Commit Graph

29 Commits

Author SHA1 Message Date
Akihiro Motoki 2baea728dd Retire project
In Queens development cycle, openstack_auth code was merged
into the horizon repository.

blueprint merge-openstack-auth

Change-Id: I74b10a90fe79fc768cfb8de6f68d3cd2f4938e51
2017-12-23 03:22:21 +09:00
Colleen Murphy 1fa9ae26cc Don't add required attribute to html form fields
In Django 1.10 a new Form property was introduced, defaulting to True,
which enabled HTML form validation for fields marked "required" in
Django. This changed old behavior, which was that required fields were
only validated server-side. This patch restores old behavior by setting
use_required_attribute to False for the inherited AuthenticationForm.

This problem arose because when WebSSO is enabled and a
non-keystone-credentials authentication method is selected from the
dropdown list, the now-hidden username and password fields are still
marked "required" and still validated client-side, even though they are
invisible to the user and cannot be filled in. It would be nice to fix
the javascript to properly turn the "required" attribute on or off
depending on what authentication method is selected and whether the
"required" fields are even visible, but for now this just restores the
behavior we had before Django 1.10.

Change-Id: I3e798a2288d9c33396b40a86b07ea8c163d3b525
Closes-bug: #1703109
2017-11-02 18:19:09 +01:00
Akihiro Motoki 28144e9a2f hacking: Drop import_exceptions from tox.ini
Current hacking check actually does not check attribute-level
imports. We can safely drop import_exceptions from tox.ini.

Also drops noqa to guard import exceptions for the same reason.

Change-Id: I4e37931a7bfb0aa7867d027125ffcf66e414cf08
2017-07-08 23:19:23 +00:00
Colleen Murphy 35a2fb35a7 Add support for a domain dropdown menu at login
On clouds that use domain-specific Identity configuration[1], a user
must provide both their username and domain in order to log into
horizon. Without this patch, users must be aware of their domain's name
and enter it into a text box at login. This is sensible on public
clouds, because supplying potential domains to an unauthenticated user
exposes too much information about other customers and makes potential
attacks easier. On private clouds, however, it is a hindrance to
usability. For example, when migrating from a single-domain
configuration to a multi-domain configuration, users must now guess or
be informed of their domain in order to enter it in the text box. As
another example, when keystone domains are mapped to Active Directory
domains, the user may not be used to having to know their AD domains and
would prefer to select a likely one based on their geographical location
or department from a dropdown menu.

This patch adds support for a new config option,
"OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN" for enabling a dropdown menu
instead of a textbox when MULTIDOMAIN_SUPPORT is enabled. The dropdown
is disabled by default. If enabled, choices for domains to display and
submit are configured in "OPENSTACK_KEYSTONE_DOMAIN_CHOICES". It is not
possible to dynamically generate a list of domains before the user has
authenticated and this would be a huge security hole if this was
possible. Requiring the admin to statically set the domain list allows
them to hide private domains like the service users domain.

[1] https://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers

Change-Id: Ie0a7e36b9975342fab81ddebb87880608d3ef187
Needed-By: I71d64182524d1f54745d9e42347b3a605fa2a920
2017-07-03 10:37:41 +02:00
Helber Maciel Guerra 96ca1097a5 Get remote address from client, behind proxy servers, to log on console.
Discovering REMOTE_IP using headers variables and displaying on console
log.

The messages will be:
"Login successful for user "%(username)s", remote address %(remote_ip)s."
and
"Login failed for user "%(username)s", remote address %(remote_ip)s."

This patch was tested behind haproxy and nginx reverse proxy.

To set the variable that you want to use, you must specify it using the
SECURE_PROXY_ADDR_HEADER setting. Without this setting the remote IP
will use the REMOTE_ADDR header variable.

