Commit Graph

67 Commits

Author SHA1 Message Date
Akihiro Motoki 2baea728dd Retire project
In Queens development cycle, openstack_auth code was merged
into the horizon repository.

blueprint merge-openstack-auth

Change-Id: I74b10a90fe79fc768cfb8de6f68d3cd2f4938e51
2017-12-23 03:22:21 +09:00
Akihiro Motoki 28144e9a2f hacking: Drop import_exceptions from tox.ini
Current hacking check actually does not check attribute-level
imports. We can safely drop import_exceptions from tox.ini.

Also drops noqa to guard import exceptions for the same reason.

Change-Id: I4e37931a7bfb0aa7867d027125ffcf66e414cf08
2017-07-08 23:19:23 +00:00
Akihiro Motoki bc5f1df5a9 Cleanup doc warnings and enforce warning-is-error in sphinx
* doc/source/conf.py: html_static_path pointed to nonexisting dir
* Fix indent error in python codes
* Insert blank lines before starting code block
* Enable warning-is-error in setup.cfg to prevent future warnings
* 'all_files' should be 'all-files' in setup.cfg

Change-Id: I7c5bc31be9c95ec78f18f895014a03cb003d7e04
2017-03-24 23:05:56 +09:00
Elvin Tubillara f0c7f27af6 Add K2K Auth Dropdown
This adds auth functionality to the Auth Drop down.
A new K2K django auth plugin has been added (With the intent
to do K2K at Login Time). Session variables have been
added so horizon can display the names of the Keystone Providers.
An endpoint was also added that allows the user to
switch keystone providers.

Change-Id: I75b1a10a3b40b5544b60f6fdc060e0070c585977
Implements: blueprint k2k-horizon
2017-01-19 13:00:08 -07:00
Elvin Tubillara 597e6d79b4 Refactor project and domain scoping
Moves the project and domain logic into their own functions
inside the plugin object.

Change-Id: I3aa026364443220c9b3fa38ec306fed4d9e878cc
2017-01-12 14:01:47 -06:00
Timur Sufiev c40b265c3b Make fix_auth_url_version() delegate emitting the warning up the stack
This makes sense because usually only the caller of
fix_auth_url_version() has enough context to decide what warning
message should be emitted (where did the wrong url come from? service
catalog or openstack_dashboard/settings.py?). This also will help to
reduce the number of redundant warnings, emitting them only when user
logs in or a value from service catalog was fixed.

The necessity of this change became obvious after discussion in
https://review.openstack.org/#/c/323786 comments.

Also a small refactoring was made to fix_auth_url_version() (which
previously was edited in haste) - to reuse existing helper functions,
this makes the code a bit cleaner.

Needed-By: I6c6a35b1c460e22dadf39634fce1bdfa257b8c63
Change-Id: I3a04d838a707465c8c6e81e0e6e2fcf918b7b059
2016-06-16 20:46:49 +03:00
andrewbogott d7a2dce59d When calculating session_time, use the actual token life
This calculation uses the 'token_life' var which is a
datetime.timedelta object.  timedelta.seconds gets us just the
'seconds' component of the object, truncating away any days, hours,
or weeks that might be included in the object.

What we want here is the total time in seconds, which is
total_seconds().

Closes-Bug: #1562452
Change-Id: I6a947abb891e1d34e1cf3aea53b345e0a804bacf
2016-03-28 20:15:30 -05:00
Kenji Ishii d779eb6fe3 Add convenient method to get admin roles and permissions
admin roles and admin permissions (like 'openstack.roles.xxxx')
depend on OPENSTACK_KEYSTONE_ADMIN_ROLES.
This information is needed with openstack_auth and Horizon at least
as common information.
So, this patch provides these methods as a convenient method at
openstack_auth.

