Update git submodules

* Update keystonemiddleware from branch 'master'
  - Merge "Make sure audit middleware use own context"
  - Remove testr.conf as it's been replaced by stestr
    
    Change-Id: I73e5ed94cdd786d392a6a6b61b8ef4f630715482
    
  - Make sure audit middleware use own context
    
    Keystone audit middleware requires to iterate req.context as dict,
    but Glance requires to access req.context.read_only.
    When glance enabled audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']
    
    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <feli5@cisco.com>
    
  - Trivial: Update pypi url to new url
    
    Pypi url changed from [1] to [2]
    
    [1] https://pypi.python.org/pypi/<package>
    [2] https://pypi.org/project/<package>
    
    Change-Id: Ibb6247bfb2cfe1c77f6841be2773cbff9475e0c6
    
  - Merge "Added request_id and global_request_id to CADF notifications"
  - Change openstack-dev to openstack-discuss
    
    Mailinglists have been updated. Openstack-discuss replaces openstack-dev.
    
    Change-Id: Ic98b7942c1f394a45958c86eb2d091490fc25b1f
    
  - Merge "Add py36 tox environment"
  - Added request_id and global_request_id to CADF notifications
    
    Change-Id: I8d571d3414071c68b4fa565dec46cc2d2941331c
    Closes-Bug: #1803940
    
  - Merge "Stop supporting revocation list"
  - Add py36 tox environment
    
    We already run python3.6 unit tests in CI. Add the py36 environment to
    the tox file so that developers with python3.6 available locally can opt
    into running that version too.
    
    Change-Id: Ic7aad3d4adfafba226d3b1d1b2106d55135ce6ff
    
  - Documentation Fix - auth_url Port Number
    
    Made a small fix to the documentation - replacing
    the current auth_url port number 35357, in the
    configuration section of the [keystone_authtoken],
    with 5000.
    
    This was based on an online conversation with Colleen;
    with the removal of the v2 API from keystone the project
    now recommends use of port 5000 instead of the previous one.
    
    Change-Id: I750a4d0e75e0b919fd00ddf21c0e7ce62d495f95
    
  - Stop supporting revocation list
    
    With keystone's move to eliminating pki, pkiz, and uuid tokens the
    revocation list is no longer generated. Keystonemiddleware no longer
    needs to attempt to retrieve it and reference it.
    
    Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
    closes-bug: #1361743
    partial-bug: #1649735
    partial-bug: #1736985
    
  - Fix audit target service selection
    
    The keystonemiddleware audit code would select the wrong OpenStack service
    endpoint for a request if the cloud is not using unique TCP ports for each
    service endpoint. As most services are no longer using a port per service,
    but instead using unique paths, this caused the audit to select the wrong
    target service. This leads to incorrect audit logging due to the wrong
    audit map being used.
    
    This patch checks the request to see if a TCP port was present in the request,
    and if not, fall back to using the target_endpoint_type configured in the
    audit map file.
    
    Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
    Closes-bug: 1797584
    
  - Merge "Skip the services with no endpoints when parsing service catalog"
  - Merge "Expect paste.deploy and gnocchi/panko options"
  - Skip the services with no endpoints when parsing service catalog
    
    When parsing the service catalog to find the source, audit middleware
    should skip over the services which have no endpoints instead of
    assuming they will have at least one endpoint.
    
    Change-Id: I287873e99338d95baaf20d52ecb3a43763a401fc
    Closes-Bug: #1800017
    
  - Merge "Respect delay_auth_decision when Keystone is unavailable"
  - Respect delay_auth_decision when Keystone is unavailable
    
    The delay_auth_decision option has two main uses:
    
      1. Allow a service to provide its own auth mechanism, separate from
         auth tokens (like Swift's tempurl middleware).
      2. Allow a service to integrate with multiple auth middlewares which
         may want to use the same X-Auth-Token header.
    
    The first case works fine even when the service has trouble talking to
    Keystone -- the client doesn't send an X-Auth-Token header, so we never
    even attempt to contact Keystone.
    
    The second case can be problematic, however. The client will provide
    some token, and we don't know whether it's valid for Keystone, the other
    auth system, or neither. We have to *try* contacting Keystone, but if
    that was down we'd previously return a 503 without ever trying the other
    auth system. As a result, a Keystone failure results in a total system
    failure.
    
    Now, when delay_auth_decision is True and we cannot determine whether a
    token is valid or invalid, we'll instead declare the token invalid and
    defer the rejection. As a result, Keystone failures only affect Keystone
    users, and tokens issued by the other auth system may still be validated
    and used.
    
    Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c
    
  - Merge "Use templates for cover and lower-constraints"
  - Merge "Remove tox_install.sh"
  - Use templates for cover and lower-constraints
    
    Use openstack-tox-cover template, this runs the cover job as
    non-voting in the check queue only.
    
    Use openstack-lower-constraints-jobs template
    
    Remove jobs that are part of the templates.
    
    Change-Id: I58f3bc27aab2885514b8c6a8379e1c2214bd1afd
    
  - Remove tox_install.sh
    
    As part of removing reliance on the old and deprecated zuul-cloner, we
    need to shift constraints declaration to the deps line. This means we
    unfortunately have to duplicate the extras declarations into
    test-requirements - because otherwise the constraints for
    keystonemiddleware conflicts with the installation of itself.
    
    Change-Id: I8dbb31d1c1fda6df386f456dcf1d8bbed6d168ce
    
  - No need to compare CONF content
    
    When setting up the AuthProtocol class, if the CONF object contains
    deprecated options, an error "dictionary changed size during
    iteration" will be raised when comparing the CONF content.
    
    Change "!=" to "is not" here to avoid comparing the CONF
    content anymore.
    
    Change-Id: I820aa244160db4f81149d2576386c86b46de0084
    Closes-bug: #1789351
    
  - add lib-forward-testing-python3 test job
    
    This is a mechanically generated patch to add a functional test job
    running under Python 3 as part of the python3-first goal.
    
    See the python3-first goal document for details:
    https://governance.openstack.org/tc/goals/stein/python3-first.html
    
    Change-Id: If3765f1d4fa236e37c48a68bcd1093addfc751ff
    Story: #2002586
    Task: #24304
    
  - add python 3.6 unit test job
    
    This is a mechanically generated patch to add a unit test job running
    under Python 3.6 as part of the python3-first goal.
    
    See the python3-first goal document for details:
    https://governance.openstack.org/tc/goals/stein/python3-first.html
    
    Change-Id: I3fcff11f87699cf36aabb37c7ccf9555280927a8
    Story: #2002586
    Task: #24304
    
  - switch documentation job to new PTI
    
    This is a mechanically generated patch to switch the documentation
    jobs to use the new PTI versions of the jobs as part of the
    python3-first goal.
    
    See the python3-first goal document for details:
    https://governance.openstack.org/tc/goals/stein/python3-first.html
    
    Change-Id: Iee42c4b458e8ae8694efbee7e176cd2f8e8d49cd
    Story: #2002586
    Task: #24304
    
  - import zuul job settings from project-config
    
    This is a mechanically generated patch to complete step 1 of moving
    the zuul job settings out of project-config and into each project
    repository.
    
    Because there will be a separate patch on each branch, the branch
    specifiers for branch-specific jobs have been removed.
    
    Because this patch is generated by a script, there may be some
    cosmetic changes to the layout of the YAML file(s) as the contents are
    normalized.
    
    See the python3-first goal document for details:
    https://governance.openstack.org/tc/goals/stein/python3-first.html
    
    Change-Id: Idf1fdd88a3be46477804ad2fd961f7e1114b600b
    Story: #2002586
    Task: #24304
    
  - Merge "Handle DiscoveryFailure errors"
  - Merge "add releasenotes to readme.rst"
  - add releasenotes to readme.rst
    
    Change-Id: Ie30c97327684934ac44d41883070ce22e8aa7a19
    
  - Handle DiscoveryFailure errors
    
    DiscoveryFailures can happen for a variety of reasons, ranging
    from service misconfiguration to a keystone outage to a transient
    network failure. If we don't catch and handle the failure here,
    it will almost certainly cause something further up the WSGI stack
    to send a 500 Internal Error (and likely log a traceback).
    
    A log line like
    
        Unable to validate token: Could not find versioned identity
        endpoints when attempting to authenticate. Please check that
        your auth_url is correct. Unable to establish connection to
        http://keystone:35357: HTTPConnectionPool(host='keystone',
        port=35357): Max retries exceeded with url: / (Caused by
        NewConnectionError('<urllib3.connection.HTTPConnection
        object at 0x7fc53e22e050>: Failed to establish a new
        connection: [Errno 111] ECONNREFUSED',))
    
    should be plenty enough for an operator to assess the situation;
    I don't need a 29-frame traceback.
    
    Change-Id: I946388c09b2ca0230d2cef009c679a7ac7c8398f
    
  - Update reno for stable/rocky
    
    Change-Id: If387869339f5b1abd91ef73237c9ea48a6fdbf77
    
  - Replace port 35357 with 5000
    
    With Keystone v3, the admin (35357) and public (5000) ports are
    the same and use the same keystone code paths for authentication.
    
    This patch set replaces 35357 and only uses port 5000
    
    Change-Id: I596e3a2b29b2954bf7caef6f9408d9b2b4e890ee
    
  - Merge "Fix KeystoneMiddleware memcachepool abstraction"
  - Fix KeystoneMiddleware memcachepool abstraction
    
    Keystonemiddleware's abstraction for the memcache pool was broken
    when converting to use a queue.Queue. The logic that placed the
    connection back into the pool was moved to .acquire and the reserve
    method was not using acquire.
    
    Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
    Closes-Bug: #1782404
    
  - Document endpoint interface and region behavior
    
    After some debugging following [0] to figure out why ksm was
    not connecting to the specified auth_url, found out that
    ksm connects to the identity server on the 'admin' interface
    [1] after authenticating with auth_url and fetching the catalog if
    keystoneauth is being used. Otherwise it connects on identity_uri
    and disregards the service catalog [2].  This behavior was not
    documented.
    
    [0]. http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-09-19.log.html#t2017-09-19T17:50:06
    [1]. d1b7a1f092/keystonemiddleware/auth_token/__init__.py (L936-L938)
    [2]. d1b7a1f092/keystonemiddleware/auth_token/_auth.py (L121-L130)
    
    Change-Id: Ide40835de856012ac4dd71975beac9d32771f356
    
  - Merge "fix tox python3 overrides"
  - Merge "Follow the new PTI for document build"
  - fix tox python3 overrides
    
    We want to default to running all tox environments under python 3, so
    set the basepython value in each environment.
    
    We do not want to specify a minor version number, because we do not
    want to have to update the file every time we upgrade python.
    
    We do not want to set the override once in testenv, because that
    breaks the more specific versions used in default environments like
    py35 and py36.
    
    Change-Id: I21491f302cbc6ca7a9b5ac12c487cf214bf4866e
    Signed-off-by: Doug Hellmann <doug@doughellmann.com>
    
  - Merge "Don't rely on pbr ChangeLog for docs"
  - Merge "Switch coverage tox env to stestr"
  - Follow the new PTI for document build
    
    For compliance with the Project Testing Interface as described in:
    https://governance.openstack.org/tc/reference/project-testing-interface.html
    http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
    http://lists.openstack.org/pipermail/openstack-dev/2018-March/128594.html
    
    Co-Authored-By: Nguyen Hai <nguyentrihai93@gmail.com>
    Change-Id: Ia0a27229f09467980ff4af014001febb017bb36d
    
  - Switch coverage tox env to stestr
    
    We already switched the unit tests to follow the updated PTI
    guidelines[1] but neglected to switch the coverage environment. Do that
    now.
    
    [1] https://governance.openstack.org/tc/reference/pti/python.html#python-test-running
    
    Change-Id: Ie153516196f18c030ea58e76a0eac15c86169c6b
    
  - Fix the title in index.rst
    
    The titles in the index.rst can't be shown in the webpage.
    This patch adds them back.
    
    Change-Id: I56febf6cb137b7f6dbc05365d48159be36d18c13
    
  - Don't rely on pbr ChangeLog for docs
    
    The ChangeLog file is generated when we run `python setup.py sdist`,
    which doesn't naturally happen when we run `tox -edocs`, so on a fresh
    clone the docs build will fail because it references the ChangeLog file
    which isn't there. Since we don't rely on pbr any more for release notes
    and we have a sophisticated release note management tool, point the docs
    at the published release notes instead of the pbr ChangeLog.
    
    Change-Id: I614091eae739154337795a8f120b68686ad0ed0a
    
  - Merge "Introduce new header for system-scoped tokens"
  - Introduce new header for system-scoped tokens
    
    Keystonemiddleware attempts to parse user/service tokens and populate
    request headers for other services to consume. This information is
    important for services looking to build oslo.context objects from
    request environments.
    
    Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
    Closes-Bug: 1766731
    
  - Imported Translations from Zanata
    
    For more information about this automatic import see:
    https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
    
    Change-Id: I27a90c1f3132af5cbbeb18a6e59f88f5fe387a36
    
  - Merge "Double quote www_authenticate_uri"
  - Merge "Only include response body if there's a response"
  - Merge "Remove empty files"
  - Merge "Properly zero out max_retries in test_http_error_not_cached_token"
  - Fix the doc CI failure
    
    CI job now uses pip >= 10.0.0 to install the package.
    
    In pip >= 10.0.0, if the package name is missing, the command
    "pip install -U" returns an error, but in pip < 10.0.0 it
    just logs a warning.
    
    So this patch makes sure the package name exists first.
    
    Change-Id: Id900640a7133f837ece8c6c0e7d2e4c17665a53d
    
  - Double quote www_authenticate_uri
    
    Based on the RFCs[1], in http header, a string of text is parsed
    as a single value if it is quoted using double-quote marks.
    
    This patch changes the single quote to a double quote in the header
    "WWW-Authenticate" which is returned when a 401 error is raised.
    
    [1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
         https://tools.ietf.org/html/rfc7235#section-2.1
    
    Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
    Closes-bug: #1762362
    
  - Only include response body if there's a response
    
    When handling timeouts talking to the keystone server, you may see log
    messages like
    
      authtoken: Bad response code while validating token: 408
      authtoken: Token validation failure.
      <traceback>
      AttributeError: 'NoneType' object has no attribute 'text'
    
    Since there's no response from the server when keystoneclient raises
    RequestTimeout [1], the `response` attribute is understandably None.
    
    Now, only log the response text if there's text to log. Additionally,
    log the response message (as well as status code) to provide as much
    context as we can for the error.
    
    [1] https://github.com/openstack/python-keystoneclient/blob/3.15.0/keystoneclient/session.py#L469
    
    Change-Id: Id400e4c38d07cbe7e1866dd572a17fc54c31e82a
    
  - Properly zero out max_retries in test_http_error_not_cached_token
    
    Previously, we'd set _http_request_max_retries to 0, but that attribute
    was removed in 1.3.0. Now, test runs are several seconds faster when
    tests are executed serially.
    
    Related-Change: Id092e8f42f843dbfbc1c30589b50ba341ccf4aae
    Change-Id: I61d9b9617b1118d0696435d028bbda7a6c119bf8
    
  - add lower-constraints job
    
    Create a tox environment for running the unit tests against the lower
    bounds of the dependencies.
    
    Create a lower-constraints.txt to be used to enforce the lower bounds
    in those tests.
    
    Add openstack-tox-lower-constraints job to the zuul configuration.
    
    See http://lists.openstack.org/pipermail/openstack-dev/2018-March/128352.html
    for more details.
    
    Change-Id: Ief8bbf14effa1266c62c4600f889a18f1fdbde32
    Depends-On: https://review.openstack.org/555034
    Signed-off-by: Doug Hellmann <doug@doughellmann.com>
    
  - Remove empty files
    
    examples/pki/cms/revocation_list.der
    is an empty file. We probably should delete it.
    
    Change-Id: I15da1d514de07b76cf20d8fdf95cb11ffe816a70
    
  - Expect paste.deploy and gnocchi/panko options
    
    The authtoken middleware has been printing warning log messages to
    the API logs for all services, reporting unexpected conf keys. This
    was traced back to paste.deploy adding 'here' and '__file__' and
    both gnocchi and panko adding 'configkey' keys in wsgi apps though
    these do not actually exist in the conf file. This change allows
    for those keys without printing a warning that unnecessarily
    confuses operators.
    
    But it's kind of a hack, especially the configkey bit. We shouldn't
    have to know about gnocchi/panko specifics like this. And it doesn't
    address the comment in the bug about what is seen for ironic. So I
    think there will still be more to do here.
    
    Change-Id: I678482309c7dd35ce147bebf13ebefc84251fe91
    Partial-Bug: 1722444
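
The delay_auth_decision behaviour described in the "Respect delay_auth_decision when Keystone is unavailable" entry above, as an added example that is not keystonemiddleware code and not part of the commit: a toy two-stage auth chain showing that an undecidable token is marked invalid and passed on, so the second auth system still gets to decide. All function names and tokens are hypothetical; only the X-Auth-Token and X-Identity-Status header names are real.

```python
# Added illustration: a toy model of delay_auth_decision, not keystonemiddleware code.
# KeystoneDown, validate_with_keystone, auth_token, other_auth, request are hypothetical.

class KeystoneDown(Exception):
    """Stands in for any failure to reach the identity service."""

KEYSTONE_TOKENS = {"ks-token": "alice"}    # constructed sample data
OTHER_TOKENS = {"other-token": "bob"}      # tokens issued by a second auth system

def validate_with_keystone(token, keystone_up):
    if not keystone_up:
        raise KeystoneDown("identity service unreachable")
    return KEYSTONE_TOKENS.get(token)      # None means "known invalid"

def auth_token(env, app, delay_auth_decision, keystone_up):
    """First middleware: validates X-Auth-Token against Keystone."""
    token = env.get("HTTP_X_AUTH_TOKEN")
    user = None
    if token is not None:                  # no token: Keystone is never contacted
        try:
            user = validate_with_keystone(token, keystone_up)
        except KeystoneDown:
            if not delay_auth_decision:
                return (503, None)         # cannot decide and nobody else to ask
            user = None                    # declare invalid, defer the rejection
    if user is None:
        # Always overwrite the status so a client-sent value cannot survive.
        env["HTTP_X_IDENTITY_STATUS"] = "Invalid"
        return app(env) if delay_auth_decision else (401, None)
    env["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
    env["HTTP_X_USER_NAME"] = user
    return app(env)

def other_auth(env):
    """Second auth system sharing the same header; it makes the final call."""
    if env.get("HTTP_X_IDENTITY_STATUS") == "Confirmed":
        return (200, env["HTTP_X_USER_NAME"])
    user = OTHER_TOKENS.get(env.get("HTTP_X_AUTH_TOKEN"))
    return (200, user) if user else (401, None)   # deferred rejection still happens

def request(token, delay, keystone_up):
    """Run one request through the chain and return (status, user)."""
    env = {"HTTP_X_AUTH_TOKEN": token} if token else {}
    return auth_token(env, other_auth, delay, keystone_up)
```

The failure stays closed: during the outage a Keystone token is rejected with 401 by the downstream stage rather than accepted, and only tokens the second system can validate itself get through.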
Zuul 2019-01-09 10:27:03 +00:00 committed by Gerrit Code Review
parent e9dbb95ccc
commit 3f5494984c
1 changed files with 1 additions and 1 deletions

@ -1 +1 @@
Subproject commit f71642b1f0c432cb575912bed8e43013ce616ad9
Subproject commit 4bc09580070c5f6afa9ef39a3d9d1641de557589
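
Review bot: the two Subproject commit lines move the pointer from f71642b1 to 4bc09580 in one step, and that jump carries behaviour changes alongside CI housekeeping that the pointer change alone cannot show. The commit message lists at least three that affect deployments: audit context now lives in req.environ['audit.context'], revocation list retrieval is dropped, and with delay_auth_decision set a Keystone outage becomes a deferred rejection instead of a 503. Suggest confirming that 4bc09580070c5f6afa9ef39a3d9d1641de557589 is the intended keystonemiddleware master head and that consumers relying on the previous behaviour are covered by release notes before this lands.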