Change-Id: I977be6cb1d029048b9862cac4b6596fc2e2b3431
Closes-Bug: #1461266
2016-12-30 01:54:32 +00:00
Rob Cresswell d8a9ad9fb2 Fix the py27dj19 tests
- Wrap the expected_url variable in a django 1.9 condition so that it
  returns as expected.
- Use request.GET/request.POST instead of request.REQUEST
- Remove some conditional code required for old Django versions

This is the first step in getting Horizon to fully support Django 1.9.
It does *not* yet aim to offer full support, which is why the
requirements have not been bumped.

Change-Id: I7f8f3cde92cafdb5c9134baf75fc736cbf35ff6a
Partially-Implements: blueprint drop-dj17
Depends-On: Ia6cbbc281732e9c466edeaa76739122e006a997e
2016-01-15 13:12:24 +00:00
Paul Karikh ce52637f61 Add domain initial value on login
Currently there is no default value for
domain field of login form.
This patch adds saving last login domain
name into cookies and pre-filling
'Domain' field value on login with
this saved value from cookies.

Closes-Bug: #1523957
Change-Id: Idbbd741358ecabeb51de47cdece662b5019d2092
2015-12-09 19:12:29 +03:00
lin-hua-cheng 3a501397ac Fix missing region field on WebSSO setup
Change-Id: Id79491ba8097e0bf854725470498d86641638fed
Closes-Bug: #1490772
2015-08-31 16:45:32 -07:00
lin-hua-cheng 9c8406cbbc Fix Login form's fields sorting for Django 1.7
Starting from Django 1.7 self.fields.keyOrder no longer works for
setting fields ordering, need to rearrange fields there by recreating
underlying OrderedDict.

Change-Id: Idd015f0fa59061af2afc3936d8c37b004118bb64
Closes-Bug: #1474157
2015-07-13 17:39:34 -07:00
lin-hua-cheng f3a2c4aa16 Fix test error for Django1.7
Change-Id: Id233e73173818d0fa69621fc26d824e1bd8b5472
2015-04-13 12:40:43 -07:00
Thai Tran 302f422568 Add authentication using openID and SAML
To enable websso, make sure you have your environment configured.
Then add following to Horizon settings:
WEBSSO_ENABLED=True

Also make sure your KEYSTONE is version 3+

Depends on:
https://review.openstack.org/#/c/136177/
https://review.openstack.org/#/c/151842/

Co-Authored-By: Thai Tran <tqtran@us.ibm.com>
Co-Authored-By: Jose Castro Leon <jose.castro.leon@cern.ch>
Co-Authored-By: Marek Denis <marek.denis@cern.ch>
Co-Authored-By: Lin Hua Cheng <os.lcheng@gmail.com>

implements bp federated-identity
Change-Id: Ief74bece750ffe633d4323238cad89bad61496ed
2015-03-31 11:10:21 -07:00
Radomir Dopieralski 3e2d978df6 Allow an empty region list
If the AVAILABLE_REGIONS list is empty, treat it the same as if
it wasn't specified at all. This is needed for when we can't
leave out a setting from configuration, in oslo_config.

Change-Id: I97552894e1f9c4312e64ec882ac604bae3b16b55
2015-01-14 13:47:36 +01:00
Jenkins d1fac5065c Merge "Make region sticky on Login page" 2014-12-29 21:16:35 +00:00
Jenkins b1538c90fa Merge "Domain enabled login screen needs focus on Domain field" 2014-12-11 09:54:31 +00:00
eric e676c88a32 Horizon login page contains DOS attack mechanism
the horizon login page (and middleware) accesses the session
too early in the login process, which will create session records
in the session backend.  This is especially problematic when non-cookie
backends are used.

Co-Authored-By: Tihomir Trifonov <t.trifonov@gmail.com>
Co-Authored-By: Eric Peterson <eric.peterson1@twcable.com>

Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
Closes-Bug: 1394370
2014-12-08 16:43:49 -07:00
liyingjun 5bc597c0ce Domain enabled login screen needs focus on Domain field
After you enable v3 support, you will see a Domain field on
the login screen. However, the focus is still on the Username
field. It should be on the first field which is Domain.