Change-Id: Idad1860684b1e772fc31f16fc8c0263e49fc3919
Closes-Bug: #1536896
2016-02-04 01:04:20 +00:00
Jenkins 542ae6294f Merge "Python 3 deprecated the logger.warn method in favor of warning" 2016-01-12 09:12:54 +00:00
lin-hua-cheng 2d88515aff Python 3 deprecated the logger.warn method in favor of warning
Python 3 deprecated the logger.warn method, see:
https://docs.python.org/3/library/logging.html#logging.warning, so we
prefer to use warning to avoid DeprecationWarning.

Change-Id: Ibc234aedad20351861462f1ebd0457632bdfd048
Closes-Bug: #1508442
2016-01-06 15:34:47 +00:00
eric c57b38011c Use consistent region during login
This change makes it so that the auth_url you have configured will
be the primary region used during initial login. This will help make
multi region keystone / horizon deployments more reliable and predictable.
Also, it may perform better if horizon is configured to point to the nearest
auth_url in multi region setups.

Change-Id: I99d40ed580a25f3694fbbd8e54d0b6416907f31b
Closes-bug: #1531003
2016-01-05 14:12:07 -07:00
Johannes Grassler 58ce9d7ede Add API version to identity endpoint URLs
This change adds the Keystone API version to the identity endpoint URL
retrieved from Keystone's endpoint list. This is necessary in Kilo and
later, since identity endpoint URLs retrieved from Keystone no longer
contain the API version path they used to contain until Juno. See
https://bugs.launchpad.net/horizon/+bug/1508421 for a detailed analysis
of the problem.

Change-Id: Ieff5a6cdd1ad352a9731d46785802e8c36adcdd1
Closes-Bug: 1508421
2015-12-14 10:30:51 +00:00
Jenkins d3c74446e1 Merge "Use set comprehension instead of converting lists to sets" 2015-12-11 18:25:06 +00:00
Paulo Ewerton Gomes Fragoso 8f1e5675c4 Move d-o-a auth library to keystoneauth
With the keystoneauth release, the authentication library
should move from keystoneclient to keystoneauth.

Co-Authored-By: Diego Adolfo <diegoado@gmail.com>

Change-Id: If880022f447255e7d943915087e229778cc6acf8
Implements: blueprint keystoneauth-update
2015-12-09 13:46:45 +00:00
David Lyle 517de5f664 Add domain scoped token to session in multidomain
In order to perform identity operations in keystone v3 when the v3
policy file is used, a domain scoped token is required. Adding the
domain scoped token to the session as it remains valid until the user
logs out.

The domain scoped token is sizeable, so a check to make sure the
session backend used is not signed cookies, as this will overflow
the cookie.

Additionally, errors around getting and storing the domain scoped
token are logged, but don't block authentication, as it only blocks
identity operations.

A call to delete the domain token is made on logout.

Support for the case of a user with a domain role but no project roles
is now supported as well. That is a user can log in with only scoping
to a domain. This allows domain admins to be able to configure identity
without requiring a project role.

Implements: blueprint domain-scoped-tokens
Change-Id: I0ed1737cdd80dc143f1df94700e311351d5d3b24
2015-11-14 00:33:42 +00:00
Kirill Zaitsev 885cdd96c6 Use set comprehension instead of converting lists to sets
This patch takes advantage of python set comprehensions
syntax instead of constructing a list and converting
it to set later.
Also takes advantage of .isdisjoint function,
that returns True if two sets have a null intersection.
Should slightly improve performance and readability.

Closes-Bug: #1506925
Change-Id: Ia3d8b47efcf1b2280d7570e782fd196ce716ac8a
2015-11-09 17:22:19 +00:00
David Lyle ab9678d4b4 Removing hack for python 2.6 support
Python 2.6 support was dropped with the last release, we
no longer need this code.

Change-Id: I2957864a9a4ae81c6cd2042f226140a5f7af5457
2015-08-25 11:17:35 -06:00
lin-hua-cheng e4062e3706 Use unscoped token for scoping to project
When authenticating a user in v3, always request
for an unscoped token. Otherwise it would automatically
default to the default project.

