plugin into BaseAuth class that
Auth and federation plugins can both inherit from.
The V3 authentication plugins file contained the existing plugins as
well as the base class. As we look to add new plugins it is simpler if
we break this file up.
It can become difficult to trace the client that created HTTP requests
as the logging all goes through the keystoneclient.session logger. Allow
passing the logger through the request function and make it able to be
set via the adapter so it can be set once per client instantiation.
This patch implements the new ways to get the project's hierarchy:
'subtree_as_ids': If True, returns projects IDs down the hierarchy
as a structured dictionay.
'parents_as_ids': If True, returns projects IDs up the hierarchy
as a structured dictionay.
Implements: blueprint hierarchical-multitenancy-improvements
If the same service_type was mentioned in the catalog more than once
then only the last entry would be parsed and any possible other matches
would be lost.
This was something that novaclient used to do, and as we are pushing
sessions as the way that clients should all work we need to maintain
Operations could fail if the response was logged and had a 'token'
field that's not a dict. The fix is to ignore all errors when
trying to remove the service catalog from the response.
Also, enhanced the service catalog removal code to support V2
Keystone v3 and v2 have different keywords in endpoint
dictionary. This patch adds ability for keystone client for correct
work with old and new API.
Move all the existing tests to the unit/ subdirectory. This gives us
some room to add a functional/ directory later with other tests.
This is a utility function that is used for reducing the amount of data
that is logged. It shouldn't be a public function.
I think there is very little risk from this in terms of compatibility as
it was only added recently.