Apart from making keystoneclient follow the same patterns of using an
adapter that we are trying to push onto other clients this severs the
cyclical dependency between managers and the client object.
There are a few changes that have had to be rolled into one to make the
transition work. These can't be separated unfortunately as they are
interdependent.
* managers are now passed the adapter instead of the client. They
therefore don't have reference to the other managers on the client.
* The adapter has been subclassed to provide user_id as there are some
managers that require user_id be provided for changing passwords etc.
* client.auth_url has been replaced with a call to get_endpoint which is
supported by the adapter.
* management=True has been removed from all the managers and they now
correctly set the interface they want.
Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
Keystoneclient didn't provide translated messages. With this
change, the messages are marked for translation.
DocImpact
Implements: blueprint keystoneclient-i18n
Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
The argument to the :raises: directive is the class name. If the
class name is a valid reference it's rendered as a link to the
class. This change cleans up the :raises: directives to use the
reference correctly and use a valid class reference.
Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
Left timeutils and strutils in openstack/common since they are used in
openstack/common/apiclient and memorycache.
Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
This adds the client library class for the endpoint policy extension.
Implements: bp endpoint-policy
Change-Id: I7153d7a093f4299d7f912b0b4a9a02ffacdb9e69
The keystoneclient docstrings should give guidance for an
application developer to actually use the library. Here's a start.
Partial-Bug: #1330769
Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
This was a simple factory that would give compatibility for the existing
client to load up the appropriate auth plugin. A more robust plugin
loading mechanism is coming for this and having it available encourages
other auth plugins that they should be using that where they shouldn't.
Just remove it from the auth plugin class. It shouldn't be used by
anyone else so lets keep it on the client objects.
Blueprint: plugin-params
Change-Id: I0618b646f302300d41c7dd7153a1c0bdc237a745
This patch adds role assignments list support
to keystoneclient.
Created RoleAssignment resource and RoleAssignmentManager
classes. RoleAssignmentManager only implements the list()
method, the other inherited methods from base.CrudManager
raises a MethodNotImplemented error with customized messages.
This bp is complimented with the OSC part:
https://blueprints.launchpad.net/python-openstackclient/+spec/roles-assignment-list
Change-Id: I164b58b67ff42320238e943ddfa9d0a8aadd0a6d
Implements: blueprint roles-assignment-support
Closes-Bug: #1246310
Add support for creating request and access tokens,
and to authorize request tokens. Also adding basic CRUD for
consumer entities.
DocImpact
Change-Id: Ib9d0b223f202a7e33cbad1602da5be7479cd3284
implements: bp add-oauth-support
The Domain Quota Management Driver uses the V3 Authentication Token.
Also, it tries to contact Keystone for getting list of projects in a
domain using V3 API like /v3/projects?domain_id=<id>. But the
keystone v3/client.py default uses V2 API and hence code changed
to convert V2 endpoints for V3 endpoints. This change is required
to implement blue print domain-quota-driver-api
Change-Id: If62ffc5e5252477bbe4d80f14c0a7653e11d5403
Closes-Bug: 1260916
In the future clients will simply pass the service they expect to talk
to and the path. This will prevent every service trying to get their own
base urls from the service catalog individually.
This can later be extended to have the auth plugin actually contact the
URL from the service catalog which will let us have unversioned
endpoints in the catalog handled from a single location.
Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5
blueprint: auth-plugin-endpoints
This reverts commit 2e7bdb872e9660178451f71b35976a980f047300.
This commit I9137e3426c82c73855ae0e50317cfd6477195318 is the second
patch that broke stable/havana by introducing a dependency on oauthlib,
but oauthlib isn't in the stable/havana branch of global dependencies
(fix in progress Ib2e2aa2e75e7b7b43e0534eeb62e748d1edc0bc3). And we use
trunk clients in stable/havana gate jobs. So this patch broke both heat
and horizon, both of which import this file to support keystone's v3 API.
This is the final patch in reverting bp add-oauth-support.
Commit subject was (but exceeds maximum pep8 subject length):
Revert "Add request/access token and consumer support for keystoneclient"
Fixes-Bug: #1292797
Change-Id: Ib45fb39b01ddcf5c8fc0179811efded84c0cb908
Add support for creating request and access tokens,
and to authorize request tokens. Also adding basic CRUD for
consumer entities.
implements: bp add-oauth-support
Change-Id: I9137e3426c82c73855ae0e50317cfd6477195318
Privatize some of the automatic auth plugin construction work. At some
point we are going to need to have this pluggable and i'm not sure the
current methods will suffice. It's better to keep this private until we
are sure rather than be stuck with a public API.