Change-Id: I9e1d9129e2fb35933c803096fca9f1236affc27f
Closes-Bug: #1474893
2015-07-15 11:13:38 -07:00
eric 2e804b0fa3 Support removal of last_activity session flag
This is a simple change that will support removal of the last activity
session field within the horizon middleware.  With this change, a bunch
of horizon code can be removed.

Change-Id: Ia1c9f116ce731b80fb66a191d937a5ef509c81e9
Partialy-Closes: #1450914
2015-05-26 15:27:13 -06:00
lin-hua-cheng e30c1c586e Improve messaging on keystone connection issue
When connection could not be established to keystone, it is mostly
caused by misconfiguration. Updating the error message to make
it easier to troubleshoot.

Change-Id: I292838e57474f524f9b2910e6c22648d41006207
Closes-Bug: #1452955
2015-05-11 10:48:57 -07:00
lin-hua-cheng 7ec44e898b Updated parsing of catalog to handle bad format
Don't assume that the service catalog is well-formed, added code
to safely parse the catalog.

Parsing of region from service catalog has been fixed as well.
'region' has been deprecated in the Keystone V3 catalog in favor of
'region_id'. Fix how region is extracted by checking 'region_id' then
fallback to 'region'.

Change-Id: I7b649a8b90e20caa2d04fdd3f79b5b1ac775237c
Closes-Bug: #1424825
2015-04-07 13:24:27 -07:00
Thai Tran 302f422568 Add authentication using openID and SAML
To enable websso, make sure you have your environment configured.
Then add following to Horizon settings:
WEBSSO_ENABLED=True

Also make sure your KEYSTONE is version 3+

Depends on:
https://review.openstack.org/#/c/136177/
https://review.openstack.org/#/c/151842/

Co-Authored-By: Thai Tran <tqtran@us.ibm.com>
Co-Authored-By: Jose Castro Leon <jose.castro.leon@cern.ch>
Co-Authored-By: Marek Denis <marek.denis@cern.ch>
Co-Authored-By: Lin Hua Cheng <os.lcheng@gmail.com>

implements bp federated-identity
Change-Id: Ief74bece750ffe633d4323238cad89bad61496ed
2015-03-31 11:10:21 -07:00
Jenkins 4e8b064522 Merge "Make list_projects a method of auth plugin" 2015-03-31 17:16:57 +00:00
lin-hua-cheng db8698f0ab Add token auth plugin
Change-Id: Icdbd11b3b138749b055153cb1176edc89ef5eea6
2015-03-29 20:44:01 -07:00
Jamie Lennox ea7eab90f6 Make list_projects a method of auth plugin
Federation plugins and possibly others in the future need the ability to
customize how they retrieve projects from the keystone server. By making
it a method of the plugin it can be overridden by these plugins.

Change-Id: Ide2fd4edc7eb2d61fe95166ec9cbce9c2753c616
2015-03-30 10:28:29 +11:00
Jenkins 15271a4665 Merge "Rename AUTH_PLUGINS option" 2015-03-25 17:14:11 +00:00
Jamie Lennox 6090639973 Rename AUTH_PLUGINS option
When I redeployed horizon using the newer plugin interfaces I noticed
that horizon already had the options AUTHENTICATION_BACKENDS and
AUTHENTICATION_URLS.

AUTH_PLUGINS is inconsistent here and we should update it to
AUTHENTICATION_PLUGINS. There has not been a release with this variable
to worry about.

Change-Id: Idab7770a9e61979fea15db63764423414665ba49
2015-03-25 12:16:23 +11:00
Jamie Lennox 961e11225f Follow ups to Authentication Plugins
Address the comments made in the original authentication plugins patch.

 * Add some additional logging to the standard username and password
   plugin.
 * Change the login error message to reflect additional authentication
   mechanisms.
 * Log a warning if no suitable authentication plugin is found. Given
   the way horizon relies solely upon DOA the only real way this should
   happen is a configuration error.

