Update git submodules
* Update keystonemiddleware from branch 'master'
  - Merge "Make sure audit middleware use own context"
  - Remove testr.conf as it's been replaced by stestr

    Change-Id: I73e5ed94cdd786d392a6a6b61b8ef4f630715482

  - Make sure audit middleware use own context

    Keystone audit middleware requires to iterate req.context as dict, but Glance requires to access req.context.read_only. When glance enabled audit, they are conflict with each other.

    This patch fix this issue by store audit context in req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <feli5@cisco.com>

  - Trivial: Update pypi url to new url

    Pypi url changed from [1] to [2]

    [1] https://pypi.python.org/pypi/<package>
    [2] https://pypi.org/project/<package>

    Change-Id: Ibb6247bfb2cfe1c77f6841be2773cbff9475e0c6

  - Merge "Added request_id and global_request_id to CADF notifications"
  - Change openstack-dev to openstack-discuss

    Mailinglists have been updated. Openstack-discuss replaces openstack-dev.

    Change-Id: Ic98b7942c1f394a45958c86eb2d091490fc25b1f

  - Merge "Add py36 tox environment"
  - Added request_id and global_request_id to CADF notifications

    Change-Id: I8d571d3414071c68b4fa565dec46cc2d2941331c
    Closes-Bug: #1803940

  - Merge "Stop supporting revocation list"
  - Add py36 tox environment

    We already run python3.6 unit tests in CI. Add the py36 environment to the tox file so that developers with python3.6 available locally can opt into running that version too.

    Change-Id: Ic7aad3d4adfafba226d3b1d1b2106d55135ce6ff

  - Documentation Fix - auth_url Port Number

    Made a small fix to the documentation - replacing the current auth_url port number 35357, in the configuration section of the [keystone_authtoken], with 5000. This was based on an online conversation with Colleen; with the removal of the v2 API from keystone the project now recommends use of port 5000 instead of the previous one.

    Change-Id: I750a4d0e75e0b919fd00ddf21c0e7ce62d495f95

  - Stop supporting revocation list

    With keystone's move to eliminating pki, pkiz, and uuid tokens the revocation list is no longer generated. Keystonemiddleware no longer needs to attempt to retrieve it and reference it.

    Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
    closes-bug: #1361743
    partial-bug: #1649735
    partial-bug: #1736985

  - Fix audit target service selection

    The keystonemiddleware audit code would select the wrong OpenStack service endpoint for a request if the cloud is not using unique TCP ports for each service endpoint. As most services are no longer using a port per service, but instead using unique paths, this caused the audit to select the wrong target service. This leads to incorrect audit logging due to the wrong audit map being used.

    This patch checks the request to see if a TCP port was present in the request, and if not, fall back to using the target_endpoint_type configured in the audit map file.

    Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
    Closes-bug: 1797584

  - Merge "Skip the services with no endpoints when parsing service catalog"
  - Merge "Expect paste.deploy and gnocchi/panko options"
  - Skip the services with no endpoints when parsing service catalog

    When parsing the service catalog to find the source, audit middleware should skip over the services which have no endpoints instead of assuming they will have at least one endpoint.

    Change-Id: I287873e99338d95baaf20d52ecb3a43763a401fc
    Closes-Bug: #1800017

  - Merge "Respect delay_auth_decision when Keystone is unavailable"
  - Respect delay_auth_decision when Keystone is unavailable

    The delay_auth_decision option has two main uses:

    1. Allow a service to provide its own auth mechanism, separate from auth tokens (like Swift's tempurl middleware).
    2. Allow a service to integrate with multiple auth middlewares which may want to use the same X-Auth-Token header.

    The first case works fine even when the service has trouble talking to Keystone -- the client doesn't send an X-Auth-Token header, so we never even attempt to contact Keystone.

    The second case can be problematic, however. The client will provide some token, and we don't know whether it's valid for Keystone, the other auth system, or neither. We have to *try* contacting Keystone, but if that was down we'd previously return a 503 without ever trying the other auth system. As a result, a Keystone failure results in a total system failure.

    Now, when delay_auth_decision is True and we cannot determine whether a token is valid or invalid, we'll instead declare the token invalid and defer the rejection. As a result, Keystone failures only affect Keystone users, and tokens issued by the other auth system may still be validated and used.

    Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c

  - Merge "Use templates for cover and lower-constraints"
  - Merge "Remove tox_install.sh"
  - Use templates for cover and lower-constraints

    Use openstack-tox-cover template, this runs the cover job as non-voting in the check queue only.

    Use openstack-lower-constraints-jobs template

    Remove jobs that are part of the templates.

    Change-Id: I58f3bc27aab2885514b8c6a8379e1c2214bd1afd

  - Remove tox_install.sh

    As part of removing reliance on the old and deprecated zuul-cloner, we need to shift constraints declaration to the deps line. This means we unfortunately have to duplicate the extras declarations into test-requirements - because otherwise the constraints for keystonemiddleware conflicts with the installation of itself.

    Change-Id: I8dbb31d1c1fda6df386f456dcf1d8bbed6d168ce

  - No need to compare CONF content

    When setup AuthProtocol class, if the CONF object contains deprecated options, An Error "dictionary changed size during iteration" will raise when comparing the CONF content.

    Changing "!=" to "is not" here to avoid compare the CONF content anymore.

    Change-Id: I820aa244160db4f81149d2576386c86b46de0084
    Closes-bug: #1789351

  - add lib-forward-testing-python3 test job

    This is a mechanically generated patch to add a functional test job running under Python 3 as part of the python3-first goal.

    See the python3-first goal document for details: https://governance.openstack.org/tc/goals/stein/python3-first.html

    Change-Id: If3765f1d4fa236e37c48a68bcd1093addfc751ff
    Story: #2002586
    Task: #24304

  - add python 3.6 unit test job

    This is a mechanically generated patch to add a unit test job running under Python 3.6 as part of the python3-first goal.

    See the python3-first goal document for details: https://governance.openstack.org/tc/goals/stein/python3-first.html

    Change-Id: I3fcff11f87699cf36aabb37c7ccf9555280927a8
    Story: #2002586
    Task: #24304

  - switch documentation job to new PTI

    This is a mechanically generated patch to switch the documentation jobs to use the new PTI versions of the jobs as part of the python3-first goal.

    See the python3-first goal document for details: https://governance.openstack.org/tc/goals/stein/python3-first.html

    Change-Id: Iee42c4b458e8ae8694efbee7e176cd2f8e8d49cd
    Story: #2002586
    Task: #24304

  - import zuul job settings from project-config

    This is a mechanically generated patch to complete step 1 of moving the zuul job settings out of project-config and into each project repository.

    Because there will be a separate patch on each branch, the branch specifiers for branch-specific jobs have been removed.

    Because this patch is generated by a script, there may be some cosmetic changes to the layout of the YAML file(s) as the contents are normalized.

    See the python3-first goal document for details: https://governance.openstack.org/tc/goals/stein/python3-first.html

    Change-Id: Idf1fdd88a3be46477804ad2fd961f7e1114b600b
    Story: #2002586
    Task: #24304

  - Merge "Handle DiscoveryFailure errors"
  - Merge "add releasenotes to readme.rst"
  - add releasenotes to readme.rst

    Change-Id: Ie30c97327684934ac44d41883070ce22e8aa7a19

  - Handle DiscoveryFailure errors

    DiscoveryFailures can happen for a variety of reasons, ranging from service misconfiguration to a keystone outage to a transient network failure. If we don't catch and handle the failure here, it will almost certainly cause something further up the WSGI stack to send a 500 Internal Error (and likely log a traceback).

    A log line like

        Unable to validate token: Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. Unable to establish connection to http://keystone:35357: HTTPConnectionPool(host='keystone', port=35357): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fc53e22e050>: Failed to establish a new connection: [Errno 111] ECONNREFUSED',))

    should be plenty enough for an operator to assess the situation; I don't need a 29-frame traceback.

    Change-Id: I946388c09b2ca0230d2cef009c679a7ac7c8398f

  - Update reno for stable/rocky

    Change-Id: If387869339f5b1abd91ef73237c9ea48a6fdbf77

  - Replace port 35357 with 5000

    With Keystone v3, the admin (35357) and public (5000) ports are the same and use the same keystone code paths for authentication. This patch set replace 35357 and only uses port 5000

    Change-Id: I596e3a2b29b2954bf7caef6f9408d9b2b4e890ee

  - Merge "Fix KeystoneMiddleware memcachepool abstraction"
  - Fix KeystoneMiddleware memcachepool abstraction

    Keystonemiddleware's abstraction for the memcache pool was broken when converting to use a queue.Queue. The logic that placed the connection back into the pool was moved to .acquire and the reserve method was not using acquire.

    Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
    Closes-Bug: #1782404

  - Document endpoint interface and region behavior

    After some debugging following [0] to figure out why ksm was not connecting to the specified auth_url, found out that ksm connects to the identity server on the 'admin' interface [1] after authenticating with auth_url and fetching the catalog if keystoneauth is being used. Otherwise it connects on identity_uri and disregards the service catalog [2]. This behavior was not documented.

    [0]. http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-09-19.log.html#t2017-09-19T17:50:06
    [1].d1b7a1f092/keystonemiddleware/auth_token/__init__.py (L936-L938)
    [2].d1b7a1f092/keystonemiddleware/auth_token/_auth.py (L121-L130)

    Change-Id: Ide40835de856012ac4dd71975beac9d32771f356

  - Merge "fix tox python3 overrides"
  - Merge "Follow the new PTI for document build"
  - fix tox python3 overrides

    We want to default to running all tox environments under python 3, so set the basepython value in each environment.

    We do not want to specify a minor version number, because we do not want to have to update the file every time we upgrade python.

    We do not want to set the override once in testenv, because that breaks the more specific versions used in default environments like py35 and py36.

    Change-Id: I21491f302cbc6ca7a9b5ac12c487cf214bf4866e
    Signed-off-by: Doug Hellmann <doug@doughellmann.com>

  - Merge "Don't rely on pbr ChangeLog for docs"
  - Merge "Switch coverage tox env to stestr"
  - Follow the new PTI for document build

    For compliance with the Project Testing Interface as described in:

    https://governance.openstack.org/tc/reference/project-testing-interface.html
    http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
    http://lists.openstack.org/pipermail/openstack-dev/2018-March/128594.html

    Co-Authored-By: Nguyen Hai <nguyentrihai93@gmail.com>
    Change-Id: Ia0a27229f09467980ff4af014001febb017bb36d

  - Switch coverage tox env to stestr

    We already switched the unit tests to follow the updated PTI guidelines[1] but neglected to switch the coverage environment. Do that now.

    [1] https://governance.openstack.org/tc/reference/pti/python.html#python-test-running

    Change-Id: Ie153516196f18c030ea58e76a0eac15c86169c6b

  - Fix the title in index.rst

    The titles in the index.rst can't be shown in the webpage. This patch adds them back.

    Change-Id: I56febf6cb137b7f6dbc05365d48159be36d18c13

  - Don't rely on pbr ChangeLog for docs

    The ChangeLog file is generated when we run `python setup.py sdist`, which doesn't naturally happen when we run `tox -edocs`, so on a fresh clone the docs build will fail because it references the ChangeLog file which isn't there. Since we don't rely on pbr any more for release notes and we have a sophisticated release note management tool, point the docs at the published release notes instead of the pbr ChangeLog.

    Change-Id: I614091eae739154337795a8f120b68686ad0ed0a

  - Merge "Introduce new header for system-scoped tokens"
  - Introduce new header for system-scoped tokens

    Keystonemiddleware attempts to parse user/service tokens and populate request headers for other services to consume. This information is important for services looking to build oslo.context objects from request environments.

    Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
    Closes-Bug: 1766731

  - Imported Translations from Zanata

    For more information about this automatic import see: https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

    Change-Id: I27a90c1f3132af5cbbeb18a6e59f88f5fe387a36

  - Merge "Double quote www_authenticate_uri"
  - Merge "Only include response body if there's a response"
  - Merge "Remove empty files"
  - Merge "Properly zero out max_retries in test_http_error_not_cached_token"
  - Fix the doc CI failure

    CI job now uses pip >= 10.0.0 to install the package. In pip >= 10.0.0, if the package name is missing, the command "pip install -U" returns error, but in pip < 10.0.0 it just logs warning. So this patch make sure the package name exists first.

    Change-Id: Id900640a7133f837ece8c6c0e7d2e4c17665a53d

  - Double quote www_authenticate_uri

    Based on the RFCs[1], in http header, a string of text is parsed as a single value if it is quoted using double-quote marks.

    This patch change the single quote to double quote in the header "WWW-Authenticate" which is returned when 401 error raises.

    [1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
         https://tools.ietf.org/html/rfc7235#section-2.1

    Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
    Closes-bug: #1762362

  - Only include response body if there's a response

    When handling timeouts talking to the keystone server, you may see log messages like

        authtoken: Bad response code while validating token: 408
        authtoken: Token validation failure.
        <traceback>
        AttributeError: 'NoneType' object has no attribute 'text'

    Since there's no response from the server when keystoneclient raises RequestTimeout [1], the `response` attribute is understandably None.

    Now, only log the response text if there's text to log. Additionally, log the response message (as well as status code) to provide as much context as we can for the error.

    [1] https://github.com/openstack/python-keystoneclient/blob/3.15.0/keystoneclient/session.py#L469

    Change-Id: Id400e4c38d07cbe7e1866dd572a17fc54c31e82a

  - Properly zero out max_retries in test_http_error_not_cached_token

    Previously, we'd set _http_request_max_retries to 0, but that attribute was removed in 1.3.0.

    Now, test runs are several seconds faster when tests are executed serially.

    Related-Change: Id092e8f42f843dbfbc1c30589b50ba341ccf4aae
    Change-Id: I61d9b9617b1118d0696435d028bbda7a6c119bf8

  - add lower-constraints job

    Create a tox environment for running the unit tests against the lower bounds of the dependencies.

    Create a lower-constraints.txt to be used to enforce the lower bounds in those tests.

    Add openstack-tox-lower-constraints job to the zuul configuration.

    See http://lists.openstack.org/pipermail/openstack-dev/2018-March/128352.html for more details.

    Change-Id: Ief8bbf14effa1266c62c4600f889a18f1fdbde32
    Depends-On: https://review.openstack.org/555034
    Signed-off-by: Doug Hellmann <doug@doughellmann.com>

  - Remove empty files

    examples/pki/cms/revocation_list.der is empty file. We probably should delete it.

    Change-Id: I15da1d514de07b76cf20d8fdf95cb11ffe816a70

  - Expect paste.deploy and gnocchi/panko options

    The authtoken middleware has been printing warning log messages to the API logs for all services, reporting unexpected conf keys. This was traced back to paste.deploy adding 'here' and '__file__' and both gnocchi and panko adding 'configkey' keys in wsgi apps though these do not actually exist in the conf file. This change allows for those keys without printing a warning that unnecessarily confuses operators.

    But it's kind of a hack, especially the configkey bit. We shouldn't have to know about gnocchi/panko specifics like this. And it doesn't address the comment in the bug about what is seen for ironic. So I think there will still be more to do here.

    Change-Id: I678482309c7dd35ce147bebf13ebefc84251fe91
    Partial-Bug: 1722444
This commit is contained in:
parent
e9dbb95ccc
commit
3f5494984c
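
The delay_auth_decision entry in the commit message above describes two auth layers sharing the X-Auth-Token header and what happens to each when Keystone is unreachable. The following is an added example, not keystonemiddleware code: a simplified WSGI model of the outage path only, in which `KeystoneDown`, `other_auth`, `keystone_outage` and the sample tokens are assumptions made for illustration.

```python
# Simplified WSGI model of the behaviour described above; not keystonemiddleware code.
class KeystoneDown(Exception):
    """Hypothetical: the identity service could not be reached."""

def reply(start_response, status):
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]

def keystone_auth(app, validate, delay_auth_decision):
    """First auth layer: checks X-Auth-Token against the identity service."""
    def middleware(environ, start_response):
        environ["HTTP_X_IDENTITY_STATUS"] = "Invalid"  # discard any client-sent value
        token = environ.get("HTTP_X_AUTH_TOKEN")
        try:
            if token is not None:
                validate(token)
                environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        except KeystoneDown:
            # Validity is unknown. Without delay_auth_decision: 503 now.
            # With it: leave the status "Invalid" and defer the rejection.
            if not delay_auth_decision:
                return reply(start_response, "503 Service Unavailable")
        if environ["HTTP_X_IDENTITY_STATUS"] == "Invalid" and not delay_auth_decision:
            return reply(start_response, "401 Unauthorized")
        return app(environ, start_response)
    return middleware

def other_auth(app, local_tokens):
    """Second auth system on the same header; makes the deferred decision."""
    def middleware(environ, start_response):
        confirmed = environ.get("HTTP_X_IDENTITY_STATUS") == "Confirmed"
        if confirmed or environ.get("HTTP_X_AUTH_TOKEN") in local_tokens:
            return app(environ, start_response)
        return reply(start_response, "401 Unauthorized")
    return middleware

def service(environ, start_response):
    return reply(start_response, "200 OK")

def keystone_outage(token):
    raise KeystoneDown("connection refused")  # constructed outage

def request(delay_auth_decision, token):
    """Run one request through the stack during the outage; return the status."""
    stack = keystone_auth(other_auth(service, {"local-abc"}), keystone_outage, delay_auth_decision)
    seen = []
    stack({"REQUEST_METHOD": "GET", "HTTP_X_AUTH_TOKEN": token}, lambda s, h: seen.append(s))
    return seen[0]
```

In this model the unverifiable token is never marked "Confirmed", so the deferral fails closed: only a token the second layer recognises on its own gets through.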
|
@ -1 +1 @@
|
|||
Subproject commit f71642b1f0c432cb575912bed8e43013ce616ad9
|
||||
Subproject commit 4bc09580070c5f6afa9ef39a3d9d1641de557589
|
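Review bot: the one-line gitlink change from f71642b1f0c4 to 4bc09580070c is the entire diff, so the behaviour changes named in the message cannot be checked from it: the delay_auth_decision entry replaces a 503 with a deferred rejection when Keystone is unreachable, and the revocation list entry drops a lookup the middleware used to attempt. Suggest listing those entries ahead of the CI and documentation items in the message, and reviewing the range in the submodule itself with `git log f71642b1..4bc09580`.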