57 Commits

Author SHA1 Message Date
Brant Knudson
86ac254fee Change oslo.serialization to oslo_serialization
The oslo libraries are moving away from namespace packages.

bp drop-namespace-packages

Change-Id: I76dc9f733b222144f0274f8854877587c3501d1e
2015-01-31 08:03:37 -06:00
Brant Knudson
ab09d3eb5f Switch from oslo.utils to oslo_utils
oslo_utils moved out of the oslo namespace.

bp drop-namespace-packages

Change-Id: I72e67dc1f649ba137dd06f5ab7133858c6abd67d
2015-01-31 08:03:37 -06:00
Jamie Lennox
496a0efc43 Surface the user_id and project_id beyond the plugin
Having the user_id and project_id exposed in the plugin is a good first
step however we don't really expect the user to be interacting with the
plugins directly often - particularly as you need to pass session to the
methods.

Exposing get_user_id and get_project_id on the session and the adapter
in this way is very similar to the way we expose get_token and
get_endpoint on the session and adapter for use higher up.

Related-Bug: #1364724
Change-Id: If2f868c3ddc19133f18446e74f8e1b560a4798fa
2015-01-23 10:41:07 +10:00
Sean Dague
453e926322 don't log service catalog in every token response
The whole service catalog is embedded in every token, and by default
all token responses are logged at DEBUG. This adds a huge amount of
basically const data into system logs, over and over and over again.

We should not log the service catalog by default on every token
response. The following replaces the service catalog with the token
<removed>.

This reduces the compressed logs of API services by about 1/3.

Change-Id: I95832d0f13ca93c4618784da9d1eb9ca166cae53
2015-01-09 18:43:00 -05:00
Jenkins
b9f17e3bbb Merge "Log the CA cert with the debug statement" 2014-12-11 23:49:24 +00:00
Brant Knudson
cc0c93fc0c Correct Session docstring
The online docs for the Session class are unusable because the
arguments to __init__ were not displayed.

This and other issues in the docstrings for the class are corrected.

Change-Id: Ia03b785f132f7d21ba576c0c8d634051d7127319
2014-12-04 19:04:14 -06:00
Jenkins
41afe3c963 Merge "Docstring cleanup for return type" 2014-12-02 01:46:24 +00:00
sridhargaddam
c859cb71c2 Curl statements to include globoff for IPv6 URLs
python-keystoneclient displays curl statements for debugging/troubleshooting
purposes. For IPv6 URLs, curl requires --globoff to be passed in the
arguments. Since keystoneclient does not use curl directly, this patch
displays the curl commands with globoff option which works for both
IPv4 and IPv6 URLs.
Fix adapted from python-novaclient Ib7099e8e3bbc15f29bbaa1db37ef21e78a74e7bc

Closes-Bug: #1228744
Change-Id: Ia05e622dea653597d412ffe0987077616fbb18af
2014-11-24 06:47:15 +00:00
Jenkins
2e900a9347 Merge "Cleanup docs - raises class" 2014-11-18 19:18:13 +00:00
Brant Knudson
fece74ca3e I18n
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.

DocImpact

Implements: blueprint keystoneclient-i18n

Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-28 20:33:19 +00:00
Jamie Lennox
89d9411afd Log the CA cert with the debug statement
If you are using a custom CA bundle rather than the default OS one then
we should log that as part of the curl statement to make debugging
easier.

Change-Id: I1a6ded02b75a3bc9b1ca880db8a9b9b460d36774
2014-10-24 14:44:37 +02:00
Brant Knudson
14a6d80116 Cleanup docs - raises class
The argument to the :raises: directive is the class name. If the
class name is a valid reference it's rendered as a link to the
class. This change cleans up the :raises: directives to use the
reference correctly and use a valid class reference.

Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
2014-10-18 17:59:08 -05:00
Brant Knudson
3f1ba9f007 Docstring cleanup for return type
The :returns: directive doesn't take an argument. To specify the
return type, use the :rtype: directive.

Change-Id: I3aaab824792333b3f75a10af92f5b712cc9b4ff6
2014-10-15 12:24:52 -05:00
Steve Martinelli
802301ca17 Use oslo.utils and oslo.serialization
Left timeutils and strutils in openstack/common since they are used in
openstack/common/apiclient and memorycache.

Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
2014-10-15 04:25:50 +00:00
Brant Knudson
23d20452d2 Log token with sha1
By logging the sha1 hash of the token, it can be tracked through
different services.