Change-Id: Ib827f26da793ef2e43b8f5a0f194293f442b3341
2015-03-25 09:06:20 +11:00
Jamie Lennox e6c25ad380 Create plugin model for DOA authentication
With federated and kerberos logins coming we need an extensible way to
specify additional ways to fetch an unscoped token from keystone.

Create a plugin model that when authenticate is called a series of
plugins can be queried for a token depending on the information
provided.

Closes-Bug: #1433389
Change-Id: Ifbd7077173844a8eb3400799fd512b62a5dc7dcc
2015-03-25 05:32:25 +11:00
lin-hua-cheng 5801b07da6 Fix H405 docstring issue
Change-Id: I39bb85f3c313b8e5065c07aef5c05f7a44f16c98
2015-02-18 22:32:06 -08:00
Jenkins d4e4206d71 Merge "Attempt to scope only to enabled projects" 2015-02-11 10:15:44 +00:00
Jamie Lennox 01e0abc17d Use keystone auth plugins
Convert the existing DOA to using authentication plugins keeping as
close to the current code structure as possible.
This will allow us to add additional authentication plugins later and
to start changing horizon to use these plugins when talking to other
services rather than hacking tokens into the clients.

Change-Id: Idd9ad5044e998a6c514f6161f5159b44391a0849
2015-01-23 11:28:31 -08:00
lin-hua-cheng 7f062dbf43 Attempt to scope only to enabled projects
Filter out the disabled projects from the list of projects that
authentication backend will attempt to scope to.

Tests have been updated, the backend will no longer attempt to
scope to disabled projects.

Change-Id: I0fcdcd2ce72cd6580a2985d637c4bbabc60e4377
Closes-Bug: #1223079
2014-12-19 14:57:12 -08:00
Jenkins 7c5f759473 Merge "Make region and project sticky" 2014-11-20 19:23:55 +00:00
eric 4ceb57d02b Make region and project sticky
This change will make the region and project "sticky" in that whatever is selected
will remain selected.  When users select other projects or login/logout the region will
stay what the user last selected, and users will try to be returned to the last used
project

Change-Id: I8b38ab2cb8b616ad6976aa8167b8209926054df4
Closes-Bug: 1357047
Closes-Bug: 1389401
2014-11-17 08:44:18 -07:00
Jenkins 76a7420f7f Merge "Set default auth_url from django settings when auth_url is None" 2014-11-14 13:57:32 +00:00
Akihiro Motoki 2e5485d8c5 Bump hacking to 0.9.x series
In order to sync global-requirements, this patch bumps
hacking to 0.9.x series.
H236, H305, H307 errors are fixed in this patch.
H307 and H904 are added to the ignore list.

Change-Id: I37c16ad67912dec8ce1562676ae0ebbfbe277d99
2014-10-19 19:41:58 +09:00
Yves-Gwenael Bourhis 31860107c3 Adding django kwargs to login and logout views
The django.contrib.auth.views login and logout views take useful parameters
which were dropped by the openstack_auth.views methods.

Added a TOKEN_TIMEOUT_MARGIN which allows to check token expiration minus a
time margin in seconds. This is useful if you know a process will take a
certain time, you want to have your token still valid all this time (e.g. the
time it can take to render a view).

This patch is required for https://review.openstack.org/88220

Change-Id: I7508c40d6f1eaa2bf1eef5cc762052b15d6d9273
Closes-Bug: 1308918
2014-09-12 16:49:45 +02:00
Yves-Gwenael Bourhis b7bf43c730 Added url_path_replace and has_in_url_path methods
utils.py, views.py and backend.py were using .replace('v3', 'v2.0') and
.replace('v2.0', 'v3') methods on url strings.
This is BAD because if you have v3 in your url's domain it breaks it.

A new url_path_replace method now only performs the replaces in the url path
and leaves the domain unchanged.

Some checks were performed to test if a substring was in the url path but the
tests were performed on the whole url and could return a false positive if the
substring exists in the domain name or in the query string.
The new has_in_url_path method checks only if the substring is in the path of
the url.