Change-Id: I9d74a4f727d91e0db03988c00e5bc94979966e3b
Closes-bug: #1396812
2014-12-02 11:09:07 +08:00
lin-hua-cheng 412e129b0a Make region sticky on Login page
The region from last login is used as the default selected
region when the Login page loads.

Change-Id: I3f431e8d2f89cd18ed873a54a1f4109ec95b9c11
Closes-Bug: #1392718
2014-11-20 17:25:35 -08:00
Thomas Goirand 6d17375a9e Fix Django 1.7 compat
In Debian, we are going to release Jessie with Django 1.7,
which has just been released. Therefore, compatibility is
important for us.

This patch, which the Debian package already carries, fixes
2 small compatibility issues with Django 1.7. It is safe to
use openstack_auth with these patches and a lower version of
Django, which makes it safe to apply this patch.

Change-Id: I564cde889c56e12fc0fc1347537e66b576605a0d
2014-09-09 01:30:09 +00:00
Akihiro Motoki 58da8b38a9 Fix H4xx docstring issues
Completes blueprint openstack-hacking-compliant

Change-Id: Ib286972b65e0e3282db483718421f7f28e8c6cd1
2014-07-29 16:32:38 +00:00
Akihiro Motoki 2ead8838e7 Fix H301 and H304 hacking issues
H301 one import per line
H304 No relative imports

When checking imports DJANGO_SETTINGS_MODULE environment needs to
be set. Add the following to tox.ini testenv:pep8.

    setenv = DJANGO_SETTINGS_MODULE=openstack_auth.tests.settings

A part of blueprint openstack-hacking-compliant

Change-Id: I65a23c1e9a5d7a5852d448651254b6a3866f1dd3
2014-06-06 15:48:25 +09:00
Akihiro Motoki 41fc94754f Fix H306 imports not in alphabetical order
Remove the following rules from ignore list
without any violations from these:
H201,H302,H303,H701,H702,H803

A part of blueprint openstack-hacking-compliant

Change-Id: I4e43e13234f7640ef216db168d873c4cc1198328
2014-04-04 19:12:02 +09:00
Akihiro Motoki 6e774321d8 Make Hacking E1XX compliant
E121 continuation line indentation is not a multiple of four
E126 continuation line over-indented for hanging indent
E127 continuation line over-indented for visual indent
E128 continuation line under-indented for visual indent

A part of blueprint openstack-hacking-compliant

Change-Id: I06ce0ee5132178a777ce9b9e409ef1d24af1ea1f
2014-04-04 18:55:17 +09:00
Robert Mizielski f511f81b4f Giving focus on username field on log in page
Added autofocus on the username input.

Change-Id: I32f34ac2410919c4f2bacac0eceb8668cb3ee08e
Closes-Bug: #1225662
2013-10-03 15:43:34 +02:00
Monty Taylor 985bf5659c Align with OpenStack project standards
Change-Id: If03b325c941dcac257b25b90c8b152dcead5edd2
2013-09-10 16:58:11 -05:00
Lin Hua Cheng b63d876974 Add capability for Keystone V3 Authentication.
For multi-domain model, set OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT
to True and the login form will prompt the user for Domain name.

For single-domain model, set OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT
to False. The application will use the name of the default domain in
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN to login.

Cleanup the unused Tenant field in the login form.

Implements blueprint login-domain-support
2013-07-08 20:37:58 -07:00
linhuacheng d9709c013f Add logging for success/failed login.
The log can be useful for analysis of usage of horizon.
2013-04-24 14:04:18 -07:00
Sam Stoelinga e2523bb2a7 Fixed l10n bugs and added zh_CN translation
Some strings were not being localized because the string was already
translated at import time it seems.

Also added Chinese translation with help of Zhanghui
2013-01-25 14:22:43 +08:00
Gabriel Hurley 998c96cfae Adds docs.
Fixes #2.
2012-07-08 15:39:38 -07:00
Gabriel Hurley 9962375e0c Initial commit. 2012-07-03 02:25:01 -07:00