issued_at is a standard part of V2 and V3 tokens so add it to
AccessInfo in a similar way to expiry. Also it should be included when
generating tokens so include it in fixtures.
Change-Id: I0d62d8ce6472466886751e10e98046b8e398e079
All the clients are currently storing samples of keystone tokens so that
they can use them in testing. This is bad as they are often out of date
or contain data that they shouldn't.
Create a V2 Token generator and make use of that for generating tokens
within our tests.
Change-Id: I72928692142c967d13391752ba57b3bdf7c1feab
blueprint: share-tokens
A new method was introduced on AccessInfo class. The method role_names
returns a list of role names of a user associated to the authorization
request.
bp keystoneclient-auth-ref-get-roles
DocImpact
Change-Id: I0862aaaa27193119dc83ef38100c88b48a1d24a4
Region name is taken as a parameter but is ignored in all communication
with the service catalog. Currently region can be stored in the token
data and then requests to url functions will return the appropriate
region. This is the wrong approach because there is nothing specific to
the token (or auth_data) that is region specific. Instead region
information should be held by the client.
Closes-Bug: 1147530
Closes-Bug: 1255992
Change-Id: I812aa89c8b4af28e294e63926a7f88e8246fffc5
It should be possible to authenticate against the v2 tokens
API with a trust_id, because it supports rescoping an existing
token to a trust. This patch adds client support for this.
Note with the current keystone code it's necessary to pass the
trustor tenant ID when rescoping with a trust where
impersonation==True, e.g.:

    c = client_v2.Client(username=TRUSTEE_USERNAME,
                         password=TRUSTEE_USERNAME,
                         tenant_name=TRUSTEE_TENANT_NAME,
                         auth_url=OS_AUTH_URL_V2)
    c.authenticate(trust_id=trust_i.id, tenant_id=TRUSTOR_TENANT_ID)

Change-Id: I177c41af298b7437e2c6fb437aa9ce9a09773b9d
Closes-Bug: #1231483
Closes-Bug: #1217777
Method has_service_catalog is duplicate in AccessInfo, remove the
first one because this class is used as a base class.
Change-Id: Id5f6f0cfe223bd4f31b7c01a6bc1e750ad5a7cd8
user_domain_id and project_domain_id are already available, so simply
add an equivalent user_domain_name and project_domain_name if available.
The use of 'default' for v2 tokens is inspired by the default behaviour of
similar functions and what is used in auth_token middleware.
Change-Id: Ia9b345529072ab893d04c7a38fb7ba3acdc28227
Older token formats get decoded as a v2 token so we should support
reading project information from these tokens.
Change-Id: I31473a00b294bd0d7b535cfab8d2eaf09db97ff5
Implements client support for the basic trusts API operations,
note this does not include support for the roles subpath operations,
support for those can be added in a subsequent patch.
Change-Id: I0c6ba12bad5cc8f3f10697d2a3dcf4f3be8c7ece
blueprint: delegation-impersonation-support
Added support for domain scoping.
Enhancement on AccessInfo to support reading v2/v3 token information.
Enhancement on ServiceCatalog for reading/filtering v2/v3 service
catalog information.
Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
- E125: continuation line does not distinguish itself from next logical
line
- E126: continuation line over-indented for hanging indent
Change-Id: I626a6d5d57db927e8b239f90569b5601c772f28b
- There's no need to call parent init function since that's the default
behaviour.
- The token attribute is neither used nor updated anywhere.
Change-Id: Ib0b2729a396a2d761931ce0e178c49c49814eb21
Signed-off-by: Julien Danjou <julien@danjou.info>
User can optionally turn off keyring by specifying the --no-cache option.
It can also be disabled with environment variable OS-NO-CACHE.
Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
blueprint solidify-python-api
* extended and updated documentation strings
* updated README.rst with latest options
* made debug a pass-through value, optionally set on client (instead of
just being pulled from environment variable)
* adding AccessInfo object and associated tests
(access.AccessInfo meant to be a cacheable object external to client
and ultimately to replace service_catalog and its existing functionality)
* extending authtoken to support lists of endpoints
* maintaining a single entity for client.management_url with first from
list of possible endpoints
* create project_name and project_id synonyms to match tenant_name and
tenant_id
* replacing authenticate call to a pure method, not overloading the
resource/manager path that confuses base URL concepts.
* throw AuthorizationFailure if client attempts to access keystone
resources before it has a management url
* special case listing tenant using auth_url for unscoped tokens authorized
through client
* special case listing tokens.authenticate for Dashboard to allow unscoped
tokens to hand back parity information to dashboard
Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3