Change-Id: I030d928d83e5c91cf26101221649a299d146747d
Closes-Bug: 1324948
2014-08-26 17:45:44 +02:00
David Lyle c1dbc6a38f Adding log message for keystone API mismatch
When the Horizon settings file specifies a v2.0 endpoint and
indicates v3 API to use with Keystone, the code redirects the
v2.0 to v3 without notice. Logging a warning, so deployers can
address the mismatch.

Closes-Bug: #1291457
Change-Id: If9e9e40af5ac23e8dea552d2d1a04597c67837a7
2014-07-30 16:39:19 -06:00
Akihiro Motoki 58da8b38a9 Fix H4xx docstring issues
Completes blueprint openstack-hacking-compliant

Change-Id: Ib286972b65e0e3282db483718421f7f28e8c6cd1
2014-07-29 16:32:38 +00:00
Akihiro Motoki 2ead8838e7 Fix H301 and H304 hacking issues
H301 one import per line
H304 No relative imports

When checking imports DJANGO_SETTINGS_MODULE environment needs to
be set. Add the following to tox.ini testenv:pep8.

    setenv = DJANGO_SETTINGS_MODULE=openstack_auth.tests.settings

A part of blueprint openstack-hacking-compliant

Change-Id: I65a23c1e9a5d7a5852d448651254b6a3866f1dd3
2014-06-06 15:48:25 +09:00
Xiao Hanyu e239fb78e0 Set default auth_url from django settings when auth_url is None
This is useful when users (client web forms) just provide
username/password to authenticate with django_openstack_auth. In this
case, they can still login if keystone version == 2.0 since keystone
v2.0 only requires username/password and auth_url to authenticate. In
most cases, auth_url can be obtained from django (horizon)'s settings.

Fix-bug: #1316490
Change-Id: I2ed24238adb79b6ef33e4bf20232b6a924ad0b1f
2014-05-26 14:25:02 +08:00
Cyril Roelandt e9798d5965 Do not use Exception.message
This does not work in Python 3.

Partial-Bug: 1287323
Change-Id: Iac637bc5a6db21b498f6bce5c48134447c73c6c1
2014-05-15 17:16:09 +02:00
ericpeterson-l 304b09e73c Adding check for service roles to match users region selection
Change-Id: Ic84ba02f3245800156011b015c757333678eaa40
Fixes: bug #1212358
2014-04-21 13:39:46 -06:00
Akihiro Motoki 6e774321d8 Make Hacking E1XX compliant
E121 continuation line indentation is not a multiple of four
E126 continuation line over-indented for hanging indent
E127 continuation line over-indented for visual indent
E128 continuation line under-indented for visual indent

A part of blueprint openstack-hacking-compliant

Change-Id: I06ce0ee5132178a777ce9b9e409ef1d24af1ea1f
2014-04-04 18:55:17 +09:00
David Lyle 537fd8c7b2 moves default keystone API to v3
v2.0 of the keystone API was deprecated in icehouse-2, moving to
support v3 by default.

This also fixes a bug in Horizon where if you specify v3 for the
API version and v2.0 is still the auth url, login fails.

Implements blueprint keystone-v3-default
Partial-bug: #1267636

Change-Id: Ibc4872f24125fa74230eab781b002dffdba5f5da
2014-02-03 14:45:13 -07:00
Brian DeHamer b49304d9e7 Pass OPENSTACK_SSL_CACERT setting to keystone
Pass the value of the OPENSTACK_SSL_CACERT setting as the cacert
parameter when instantiating the keystoneclient.

Change-Id: I1efaf6a51af841233675a53e42d7b762cfbd4003
Closes-bug: 1240238
2013-10-26 07:34:14 -07:00
Jenkins 730142d392 Merge "Missing check, supporting changes in horizon for middleware changes" 2013-09-30 19:08:19 +00:00
Jenkins 649664cc88 Merge "Make auth backend use OPENSTACK_ENDPOINT_TYPE parameter from settings." 2013-09-24 20:16:59 +00:00