Closes-bug: #1329301
Change-Id: I9c338f6a418ab8dd34dbaaf918b0ea6e9cbe79d7
2014-10-02 22:14:14 +00:00
ankitagrawal
ebeca911fa Redact x-subject-token from response headers
When you invoke any OpenStack API of any of the OpenStack services
e.g. glance, neutron, cinder, heat, ceilometer, nova, keystone
then it logs readable x-subject-token at the debug log level in the
respective log files.

Simply redacting the x-subject-token in keystone client response header
before logging it.

SecurityImpact
Closes-Bug: #1371355
Change-Id: Iac16c6358250677544761beea9f5c5d8ba29afac
2014-09-24 23:52:46 -07:00
Jamie Lennox
b5a435b9ab Allow retrying some failed requests
Connection Errors can be transient and there are many clients (including
auth_token middleware) that allow retrying requests that fail.

We should support this in the session, disabled by default, rather than
have multiple implementations for it.

For the moment I have purposefully not added it as an option to
Session.__init__ though I can see arguments for it. This can be added
later if there becomes a particular need.

I have also purposefully distinguished between Connection Errors (and
connect_retries) and HTTP errors. I don't know a good way to generalize
retrying on HTTP errors and they can be added later if required.

Blueprint: session-retries
Change-Id: Ia219636663980433ddb9c00c6df7c8477df4ef99
2014-09-16 10:59:29 +10:00
Jamie Lennox
22a93fceb4 Allow providing an endpoint_override to requests
As much as I'd prefer not to need this functionality there are plenty of
existing clients that we want to have use the adapter that can accept a
bypass argument such that it ignores the service catalog and uses that
URL for all requests.

We therefore need to be able to support similar functionality in our
adapter.

Change-Id: I206705241ff9b84967d0d9c089b4795bcc26b65e
2014-09-01 10:48:32 +10:00
Jenkins
aee756708b Merge "Move fake session to HTTPClient" 2014-08-26 00:24:08 +00:00
Jamie Lennox
8fcacdc7c7 Move fake session to HTTPClient
The fake session object is to prevent a cyclical dependency between
HTTPClient and the session from leaving hanging session objects around.

This is still necessary if you construct a client the old way however if
you are using the session properly then there is no cyclical dependency
and so we shouldn't prevent people using the connection pooling
advantages of the session.

Related-Bug: #1282089
Change-Id: Ifca2c7ddd95a81af01ee43246ecc8e74abf95602
2014-08-21 05:29:49 +00:00
Matt Riedemann
181a466245 Revert "Use oslo.utils"
This reverts commit 68c2fad55a71ca511ff959e589aa0a3f3dbd4b78.

Looks like this broke the stable branches. :(

Change-Id: I9d190e211ecfa80d573a6c48c0b485f3506fe947
Closes-Bug: #1357652
2014-08-17 13:52:12 -07:00
Brant Knudson
68c2fad55a Use oslo.utils
keystoneclient was using utility function from oslo-incubator
rather than oslo.utils.

Change-Id: I2909a2150b9556e54ef88e72358fda1cf8b7cc1c
2014-08-05 18:01:54 -05:00
Brant Knudson
605577192d Redact tokens in request headers
Tokens shouldn't be logged since a token could be gathered from a
log file and used. The client was logging the X-Auth-Token and
X-Subject-Token request headers. With this change, the X-Auth-Token
and X-Subject-Token are shown as "TOKEN_REDACTED".

The "Authentication" header is also redacted.

This is for security hardening.

SecurityImpact

Closes-Bug: #1004114
Closes-Bug: #1327019

Change-Id: I1edc3821ed028471102cc9b95eb9f3b54c9e2778
2014-07-30 15:06:46 -05:00
Jamie Lennox
0e9ecaa154 Don't log sensitive auth data
Add the ability to turn off logging from the session object and then
handle logging of auth requests within their own sections.  This is a
very simplistic ability to completely disable logging.  Logging more
filtered debugging can be added later.

This new ability is utilized in this patch to prevent logging of
requests that include passwords.  This covers authenticate, password
change, and user update requests that include passwords.

SecurityImpact
Change-Id: I3dabb94ab047e86b8730e73416c1a1c333688489
Closes-Bug: #1004114
Closes-Bug: #1327019
2014-07-24 07:47:34 -07:00
Jenkins
3e88c35cd7 Merge "Add profiling support to keystoneclient" 2014-07-04 20:14:38 +00:00
Boris Pavlovic
2f21463af9 Add profiling support to keystoneclient
To be able to create profiling traces for Keystone, client should be
able to send special HTTP header that contains trace info.
This patch is as well important to be able to make cross project
traces. (Typical case nova calls keystone via python client, if
profiler is initialized in nova, keystone client will add extra
header, that will be parsed by special osprofiler middleware in keystone
api)

Don't worry, there is no security issue here: trace information is signed by an
HMAC key that is set in api-paste.ini. So only a person who knows the HMAC key
is able to send a proper header.