Change-Id: I2a10a9b28bef6c094b1330a0524f1c516f5103fd
Closes-Bug: #1287488
Extract the authentication code from a v3 client and move it to a series
of auth plugins. As v3 authentication can contain multiple
authentication methods this concept is represented by an AuthMethod. An
auth plugin then is provided with multiple mechanisms to authenticate
with.
There is also some helper class for the standard case where you only
need to authenticate with one method.
When a v3 client wants to do authentication it will create a new v3 auth
plugin, do the authentication and then take that result for the client
to use.
Change-Id: I5fa6a6e1c2e114e1428e35b723700c63a3cbed44
blueprint: auth-plugins
When deprecating the use of management_url from service_catalog we
updated the management_url setter for the project scoped token, however
we missed the domain scoped token case.
There is actually nothing we can do here to test this scenario as the
backwards compatibility code that was installed handles this for us and
there is no problem, however we should not be internally relying on
deprecated code.
Change-Id: I59bac4d9d74f2eb8bc6edd40518c7cd5a4fe1343
This patch adjust import items and add missing blank lines acording
to http://docs.openstack.org/developer/hacking/#imports
{{stdlib imports in human alphabetical order}}
\n
{{third-party lib imports in human alphabetical order}}
\n
{{project imports in human alphabetical order}}
\n
\n
{{begin your code}}
hacking project also enforce some checks for import group.
Let make the change in keytoneclient
Change-Id: Ic83bd5ee426905588f4a2d555851a9a01fc69f02
Setting management_url is intended to mean that this is an overriding
URL not one received from the service catalog. This was fixed for
project scoped tokens but was missed from domain scoped tokens.
Change-Id: I8484f4a26a5695ef7ae962918ad442fe20bd2caa
Related Change: I2fa41e2ae1b853bbb254698cf94b9314eb0f0903
Related-Bug: #1252927
Region name is taken as a parameter but is ignored in all communication
with the service catalog. Currently region can be stored in the token
data and then requests to url functions will return the appropriate
region. This is the wrong approach because there is nothing specific to
the token (or auth_data) that is region specific. Instead region
information should be held by the client.
Closes-Bug: 1147530
Closes-Bug: 1255992
Change-Id: I812aa89c8b4af28e294e63926a7f88e8246fffc5
Allow discovery of the API versions a server supports and create an
appropriate client based on this.
Implements: blueprint api-version-discovery
Change-Id: I63e6759889066a784dc47e35152c82e1ead7951d
For most things there is very little difference, but as we have a
jsonutils module we should probably be using it.
Change-Id: I406ea81bb56ad90cc9ff9b8b58b0d35b694dc802
Implements client support for the basic trusts API operations,
note this does not include support for the roles subpath operations,
support for those can be added in a subsequent patch.
Change-Id: I0c6ba12bad5cc8f3f10697d2a3dcf4f3be8c7ece
blueprint: delegation-impersonation-support
The discoverable entry point is to be client.Client however adding this
functionality to the current client.py is impossible as we end up with
circular dependencies.
This patch simply renames the current client.py to httpclient.py to make
future patches that will modify client.py more readable.
Required for: blueprint api-version-discovery
Change-Id: Ibcea03f6e1df0ae05329297166a8b8117fc3ce7b
Client V3 is a completely different implementation of the API, if we
want to intermix the V2 and V3 APIs then we don't need to version our
client at all.
Change-Id: I80579cd41df73ccfc6c8feb76843772829afac4e
Added support for domain scoping.
Enhancement on AccessInfo to support reading v2/v3 token information.
Enhancement on ServiceCatalog for reading/filtering v2/v3 service
catalog information.
Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
- F401: imported but unused
- F999: syntax error in doctest
Fixing a couple of the F401's simply required fixing the doctests syntax
where the imports were actually in use.
Change-Id: If78abbb143daf8d005a71c5ab52836df29c5e0cd
This initial change provides the support in keystoneclient to match the api
specified in the blueprint. Keystone itself does not yet support these
calls, so if you actually called these, then you would get an error from
the server. However the changes should be benign in terms of other api calls.
Blueprint keystone/+spec/user-groups
Api changes: review.openstack.org/#/c/18138
DocImpact
Change-Id: I9abfa82b39fa0c6d58fe0d22622944d3e6be39be