Change-Id: Ide6fe268613bb0cc9d9ec6fae2957cc570e9f851
2014-07-04 04:16:23 +00:00
Jamie Lennox
548c15f7f7 Session loading from CLI options
We will want this to standardize session loading amongst the various
CLIs.

Implements: blueprint standard-client-params
Change-Id: Icc740db6d471a0953b7946e00e6317802b6d2255
2014-07-02 04:43:21 +10:00
Jamie Lennox
fe0c2f926a Session loading from conf
Allow loading session objects from oslo.config. We want a generic way to
do this for auth_token middleware and for servers creating session
objects for inter-service communication.

DocImpact: This is the first step in standardizing all the config
options across projects. There are no changes to the config options that
keystoneclient actually consumes in this review.

Implements: blueprint standard-client-params
Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
2014-07-02 04:43:21 +10:00
Jamie Lennox
5932fe1f83 Auth Plugin invalidation
To allow session to re-fetch a token on an Unauthorized call we add an
invalidate method to auth plugins that is expected to flush all the
current authentication data from the plugin such that it will be
refreshed on next request.

This is then used to reissue requests from session when an Unauthorized
is called.

Change-Id: I98fa76fd67e97dc0a8c1ec0bf734792c337b5177
blueprint: keystoneclient-auth-token
2014-05-23 13:36:02 +10:00
David Stanek
0e659c050e Fixes an erroneous type check in a test
The latest version of requests changes the type of a Response's history.
See https://github.com/kennethreitz/requests/commit/b8128d6

Closes-Bug: #1321042
Change-Id: Iba9fa20d22d878a4298a35e270338ee442031796
2014-05-20 01:38:46 +00:00
Christian Berendt
b530800649 fixed typos found by RETF rules
rules are available at https://en.wikipedia.org/wiki/Wikipedia:AutoWikiBrowser/Typos

Change-Id: I67fb3e0d02c931cb7e605ac74ea8272956afa8e1
2014-05-03 09:54:39 +02:00
Jenkins
b333d66da8 Merge "Allow session to return an error response object" 2014-04-17 02:35:04 +00:00
Jamie Lennox
ce92f37f0b Rename HTTPError -> HttpError
With the move to the apiclient exceptions from oslo the basic HTTP error
class was renamed. This was not reflected in all places in the code.

It was also not picked up by the tests because the apiclient tests
weren't running due to a missing __init__.py file. Because this should
be backwards compatible it was added to the list in exceptions, the
check that this is available is in the (now running) apiclient tests.

Blueprint: common-client-library-2
Change-Id: I307c1083f29e3207cc86aa938043270e5c32b4bb
2014-04-15 09:38:20 +10:00
Jamie Lennox
4f1d25e489 Allow session to return an error response object
Typically we want to have exceptions thrown when dealing with requests
that return an HTTP error. However when looking at integrating the
session object with other clients it becomes apparent that the exception
handling is sufficiently different that it is best for now to let the
existing error handling work.

Add an option to return the failed request rather than raise an
exception so existing clients can do their own error handling.

Blueprint: session-propagation
DocImpact: New session parameter.
Change-Id: I63ea034e7c6eaaf42d4329526a902677a8dd709d
2014-04-14 09:38:14 +10:00
Jenkins
61322a3fee Merge "Allow passing auth plugin as a parameter" 2014-04-08 21:29:33 +00:00
Jamie Lennox
71e6486a3e Allow passing auth plugin as a parameter
This further separates the concept of session and auth plugin so that
the session can be a completely standalone transport layer.

This is similar to how requests handles things. You can install an auth
plugin on the session object and then everything that works through the
session will be authenticated or you can specify the auth plugin per
request and only authenticate that request.

Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-04-08 16:18:06 +10:00
Andrey Kurilin
61544f01d4 Reuse module exceptions from Oslo
The exception module in oslo common code and in keystoneclient are similar.
In case of unification openstack clients, we should use modules from Oslo.

Changes of this patch:
- imported exceptions from common code instead of `apiclient.exception`
- added aliases for exceptions which were renamed
(reason: backwards compatibility)
- moved exceptions `EmptyCatalog` from `apiclient.exception` to `exceptions`
- cleaned `apiclient.exception` from duplicated exceptions
- `apiclient.__init__` and `apiclient.exceptions` are kept and labeled as
'deprecated'(reason: backwards compatibility)

bp common-client-library-2

Change-Id: Iedf4e5d753d4278d81751ba0f55fdef3566b56de
2014-04-01 08:26:47 +03:00
Jenkins
93b08d8f01 Merge "Handle URLs via the session and auth_plugins" 2014-03-25 20:03:40 +00:00
Jamie Lennox
b07fbb91c6 Handle URLs via the session and auth_plugins
In the future clients will simply pass the service they expect to talk
to and the path. This will prevent every service trying to get their own
base urls from the service catalog individually.

This can later be extended to have the auth plugin actually contact the
URL from the service catalog which will let us have unversioned
endpoints in the catalog handled from a single location.

Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5
blueprint: auth-plugin-endpoints
2014-03-25 12:32:23 -05:00
Jamie Lennox
0788f53fa1 Start using positional decorator
Apply the positional decorator to functions. It has been added as I
think best practice would dictate, though in some places it has been
added in a way that doesn't break existing tests.

Closes-Bug: #1295881
Change-Id: I4f7ddbede4cba4ab79d144ad1f9dc83ea76f204a
2014-03-25 14:28:23 +10:00
Jamie Lennox
6d1f907061 Don't use a connection pool unless provided
To prevent left over TCP connections from keystoneclient not correctly
cleaning up we shouldn't use a connection pool. This is not ideal but it
was a relatively new addition so shouldn't affect performance.

When we are able to find a long term solution to keystoneclient's other
problems we can move back to using a connection pool.

Change-Id: I45678ef89b88eea90ea04de1e3170f584b51fd8f
Closes-Bug: #1282089
2014-03-21 16:59:09 +10:00
Jamie Lennox
96b8e81b1d Create V2 Auth Plugins
Extract the authentication code from a v2 client and move it to a series
of auth plugins. Auth plugins each represent one method of
authenticating with a server and there is a factory method on the base
class to select the appropriate plugin from a group of arguments.

When a v2 client wants to do authentication it will create
a new v2 auth plugin, do the authentication and then take that result
for the client to use.

Change-Id: I4dd7474643ed5c2a3204ea2ec56029f926010c2c
blueprint: auth-plugins
2014-02-21 12:31:35 +10:00
Jenkins
ef69e08078 Merge "Remove vim header" 2014-02-13 03:43:31 +00:00
Jenkins
5b3342d570 Merge "Fix debug curl commands for included data" 2014-02-12 06:48:29 +00:00
Jenkins
c1adff769e Merge "Add back --insecure option to CURL debug" 2014-02-12 06:40:29 +00:00
Eric Guo
d6d0d66374 Remove vim header
We don't need vim modelines in each source file, it can be set in
user's vimrc.

Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae
Closes-Bug: #1229324
2014-02-08 22:22:08 +08:00
Jamie Lennox
96267731ec Create Authentication Plugins
Provides the framework for creating authentication plugins and using
them from a session object.

To allow this system to co-exist with the original client there is a bit
of a hack. The client object itself is now also an authentication
plugin, that supports the original client pattern. If a client is
created without a session object then that session object uses the
client as its authentication plugin.

Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12
blueprint: auth-plugins
2014-02-04 14:29:15 +10:00
Jamie Lennox
06e3420dca Fix debug curl commands for included data
Include the submitted data in the curl debug statement.
Initially fixed in: https://review.openstack.org/#/c/53501

Change-Id: I4e3e9e4799a508666fb37fafe864eea25b676836
Closes-Bug: #1249891
2014-02-04 02:05:30 +00:00
Jamie Lennox
d4edb09639 Add back --insecure option to CURL debug
This was added in review: https://review.openstack.org/#/c/53500 but
lost in the conversion to using session. Add it back again.

Change-Id: Ia063eb018d3a7da706a02d60df63bfa1be21d147
Related-Bug: #1249891
2014-02-04 12:04:20 +10:00
Jamie Lennox
1263bd7c3a Provide a conversion function for creating session
Session.construct will create a session based upon the kwargs that used
to be passed to a client __init__ function. This will allow clients an
easy path to providing compatibility with deprecated arguments.

Make use of the function throughout discovery. Discovery was initially
released prior to the session object being completed and was therefore
handled with the same arguments as a client. Instead we should use a
session object so use the conversion function to convert those kwargs
into a session object if one is not provided.

Change-Id: I8dc1e0810ea6ebc6ea648ec37d7881825c566676
2014-02-03 13:42:53 +10:00